CSDF

Computer forensics is the scientific method of investigation and analysis to gather digital evidence from devices or networks. It involves maintaining a documented chain of evidence. Computer forensics professionals perform services like data recovery, document searches, and expert witness testimony. The computer forensics specialist takes steps like protecting systems and discovering all files during examination.

Uploaded by Nirnay Patil

UNIT 3

1) What is Computer Forensic and its uses?


Ans:
Computer Forensics is a scientific method of investigation and analysis in order to
gather evidence from digital devices or computer networks and components which
is suitable for presentation in a court of law or legal body. It involves performing a
structured investigation while maintaining a documented chain of evidence to find
out exactly what happened on a computer and who was responsible for it.
TYPES
• Disk Forensics: It deals with extracting raw data from the primary or secondary
storage of the device by searching active, modified, or deleted files.
• Network Forensics: It is a sub-branch of Computer Forensics that involves
monitoring and analysing the computer network traffic.
• Database Forensics: It deals with the study and examination of databases and
their related metadata.
• Malware Forensics: It deals with the identification of suspicious code and
studying viruses, worms, etc.
• Email Forensics: It deals with emails and their recovery and analysis, including
deleted emails, calendars, and contacts.
• Memory Forensics: Deals with collecting data from system memory (system
registers, cache, RAM) in raw form and then analysing it for further
investigation.
• Mobile Phone Forensics: It mainly deals with the examination and analysis of
phones and smartphones and helps to retrieve contacts, call logs, incoming, and
outgoing SMS, etc., and other data present in it.
USES
• Tracking computer use, discovering critical data, and making forensically sound
copies of information that will be used in court; this helps government agencies as
well as private enterprises control their risk and improve security.
• Establishing the extent of a data breach or of any other attack on the network.
• With the right tools, police or other authorities can uncover critical or criminal
files on seized devices.
• Tracing an intrusion or attack back to its source or origin.

2) Computer Forensic Services


Ans:
Computer forensics professionals should be able to perform complex evidence
recovery procedures with skill and care. For example, they should be able to
perform the following services:
1. DATA SEIZURE: Following federal guidelines, computer forensics experts should
act as the representative, using their knowledge of data storage technologies to track
down evidence.
2. DATA DUPLICATION/PRESERVATION: By making an exact duplicate of the needed
data, computer forensics experts address the concerns that matter most when data is
seized: all work is done on the duplicate, so the integrity of the original is
maintained and the original can later be verified against the copy.
3. DATA RECOVERY: Using proprietary tools, your computer forensics experts should
be able to safely recover and analyse otherwise inaccessible evidence.
4. DOCUMENT SEARCHES: Computer forensics experts should also be able to search
over 200,000 electronic documents in seconds rather than hours.
5. MEDIA CONVERSION: Computer forensics experts should extract the relevant data
from old and un-readable devices, convert it into readable formats, and place it onto
new storage media for analysis.
6. EXPERT WITNESS SERVICES: Computer forensics experts should be able to explain
complex technical processes in an easy-to-understand fashion.
7. COMPUTER EVIDENCE SERVICE OPTIONS: Computer forensics experts should offer
various levels of service, each designed to suit individual investigative needs, such
as standard service and on-site service.
3) Steps taken by Computer Forensic Specialists
Ans:
The computer forensics specialist should take several careful steps to identify and
attempt to retrieve possible evidence that may exist on a subject’s computer system.
For example, the following steps should be taken:
1. Protect the subject computer system during the forensic examination from any
possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted
yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both
the application programs and the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This includes,
but is not limited to, the unallocated space on a disk and the slack space at the end
of a file.
7. Print out an overall analysis of the subject computer system, as well as a listing of
all possibly relevant files and discovered file data.
8. Provide an opinion of the system layout, the file structures discovered, any
attempts to hide, delete, protect, and encrypt information; and anything else that
appears to be relevant to the overall computer system examination.
9. Provide expert consultation and testimony, as required.

4) Types of Computer Forensic technology


Ans:
There are 3 types of Computer Forensic technology
1) TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY
✔ Real-time tracking of potentially malicious activity is especially difficult when the
pertinent information has been intentionally hidden, destroyed, or modified in
order to elude discovery.
✔ The Computer Forensics Experiment 2000 (CFX-2000) resulted from a partnership
between the Air Force Research Laboratory (AFRL) Information Directorate and the
National Institute of Justice (NIJ). CFX-2000 is an integrated forensic analysis
framework.
✔ The central hypothesis of CFX-2000 is that it is possible to accurately determine
the motives, intent, targets, sophistication, identity, and location of cyber
criminals and cyber terrorists by deploying an integrated forensic analysis
framework.
✔ The cyber forensic tools involved in CFX-2000 consisted of off-the-shelf software
and R&D prototypes. CFX-2000 included the SI-FI integration environment.
✔ The Synthesizing Information from Forensic Investigations (SI-FI) integration
environment supports the collection, examination, and analysis processes
employed during a cyber-forensic investigation.
✔ The SI-FI prototype uses digital evidence bags (DEBs), which are secure and
tamperproof containers used to store digital evidence.
✔ Investigators can seal evidence in the DEBs and use the SI-FI implementation to
collaborate on complex investigations.
✔ Authorized users can securely reopen the DEBs for examination, while automatic
audit of all actions ensures the continued integrity of their contents.
✔ The results of CFX-2000 verified that the hypothesis was largely correct and that it
is possible to ascertain the intent and identity of cyber criminals.

2) TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY


Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer
evidence processing standards.
1. Preservation of Evidence
✔ Computer evidence can be useful in criminal cases, civil disputes, and human
resources/ employment proceedings.
✔ Black box computer forensics software tools are good for some basic investigation
tasks, but they do not offer a full computer forensics solution.
✔ SafeBack software overcomes some of the evidence weaknesses inherent in black
box computer forensics approaches.
2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy
diskettes are structured and how computer evidence can reside at various levels
within the structure of the disk.
3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack
security associated with the different file structures.
4. Matching a Diskette to a Computer
Specialized techniques and tools make it possible to conclusively tie a diskette to
the computer that was used to create or edit the files stored on it. Computer forensic
experts should become familiar with the special software tools used to complete this
process.

5. Data Compression
Computer forensic experts should become familiar with how compression works, how
compression programs can be used to hide and disguise sensitive data, and how
password-protected compressed files can be broken.

6. Erased Files
Computer forensic experts should become familiar with how previously erased files
can be recovered, both with DOS programs and by manual data-recovery techniques,
and should understand cluster chaining.

7. Internet Abuse Identification and Detection
✔ Computer forensic experts should become familiar with specialized software that
identifies how a targeted computer has been used on the Internet.
✔ This process focuses on data that the computer user probably doesn't realize
exists (file slack, unallocated file space, and Windows swap files).

3) TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY


The following are different types of business computer forensics technology:
1. REMOTE MONITORING OF TARGET COMPUTERS
Data Interception by Remote Transmission (DIRT) is a powerful remote-control
monitoring tool that allows stealth monitoring of all activity on one or more target
computers simultaneously from a remote command centre. No physical access is
necessary.

2. CREATING TRACKABLE ELECTRONIC DOCUMENTS
✔ Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool
that allows users to create trackable electronic documents.
✔ BAIT identifies (including their location) unauthorized intruders who access,
download, and view these tagged documents.
✔ BAIT also allows security personnel to trace the chain of custody and chain of
command of all who possess the stolen electronic documents.

3. THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
✔ PC PhoneHome is a software application that will track and locate a lost or stolen
PC or laptop anywhere in the world.
✔ If your PC PhoneHome-protected computer is lost or stolen, all you need to do is
make a report to the local police and call CD's 24-hour command center. CD's
recovery specialists will assist local law enforcement in the recovery of your
property.

5) Computer Forensic Evidence and Capture


Ans:
Data Recovery Defined
Data recovery is the process in which highly trained engineers evaluate and extract
data from damaged media and return it in an intact format.
The Role of Back-up in Data Recovery
The role of backup has changed: it now includes responsibility for recovering from
user errors and for ensuring that good data has been saved and can quickly be
restored.
The Data Recovery Solution
The complex systems that have evolved over the past 30 years must be monitored,
managed, controlled, and optimized. Backups often take place while an application is
running.
Evaluate your preparation
If all of the resources (image copies, change accumulations, and logs) are available at
recovery time, these preparations certainly allow for a standard recovery. Finding out
at recovery time that some critical resource is missing can be disastrous! Checking
your assets to make sure they’re ready should be part of your plan.
Automated Recovery
With proper planning and automation, recovery is made possible, reliance on specific
personnel is reduced, and the human-error factor is nearly eliminated. In the event of
a disaster, the Information Management System (IMS) recovery control (RECON) data
sets must be modified in preparation for the recovery.
Make Recoveries Efficient
Multithreading tasks shorten the recovery process. Recovering multiple databases
with one pass through your log data certainly will save time.
Take Back-ups
The first step to a successful recovery is the backup of your data. Your goal in backing
up data is to do so quickly, efficiently, and usually with minimal impact to your
customers.
BACK-UP AND RECOVERY SOLUTION
BMC Software has developed a model called the Backup and Recovery Solution (BRS)
for IBM's Information Management System (IMS) product.
Image Copy
BRS contains an Image Copy component to help manage your image copy process.
Change Accumulation
The BRS Change Accumulation component takes advantage of multiple engines, large
virtual storage resources, and high-speed channels and controllers that are available
in many environments.
Recovery
The BRS Recovery component, which functionally replaces the IMS Database
Recovery utility for full-function (DL/I) databases and data-entry databases (DEDBs),
allows recovery of multiple databases with one pass of the log and change
accumulation data sets while dynamically allocating all data sets required for
recovery.
POINTER CHECKING
BRS offers the capability to verify the validity of database pointers through the
Concurrent Pointer Checking function.
INDEX REBUILD
If indexes are ever damaged or lost, the Index Rebuild function of BRS allows you to
rebuild them rather than recover them.
RECOVERY ADVISOR
The Recovery Advisor component of BRS allows you to monitor the frequency of your
image copies and change accumulations. It helps you to determine whether all your
databases are being backed-up.
UNIT 4

1) Why collect evidence, Collection options & obstacles


Ans:
Collect Evidence
The simple reasons for collecting evidence are:
✔ Future Prevention: Without knowing what happened, you have no hope of ever
being able to stop someone else from doing it again.

✔ Responsibility: The attacker is responsible for the damage done, and the only way
to bring him to justice is with proper evidence to prove his actions. Information
gathered after a compromise can be examined and used by others to prevent
further attacks.

Collection Options
Once a compromise has been detected, you have two options:
✔ Pull the system off the network and begin collecting evidence: in this case you
may find that you have insufficient evidence or, worse, that the attacker left a
dead-man switch that destroys any evidence once the system detects that it is
offline.

✔ Leave it online and attempt to monitor the intruder: you may accidentally alert
the intruder while monitoring and cause him to wipe his tracks any way necessary,
destroying evidence as he goes.

Obstacles
✔ Computer transactions are fast, can be conducted from anywhere, can be
encrypted, and have no intrinsic identifying features such as handwriting or
signatures to identify those responsible.
✔ Any paper trail of computer records they may leave can be easily modified or
destroyed, or may be only temporary.
✔ Auditing programs may automatically destroy the records left when computer
transactions are finished with them.
✔ Investigating electronic crimes will always be difficult because of the ease of
altering the data and the fact that transactions may be done anonymously.
2) Types of Evidence
Ans:

Collecting evidence properly is essential in any investigation to support the claims
made in court. Below are the major types of evidence.
• Real Evidence: Tangible, physical items such as flash drives, hard drives, printed
documents, etc., produced in court for inspection.
• Hearsay Evidence: An out-of-court statement that is offered in court to prove the
truth of the matter it asserts. Hearsay is generally inadmissible unless a recognised
exception applies.
• Original Evidence: An out-of-court statement by a person who is not a testifying
witness, offered to prove that the statement was made rather than that it is true.
• Testimony: Evidence given by a witness who takes an oath in a court of law and
gives their statement in person; an eyewitness account is testimonial evidence.
Whatever its type, the evidence presented should be authentic, accurate, reliable,
and admissible, because it can be challenged in court.

3) Rules of Evidence
Ans:

1. Admissible: Admissible is the most basic rule. The evidence must be able to be
used in court.

2. Authentic: You must be able to show that the evidence relates to the incident in a
relevant way.

3. Complete: It’s not enough to collect evidence that just shows one perspective of
the incident.

4. Reliable: Your evidence collection and analysis procedures must not cast doubt on
the evidence’s authenticity and veracity.

5. Believable: The evidence you present should be clearly understandable and
believable to a jury.
4) Volatile Evidence, General Procedure & Methods of Collection
Ans:
Volatile Evidence
Always try to collect the most volatile evidence first. The order of volatility, from
most to least volatile, is:
1. Registers and cache
2. Routing tables
3. ARP cache
4. Process table
5. Kernel statistics and modules
6. Main memory
7. Temporary file systems
8. Secondary memory (disk)
9. Router configuration
10. Network topology
General Procedure
✔ Identification of Evidence: You must be able to distinguish between evidence and
junk data
✔ Preservation of Evidence: The evidence you find must be preserved as close as
possible to its original state.
✔ Analysis of Evidence: Analysis requires in-depth knowledge of what you are
looking for and how to get it.
✔ Presentation of Evidence: The manner of presentation is important, and it must
be understandable by a layman to be effective.

Methods of Collection
There are two basic forms of collection: freezing the scene and honey-potting.
Freezing the Scene
It involves taking a snapshot of the system in its compromised state. You should then
start to collect whatever data is important onto removable non-volatile media in a
standard format.

Honey-potting
It is the process of creating a replica system and luring the attacker into it for further
monitoring. The placement of misleading information and the attacker’s response to
it is a good method for determining the attacker’s motives.

5) Collection Steps of Evidence


Ans:

1. Find the Evidence: Use a checklist. Not only does it help you to collect evidence,
but it also can be used to double-check that everything you are looking for is there.

2. Find the Relevant Data: Once you’ve found the evidence, you must figure out
what part of it is relevant to the case.

3. Create an Order of Volatility: The order of volatility for your system is a good
guide and ensures that you minimize loss of uncorrupted evidence.

4. Remove external avenues of change: It is essential that you avoid alterations to
the original data.

5. Collect the Evidence: Collect the evidence using the appropriate tools for the job.

6. Document everything: Collection procedures may be questioned later, so it is
important that you document everything you do. Timestamps, digital signatures, and
signed statements are all important.
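The order of volatility and the collection steps above (find, order, collect, document everything with timestamps) can be turned into a repeatable script. The following is an added example written for these notes, not part of the original text: it collects live artefacts most-volatile-first, writes each one to an evidence directory, and records a SHA-256 hash and a UTC timestamp per artefact in a manifest that later serves as the machine-readable part of the evidence notebook. The command list is an assumption (Linux, reading procfs and ps); the collection function takes the capture routine as a parameter so the procedure itself can be exercised on constructed output.

```python
"""Volatile-evidence collector (added example; command list is an assumption).

Gathers live artefacts in order of volatility, stores each under an evidence
directory, and records a SHA-256 hash and UTC timestamp per artefact in a
manifest.json that can later be re-verified."""
import datetime as dt
import hashlib
import json
import os
import subprocess
import sys

# Most volatile first.  Each entry is (artefact name, shell command).
# Assumption: a Linux host with procfs and ps available.
DEFAULT_SOURCES = [
    ("routing_table", "cat /proc/net/route"),
    ("arp_cache", "cat /proc/net/arp"),
    ("process_table", "ps -eo pid,ppid,user,lstart,cmd"),
    ("kernel_modules", "cat /proc/modules"),
    ("memory_summary", "cat /proc/meminfo"),
    ("sockets", "cat /proc/net/tcp /proc/net/udp"),
    ("tmpfs_listing", "ls -laR /tmp /dev/shm"),
]


def run_capture(command: str) -> bytes:
    """Run one collection command; stdout and stderr are kept together so a
    failing command is recorded as such rather than silently skipped."""
    proc = subprocess.run(command, shell=True, capture_output=True, timeout=30)
    return proc.stdout + proc.stderr


def collect(sources, outdir, capture=run_capture):
    """Collect each source in the given order, write it to outdir, and return
    the manifest.  `capture` is injectable so the procedure can be tested on
    constructed data instead of a live host."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for seq, (name, command) in enumerate(sources, start=1):
        collected_at = dt.datetime.now(dt.timezone.utc).isoformat()
        data = capture(command)
        path = os.path.join(outdir, f"{seq:02d}_{name}.txt")
        with open(path, "wb") as fh:
            fh.write(data)
        manifest.append({
            "seq": seq, "artefact": name, "command": command,
            "collected_utc": collected_at, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "file": path,
        })
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(outdir):
    """Re-hash every stored artefact against the manifest.  Returns the names
    of artefacts whose hash no longer matches (an empty list means intact)."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    tampered = []
    for entry in manifest:
        with open(entry["file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                tampered.append(entry["artefact"])
    return tampered


if __name__ == "__main__":
    stamp = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = sys.argv[1] if len(sys.argv) > 1 else "evidence_" + stamp
    for e in collect(DEFAULT_SOURCES, target):
        print(f"{e['seq']:02d} {e['artefact']:16} {e['bytes']:8d} B  {e['sha256']}")
    print("tampered artefacts:", verify_manifest(target))
```

Run it from trusted, read-only media on the compromised host, copy the evidence directory to removable media, and re-run verify_manifest on the copy before it is logged into custody. Registers, cache and a full memory dump are not covered: those need a kernel-level acquisition tool and come before anything this script does.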

6) The chain of custody


Ans:
Chain of Custody
• Chain of custody means documentation that identifies all changes in the control,
handling, custody and ownership of a piece of evidence.
• The gathered evidence should be stored in a tamper-proof manner, meaning that it
cannot be accessed by unauthorized persons; this helps maintain the chain of
custody. For each obtained item a complete chain-of-custody record is kept.
• An organization's best evidence should be stored in a safe room or storage area
that is inaccessible to anyone other than the appointed evidence custodians. This
storage area is also known as an "evidence safe." Access to the evidence safe is
controlled by the evidence custodians.
Chain of Custody Process
1. Data collection: It is the first step in the chain of custody process. It entails the
identification labelling, recording, and acquisition of data from all relevant sources
while maintaining the data and evidence's integrity.
2. Examination: During this step, the chain of custody information is documented, as
well as the forensic procedure that was followed. It's critical to take screenshots
throughout the process to demonstrate the tasks that have been completed and the
evidence that has been discovered.
3. Analysis: The analysis stage works on the output of the examination stage. In the
analysis stage, legally justifiable methods and techniques are used to gather useful
information in order to respond to the questions posed in the case.
4. Reporting: This is the documentation phase for the examination and analysis
stages. The following items are included in reporting:
• A statement about the Chain of Custody.
• The various tools that were used are explained.
• A description of how various data sources were analysed.
• Issues have been identified.
• Vulnerabilities have been discovered.
• Additional forensics measures that can be taken are suggested.
The procedure for establishing the Chain of Custody
A series of steps must be followed in order to ensure the chain of custody's
authenticity. It's worth noting that the more information a forensic expert obtains
about the evidence, the more reliable the chain of custody created becomes.
According to the chain of custody for electronic devices, you should ensure that the
following procedure is followed:
• Save the original files.
• Photograph the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time, and any other information about the evidence's receipt.
• Load a bit-for-bit clone of the digital evidence onto the forensic workstation and
work only on the clone.
• Authenticate the working clone by computing a cryptographic hash of the original
and of the clone and confirming that they match; record both values.
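The last two bullets (clone, then authenticate by hashing) and the requirement that custody records be tamper-proof are shown together in the following added example, which is not part of the original notes. It clones a source file byte for byte while hashing it, re-hashes the written image independently, and keeps a chain-of-custody log in which every record carries the SHA-256 of the previous record, so removing or editing any earlier entry breaks the chain. File names and the JSON-lines log layout are assumptions; on a real case the source would be the original medium opened read-only behind a write blocker.

```python
"""Bit-for-bit clone with hash verification and a tamper-evident
chain-of-custody log (added example; file names and log format assumed)."""
import datetime as dt
import hashlib
import json
import os

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large media
GENESIS = "0" * 64  # "previous hash" of the first custody record


def hash_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def clone_and_verify(source_path, image_path):
    """Copy source to image byte for byte, hashing the source as it is read,
    then re-hash the written image independently.
    Returns (source_sha256, image_matches_source)."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
    digest = src_hash.hexdigest()
    return digest, hash_file(image_path) == digest


def custody_append(log_path, item_id, action, custodian, item_hash, note=""):
    """Append one custody record.  Each record stores the SHA-256 of the
    previous record's line, so the log is a hash chain: any edit to or
    deletion of an earlier record is detectable by custody_verify."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path) as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1].encode()).hexdigest()
    record = {
        "time_utc": dt.datetime.now(dt.timezone.utc).isoformat(),
        "item": item_id, "action": action, "custodian": custodian,
        "item_sha256": item_hash, "note": note, "prev_record_sha256": prev,
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def custody_verify(log_path):
    """Walk the log from the first record.  Returns (True, -1) if every link
    holds, otherwise (False, index of the first record whose link is broken)."""
    with open(log_path) as fh:
        lines = fh.read().splitlines()
    prev = GENESIS
    for index, line in enumerate(lines):
        if json.loads(line)["prev_record_sha256"] != prev:
            return False, index
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True, -1


if __name__ == "__main__":
    # Constructed demo: a fake 'medium' file is imaged and logged into custody.
    with open("exhibit_src.bin", "wb") as fh:
        fh.write(bytes(range(256)) * 4096)
    digest, ok = clone_and_verify("exhibit_src.bin", "exhibit.dd")
    print("image verified:", ok, digest)
    custody_append("custody.jsonl", "HDD-001", "acquired", "A. Examiner", digest)
    custody_append("custody.jsonl", "HDD-001", "transferred to lab", "B. Custodian", digest)
    print("custody chain intact:", custody_verify("custody.jsonl"))
```

Two independent hashes are computed on purpose: the source hash comes from the bytes as they were read, the image hash from the bytes as they landed on disk, so a write error or a short copy shows up as a mismatch rather than being hidden by hashing one buffer twice.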

6) Computer evidence processing steps


Ans:
The following are general computer evidence processing steps:
1. Shut down the computer.
Depending on the operating system, this usually means pulling the plug, or shutting
down a networked computer with the commands the network involved requires. Note
that shutting down destroys volatile evidence (running processes, network state, and
memory contents); where those matter to the case, capture them first, following the
order of volatility described in Unit 4.
2. Document the hardware configuration of the system.
Before dismantling the computer, it is important that pictures are taken of the
computer from all angles to document the system hardware components and how
they are connected.
3. Transport the computer system to a secure location.
A seized computer left unattended can easily be compromised. Don’t leave the
computer unattended unless it is locked up in a secure location.
4. Make bit stream backups of hard disks and floppy disks.
All evidence processing should be done on a restored copy of the bit stream backup
rather than on the original computer. Bit stream backups are much like an insurance
policy and are essential for any serious computer evidence processing.
5. Mathematically authenticate data on all storage devices.
You want to be able to prove that you did not alter any of the evidence after the
computer came into your possession. Since 1989, law enforcement and military
agencies have used a 32-bit checksum for this; a 32-bit value is far too easy to
collide deliberately, so current practice is to record a cryptographic hash (SHA-256
or stronger) of every original and of every image made from it.
6. Make a list of key search words.
Gathering information from individuals familiar with the case to help compile a list of
relevant keywords is important. Such keywords can be used in the search of all
computer hard disk drives and floppy diskettes using automated soft-ware.
7. Evaluate the Windows swap file.
The Windows swap file is a potentially valuable source of evidence and leads. On older
Windows versions the temporary swap file was deleted at shutdown; on current
versions pagefile.sys persists unless the system is configured to clear it. In either
case its content can be captured from the bit stream backup and evaluated.
8. Evaluate unallocated space (erased files).
Unallocated space should be evaluated for relevant keywords to supplement the
keywords identified in the previous steps.
9. Document file names, dates, and times.
From an evidence standpoint, file names, creation dates, and last modified dates and
times can be relevant.
10. Identify file, program, and storage anomalies.
Encrypted, compressed, and graphics files store data in binary form. As a result, text
data stored in these file formats cannot be found by a text search program. Manual
evaluation of these files (decrypting or decompressing them first) is required.
11. Evaluate program functionality.
Depending on the application software involved, running programs to learn their
purpose may be necessary. When destructive processes that are tied to relevant
evidence are discovered, this can be used to prove wilfulness.
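Steps 6, 8 and 10 above (keyword search, unallocated space, binary formats that defeat a text search), like step 6 of the specialist's procedure in Unit 3, call for a search of the raw image rather than of the file system. The following added example, written for these notes on constructed data and not part of the original text, does that: it scans the whole image so that allocated files, slack and unallocated space are covered in one pass, matches both ASCII and UTF-16LE (the encoding Windows uses for swap, registry and most document text), reports the byte offset and sector of each hit, and then carves zlib-compressed regions and searches them after inflation, since a keyword inside compressed data is invisible to the raw search. The 512-byte sector size and the zlib header list are assumptions.

```python
"""Keyword search over a raw disk image (added example; constructed data).

Searches the entire image, in ASCII and UTF-16LE, then carves zlib streams
and searches their inflated content separately."""
import re
import zlib

SECTOR = 512                                            # assumption: 512-byte sectors
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")  # common zlib CMF/FLG pairs


def compile_patterns(keywords):
    """One case-insensitive byte pattern per keyword per encoding.  IGNORECASE
    on bytes folds only ASCII letters, which is exactly right for UTF-16LE
    text (letter, NUL, letter, NUL, ...)."""
    pats = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pats.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return pats


def printable(text):
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def keyword_search(data, keywords, context=16):
    """Return hits as dicts with byte offset, sector, encoding, keyword and a
    snippet of surrounding text.  `context` must be even so a UTF-16LE
    window stays aligned on 16-bit code units."""
    if context % 2:
        raise ValueError("context must be even")
    hits = []
    for kw, enc, pat in compile_patterns(keywords):
        for m in pat.finditer(data):
            start = max(0, m.start() - context)
            window = data[start:m.end() + context]
            hits.append({
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "encoding": enc,
                "keyword": kw,
                "snippet": printable(window.decode(enc, errors="replace")),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def carve_zlib_streams(data):
    """Return (offset, inflated bytes) for every position that begins a
    complete zlib stream.  A header match that does not inflate cleanly to
    end-of-stream is a false positive and is dropped."""
    found = []
    for hdr in ZLIB_HEADERS:
        pos = data.find(hdr)
        while pos != -1:
            inflater = zlib.decompressobj()
            try:
                out = inflater.decompress(data[pos:])
                if inflater.eof:
                    found.append((pos, out))
            except zlib.error:
                pass
            pos = data.find(hdr, pos + 1)
    return sorted(found)


def search_image(image, keywords):
    """Raw search first, then a search of each carved compressed region; the
    'via' field records where a hit was found."""
    results = [dict(h, via="raw") for h in keyword_search(image, keywords)]
    for off, inflated in carve_zlib_streams(image):
        for h in keyword_search(inflated, keywords):
            results.append(dict(h, via=f"zlib@{off}"))
    return results


if __name__ == "__main__":
    # Constructed 16 KiB "image": an ASCII hit, a UTF-16LE hit mimicking
    # pagefile content, and a zlib-compressed note that a plain search misses.
    image = bytearray(16 * 1024)
    image[1000:1012] = b"Invoice 2024"
    u16 = "invoice".encode("utf-16-le")
    image[3000:3000 + len(u16)] = u16
    z = zlib.compress(b"secret invoice ledger")
    image[5000:5000 + len(z)] = z
    for h in search_image(bytes(image), ["invoice"]):
        print(f"{h['via']:10} off={h['offset']:6d} sector={h['sector']:3d} "
              f"{h['encoding']:9} {h['snippet']}")
```

On a real image the offsets are what you carry forward: sector number and offset let the hit be tied back to an allocated file, file slack or unallocated space with the file-system metadata, and they go into the notebook alongside the keyword list from step 6.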

7) Legal Aspects of collecting Computer Forensic Evidence


Ans:
Legal Requirements
• When evidence is collected, certain legal requirements must be met. These legal
requirements are vast, complex, and vary from country to country.
• One practical requirement is a logon warning banner that establishes consent to
monitoring. A typical banner reads as follows:
"This system is for the use of authorized users only. Individuals using this computer
system without authority, or in excess of their authority, are subject to having all
of their activities on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this system, or in the
course of system maintenance, the activities of authorized users may also be
monitored.
Anyone using this system expressly consents to such monitoring and is advised
that if such monitoring reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring to law enforcement
officials."
• The legality of workplace monitoring depends primarily on whether employment
policies exist that authorize monitoring and whether that policy has been clearly
communicated to employees.
• To prove that the policy has been communicated, employees should sign a
statement indicating that they have read, understood, and agreed to comply with
corporate policy and consent to system monitoring.

Evidence Collection Procedure


When the time arrives to begin collecting evidence, the first rule that must be
followed is
✔ Do not rush.
The investigation team will need a copy of their incident-handling procedure, an
evidence collection notebook, and evidence identification tags.
They may also need to bring tools to produce reliable copies of electronic evidence,
including media to use in the copying process.
✔ The Incident Coordinator
Policy and procedure should indicate who is to act as incident coordinator.
The incident coordinator
• will contact the other members of the response team when an incident is reported.
• will be responsible for ensuring that every detail of the incident-handling
procedure is followed, upon arrival at the incident site.
• will assign team members the various tasks outlined in the incident-handling
procedure.
• Ultimate responsibility for ensuring that evidence is properly collected and
preserved, and that the chain of custody is properly maintained, belongs to the
incident coordinator.
✔ The Evidence Notebook
One team member will be assigned the task of maintaining the evidence notebook.
This person will record the who, what, where, when, and how of the investigation
process. This notebook is a crucial element in maintaining chain of custody, so it
must be as detailed as possible. At a minimum, the items recorded in the notebook
include the following:
a) Who initially reported the suspected incident along with time, date, and
circumstances surrounding the suspected incident?
b) Details of the initial assessment leading to the formal investigation.
c) Names of all persons conducting the investigation.
d) The case number of the incident.
e) Reasons for the investigation.
f) A list of all computer systems included in the investigation, along with complete
system specifications. Also include identification tag numbers assigned to the
systems or individual parts of the system.
g) Network diagrams.
h) Applications running on the computer systems previously listed.
i) A copy of the policy or policies that relate to accessing and using the systems
previously listed.
j) A list of administrators responsible for the routine maintenance of the system.
k) A detailed list of steps used in collecting and analysing evidence.
l) An access control list of who had access to the collected evidence at what date and
time.
✔ Evidence Collection
• Another team member will be assigned the task of evidence collection.
• To avoid confusion, the number of people assigned this task should be kept to a
minimum.
• This member should also be highly proficient with copying and analysis tools.
• This person will tag all evidence and work with the person responsible for the
evidence notebook to ensure that this information is properly recorded.
• Next, the person will also be responsible for making a reliable copy of all data to
be used as evidence.
• This can be done on-site or the entire system can be moved to a forensics lab, as
needs dictate.
• A binary copy of the data is the proper way to preserve evidence.
• A reliable copy process has some critical characteristics.
o The process must meet industry standards for quality and reliability.
o The copies must be capable of independent verification.
o The copies must be tamperproof.
• Once all evidence is collected and logged, it can be securely transported to the
forensics lab.

✔ Storage and Analysis of Data


• The lab must provide some form of access control; a log should be kept detailing
entrance and exit times of all individuals.
• It is important that evidence never be left in an unsecured area.
• If a defense lawyer can show that unauthorized persons had access to the
evidence, it could easily be declared inadmissible.
• As analysis of evidence is performed, investigators must log the details of their
actions in the evidence notebook. The following should be included at a minimum:
o The date and time of analysis
o Tools used in performing the analysis
o Detailed methodology of the analysis
o Results of the analysis.
• Finally, once all evidence has been analysed and all results have been recorded in
the evidence notebook, a copy of the notebook should be made and given to the
legal team.
• If the legal team finds that sufficient evidence exists to take legal action, it will be
important to maintain the chain of custody until the evidence is handed over to
the proper legal authorities.

8) Computer image verification & authentication


Ans:

✔ DIGITAL IDS AND AUTHENTICATION TECHNOLOGY


• Without an assurance of the software’s integrity, and without knowing who
published the software, it’s difficult for customers to know how much to trust
software.
• For example (when using Microsoft Authenticode coupled with Digital IDs™ from
VeriSign®), through the use of digital signatures, software developers are able to
include information about themselves and their code with their programs.
• When customers download software signed with Authenticode and verified by
VeriSign, they should be assured of content source, indicating that the software
really comes from the publisher who signed it, and content integrity, indicating
that the software has not been altered or corrupted since it was signed.

✔ Authenticode
• Microsoft Authenticode allows developers to include information about
themselves and their code with their programs through the use of digital
signatures.
• The user is alerted through Authenticode:
1. of the true identity of the publisher.
2. of a place to find out more about the control.
3. The authenticity of the previous information.
• Users can choose to trust all subsequent downloads of software from the same
publisher and all software published by commercial publishers that has been
verified by VeriSign.

✔ Public Key Cryptography
• In public key cryptographic systems, every entity has two complementary keys (a
public key and private key) that function only when they are held together.
• Public keys are widely distributed to users, whereas private keys are kept safe and
only used by their owner.
• Any code digitally signed with the publisher’s private key can only be successfully
verified using the complementary public key.
• Code that is successfully verified with the publisher’s public key can only have
been digitally signed with the publisher’s private key, and has not been tampered
with since it was signed.
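The sign-then-verify sequence the bullets above describe, as an added example that is not part of the original notes and not Authenticode's own code: it uses Go's standard-library Ed25519 signatures instead of Authenticode's RSA/PKCS#7 format, and the package layout, publisher name and program bytes are constructed for the demonstration. A valid signature under the publisher's public key proves both content source and content integrity; one altered bit, or a different publisher's key, makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage is a constructed stand-in for a signed download: the code,
// the publisher's name, and the publisher's signature over both. (Hypothetical
// layout; real Authenticode wraps this in a PKCS#7 structure.)
type SignedPackage struct {
	Publisher string
	Code      []byte
	Signature []byte
}

// digest binds the publisher name to the code, so a valid signature cannot be
// copied from one publisher's package onto another's.
func digest(publisher string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(publisher))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(code)
	return h.Sum(nil)
}

// Sign is the publisher's step, done with the private key it keeps secret.
func Sign(priv ed25519.PrivateKey, publisher string, code []byte) SignedPackage {
	return SignedPackage{
		Publisher: publisher,
		Code:      code,
		Signature: ed25519.Sign(priv, digest(publisher, code)),
	}
}

// Verify is the customer's step, done with the publisher's public key. A
// valid signature establishes content source and content integrity together.
func Verify(pub ed25519.PublicKey, p SignedPackage) bool {
	return ed25519.Verify(pub, digest(p.Publisher, p.Code), p.Signature)
}

// Demo returns the verification result for a genuine package, for the same
// package with one bit of code altered after signing, and for the genuine
// package checked against a different publisher's public key.
func Demo() (genuine, tampered, wrongKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	pkg := Sign(priv, "Example Software Inc. (constructed)", []byte("MZ constructed program bytes"))
	genuine = Verify(pub, pkg)

	altered := pkg
	altered.Code = append([]byte(nil), pkg.Code...)
	altered.Code[5] ^= 0x01 // a single bit changed after signing
	tampered = Verify(pub, altered)

	wrongKey = Verify(otherPub, pkg)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrong key=%v\n", g, t, w)
}
```

The digest covers the publisher name as well as the code, which is the point of a Digital ID: the signature is only meaningful once the public key is reliably linked to a named owner.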

✔ Digital ID
• A Digital ID/Certificate is a form of electronic credentials for the Internet.
• A Digital ID is issued by a trusted third party to establish the identity of the ID
holder.
• The third party who issues certificates is known as a Certificate Authority (CA).
• Digital ID technology is based on the theory of public key cryptography.
• The purpose of a Digital ID is to reliably link a public/private key pair with its
owner.
• When a CA such as VeriSign issues a Digital ID, it verifies that the owner is not
claiming a false identity.
• When a CA issues you a digital certificate, it puts its name behind the statement
that you are the rightful owner of your public/private key pair.

9) Practical Consideration and Implementation of Digital Verification and
Authentication.
Ans:
✔ Practical Consideration
• It is useful to present some fundamental requirements of a forensic data
collection system before considering how these can be securely protected:
1. Forensic data collection should be complete and non-software specific, thus
avoiding software traps and hidden partitioning.
2. In operation, it should be as quick and as simple as possible to avoid error or delay.
3. It should be possible for anyone to use a forensic data collection system with the
minimum amount of training.
4. Necessary costs and resources should be kept to a minimum.
• To meet the conditions specified in items 2, 3, and 4, the digital integrity
verification and authentication protocol must be tailored to suit.
• Only investigators issued with a valid digital signature would be able to complete
copies.
✔ Practical Implementation
• A minimum amount of reliance is placed on the technical ability of the
operator/investigator.
• It must be understood that during the copying process, procedures are
implemented to trap and handle hardware errors, mapping exceptions where
necessary.
• It must also be understood that procedures are implemented to verify that
information is copied correctly.
• This information is stored on each cartridge within a copy series.
• Also stored on each cartridge is a reference area containing copy-specific
information such as CPU type and speed, hardware equipment indicators, copying
drive serial number, etc.
• The cartridge is divided into blocks of an arbitrarily chosen size. Blocks may contain
reference, ROM, CMOS, or disk data depending on their location on the cartridge.
Each cartridge contains the information copied from the suspect drive on a
sector-by-sector basis.
UNIT 5
1) Determine what data to collect & analyse
Ans:
1. For target drives, use only recently wiped media that have been reformatted and
inspected for computer viruses.
2. Inventory the hardware on the suspect’s computer and note the condition of the
computer when seized.
3. Document all physical hardware components as part of your evidence acquisition
process.
4. For static acquisitions, remove the original drive from the computer, if practical,
and then check the date and time values in the system’s CMOS.
5. Record how you acquired data from the suspect drive, and note the tool you used.
The tool you use should also create a hash for validating the image.
6. When examining the image of the drive’s contents, process the data methodically
and logically.
7. List all folders and files on the image or drive. Note where specific evidence is
found, and indicate how it’s related to the investigation.
8. If possible, examine the contents of all data files in all folders, starting at the root
directory of the volume partition.
9. For all password-protected files that might be related to the investigation, make
your best effort to recover file contents. You can use password recovery tools for this
purpose, such as Access Data Password Recovery Toolkit (PRTK).
10. Identify the function of every executable (binary or .exe) file that doesn’t match
known hash values. Make note of any system files or folders, such as the System32
folder or its content, that are out of place.
2) Validating Forensic Data
Ans:
• Validating digital evidence is one of the most important components of computer
forensics, since it is necessary to ensure the integrity of the data you gather in
order to present evidence in court. Forensic hashing methods are used to validate
acquired images before further analysis.
• Automated hashing of image files is offered by most computer forensics
products, including ProDiscover, X-Ways Forensics, FTK, and EnCase.
• For instance, ProDiscover computes a hash when it imports an image file and
compares the result to the hash that was created when the image was originally
acquired.
• You might recall seeing this function in the Auto Image Checksum Verification
dialog box that appears when you load an image file in ProDiscover.
• To maintain data integrity, it is vital to know how to use advanced
hexadecimal editors, since computer forensics programmes have some limits
when it comes to hashing.
Using Hexadecimal Editors for Validation:
• Many functions, such as hashing specific files or sectors, that are not available in
computer forensics tools are available in advanced hexadecimal editors.
• It’s crucial to learn how to utilise these tools, especially when you need to locate a
specific file, like a known illicit photograph.
• Once you have the file’s hash value, you may use a computer forensics programme
to search for a suspicious file whose name may have been altered to make it look
like a harmless file.
• Even though they have different names, two files with exactly the same content will
have the same hash value.
• A fully functional hexadecimal editor can obtain a hash value far more quickly and
easily than a computer forensics programme can.
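The image-verification step that ProDiscover automates, together with the per-cartridge copy-verification data described under Practical Implementation in Unit 3, as one added example that is not the notes' or any tool's own code: an acquisition-time manifest holding a whole-image SHA-256 plus one hash per 512-byte block, so that a later mismatch can be localised to the blocks that changed rather than just reported as "image altered". HashRange hashes an arbitrary run of sectors with MD5, as a hex editor lets an examiner do. The image contents, block size and manifest format are constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const blockSize = 512 // one "sector" per block (constructed choice)

// Manifest is what the acquisition tool would write next to the image
// (hypothetical format): one hash for the whole image and one per block.
type Manifest struct {
	Whole  string   // SHA-256 of the entire image
	Blocks []string // SHA-256 of each block, in order
}

func wholeHash(img []byte) string {
	s := sha256.Sum256(img)
	return hex.EncodeToString(s[:])
}

// HashRange hashes an arbitrary byte range with MD5, which is what a hex
// editor lets an examiner do for a chosen run of sectors or a carved file.
func HashRange(img []byte, start, length int) string {
	s := md5.Sum(img[start : start+length])
	return hex.EncodeToString(s[:])
}

// BuildManifest runs once, at acquisition time.
func BuildManifest(img []byte) Manifest {
	m := Manifest{Whole: wholeHash(img)}
	for off := 0; off < len(img); off += blockSize {
		end := off + blockSize
		if end > len(img) {
			end = len(img)
		}
		s := sha256.Sum256(img[off:end])
		m.Blocks = append(m.Blocks, hex.EncodeToString(s[:]))
	}
	return m
}

// VerifyImage runs before every analysis session. It reports whether the
// whole-image hash still matches and, if not, which blocks differ, so the
// examiner can tell a few damaged sectors from a substituted image.
func VerifyImage(img []byte, m Manifest) (ok bool, badBlocks []int) {
	if wholeHash(img) == m.Whole {
		return true, nil
	}
	fresh := BuildManifest(img)
	for i := range m.Blocks {
		if i >= len(fresh.Blocks) || fresh.Blocks[i] != m.Blocks[i] {
			badBlocks = append(badBlocks, i)
		}
	}
	return false, badBlocks
}

// constructedImage is a four-block stand-in for an acquired drive image.
func constructedImage() []byte {
	img := bytes.Repeat([]byte{0}, 4*blockSize)
	copy(img, "BOOT SECTOR (constructed)")
	copy(img[blockSize:], "FILE A: quarterly report (constructed)")
	copy(img[2*blockSize:], "FILE B: deleted but still present (constructed)")
	return img
}

func main() {
	img := constructedImage()
	m := BuildManifest(img)
	ok, _ := VerifyImage(img, m)
	fmt.Println("pristine image verifies:", ok)

	img[2*blockSize+10] ^= 0xFF // one byte of block 2 damaged in storage
	ok, bad := VerifyImage(img, m)
	fmt.Println("after damage verifies:", ok, "changed blocks:", bad)
	fmt.Println("MD5 of FILE A's sector:", HashRange(img, blockSize, blockSize))
}
```

The whole-image hash is the value that goes into the evidence notebook; the per-block hashes are what lets the examiner say in a report which sectors no longer match the acquisition, instead of only that something changed.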

3) Data hiding Techniques
Ans:
Data hiding involves changing or manipulating a file to conceal information. Data-
hiding techniques include changing file extensions, setting file attributes to hidden,
bit-shifting, using encryption, etc. Some of these techniques are discussed in the
following sections.
1) Hiding Partitions
• One way to hide partitions is to create a partition and then use a disk editor, such
as Norton Disk Edit, to delete any reference to it manually.
• To access the deleted partition, users can edit the partition table to re-create the
links, and then the hidden partition re-appears when the computer is restarted.
• Another way to hide partitions is with a disk-partitioning utility, such as GDisk,
Partition Magic, System Commander, or the Linux Grand Unified Bootloader (GRUB),
which provides a start-up menu where you can select an OS. The system then
ignores other bootable partitions.
2) Marking Bad Clusters
• Another data-hiding technique, more common in FAT file systems, is placing
sensitive or incriminating data in free or slack space on disk partition clusters.
• This technique involves using a disk editor, such as Norton Disk Edit, to mark good
clusters as bad clusters. The OS then considers these clusters unusable.
• The only way they can be accessed from the OS is by changing them to good
clusters with a disk editor.
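A check an examiner can run for the marked-bad-cluster trick above, as an added example that is not from the original notes: it reads a FAT16 allocation table and flags bad-marked clusters that still hold non-blank data. A sector the controller genuinely cannot read rarely yields clean structured content, so a readable "bad" cluster is worth a manual look. The volume layout, cluster numbers and contents are constructed for the demonstration; the code decodes only the free, bad and end-of-chain FAT16 values it needs.

```go
package main

import (
	"bytes"
	"fmt"
)

// FAT16 entry values this example decodes (real encoding, constructed volume).
const (
	fatFree = 0x0000
	fatBad  = 0xFFF7 // cluster marked bad: never allocated, never read by the OS
	fatEOC  = 0xFFF8 // 0xFFF8..0xFFFF: last cluster of a file chain
)

// Finding is one bad-marked cluster that still holds non-blank data.
type Finding struct {
	Cluster int
	Preview string // printable prefix of the cluster, for the report
}

// SuspiciousBadClusters walks a FAT16 table (one entry per cluster, index =
// cluster number, entries 0 and 1 reserved) and returns every cluster marked
// bad whose contents are not blank.
func SuspiciousBadClusters(fat []uint16, clusters [][]byte) []Finding {
	var out []Finding
	for n := 2; n < len(fat); n++ {
		if fat[n] != fatBad || isBlank(clusters[n]) {
			continue
		}
		out = append(out, Finding{Cluster: n, Preview: preview(clusters[n])})
	}
	return out
}

// isBlank treats all-0x00 and all-0xFF clusters as blank; both are what a
// wiped or never-written cluster looks like.
func isBlank(b []byte) bool {
	return bytes.Count(b, []byte{0x00}) == len(b) || bytes.Count(b, []byte{0xFF}) == len(b)
}

func preview(b []byte) string {
	end := len(b)
	if i := bytes.IndexByte(b, 0); i >= 0 {
		end = i
	}
	if end > 32 {
		end = 32
	}
	return string(b[:end])
}

// constructedVolume builds a 12-cluster FAT16 layout for the demonstration:
// a normal three-cluster file, two bad-marked clusters that hide text, and
// one bad-marked cluster that is genuinely blank.
func constructedVolume() ([]uint16, [][]byte) {
	const clusterSize = 64
	fat := make([]uint16, 12)
	clusters := make([][]byte, 12)
	for n := 2; n < 12; n++ {
		clusters[n] = make([]byte, clusterSize)
	}
	fat[2], fat[3], fat[4] = 3, 4, fatEOC // README.TXT occupies clusters 2-4
	copy(clusters[2], "README.TXT part 1 (constructed)")
	copy(clusters[3], "README.TXT part 2")
	copy(clusters[4], "README.TXT part 3")
	fat[7], fat[8] = fatBad, fatBad // marked bad by hand, but holding data
	copy(clusters[7], "LEDGER (constructed): account 00123 ...")
	copy(clusters[8], "... transfers continued")
	fat[10] = fatBad // marked bad and blank: no finding
	return fat, clusters
}

func main() {
	for _, f := range SuspiciousBadClusters(constructedVolume()) {
		fmt.Printf("cluster %d marked bad but holds data: %q\n", f.Cluster, f.Preview)
	}
}
```

On a real volume the table and data region would be read from the image at the offsets given by the boot sector; the decision logic is the same.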
3) Bit-Shifting
• Some home computer users developed the skill of programming in the computer
manufacturer’s assembly language and learned how to create a low-level
encryption program that changes the order of binary data, making the altered
data unreadable when accessed with a text editor or word processor.
• These programs rearrange bits for each byte in a file. To secure a file containing
sensitive or incriminating information, these users run an assembler program (also
called a macro) on the file to scramble the bits.
• To access the file, they run another program that restores the scrambled bits to
their original order.
• Typically, antivirus tools run hashes on potential malware files, but some
advanced malware uses bit-shifting as a way to hide its malicious code from
antivirus tools.
• With the bit-shifting functions in Hex Workshop, however, you can inspect
potential malicious code manually.
• In addition, some malware that attacks Microsoft Office files consists of
executable code that’s embedded at the end of document files, such as Word
documents, and hidden with bit-shifting.
• When an Office document is opened, the malware reverses the bit-shifting on the
executable code and then runs it.
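How the bit-shifting described above works, and how an examiner can undo it without knowing the scrambler, as an added example that is not from the original notes and not Hex Workshop's code: every byte is rotated by the same amount, so trying the seven non-trivial rotations and looking for a known marker (here the DOS-stub string that Windows executables carry) recovers the hidden code. The document text, the stub and the rotation amount are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"math/bits"
)

// rotateBytes rotates every byte left by n bits. A scrambler that rotates by n
// is undone by rotating by 8-n, which is all the "restore" program in the
// scheme above has to do.
func rotateBytes(data []byte, n int) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = bits.RotateLeft8(b, n)
	}
	return out
}

// marker is a string every Windows executable carries in its DOS stub. It is
// long enough that a chance match under one of seven rotations is negligible;
// the two-byte "MZ" header alone would give false positives.
var marker = []byte("This program cannot be run in DOS mode")

// FindShiftedPayload tries the seven non-trivial rotations of the suspect bytes
// and reports the first rotation under which the marker appears, and where.
// The examiner needs no knowledge of the scrambler: the key space is seven.
func FindShiftedPayload(data []byte) (shift, offset int, found bool) {
	for n := 1; n < 8; n++ {
		if i := bytes.Index(rotateBytes(data, n), marker); i >= 0 {
			return n, i, true
		}
	}
	return 0, -1, false
}

// constructedSample builds a document whose tail carries an executable stub
// scrambled with a rotation of 3, the layout the passage describes. Document
// text, stub and rotation amount are all constructed for the demonstration.
func constructedSample() (data []byte, payloadOffset int) {
	doc := []byte("Quarterly report (constructed). Revenue grew 4%.\n")
	stub := []byte("MZ\x90\x00This program cannot be run in DOS mode.")
	return append(doc, rotateBytes(stub, 3)...), len(doc)
}

func main() {
	data, off := constructedSample()
	shift, pos, found := FindShiftedPayload(data)
	fmt.Printf("marker found=%v rotation=%d offset=%d (payload starts at %d)\n",
		found, shift, pos, off)
	if found {
		restored := rotateBytes(data[off:], shift)
		fmt.Printf("restored stub header: %q\n", restored[:4])
	}
}
```

The same search generalises to other markers (file signatures, known strings from a malware family); what makes it cheap is that a per-byte rotation has only seven possible keys.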

4) Performing Remote Acquisitions
Ans:
• Remote acquisitions are handy when you need to image the drive of a computer
far away from your location or when you don’t want a suspect to be aware of an
ongoing investigation.
• Many tools are available for remote acquisitions; in the following sections, you
use Runtime Software to learn how remote acquisitions are made.
• Runtime Software offers the following shareware programs for remote
acquisitions:
o Disk Explorer for FAT
o Disk Explorer for NTFS
o HDHOST
• Remember that they’re designed to be file system specific, so there are Disk
Explorer versions for both FAT and NTFS that you can use to create raw format
image files or segmented image files for archiving purposes.
• HDHOST is a remote access program for communication between two computers.
The connection is established by using the Disk Explorer program (FAT or NTFS)
corresponding to the suspect (remote) computer’s file system.
• To use these tools, it’s best to have computers connected on the same local hub
or router with minimal network traffic.
5) Network Forensic
Ans:
Network Forensics Overview
• Network forensics is the process of collecting and analysing raw network data and
tracking network traffic systematically to ascertain how an attack was carried out
or how an event occurred on a network.
• Because network attacks are on the rise, there’s more focus on this field and an
increasing demand for skilled technicians.
• Network forensics can also help you determine whether a network is truly under
attack or a user has inadvertently installed an untested patch or custom program.
• Network forensics examiners must establish standard procedures for how to
acquire data after an attack or intrusion incident.
Securing a Network
• Network forensics is used to determine how a security breach occurred; however,
steps must be taken to harden networks before a security breach happens.
• Hardening includes a range of tasks, from applying the latest patches to using a
layered network defence strategy, which sets up layers of protection to hide the
most valuable data at the innermost part of the network.
• It also ensures that the deeper into the network an attacker gets, the more
difficult access becomes and the more safeguards are in place.
• The National Security Agency (NSA) developed a similar approach, called the
defense in depth (DiD) strategy. DiD has three modes of protection:
o People
o Technology
o Operations
• If one mode of protection fails, the others can be used to thwart the attack.
• The technology mode includes choosing strong network architecture and using
tested tools, such as intrusion detection systems (IDSs) and firewalls.
• Regular penetration testing coupled with risk assessment can help improve
network security, too.
6) Performing Live Acquisitions
Ans:
Performing Live Acquisitions
The following steps show the general procedure for a live acquisition:
• Create or download a bootable forensic CD, and test it before using it on a suspect
drive. If the suspect system is on your network and you can access it remotely,
add the appropriate network forensics tools to your workstation. If not, insert the
bootable forensics CD in the suspect system.
• Make sure you keep a log of all your actions; documenting your actions and
reasons for these actions is critical.
• A network drive is ideal as a place to send the information you collect. If you don’t
have one available, connect a USB thumb drive to the suspect system for
collecting data.
• Next, copy the physical memory (RAM). Microsoft has built-in tools for this task,
or you can use available freeware tools, such as memfetch and BackTrack.
• The next step varies, depending on the incident you’re investigating. With an
intrusion, for example, you might want to see whether a rootkit is present by
using a tool such as RootkitRevealer.
• You can also access the system’s firmware to see whether it has changed, create
an image of the drive over the network, or shut the system down and make a
static acquisition later.
• Be sure to get a forensically sound digital hash value of all files you recover during
the live acquisition to make sure they aren’t altered later.
7) Developing Standard Procedures for Network
Ans:
Developing Standard Procedures for Network Forensics
A standard procedure often used in network forensics is as follows:
• Always use a standard installation image for systems on a network. This image
isn’t a bit-stream image but an image containing all the standard applications
used.
• When an intrusion incident happens, make sure the vulnerability has been fixed to
prevent other attacks from taking advantage of the opening.
• Attempt to retrieve all volatile data, such as RAM and running processes, by doing
a live acquisition before turning the system off.
• Acquire the compromised drive and make a forensic image of it.
• Compare files on the forensic image to the original installation image.
• Compare hash values of common files, such as Win.exe and standard DLLs, and
ascertain whether they have changed.
• In computer forensics, you can work from the image to find most of the deleted or
hidden files and partitions. Sometimes you restore the image to a physical drive so
that you can run programs on the drive.
• In network forensics, you have to restore the drive to see how malware that
attackers have installed on the system works. For example, intruders might have
transmitted a Trojan program that gives them access to the system and then
installed a rootkit.
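Step 10 of "Determine what data to collect" (executables that don't match known hash values) and the "Compare hash values of common files" step above come down to the same check, so one added example covers both; it is not code from the original notes. It hashes every file under a clean installation image and under the suspect image, then reports changed, added and missing paths. The directory trees, file names and contents are constructed in temporary directories for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Diff is the examiner's result: files whose hash differs from the clean
// installation image, files present only on the suspect system, and files
// the suspect system no longer has.
type Diff struct {
	Changed, Added, Missing []string
}

// hashTree maps every regular file under root (slash-separated relative
// path) to its SHA-256 digest.
func hashTree(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		out[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return out, err
}

// Compare hashes both trees and reports every difference, sorted so the
// report is stable from run to run.
func Compare(baseline, suspect string) (Diff, error) {
	var d Diff
	base, err := hashTree(baseline)
	if err != nil {
		return d, err
	}
	sus, err := hashTree(suspect)
	if err != nil {
		return d, err
	}
	for p, h := range base {
		if sh, ok := sus[p]; !ok {
			d.Missing = append(d.Missing, p)
		} else if sh != h {
			d.Changed = append(d.Changed, p)
		}
	}
	for p := range sus {
		if _, ok := base[p]; !ok {
			d.Added = append(d.Added, p)
		}
	}
	sort.Strings(d.Changed)
	sort.Strings(d.Added)
	sort.Strings(d.Missing)
	return d, nil
}

// constructedTrees writes a tiny "installation image" and "suspect image" to
// temporary directories (all paths and contents constructed): one system DLL
// is patched, win.ini is gone, and an unknown executable was dropped. The
// caller removes both directories when done.
func constructedTrees() (baseline, suspect string, err error) {
	if baseline, err = os.MkdirTemp("", "baseline"); err != nil {
		return
	}
	if suspect, err = os.MkdirTemp("", "suspect"); err != nil {
		return
	}
	files := []struct{ root, rel, content string }{
		{baseline, "Windows/System32/kernel32.dll", "constructed clean DLL bytes"},
		{baseline, "Windows/System32/ntdll.dll", "constructed clean DLL bytes"},
		{baseline, "Windows/win.ini", "[fonts]\n"},
		{suspect, "Windows/System32/kernel32.dll", "constructed clean DLL bytes"},  // unchanged
		{suspect, "Windows/System32/ntdll.dll", "constructed DLL + injected stub"}, // patched
		{suspect, "Windows/Temp/update.exe", "constructed dropper"},                // new
	}
	for _, f := range files {
		p := filepath.Join(f.root, filepath.FromSlash(f.rel))
		if err = os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return
		}
		if err = os.WriteFile(p, []byte(f.content), 0o644); err != nil {
			return
		}
	}
	return
}

func main() {
	baseline, suspect, err := constructedTrees()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(baseline)
	defer os.RemoveAll(suspect)
	d, err := Compare(baseline, suspect)
	if err != nil {
		panic(err)
	}
	fmt.Printf("changed: %v\nadded:   %v\nmissing: %v\n", d.Changed, d.Added, d.Missing)
}
```

In practice the baseline map would be loaded from a hash set built when the standard image was created, rather than recomputed from a live tree; the comparison is identical.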

8) Network Forensic Tools
Ans:
• A variety of tools are available for network administrators to perform remote
shutdowns, monitor device use, and more.
• The tools are freeware and work in Windows and UNIX.
• Sysinternals is a collection of free tools for examining Windows products. They
were created by Microsoft.
• The following list describes a few examples of the powerful Windows tools
available at Sysinternals:
o RegMon: shows all Registry data in real time.
o Process Explorer: shows what files, Registry keys, and dynamic link libraries
(DLLs) are loaded at a specific time.
o Handle: shows what files are open and which processes are using these files.
o Filemon: shows file system activity.
• Far too many tools are available to list. One in particular that’s worth investigating
is PsTools, a suite created by Sysinternals that includes the following tools:
o PsExec—Runs processes remotely
o PsList—Lists detailed information about processes
o PsLoggedOn—Displays who’s logged on locally
o PsPasswd—Allows you to change account passwords
o PsService—Enables you to view and control services
o PsShutdown—Shuts down and optionally restarts a computer
9) Collecting Evidence in Private-Sector Incident Scenes
Ans:
• Private-sector organizations include businesses and government agencies that
aren’t involved in law enforcement.
• In the United States, these agencies must comply with state public disclosure and
federal Freedom of Information Act (FOIA) laws and make certain documents
available as public records.
• State public disclosure laws define state public records as open and available for
inspection. For example, divorces recorded in a public office, such as a
courthouse, become matter of public record unless a judge orders the documents
sealed.
• State public disclosure laws apply to state records, but the FOIA allows citizens to
request copies of public documents created by federal agencies.
• A special category of private-sector businesses includes ISPs and other
communication companies.
• ISPs can investigate computer abuse committed by their employees, but not by
customers.
• ISPs must preserve customer privacy, especially when dealing with e-mail.
However, federal regulations related to the Homeland Security Act and the Patriot
Act of 2001 have redefined how ISPs and large corporate Internet users operate
and maintain their records.
• ISPs and other communication companies now can investigate customers’
activities that are deemed to create an emergency situation.
• An emergency situation under the Patriot Act is the immediate risk of death or
personal injury, such as finding a bomb threat in an e-mail message.

9) Processing Law Enforcement Crime Scenes
Ans:
• To process a crime scene properly, you must be familiar with criminal rules of
search and seizure. You should also understand how a search warrant works and
what to do when you process one.
• For all criminal investigations in the United States, the Fourth Amendment limits
how governments search and seize evidence.
• A law enforcement officer can search for and seize criminal evidence only with
probable cause.
• Probable cause refers to the standard specifying whether a police officer has the
right to make an arrest, conduct a personal or property search, or obtain a
warrant for arrest.
• With probable cause, a police officer can obtain a search warrant from a judge
that authorizes a search and the seizure of specific evidence related to the
criminal complaint.
• Although several court cases have allowed latitude when searching and seizing
computer evidence, making your warrant as specific as possible to avoid
challenges from defense attorneys is a good practice.
• Often a warrant is written and issued in haste because of the nature of the
investigation.
• Law enforcement officers might not have the time to research the correct
language for stating the nature of the complaint to meet probable cause
requirements.
• However, because a judge can exclude evidence obtained from a poorly worded
warrant, you should review these issues with your local prosecutor before
investigating a case.

10) Securing a Computer Incident or Crime Scene
Ans:
• Investigators secure an incident or crime scene to preserve the evidence and to
keep information about the incident or crime confidential.
• Information made public could jeopardize the investigation. If you’re in charge of
securing a computer incident or crime scene, use yellow barrier tape to prevent
bystanders from accidentally entering the scene.
• Use police officers or security guards to prevent others from entering the scene.
Legal authority for a corporate incident scene includes trespassing violations; for a
crime scene, it includes obstructing justice or failing to comply with a police
officer.
• Access to the scene should be restricted to only those people who have a specific
reason to be there.
• The reason for the standard practice of securing an incident or crime scene is to
expand the area of control beyond the scene’s immediate location.
• In this way, you avoid overlooking an area that might be part of the scene.
Shrinking the scene’s perimeter is easier than expanding it.
• For major crime scenes, computer investigators aren’t usually responsible for
defining a scene’s security perimeter. These cases involve other specialists and
detectives who are collecting physical evidence and recording the scene.
• For incidents primarily involving computers, the computers can be a crime scene
within a crime scene, containing evidence to be processed.

11) Seizing Digital Evidence at the Scene
Ans:
• With proper search warrants, law enforcement can seize all computing systems
and peripherals.
• In corporate investigations, you might have similar authority; however, you might
have the authority only to make an image of the suspect’s drive.
• Depending on company policies, corporate investigators rarely have the authority
to seize all computers and peripherals.
• When seizing computer evidence in criminal investigations, follow the U.S. DOJ
standards for seizing digital data.
• For civil investigations, follow the same rules of evidence as for criminal
investigations. You might be looking for specific evidence, such as a particular
e-mail message or spreadsheet.
• In a criminal matter, investigators seize entire drives to preserve as much
information as possible and ensure that no evidence is overlooked.

12) Storing Digital Evidence
Ans:
• With digital evidence, you need to consider how and on what type of media to
save it and what type of storage device is recommended to secure it.
• The media you use to store digital evidence usually depends on how long you
need to keep it. If you investigate criminal matters, store the evidence as long as
you can.
• The ideal media on which to store digital data are CD-Rs or DVDs. These media
have long lives, but copying data to them takes a long time.
• Older CDs had lives up to five years. Today’s larger drives demand more storage
capacity; 200 GB drives are common, and DVDs can store up to only 17 GB of
data.
• You can also use magnetic tape to preserve evidence data. The 4-mm DAT
magnetic tapes store between 40 and 72 GB or more of data, but like CD-Rs, they
are slow at reading and writing data.
• If you’re using these tapes, test your data by copying the contents from the tape
back to a disk drive. Then verify that the data is good by examining it with your
computer forensics tools or doing an MD5 hash comparison of the original data
set and the newly restored dataset.
• If a 30-year lifespan for data storage is acceptable for your digital evidence, older
DLT magnetic tape cartridge systems are a good choice.
• DLT systems have been used with mainframe computers for several decades and
are reliable data-archiving systems.
• Depending on the size of the DLT cartridge, one cartridge can store up to 80 GB of
data in compressed mode. Speed of data transfer from your hard drive to a DLT
tape is also faster than transferring data to a CD-R or DVD.
• Recently, manufacturers have introduced a high-speed, high-capacity tape
cartridge drive system called Super Digital Linear Tape (Super-DLT or SDLT).
• These systems are specifically designed for large RAID data backups and can store
more than 1 TB of data.
13) Obtaining a Digital Hash & Reviewing a Case
Ans:
Obtaining a Digital Hash
• To verify data integrity, different methods of obtaining a unique identity for file
data have been developed.
• One of the first methods, the Cyclic Redundancy Check (CRC), is a mathematical
algorithm that determines whether a file’s contents have changed.
• CRC, however, is not considered a forensic hashing algorithm.
• The first algorithm for computer forensics use was Message Digest 5 (MD5). Like
CRC, MD5 is a mathematical formula that translates a file into a hexadecimal code
value, or a hash value.
• If a bit or byte in the file changes, it alters the hash value, a unique hexadecimal
value that identifies a file or drive.
• After you process the file, you produce another digital hash. If it’s the same as the
original one, you can verify the integrity of your digital evidence with
mathematical proof that the file didn’t change.
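Why a CRC is "not considered a forensic hashing algorithm", as an added example that is not from the original notes: CRC-32 is only 32 bits wide, so two different inputs with the same checksum turn up by random trial in well under a second, while their MD5 digests differ. (MD5 itself has had practical collision attacks for years, so current practice records SHA-256 alongside or instead of it; the principle that the identifier must be collision-resistant is the same.) The inputs are random 8-byte strings from a seeded generator, constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"math/rand"
)

// Checksums returns the CRC-32 (IEEE) and the MD5 digest of data, the two
// identifiers the passage contrasts.
func Checksums(data []byte) (crc uint32, md5Hex string) {
	return crc32.ChecksumIEEE(data), fmt.Sprintf("%x", md5.Sum(data))
}

// FindCRC32Collision draws random 8-byte inputs from a seeded generator until
// two different inputs share a CRC-32. With only 2^32 possible checksums the
// birthday bound puts the expected effort near 2^16 draws, which is why a CRC
// catches accidental corruption but cannot stand as proof that a file is
// unchanged: different content can carry the same checksum.
func FindCRC32Collision(seed int64) (a, b []byte, draws int) {
	rng := rand.New(rand.NewSource(seed))
	seen := make(map[uint32][]byte)
	buf := make([]byte, 8)
	for draws = 1; ; draws++ {
		binary.BigEndian.PutUint64(buf, rng.Uint64())
		c := crc32.ChecksumIEEE(buf)
		if prev, ok := seen[c]; ok && !bytes.Equal(prev, buf) {
			return prev, append([]byte(nil), buf...), draws
		}
		seen[c] = append([]byte(nil), buf...)
	}
}

func main() {
	a, b, draws := FindCRC32Collision(1)
	ca, ma := Checksums(a)
	cb, mb := Checksums(b)
	fmt.Printf("after %d draws: %x and %x both have CRC-32 %08x\n", draws, a, b, ca)
	fmt.Printf("same CRC: %v, same MD5: %v (%s vs %s)\n", ca == cb, ma == mb, ma, mb)
}
```

The same search against a 128-bit digest would not finish: the birthday bound is 2^64 trials, which is the whole reason a cryptographic hash, and not a checksum, is what the evidence notebook records.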
Reviewing a Case
The following are the general tasks you perform in any computer forensics case:
• Identify the case requirements.
• Plan your investigation.
• Conduct the investigation.
• Complete the case report.
• Critique the case.
UNIT 6
1) Computer Forensic Tools Needs or types of Computer Forensic Tools
Ans:
• Computer forensics tools are divided into two major categories: hardware and
software.
• The following sections outline basic features required and expected of most
computer forensics tools.
• Hardware Forensics Tools range from simple, single purpose components to
complete computer systems and servers.
• Single-purpose components can be devices, such as the ACARD Ultra Wide SCSI-
to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI
cable.
• Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS
Advanced Forensic Workstations, etc.
• Software Forensics Tools are grouped into command-line applications and GUI
applications. Some tools are specialized to perform one task, such as SafeBack, a
command-line disk acquisition tool from New Technologies, Inc. (NTI).
• Other tools are designed to perform many different tasks. For example,
Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase,
and AccessData FTK are GUI tools designed to perform most computer
forensics acquisition and analysis functions.
• Software forensics tools are commonly used to copy data from a suspect’s drive to
an image file. Many GUI acquisition tools can read all structures in an image file as
though the image were the original drive.
Tasks Performed by Computer Forensics Tools
• All computer forensics tools, both hardware and software, perform specific
functions. These functions are grouped into five major categories, each with
subfunctions for further refining data analysis and recovery:
o Acquisition
o Validation and discrimination
o Extraction
o Reconstruction
o Reporting

2) Computer Forensic Software Tools
Ans:
The following are some forensic tools:
1. SANS SIFT
• The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu-based Live CD which
includes all the tools you need to conduct an in-depth forensic or incident
response investigation.
2. CrowdStrike CrowdResponse
• CrowdResponse is a lightweight console application that can be used as part of an
incident response scenario to gather contextual information such as a process list,
scheduled tasks, or ShimCache.
3. Volatility
• Volatility is a memory forensics framework for incident response and malware
analysis that allows you to extract digital artifacts from volatile memory (RAM)
dumps.
4. The Sleuth Kit (+Autopsy)
• The Sleuth Kit is an open source digital forensics toolkit that can be used to
perform in-depth analysis of various file systems. Autopsy is essentially a GUI that
sits on top of The Sleuth Kit.
5. ExifTool
• ExifTool is a command-line application used to read, write or edit file metadata
information. It is fast, powerful and supports a large range of file formats.
• ExifTool can be used for analysing the static properties of suspicious files in a host-
based forensic investigation, for example.
6. Free Hex Editor Neo
• Free Hex Editor Neo is a basic hex editor that was designed to handle very large
files.
7. Bulk Extractor
• bulk_extractor is a computer forensics tool that scans a disk image, file, or
directory of files and extracts information such as credit card numbers, domains,
e-mail addresses, URLs, and ZIP files.
8. LastActivityView
• LastActivityView allows you to view what actions were taken by a user and what
events occurred on the machine.
• Any activities such as running an executable file, opening a file/folder from
Explorer, an application or system crash or a user performing a software
installation will be logged. The information can be exported to a CSV/XML/HTML
file.
9. DSI USB Write Blocker
• DSI USB Write Blocker is a software based write blocker that prevents write access
to USB devices.
• This is important in an investigation to prevent modifying the metadata or
timestamps and invalidating the evidence.
10. FireEye Redline
• Redline offers the ability to perform memory and file analysis of a specific host.
• It collects information about running processes and drivers from memory, and
gathers file system metadata, registry data, event logs, network information, etc
to help build an overall threat assessment profile.
11. Plain Sight
• PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to
perform digital forensic tasks such as viewing internet histories, data carving, USB
device usage information gathering, examining physical memory dumps,
extracting password hashes.

3) Computer Forensic Hardware Tools
Ans:
• Computer forensics uses hardware devices such as cables, adapters, cloning devices,
cell phone devices, portable storage devices, etc. Digital forensics relies
significantly on a variety of gear, including PCs, servers, write blockers, cell phone
kits, cables, and so on.
• To get a better understanding, consider the minimum and recommended system
requirements for AccessData’s Forensic Toolkit (FTK) (as of press time). FTK
from AccessData is made up of four components and/or applications. They are as
follows:
1. Oracle Database
2. FTK Client User Interface (UI)
3. Client-side Processing Engine
4. Distributed Processing Engine
• The minimum and recommended specs will vary depending on the component,
but suffice it to say that there is no such thing as too much RAM or computational
power.
• The minimum and recommended requirements will change depending on which
configuration is used.
• Examiners frequently sift through massive amounts of data. As such, digital
forensics labs need to have the capacity to store voluminous amounts of data.
• The majority of Computers have between 500 GB and 699 GB of hard drive space.
Multi-terabyte drives are also available. With numbers like these and caseloads
ever increasing, it's easy to see that storage is a major concern.

4) Validating & Testing Forensic Software
Ans:
• To make sure the evidence you recover and analyze can be admitted in court, you
must test and validate your software. Below we discuss validation tools available
at the time of this writing and how to develop your own validation protocols.
• The National Institute of Standards and Technology (NIST) publishes articles,
provides tools, and creates procedures for testing and validating computer
forensics software.
• Establish categories for computer forensics tools—Group computer forensics
software according to categories, such as forensics tools designed to retrieve and
trace e-mail.
• Identify computer forensics category requirements—For each category, describe
the technical features or functions a forensics tool must have.
• Develop test assertions—Based on the requirements, create tests that prove or
disprove the tool’s capability to meet the requirements.
• Identify test cases—Find or create types of cases to investigate with the forensics
tool, and identify information to retrieve from a sample drive or other media
• Establish a test method—Considering the tool’s purpose and design, specify how
to test it.
• Report test results—Describe the test results in a report that complies with ISO
17025, which requires accurate, clear, unambiguous, and objective test reports.
• Another standards document, ISO 5725, demands accuracy for all aspects of the
testing process, so results must be repeatable and reproducible.

5) E-Mail Investigation
Ans:
✔ Exploring the Role of E-mail in Investigations
• E-mail evidence has become an important part of many computing investigations,
so computer forensics investigators must know how e-mail is processed to collect
this essential evidence.
• In addition, with the increase in e-mail scams and fraud attempts with phishing or
spoofing, investigators need to know how to examine and interpret the unique
content of e-mail messages.
• As a computing investigator, you might be called on to examine a phishing e-mail
to see whether it’s authentic. Later, in Tracing an E-mail Message, you learn about
resources for looking up e-mail and Web addresses to verify whether they’re
associated with a spoofed message.
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam, which
originated as a chain letter from Nigeria, Africa.
• Unlike newer, more sophisticated phishing e-mail frauds, 419 messages have
certain characteristic ploys and a typical writing style. For example, the sender
asks for access to your bank account so that he can transfer his money to it as a
way to prevent corrupt government officials in his homeland from confiscating it.
• The sender often promises to reward you financially if you make a minor payment
or allow access to your bank account. The messages are usually in uppercase
letters and use poor grammar.

✔ The Roles of the Client and Server in E-mail


• You can send and receive e-mail in two environments: via the Internet or an
intranet (an internal network).
• In both e-mail environments, messages are distributed from a central server to
many connected client computers, a configuration called client/server
architecture.
• The server runs an e-mail server program, such as Microsoft Exchange Server or
Novell GroupWise, to provide e-mail services. Client computers use e-mail
programs (also called e-mail clients) to contact the e-mail server and send and
retrieve e-mail messages.
• Regardless of the OS or e-mail program, users access their e-mail based on
permissions the e-mail server administrator grants. These permissions prevent
users from accessing each other’s e-mail.
• To retrieve messages from the e-mail server, users identify themselves to the
server, as when logging on to the network. Then e-mails are delivered to their
computers.
• E-mail services on both the Internet and an intranet use a client/server
architecture, but they differ in how client accounts are assigned, used, and
managed and in how users access their e-mail.
• Overall, an intranet e-mail system is for the private use of network users, and
Internet e-mail systems are for public use.
✔ Investigating E-mail Crimes and Violations
An e-mail crime investigation involves the following steps:
1. Examine the e-mail
When an e-mail crime comes to light, collect the evidence needed to prove the
crime in a court of law. The primary evidence is the message the victim received.
o First take a forensic image of the victim's machine's hard drive.
o Obtain the victim's machine password (or mailbox password) so that encrypted or
password-protected mail files can be opened.
o Take a printed copy of the offending message, including its full header.
o Examine the IP address of the sender's server.
2. Copy the e-mail message to removable media such as a USB key.
3. Take a printout of the e-mail message by using the print option in the mail
program.
4. View the mail header
o Open the message.
o Right-click the message.
o In the menu that appears, click View full header (the exact wording differs
between mail clients).
o The full header is displayed.
5. Examine the e-mail header
A message consists of a header and a body. The header records where the message
came from and the path it travelled: each mail server that handled it adds a
Received line, and the header also carries the Return-Path (the envelope sender),
the Message-ID, the Date, and the sender and recipient addresses.
6. Examine the attachments
If the message contains attachments, copy each attachment and also print it.
7. Trace the e-mail
The IP address of the originating computer identifies the network (and, through
its owner or ISP, potentially the person) behind the e-mail address used in the
suspected crime. Any of this information may be forged, so validate the evidence
you uncover against independent sources such as the server's own logs.
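The Python script below is an added example, written for these notes and not taken from them or from any tool vendor, that carries out steps 5 and 7 on a raw message: it parses the header with the standard library, walks the Received lines from origin to final delivery, and flags the cheap spoofing indicators an investigator checks first. The message is constructed for the example; every host name, IP address, mailbox and Message-ID in it is made up.

```python
"""Added example (not from the original notes): parse a raw e-mail message and
walk its Received: headers to reconstruct the path it took. The message below
is constructed for this example; hosts, IPs and the Message-ID are made up."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a spoofed "bank" message relayed through two hops.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.victim.example (mx2.victim.example [198.51.100.20])
    by mail.victim.example with ESMTP id ABC123;
    Mon, 04 Mar 2024 09:15:42 +0000
Received: from relay.example.net (relay.example.net [203.0.113.7])
    by mx2.victim.example with ESMTP id XYZ789;
    Mon, 04 Mar 2024 09:15:40 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.example.net with ESMTPA id Q1W2E3;
    Mon, 04 Mar 2024 09:15:37 +0000
Message-ID: <20240304091537.Q1W2E3@relay.example.net>
Date: Mon, 04 Mar 2024 09:15:30 +0000
From: "Example Bank Security" <security@bank.example.com>
Reply-To: <refund-desk@mailer.example.net>
To: victim@victim.example
Subject: Your account has been suspended

Dear customer, please confirm your account details immediately.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_CLAUSE = re.compile(r"^from\s+(\S+)", re.I)
BY_CLAUSE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(raw: str) -> list:
    """Return the Received: hops in delivery order (origin first).

    Each MTA prepends its own Received line, so the header lists the newest
    hop first and the original sending host is the last Received line. Only
    that last hop could have been written by the sender; the lines above it
    were added by servers the investigator can verify independently."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        one_line = " ".join(line.split())      # fold the continuation lines
        ip = IPV4.search(one_line)
        frm = FROM_CLAUSE.search(one_line)
        by = BY_CLAUSE.search(one_line)
        date_str = one_line.rsplit(";", 1)[-1].strip()
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(date_str),
        })
    return hops


def header_findings(raw: str) -> dict:
    """Collect the fields to compare later against server logs, plus simple
    spoofing indicators: envelope sender or Reply-To on a different domain
    than the displayed From, and Received timestamps that run backwards."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    _, from_addr = parseaddr(msg["From"])
    _, return_path = parseaddr(msg["Return-Path"] or "")
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return {
        "message_id": msg["Message-ID"],
        "origin_ip": hops[0]["ip"] if hops else None,
        "first_relay": hops[0]["by"] if hops else None,
        "hops": len(hops),
        "return_path_mismatch": bool(return_path)
            and not return_path.lower().endswith("@" + from_domain),
        "reply_to_mismatch": bool(reply_to)
            and not reply_to.lower().endswith("@" + from_domain),
        "timestamps_monotonic": all(a["time"] <= b["time"]
                                    for a, b in zip(hops, hops[1:])),
    }


if __name__ == "__main__":
    for hop in parse_received(RAW_MESSAGE):
        print(f"{hop['time']:%H:%M:%S}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print(header_findings(RAW_MESSAGE))
```

The origin IP and the first relay are the two facts to take to the next step (the relay's operator or the IP's registrant), while the Message-ID and the timestamp of the hop into the victim's server are what you later match against that server's log. A clean, monotonic chain does not prove the sender's Received line is genuine; it only means nothing above it was tampered with.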
✔ Understanding E-mail Servers
• An e-mail server is loaded with software that uses e-mail protocols for its services
and maintains logs you can examine and use in your investigation.
• To investigate e-mail abuse, you should know how an e-mail server records and
handles the e-mail it receives.
• Some e-mail servers use databases that store users’ e-mails, and others use a flat
file system.
• All e-mail servers can maintain a log of e-mails that are processed.
• Most e-mail administrators log system operations and message traffic to recover
e-mails in case of a disaster.
• However, the e-mail administrator can disable logging or use circular logging,
which overwrites the log file when it reaches a specified size or at the end of a
specified time frame.
• Circular logging saves valuable server space, but you can’t recover a log after it’s
overwritten. For example, on Monday the e-mail server records traffic in the
Mon.log file. For the next six days, the e-mail server uses a log for each day, such
as Tues.log, Wed.log, and so forth. On Sunday at midnight, the e-mail server starts
recording e-mail traffic in Mon.log, overwriting the information logged the
previous Monday.
• The only way to access the log file information is from a backup file, which many
e-mail administrators create before a log file is overwritten.
• E-mail logs generally identify the e-mail messages an account received, the IP
address, the time and date the e-mail server received them, the time and date the
client computer accessed the e-mail, the e-mail contents and any other
information the e-mail administrator wants to track.
• These e-mail logs are usually formatted in plain text and can be read with a basic
text editor, such as Notepad.

✔ Using Specialized E-mail Forensics Tools


• For many e-mail investigations, you can rely on e-mail message files, e-mail
headers, and e-mail server log files.
• However, if you can’t find an e-mail administrator willing to help with the
investigation, or you encounter a highly customized e-mail environment, you can
use data recovery tools and forensics tools designed to recover e-mail files.
• As technology has progressed in e-mail and other services, so have the tools for
recovering information lost or deleted from a hard drive.
• General data recovery and forensics tools, such as ProDiscover Basic and
AccessData FTK, can be used to investigate and recover e-mail files.
• Other tools, such as the ones in the following list, are specifically created for e-
mail recovery, including recovering deleted attachments from a hard drive:
o DataNumen for Outlook and Outlook Express
o FINALeMAIL for Outlook Express and Eudora
o Sawmill-GroupWise for log analysis
o DBXtract for Outlook Express
o Fookes Aid4Mail and MailBag Assistant for Outlook, Thunderbird, and Eudora
o Paraben E-Mail Examiner, configured to recover several e-mail formats
o AccessData FTK for Outlook and Outlook Express
o Ontrack EasyRecovery EmailRepair for Outlook and Outlook Express
o R-Tools R-Mail for Outlook and Outlook Express
o OfficeRecovery's Mail Recovery for Outlook, Outlook Express, Exchange,
Exchange Server, and IBM Lotus Notes
• One advantage of using data recovery tools is that you don’t need to know how
the e-mail server or e-mail client operates to extract data from these computers.
• Data recovery tools do the work for you and allow you to view evidence on the
computer.
• After you compare e-mail logs with the messages, you should verify the e-mail
account, message ID, IP address, and date and time stamp to determine whether
there’s enough evidence for a warrant.
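The script below is an added example, written for these notes and not part of them or of any server product, covering two passages above: the discussion of what an e-mail server log records (the account, client IP, date and time it received the message) and the final point about comparing those logs with the message to verify the message ID, IP address and timestamp before seeking a warrant. The log lines are constructed in a Postfix-style layout for the example; the regular expressions, the year and the UTC assumption for syslog timestamps are all assumptions that have to be adapted to the server actually in use.

```python
"""Added example (not part of the original notes): correlate the header of a
suspect message with the receiving e-mail server's own log, which is the
cross-check the notes call for before asking for a warrant. The log lines
below are constructed in a Postfix-style format; the regular expressions are
assumptions that must be adapted to the server product actually in use."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

SERVER_LOG = """\
Mar  4 09:15:39 mx2 postfix/smtpd[2231]: connect from relay.example.net[203.0.113.7]
Mar  4 09:15:40 mx2 postfix/smtpd[2231]: XYZ789: client=relay.example.net[203.0.113.7]
Mar  4 09:15:40 mx2 postfix/cleanup[2240]: XYZ789: message-id=<20240304091537.Q1W2E3@relay.example.net>
Mar  4 09:15:40 mx2 postfix/qmgr[1102]: XYZ789: from=<bounce@mailer.example.net>, size=2048, nrcpt=1 (queue active)
Mar  4 09:15:41 mx2 postfix/smtp[2255]: XYZ789: to=<victim@victim.example>, relay=mail.victim.example[198.51.100.10]:25, status=sent (250 Ok)
Mar  4 09:15:41 mx2 postfix/qmgr[1102]: XYZ789: removed
Mar  4 09:16:02 mx2 postfix/smtpd[2231]: disconnect from relay.example.net[203.0.113.7]
"""

# Only lines tagged with a queue id carry per-message facts; connect/disconnect
# lines are deliberately not matched.
LOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (?P<qid>\w+): (?P<rest>.*)$")
CLIENT = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[\d.]+)\]")
MSGID = re.compile(r"message-id=(?P<mid><[^>]+>)")
ENVELOPE_FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
RCPT = re.compile(r"to=<(?P<addr>[^>]*)>")


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog stamps carry neither year nor zone; both are supplied here as
    stated assumptions (UTC, the year of the incident) and must be recorded."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def correlate(log: str, message_id: str, year: int = 2024) -> Optional[dict]:
    """Locate the queue entry for message_id and gather everything the server
    recorded about it. Returns None when there is no entry, which is what an
    investigator sees once circular logging has overwritten that day's log."""
    entries = [m for m in (LOG_LINE.match(line) for line in log.splitlines()) if m]
    qid = None
    for e in entries:
        m = MSGID.search(e["rest"])
        if m and m["mid"] == message_id:
            qid = e["qid"]
            break
    if qid is None:
        return None
    rec = {"queue_id": qid, "message_id": message_id, "client_ip": None,
           "client_host": None, "envelope_from": None, "recipients": [],
           "received_at": None}
    for e in entries:
        if e["qid"] != qid:
            continue
        if m := CLIENT.search(e["rest"]):
            rec["client_ip"], rec["client_host"] = m["ip"], m["host"]
            rec["received_at"] = parse_ts(e["ts"], year)
        if m := ENVELOPE_FROM.search(e["rest"]):
            rec["envelope_from"] = m["addr"]
        if m := RCPT.search(e["rest"]):
            rec["recipients"].append(m["addr"])
    return rec


def check_against_header(rec: dict, header_ip: str, header_time: datetime,
                         return_path: str,
                         tolerance: timedelta = timedelta(minutes=2)) -> dict:
    """Compare the server's record with what the message header claims for the
    hop into this server. A mismatch means the header was altered, the clocks
    disagree, or the wrong message was matched; each needs an explanation
    before the evidence is relied on."""
    return {
        "ip_matches": rec["client_ip"] == header_ip,
        "time_within_tolerance": abs(rec["received_at"] - header_time) <= tolerance,
        "envelope_from_matches": rec["envelope_from"] == return_path,
    }


if __name__ == "__main__":
    record = correlate(SERVER_LOG, "<20240304091537.Q1W2E3@relay.example.net>")
    print(record)
    # The values below are what the message's own Received: line for mx2 said.
    print(check_against_header(record, "203.0.113.7",
                               datetime(2024, 3, 4, 9, 15, 40, tzinfo=timezone.utc),
                               "bounce@mailer.example.net"))
```

When correlate() returns None the log has no record of the message, and the next stop is the administrator's log backups, because the message alone cannot establish that the server ever handled it. The tolerance in check_against_header() exists because server clocks are rarely synchronised to the second; widen it only with a documented reason.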
