Digital Forensic IBM Slides

IBM ICE (Innovation Centre for Education)

Welcome to:
Computer Forensics

© Copyright IBM Corporation 2016 9.1


Unit objectives IBM ICE (Innovation Centre for Education)
IBM Power Systems

After completing this unit, you should be able to:


• Implement the standard operating procedure to handle any security incident and collect the vital digital evidence without corrupting it.
• Properly identify and verify the system that has been affected by the attack.
• Take an image of the storage device for preservation and further processing.
• Clearly follow the methods and techniques to recover erased and damaged data.
• Understand the concepts and technology of cryptography and data compression, including the different types of algorithms used.
• Search for evidence on the storage devices seized from the scene of the security incident.
• Handle the various digital forensic tools used to analyze the data available on a storage device.

Standard Procedure

1. Secure the subject digital evidence, including devices, from any kind of destruction, including electrical short circuits.
2. Photograph the subject digital evidence and devices; document the network and other devices attached to it.
3. Disassemble the casing of the subject digital evidence device and thoroughly examine the physical access to the storage devices.
4. Use antistatic gloves while handling electronic components, including storage devices.
5. Identify the storage devices that need to be acquired. These devices can be internal, external, or both.
6. Document the internal storage devices and hardware configuration:
a) Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface)
b) Internal components (e.g., sound card, video card, network card, including its media access control (MAC) address)
7. Disconnect the storage devices (by removing the power connector or data cable from the back of the storage drive or from the motherboard).

Incident Verification

1. Whenever required, perform the data acquisition using the examiner's forensic system. When attaching the subject evidence storage device to the examiner's forensic system, configure the storage device so that it will be recognized.
2. Proper write protection (hardware or software) should be in place while connecting the subject evidence storage device, to preserve and protect the original evidence from being altered automatically by the operating system of the examiner's system.
3. The examiner should create a hash value of the subject evidence storage device by performing an independent standard hash calculation using the MD5 or SHA algorithm; this value has to be noted down along with the subject evidence identification number.
4. Ensure that the examiner's storage device is forensically clean when acquiring the evidence.
5. Investigate the geometric properties of the storage devices in order to ensure that all space is accounted for (every bit), including host-protected areas (e.g., that non-host-specific data such as the partition table matches the physical geometry of the drive).
6. Capture the electronic serial number of the drive and of other user-accessible devices.

System identification

1. Arrange a meeting with the IT manager to interview him or her and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him/her sign it, and then sign it yourself.
3. Store the storage media in an evidence bag, which includes an anti-static cover and bubble cover, and then transport it to your forensic facility.
4. Carry the evidence in a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. If the procedure is to use a multi-evidence form, store the forms in the file folder for the case. If a single-evidence form is used, store it along with the evidence in the secure container. Reduce the risk of tampering by limiting access to the forms.
6. Secure the evidence by locking the container.

Recovery of Erased and damaged data

1. Most volumes contain reams of potentially interesting data outside of the viewable, allocated files on a mounted file system. This includes several categories of "deleted data."
2. Deleted files are the "most recoverable."
3. Orphaned files are similar to deleted files, except that the link between the file name and the metadata structure is no longer accurate.
4. Unallocated files are those whose once-allocated file name entry and associated metadata structure have become unlinked and/or reused.
5. Overwritten files have one or more of their data units reallocated to another file; this is also referred to as file slack.

Disk imaging and preservation

1. A bit-stream copy is a bit-by-bit copy (also known as a sector copy) of the original drive or
storage medium and is an exact duplicate.
2. The more exact the copy, the better chance you have of retrieving the evidence you need
from the disk. This process is usually referred to as “acquiring an image” or “making an
image” of a suspect drive.
3. A bit-stream copy is different from a simple backup copy of a disk. Backup software can
only copy or compress files that are stored in a folder or are of a known file type. Backup
software can’t copy deleted files and e-mails or recover file fragments.
4. Acquire the “Bit Stream Image” (copy) of the subject evidence storage device to the
examiner’s storage device using the appropriate software and hardware tools.
5. Verify successful acquisition by comparing Hash values of the original subject storage
evidence device with the Hash value of the bit stream image copy or by doing a sector-by-
sector comparison of the original subject evidence storage device to the bit stream image
copy.
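As an added example (my code, not part of the IBM slides), the hashing required in Incident Verification step 3 and the two verification methods of step 5 above can be scripted: the block streams an image through MD5 and SHA-256 so large images never have to fit in memory, then runs the sector-by-sector comparison, which not only says that an image differs but pinpoints which sector. The "drive" and its two images are small constructed files in a temporary directory; `SECTOR_SIZE`, the evidence number and all function names are my assumptions.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size; real drives use 512 or 4096 bytes


def hash_image(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream a device or image file through a hash so that a multi-terabyte
    image never has to fit in RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquisition_record(path, evidence_id):
    """The values an examiner notes down next to the evidence number:
    size plus both hash families named on the slide (MD5 and SHA)."""
    return {
        "evidence_id": evidence_id,
        "size_bytes": os.path.getsize(path),
        "md5": hash_image(path, "md5"),
        "sha256": hash_image(path, "sha256"),
    }


def verify_by_hash(original, image, algorithm="sha256"):
    """Verification method 1: the image hash must equal the original's hash."""
    return hash_image(original, algorithm) == hash_image(image, algorithm)


def compare_sectors(original, image, sector_size=SECTOR_SIZE):
    """Verification method 2: sector-by-sector comparison. Returns the list of
    differing sector numbers (an empty list means an exact duplicate). A size
    difference shows up as mismatches past the end of the shorter file."""
    mismatches = []
    with open(original, "rb") as a, open(image, "rb") as b:
        sector = 0
        while True:
            sa = a.read(sector_size)
            sb = b.read(sector_size)
            if not sa and not sb:
                break
            if sa != sb:
                mismatches.append(sector)
            sector += 1
    return mismatches


def demo():
    """Constructed scenario: an 8-sector 'drive', one faithful image and one
    image in which a single byte of sector 5 was altered."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "subject_drive.raw")
    good_image = os.path.join(workdir, "image_good.dd")
    bad_image = os.path.join(workdir, "image_bad.dd")

    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of 512
    tampered = bytearray(data)
    tampered[5 * SECTOR_SIZE + 10] ^= 0xFF

    for path, content in ((original, data), (good_image, data), (bad_image, bytes(tampered))):
        with open(path, "wb") as fh:
            fh.write(content)

    return {
        "record": acquisition_record(original, "EV-2016-001"),  # constructed evidence id
        "good_hash_match": verify_by_hash(original, good_image),
        "bad_hash_match": verify_by_hash(original, bad_image),
        "bad_sectors": compare_sectors(original, bad_image),
    }


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the same functions are pointed at the block device (opened read-only behind a write blocker) and at the image file; only the temporary-file setup in `demo` is specific to this illustration.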

Data encryption and compression

1. Encrypted files are encoded to prevent unauthorized access.
2. To decode an encrypted file, users supply a password or passphrase.
3. Without the passphrase, recovering the contents of encrypted files is difficult.
4. Many commercial encryption programs use a technology called key escrow, which is
designed to recover encrypted data if users forget their passphrases or if the user key is
corrupted after a system failure.
5. Most graphics file formats, including GIF and JPEG, compress data to save disk space and
reduce the file’s transmission time. Other formats, such as BMP, rarely compress data or
do so inefficiently.
6. Data compression is the process of coding data from a larger form to a smaller form.
Graphics files and most compression tools use one of two data compression schemes:
lossless or lossy.
7. Lossless compression techniques reduce file size without removing data.
8. Lossy compression is different because it compresses data by permanently discarding bits
of information in the file. Some discarded bits are redundant, but others are not.

Forensic software

1. EnCase
2. Autopsy
3. FTK
4. ProDiscover
5. Helix3 Enterprise
6. CAINE

Checkpoint

1 When shutting down a computer, what information is typically lost?

A Data in RAM memory
B Running processes
C Current network connections
D Current logged-in users
E All of the above

2 With remote acquisitions, what problems should you be aware of?

A Data transfer speeds
B Access permissions over the network
C Antivirus, antispyware, and firewall programs
D All of the above

3 What two data-copying methods are used in software data acquisitions?

A Remote and local
B Local and logical
C Logical and physical
D Physical and compact

Checkpoint

4 Hashing, filtering, and file header analysis make up which function of computer forensics tools?

A Validation and discrimination
B Acquisition
C Extraction
D Reporting

5 Which of the following is true of most drive-imaging tools?

A They perform the same function as a backup.
B They ensure that the original drive doesn't become corrupt and damage the digital evidence.
C They create a copy of the original drive.
D They must be run from the command line.

6 Make sure you always document the following points, except:

A Who collected the evidence, how they did it and where they got it
B Who took possession of it
C How it was stored and protected
D How it was stored and unprotected
E Who removed it from storage and why

Checkpoint

7 Make sure you always label any hardware with the following, except:

A Part number
B Case number
C Short description of the hardware
D The time and date you got the evidence
E Your signature

8 The following general computer evidence processing steps have been provided, except:

A Shut down the computer.
B Document the hardware configuration of the system.
C Transport the computer system to an unsecure location.
D Make bit stream backups of hard disks and floppy disks.
E Mathematically authenticate data on all storage devices.

Checkpoint

9 When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:

A Public key cryptography
B Cryptanalysis
C Key clustering
D Hashing

10 Which of the following is a problem with symmetric key encryption?

A It is slower than asymmetric key encryption.
B Most algorithms are kept proprietary.
C Work factor is not a function of the key size.
D It provides secure distribution of the secret key.

Checkpoint Solutions

1. E. When the system is shut down normally or the plug is pulled, all of the above live
system-state data is lost.

2. D. You should be aware of all of these parameters.

3. C. Logical and Physical

4. B. Acquisition

5. C. They create a copy of the original drive.

6. D. How it was stored and unprotected

7. A. A part number

8. C. Transport the computer system to an unsecure location

9. A. Public key cryptography

10. D. It provides secure distribution of the secret key


Unit summary

Having completed this unit, you should be able to:


• Implement the standard operating procedure to handle any security incident and collect the vital digital evidence without corrupting it.
• Properly identify and verify the system that has been affected by the attack.
• Take an image of the storage device for preservation and further processing.
• Clearly follow the methods and techniques to recover erased and damaged data.
• Understand the concepts and technology of cryptography and data compression, including the different types of algorithms used.
• Search for evidence on the storage devices seized from the scene of the security incident.
• Handle the various digital forensic tools used to analyze the data available on a storage device.

Welcome to:
Network Forensics


Unit objectives

After completing this unit, you should be able to:


• Learn how data packets can be captured from the network and how to analyze these packets.
• Use different tools and techniques to analyze and gather evidence from the data packets captured from the network.
• Understand the order of volatility of the memory in a computer system and how it helps the investigator identify the required evidence.
• Follow the standard operating procedure for collecting evidence from the scene of a crime/security incident, so that every investigator follows it without tampering with the evidence at the scene.

Tracking Network Traffic

• Networking, or linking computers together, has some distinct advantages. Sharing resources and collaboration are just two such benefits.
• There are different types of networks used to connect different sets of computers: LAN, WAN and MAN.
• On a network that uses the TCP/IP protocol, each computer or device on the network has a unique identifier or address known as an IP address.

• Each packet is structured in a uniform manner. Individual packets consist of three parts: the header, payload, and footer.
• There are many different ways to hack and/or attack a network, such as Distributed Denial of Service (DDoS), identity spoofing (IP spoofing), man-in-the-middle attacks, social engineering, etc.
• The actual traffic (packets) moving on the network can hold some valuable clues. Several tools, called "sniffers," are available that can capture and analyze network traffic.

Reviewing Network Logs

• Many devices and computers in a network generate logs of events and activities. As such,
log files serve as a primary source of evidence in network investigations.
• There are several different types of log files. Some of the logs of interest include
authentication, application, operating system, and the firewall log.
• An authentication log identifies the account (and IP address) connected to a particular event.
• Identifying the responsible hacker is by no means a simple task. There are many impediments along the way that can keep the attacker's identity hidden.
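As an added example (my code, not from the slides), this is what "the authentication log identifies the account and IP address connected to an event" looks like when automated: the block parses constructed sshd-style log lines into account/IP/outcome records, summarizes them per source address, and flags the one pattern that is most often worth a first look in a review, a successful login from a source that had just been failing. The log lines, host name and the RFC 5737 documentation addresses are constructed; the regular expression and function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style authentication log lines (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:09 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Mar  3 10:16:40 host1 sshd[2215]: Accepted password for bob from 203.0.113.7 port 51300 ssh2
Mar  3 10:17:02 host1 sshd[2220]: Failed password for bob from 192.0.2.44 port 60000 ssh2
Mar  3 10:17:05 host1 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One sshd login event: syslog timestamp, host, pid, outcome, auth method, account, source IP, port.
AUTH_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8})\s"
    r"(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?P<outcome>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:(?P<invalid>invalid user)\s)?(?P<account>\S+)\sfrom\s"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\sport\s(?P<port>\d+)"
)


def parse_line(line):
    """Return the account/IP/outcome record for one sshd login event,
    or None for lines that are not login events (e.g. the CRON line)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["invalid_user"] = event.pop("invalid") is not None
    event["pid"] = int(event["pid"])
    event["port"] = int(event["port"])
    return event


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize_by_ip(events):
    """Per-source counts of failed and accepted logins plus the accounts tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "accounts": set()})
    for e in events:
        entry = summary[e["ip"]]
        entry["failed" if e["outcome"] == "Failed" else "accepted"] += 1
        entry["accounts"].add(e["account"])
    return dict(summary)


def success_after_failures(events, threshold=2):
    """Sources that logged in successfully after at least `threshold` failures
    earlier in the log. A triage signal for the investigator, not proof."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        if e["outcome"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold and e["ip"] not in flagged:
            flagged.append(e["ip"])
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_AUTH_LOG)
    print(summarize_by_ip(parsed))
    print("success after failures:", success_after_failures(parsed))
```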

Network Tracking Tools

• A variety of tools are available for network administrators to perform remote shutdowns,
monitor device use, and more.
– Sysinternals
– Knoppix STD
– The Auditor
– Packet sniffers
– Tcpslice
– Ngrep
– Wireshark
– Monosek

Live Acquisition of Network Traffic

• Live acquisitions done before taking a system offline are also becoming a necessity, because attacks might leave footprints only in running processes or RAM.
• Live acquisition on a Windows system can be performed using the ManTech Memory DD tool.
• Live data from the network can also be captured from many different network media types, including wireless LAN, using Wireshark.

Order of Volatility

• The order of volatility is:


1. CPU, cache, and Register content
2. Routing table, ARP cache, Process table, Kernel statistics
3. Memory
4. Temporary file system/swap space
5. Data on hard disk
6. Remotely logged data
7. Data contained on archival media

Standard Procedure

• Always use a standard installation image for systems on a network.
• When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening.
• Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live
acquisition before turning the system off.
• Acquire the compromised drive and make a forensic image of it.
• Compare files on the forensic image to the original installation image.
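The last step of the procedure, as an added example (my code, not from the slides): every file under the standard installation image and under the forensic image is hashed with SHA-256 and the two trees are compared, so the output is exactly the list of files that were modified, added or removed on the compromised system. The two directory trees are constructed in a temporary directory; in practice the mounted images would be supplied read-only and the paths below are my assumptions.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = hash_file(full)
    return hashes


def compare_images(baseline_root, evidence_root):
    """Classify every path by comparing the forensic image against the
    known-good installation image: same hash, different hash, only on one side."""
    base = hash_tree(baseline_root)
    evidence = hash_tree(evidence_root)
    return {
        "modified": sorted(p for p in base if p in evidence and base[p] != evidence[p]),
        "added": sorted(p for p in evidence if p not in base),
        "missing": sorted(p for p in base if p not in evidence),
        "unchanged": sorted(p for p in base if p in evidence and base[p] == evidence[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo():
    """Constructed trees: the evidence image has one altered system binary,
    one unexpected new file, and one file that disappeared."""
    workdir = tempfile.mkdtemp()
    baseline = os.path.join(workdir, "install_image")
    evidence = os.path.join(workdir, "forensic_image")
    for root in (baseline, evidence):
        _write(root, "bin/ls", b"original ls binary\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
    _write(baseline, "var/log/install.log", b"installed 2016-03-01\n")
    _write(evidence, "bin/ls", b"replaced ls binary\n")
    _write(evidence, "tmp/.cache/unknown.bin", b"\x7fELF constructed sample\n")
    return compare_images(baseline, evidence)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```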

Checkpoint

1. Which of the following tools from Sysinternals monitors Registry data in real time?

A. PsList
B. Handle
C. RegMon
D. PsUpTime

2. Packet sniffers examine what layers of the OSI model?

A. Layers 2 and 4
B. Layers 4 through 7
C. Layers 2 and 3
D. All layers

3. Which of the following is not a type of volatile evidence?

A. Routing Tables
B. Main Memory
C. Log files
D. Cached Data

Checkpoint solutions

1. C. RegMon
2. C. Layers 2 and 3
3. C. Log files

Unit summary

Having completed this unit, you should be able to:


• Learn how data packets can be captured from the network and how to analyze these packets.
• Use different tools and techniques to analyze and gather evidence from the data packets captured from the network.
• Understand the order of volatility of the memory in a computer system and how it helps the investigator identify the required evidence.
• Follow the standard operating procedure for collecting evidence from the scene of a crime/security incident, so that every investigator follows it without tampering with the evidence at the scene.

Welcome to:
Internet Forensics


Unit objectives

After completing this unit, you should be able to:


• Understand threats on the Internet.
• Understand analyzing and spoofing.
• Understand Monosek (Network Analyzer).

Internet & World wide web threats

• ActiveX, Microsoft's answer to the ubiquitous Java technology, was its first real attempt at a model for portable, remotely consumable software applications, and it gave attackers an opportunity to enter the system: malicious programmers could write ActiveX controls to do just about anything they wanted to a user's machine.
• Exploiting a flaw in Java's type-safety mechanisms allowed an attacker to run code that breaks them, in what is called a type confusion attack.
• Even the simplest JavaScript code snippets can do things such as pop up windows and otherwise take near-complete control of the browser's graphical interface, making it possible to fool users into entering sensitive information or navigating to malicious sites.
• The protocol that underlies the World Wide Web, HTTP, has no facility for tracking things from one visit to another, so an extension was rigged up to allow it to maintain such "state" across HTTP requests and responses.
• Cross-Site Scripting (XSS) results from a flaw in the design of a web server-based application.
• Secure Sockets Layer (SSL) is the protocol over which the majority of secure e-commerce transactions occur on the Internet today. It is based on public-key cryptography, which can be a bit intimidating to the novice, but it is a critical concept to understand for anyone who buys and sells things in the modern digital economy.

Domain Name Ownership Investigation

• Tools such as whois or nslookup have traditionally provided a quick and simple method of
investigating who is behind a particular Internet site.
• Most countries centrally manage registrations to their own Country Code TLDs (for example
.uk or .ch). Generic TLDs (for example .com or .org) are managed by independent registrars
(for example Network Solutions Inc, or Register.com).
• The domain name registrants are those parties responsible for registering and maintaining a
domain name. This typically includes the registrant, an administrative contact, a technical
contact, and possibly a billing contact.
• Email server owners can provide email logs of both incoming and outgoing email traffic, and may provide investigative access to mailboxes. They are also in a position to monitor message activity for investigative purposes.

Reconstructing Past Internet Activities and Events

• The process of going through the working files and reconstructing activity is actually pretty straightforward, and when properly validated it can be reasonably authoritative.
• The history utility in IE creates a convenient audit trail of what a user likes to do on the Internet. It can be used to show whether the user frequents certain types of sites, whether she landed on a site inadvertently, and what she does when she visits a site.
• If you can navigate the maze that is the caching structure, you can re-create pages that the user saw and interacted with, including their form data. There is a problem with caching Internet files.

Email Forensics: E-mail Analysis

• In some instances you may need to convert e-mail from one format to another before you begin your investigation, or you may need to present e-mail results in a format that is easier for you or another party to analyze and review.
• Client-based e-mail is typically easier to work with than Internet-hosted mail in corporate environments because the e-mail exists on a company-owned asset. With client-based e-mail, typically both incoming and outgoing e-mails are recorded; this is not always the case for Internet-hosted e-mail.
• AOL is not typically used in corporate environments, but it is popular enough to cover here. If AOL is discovered, the impact can be quite high, because people are more likely to use it for their personal e-mail and let their guard down.
• Web-based e-mail such as Yahoo! and Hotmail challenges investigators to find the e-mail on the computer, reconstruct activity, and identify users in ways that differ from client-based e-mail.
• Web-hosted e-mail is popular because a number of companies provide free e-mail services over the Internet.

Email Forensics: Email Headers and Spoofing

• E-mail headers contain general information, including the e-mail addresses of who apparently authored the e-mail and of the recipient.
• E-mail headers also contain routing information from the point of origin to the final destination. Each server en route assembles this information and attaches it to the top of the e-mail.
• Other information found in headers includes the type of e-mail client used, the e-mail gateway used, and the names of e-mail attachments.
• This information is helpful to investigators because it helps tell the full story of what happened or points to other areas to investigate. Headers are constructed more or less uniformly across web-hosted and client-based e-mail.
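As an added example (my code, not from the slides), the block reads the routing information the slide describes: it parses each Received header of a constructed message, puts the hops back into delivery order (servers prepend their header, so the bottom one is the origin), and pulls out the origin IP, the first relay, the claimed From domain and the X-Mailer client string. The message, host names and addresses are constructed (RFC 5737 ranges, example domains); `header_summary` and its "domain mismatch" signal are my own, and such a mismatch is an indicator that the sender may be spoofed, not proof.

```python
import email
import email.utils
import re

# Constructed message: the claimed sender is at example.org, but the first
# server that accepted the message belongs to example.com.
SAMPLE_EMAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id abc123;
\tTue, 1 Mar 2016 10:02:15 +0000
Received: from client-pc (unknown [198.51.100.77])
\tby mail.example.com with ESMTPA;
\tTue, 1 Mar 2016 10:02:10 +0000
From: "Finance" <finance@example.org>
To: bob@example.net
Subject: Invoice
Message-ID: <1234@mail.example.com>
X-Mailer: Constructed Mail Client 1.0
Content-Type: text/plain

Please find the invoice attached.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the hop it records."""
    text = " ".join(value.split())  # unfold the header onto one line
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {
        "helo": m.group("helo"),            # name the sending host announced
        "ip": ip.group(1) if ip else None,  # address the receiving server saw
        "by": m.group("by"),                # server that added this header
        "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }


def message_path(raw):
    """Hops in delivery order. Each server prepends its Received header, so
    the bottom header is the origin and the top one is the final destination."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def header_summary(raw):
    """The facts an investigator pulls from the headers in one pass."""
    msg = email.message_from_string(raw)
    hops = message_path(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    first_relay = hops[0]["by"].lower() if hops else None
    return {
        "from_domain": from_domain,
        "origin_helo": hops[0]["helo"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "first_relay": first_relay,
        # First relay is not in the From domain: worth a second look, not proof of spoofing.
        "domain_mismatch": bool(first_relay) and not first_relay.endswith(from_domain),
        "mailer": msg.get("X-Mailer"),
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for hop in message_path(SAMPLE_EMAIL):
        print(hop)
    print(header_summary(SAMPLE_EMAIL))
```

Received headers below the first one the investigator's own server added can be forged by the sender, so only the hops added by trusted servers are authoritative.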

Messenger Forensics: AOL, Yahoo, MSN, and Chats

• By default, all chat messages are archived and saved, but these messages are cleared out once the user signs out of Yahoo Messenger (YM).
• Alternatively, chat messages can be saved to any location on the computer that the user specifies. These conversations need to be saved before logging out of the YM application.
• Evidence examination begins by inspecting the registry structure of Windows Vista and Windows 7 using the built-in Windows registry editor.
• Whenever a photo sharing session is initiated in Yahoo Messenger from a Vista machine, a photo sharing folder whose name starts with the letter "S" is created in the ProgramData folder.
• MSN Messenger and its later incarnation, Windows Live Messenger, are among many instant messenger programs.
• The best record of conversations is found in saved conversations. Unfortunately, saving of conversations by the user is not on by default.

Browser Forensics: Analyzing Cache and Temporary Internet Files

• The two predominant web browsers we encounter during computer-related investigations are Microsoft's Internet Explorer (IE) and the Firefox/Mozilla/Netscape family.
• IE is typically installed by default on new Windows-based computers and is used by most private and business computer owners.
• C:\Documents and Settings\jschmo\Local Settings\Temporary Internet Files\Content.IE5\ stores the cached pages and images. Inside the Content.IE5 directory there are additional subdirectories, each with a seemingly random name, that contain the cached web data.
• C:\Documents and Settings\jschmo\Local Settings\History\History.IE5\ contains additional subdirectories signifying the date ranges for which IE has saved the history.
• C:\Documents and Settings\jschmo\Cookies\ holds the cookies. An investigator will typically check all three information stores for Internet activity data.

Browser Forensics: Cookie Storage and Analysis

• Cookies, or Local Shared Objects (LSOs) in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it.
• Since the .SOL files are saved individually, we have a nice set of file system timestamps to utilize. On Windows XP (which has access-time stamping on by default) we can use the access time to tell us when the LSO was last read.
• Cookies hold data in Name/Value pairs. In the slide's example, the cookie contains two records, each holding one Name/Value pair.

Browser Forensics: Web Browsing Activity Reconstruction

• It is hard to trace the web sites a user has visited if the forensic investigator can analyze only the log files of a single web browser. Therefore, the investigator must be able to examine all web browsers present on a system and perform an integrated analysis across them.
• In a digital forensic investigation, it is critical to detect the suspect's movements along a timeline. By performing a timeline analysis, the investigator can trace the criminal activities of the suspect in their entirety.
• Beyond investigating which web sites the suspect has visited, it is important to investigate the search words he used in the search engine.
• When encoded characters appear, the search words are not English. In a digital forensic investigation, encoded characters create confusion for the investigator.
• In a trace of web browser activity for an investigation, a single piece of HTTP URL information is not enough to detect the online movements of a suspect.
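As an added example (my code, not from the slides), the block does the three things the slide asks for at once: it merges history rows from two browsers into one timeline, extracts the search words from search-engine URLs, and decodes percent-encoded (non-English) terms so that they read as text instead of confusing the investigator. The history rows, timestamps and URLs are constructed; the search-engine parameter table and function names are my assumptions, and a real case would read the rows out of each browser's own history store.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Search engines and the query parameter that carries the user's search words (assumed table).
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}

# Constructed history rows from two browsers on one system: (browser, UTC time, URL).
# The Google query is percent-encoded UTF-8 Japanese text.
HISTORY = [
    ("ie", "2016-03-01T09:58:12Z", "http://www.bing.com/search?q=disk+imaging+tools"),
    ("firefox", "2016-03-01T09:55:40Z",
     "https://www.google.com/search?q=%E3%83%87%E3%82%A3%E3%82%B9%E3%82%AF%E6%B6%88%E5%8E%BB&hl=ja"),
    ("ie", "2016-03-01T10:03:05Z", "http://www.example.org/docs/wipe.html"),
    ("firefox", "2016-03-01T10:01:30Z", "https://search.yahoo.com/search?p=secure+erase+ssd"),
]


def extract_search_term(url):
    """Return the decoded search words for a known search engine URL, else None.
    parse_qs undoes both '+' for space and %XX UTF-8 escapes."""
    parsed = urlparse(url)
    param = SEARCH_PARAMS.get(parsed.netloc.lower())
    if not param:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def build_timeline(history):
    """Merge rows from all browsers into one list ordered by time."""
    events = []
    for browser, stamp, url in history:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        term = extract_search_term(url)
        events.append({
            "time": when,
            "browser": browser,
            "url": url,
            "search_term": term,
            # flag terms that were percent-encoded non-ASCII text in the URL
            "non_ascii": term is not None and not term.isascii(),
        })
    return sorted(events, key=lambda e: e["time"])


def search_terms(timeline):
    """Just the searches, in order: (clock time, browser, decoded words)."""
    return [(e["time"].strftime("%H:%M:%S"), e["browser"], e["search_term"])
            for e in timeline if e["search_term"]]


if __name__ == "__main__":
    for e in build_timeline(HISTORY):
        print(e["time"].isoformat(), e["browser"], e["search_term"] or e["url"])
```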

Checkpoint

1. What does it mean if someone says they were a victim of a Bluejacking attack?

A. An unsolicited message was sent.
B. A cell phone was cloned.
C. An IM channel introduced a worm.
D. Traffic was analyzed.

2. If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem?

A. The internal mail server has been compromised by an internal hacker.
B. The mail server in the DMZ has private and public resource records.
C. The mail server has e-mail relaying misconfigured.
D. The mail server has SMTP enabled.

3. Which of the following is not an attack against email?

A. Brute force
B. Denial-of-service
C. Buffer overflow
D. Email bombing

Checkpoint solutions

1. B
2. C
3. C

Unit summary

Having completed this unit, you should be able to:

• Understand threats on the Internet.
• Understand analyzing and spoofing.
• Understand Monosek (Network Analyzer).

Welcome to:
Forensic Investigation and Evidence Presentation


Unit objectives

After completing this unit, you should be able to:


• Understand how digital forensic investigations are conducted and the steps followed.
• Understand the steps involved in live versus static forensics.
• Understand which tools are used to conduct forensics.
• Understand the various roles played during the presentation of evidence.
• Understand how to present evidence arising out of a forensic investigation in a court of law.

Authorization to collect the evidence

• One should be certain that the search is not going to violate any laws or give rise to liability.
• Computer security professionals should obtain instructions and written authorization from
their superiors who have the power to investigate, before gathering digital evidence relating
to an investigation within their organization.
• As a rule, law enforcement should obtain a search warrant if there is a possibility that the
evidence to be seized requires a search warrant.
• For a search warrant to be valid, it must both particularly describe the property to be seized
and establish probable cause for seizing the property.
• Digital investigators are generally authorized to collect and examine only what is directly
pertinent to the investigation, as established by the probable cause in an affidavit.

Acquisition of evidence

• Data acquisition is the process of copying data. For computer forensics, it is the task of collecting digital evidence from electronic media.
• The data a computer forensics acquisition tool collects is stored as an image file in one of three formats:
– Raw format
– Proprietary format
– Advanced Forensic Format
• There are two types of acquisitions: static acquisitions and live acquisitions.
• The forensic examiner needs to take precautions to protect the digital evidence, and should also make contingency plans in case software or hardware does not work or a failure is encountered during an acquisition.
• The Linux OS has many features that are applicable to computer forensics.

Authentication of the evidence

• The most critical aspect of computer forensics is validating digital evidence.
• Validating digital evidence requires a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive.
• The two Linux shell commands dd and dcfldd have several options that can be combined with other commands to validate data.
• Windows has no built-in hashing tools for computer forensics. However, many third-party Windows programs do provide a variety of built-in hashing tools.

Performing RAID Acquisition

• Redundant array of independent disks (RAID) is a computer configuration involving two or
more disks.
• Acquisitions of RAID drives can be challenging and frustrating for computer forensics
examiners because of how RAID systems are designed, configured, and sized.
• Several levels of RAID, such as RAID 0, RAID 1 and RAID 5, can be implemented through
software or through special hardware controllers.

• RAID 0, as shown above, provides rapid access and increased data storage. In RAID 0, two
or more disk drives become one large volume, so the computer views the disks as a single disk.
• There is no simple method for getting an image of a RAID server’s disks, so the investigator
has to follow the standard operating procedure properly.
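The de-striping that a RAID 0 acquisition comes down to, as an added example that is not from the slides: after imaging each member disk separately, the examiner still has to find the stripe size and disk order before the logical volume can be read. The volume, its striping across three "disk images" and the record-sequence check are constructed assumptions made here so the script runs offline; a real rebuild would test a file-system signature or partition table instead.

```python
import itertools

RECORD = 64   # bytes; every record of the constructed volume begins with "REC%08d"


def make_volume(n_records):
    """Constructed logical volume: fixed-size records carrying ascending sequence
    numbers, standing in for a file system whose on-disk layout we know how to check."""
    return b"".join(b"REC%08d" % i + b"." * (RECORD - 11) for i in range(n_records))


def stripe(volume, n_disks, stripe_size):
    """Constructed RAID 0 writer: deal consecutive stripes round-robin across the disks."""
    disks = [bytearray() for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(volume), stripe_size)):
        disks[s % n_disks] += volume[off:off + stripe_size]
    return [bytes(d) for d in disks]


def reassemble(images, stripe_size, order):
    """Rebuild the logical volume from per-disk images: stripe s comes from disk
    order[s % n] at position (s // n) * stripe_size."""
    disks = [images[i] for i in order]
    total, n = sum(len(img) for img in images), len(disks)
    out, s = bytearray(), 0
    while len(out) < total:
        k, d = divmod(s, n)
        out += disks[d][k * stripe_size:(k + 1) * stripe_size]
        s += 1
    return bytes(out)


def volume_is_consistent(data):
    """True when the rebuilt volume's records are whole and in sequence; a wrong
    stripe size or disk order scrambles them, which is how the layout is recognised."""
    if len(data) % RECORD:
        return False
    return all(data[i * RECORD:i * RECORD + 11] == b"REC%08d" % i
               for i in range(len(data) // RECORD))


def find_layout(images, candidate_sizes):
    """Brute-force stripe size and disk order; return the first (size, order) whose
    reassembly passes the consistency check, or None if nothing fits."""
    for size in candidate_sizes:
        for order in itertools.permutations(range(len(images))):
            if volume_is_consistent(reassemble(images, size, order)):
                return size, order
    return None


def demo():
    """Three disks imaged in an unknown order; true stripe size 4096, 4 stripes each."""
    volume = make_volume(768)                      # 49,152 bytes
    disks = stripe(volume, 3, 4096)
    images = [disks[2], disks[0], disks[1]]        # the order the images came in
    layout = find_layout(images, [512, 1024, 2048, 4096, 8192, 16384])
    rebuilt = reassemble(images, *layout) if layout else b""
    return layout, rebuilt == volume


if __name__ == "__main__":
    print(demo())
```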

Remote Network Data Acquisition Tools

• Remote acquisition tools vary in configuration and capabilities. Some require manual
intervention on the remote suspect computer to initiate the data copy.
• Remote acquisition has drawbacks: if the investigator has access to the same LAN as the
suspect’s computer, data transfer speeds and routing table conflicts could cause problems.
• And if suspects have administrator rights on their computers, they could easily install their
own security tools that trigger an alarm to notify them of remote access intrusions.
• The tool therefore has to be chosen according to the network speed and topology before
the data is acquired.
• Tools used are:
– ProDiscover
– EnCase
– R-Studio
– WetStone LiveWire
– F-Response

Validating Forensic Data

• Validation of digital evidence is essential, as it ensures the integrity of the data collected by
the digital forensic investigator, which needs to be presented as evidence in court.
• Initial validation can be done using hexadecimal editors.
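What the dd and dcfldd validation mentioned two slides back actually does, as an added example in Python that is not code from the slides: the "drive" is a constructed temporary file, and the block size and hash-window size are assumed values standing in for dd's bs= and dcfldd's hashwindow= options. The per-window log is what lets an examiner show not just that an image changed, but where.

```python
import hashlib
import os
import random
import tempfile

BLOCK = 4096      # bytes per read/write, like dd's bs= option (assumed value)
WINDOW = 16384    # bytes per logged hash, like dcfldd's hashwindow= option (assumed)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(chunk), b""):
            h.update(piece)
    return h.hexdigest()


def acquire(src, dst, block=BLOCK, window=WINDOW):
    """Copy src to dst block by block and return (overall sha256, window log).

    The log holds one (start, end, sha256) per window, so a later mismatch can be
    narrowed to a byte range instead of just 'the image differs somewhere'."""
    overall, win = hashlib.sha256(), hashlib.sha256()
    log, win_start, offset = [], 0, 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for piece in iter(lambda: fin.read(block), b""):
            fout.write(piece)
            overall.update(piece)
            win.update(piece)
            offset += len(piece)
            if offset - win_start >= window:
                log.append((win_start, offset, win.hexdigest()))
                win, win_start = hashlib.sha256(), offset
    if offset > win_start:                       # trailing partial window
        log.append((win_start, offset, win.hexdigest()))
    return overall.hexdigest(), log


def changed_windows(path, log):
    """Re-hash every logged window of an image and return the (start, end) ranges
    whose hash no longer matches the value recorded at acquisition time."""
    bad = []
    with open(path, "rb") as f:
        for start, end, digest in log:
            f.seek(start)
            if hashlib.sha256(f.read(end - start)).hexdigest() != digest:
                bad.append((start, end))
    return bad


def demo():
    """Acquire a constructed 100,000-byte 'drive', verify the image against the
    source, then flip one byte and let the window log pinpoint the damage."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "drive.bin"), os.path.join(tmp, "drive.dd")
    rng = random.Random(7)                       # constructed, reproducible content
    with open(src, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(100_000)))
    image_hash, log = acquire(src, dst)
    verified = sha256_of(src) == image_hash == sha256_of(dst)
    with open(dst, "r+b") as f:                  # simulate corruption at offset 40000
        f.seek(40_000)
        original = f.read(1)[0]
        f.seek(40_000)
        f.write(bytes([original ^ 0xFF]))
    return {"verified_after_acquisition": verified,
            "verified_after_tamper": sha256_of(dst) == image_hash,
            "windows": len(log),
            "changed": changed_windows(dst, log)}


if __name__ == "__main__":
    print(demo())
```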

Analysis of the evidence

• Examining and analyzing digital evidence depend on the nature of the investigation and the
amount of data to process.
• Criminal investigations are limited to finding data defined in the search warrant, and civil
investigations are often limited by court orders for discovery.
• Corporate investigators might be searching for company policy violations that require
examining only specific items, such as e-mail.
• As a standard practice, the digital forensic investigator should follow the basic steps for all
computer forensics investigations.
• It’s important to refine the investigation plan as much as possible by trying to determine what
the case requires.
• The analyses done in most cases include:
– Hidden Data
– Bad Cluster
– Bit Shifting
– Encrypted Files
– Password Recovery

Reporting on the findings

• A forensics report presents evidence in court, at an administrative hearing, or as an affidavit
used to support issuing an arrest or a search warrant.
• A report can also provide justification for collecting more evidence and be used at a probable
cause hearing, as evidence in a grand jury hearing, or at a civil motion hearing. Besides
presenting facts, reports can communicate expert opinion.
• All reports to the client should start by stating the mission or goal, which is usually to find
information on a specific subject, recover certain important documents, or recover certain
types of files or files with specific dates and times.
• Identify your audience and the purpose of the report to help you focus on specifics.
• Computer forensics examiners are required to create different types of reports, such as a
formal report consisting of facts from your findings, a preliminary written or verbal report to
your attorney, and an examination plan for the attorney.

Testimony

• When cases go to trial, you as a forensics examiner can play one of two roles: You are called
as a technical/scientific witness or as an expert witness.
• As a technical/scientific witness, you provide only the facts you have found in your
investigation—any evidence that meets the relevance standard and is more probative than
prejudicial.
• When you give technical/scientific testimony, you present this evidence and explain what it is
and how it was obtained. You don’t offer conclusions, only the facts.
• However, as an expert witness, you have opinions about what you have found or observed.
• You form these opinions from experience and deductive reasoning based on facts found
during an investigation. In fact, it’s your opinion that makes you an expert witness.

Checkpoint

1. The data collected by forensic collection tool is presented in the following formats
a. Raw Format, Proprietary Format & Advanced Forensic Format
b. Raw Format, Proprieter Format & Advanced Forensic Format
c. Real Format, Proprietary Format & Best Forensic Format
d. Raw Format, Proprietary Format & Good Forensic Format

2. Expert Witness Format is an example of
a. Raw Format
b. Advanced Forensic Format
c. Open Source Format
d. Proprietary Format

3. 3DES refers to
a. Triple Design Encryption Standard
b. Triple Data Encryption Standard
c. Triple Delight Entropy Standard
d. Three Desktop Encryption Standard

Checkpoint solutions

1. A
2. D
3. B

Unit summary

Having completed this unit, you should be able to:

• Understand how Digital Forensic Investigations are conducted and steps followed
• Understand the steps involved in Live versus Static Forensics
• Understand which tools are used to conduct Forensics
• Understand various roles played during presenting of evidence
• Understand how to present evidence in a court of Law arising out of investigation of Forensic
evidence

Welcome to:
Legal aspects of Digital Forensics

Unit objectives

After completing this unit, you should be able to:

• Understand Digital Forensics and its legal impact in the Indian context
• Understand Indian legal interpretations of Cyber Crime and related criminal activities
• Understand the legal aspects pertaining to Data Acquisition, Preservation, Analysis,
Presentation of evidence and Chain of Custody.

Definition of Cyber Crime in IT Act

• Chapter XI of the Act defines various cyber crimes and prescribes punishments for them.
• It focuses on offences such as hacking, cyber stalking, data theft, introduction of worms and
viruses, obscenity and child pornography.
• However, cyber crime as such is not defined in the Information Technology Act 2000, nor in
the IT Amendment Act 2008, nor in any other legislation in India.
• In a cyber crime, the computer or the data itself is the target or object of the offence, or a
tool in committing some other offence, providing the necessary inputs for that offence. All
such acts come under the broader definition of cyber crime.
• With much of international trade being done through electronic communication and with
email gaining momentum, an urgent and imminent need was felt for recognizing electronic
records, i.e. the data stored in a computer or in an external storage device attached to it.

Structure of IT Act

• The IT Act has 13 chapters and 90 sections in total (the last four sections, namely sections
91 to 94 of the ITA 2000, dealt with amendments to four other Acts, namely the Indian Penal
Code 1860, the Indian Evidence Act 1872, the Bankers’ Books Evidence Act 1891 and the
Reserve Bank of India Act 1934).
• The Act begins with preliminaries and definitions; the chapters that follow deal with
authentication of electronic records, digital signatures, electronic signatures, etc.
• Rules and procedures mentioned in the Act have also been laid down in a phased manner.
• The Act extends to the whole of India and, except as otherwise provided, also applies to any
offence or contravention thereunder committed outside India by any person.
• The ITA-2000 defines many important words used in common computer parlance.

Adjudications and Criminal Provisions

• The IT Act has defined the remedy for civil cyber offences in the form of adjudication.
• Adjudication powers and procedures have been elaborately laid down in Section 46 and the
sections that follow.
• The Central Government may appoint any officer not below the rank of a Director to the
Government of India or a State Government as the adjudicator.
• Every adjudicating officer has the powers of a civil court, and the Cyber Appellate Tribunal
has the powers vested in a civil court under the Code of Civil Procedure.
• The criminal provisions of the IT Act, and those dealing with cognizable offences and criminal
acts, follow from Chapter IX titled “Offences”.

Tampering with computer source documents and Hacking

• Sec.65. Tampering with computer source documents.
– Whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a
computer, computer programme, computer system or computer network, when the computer source
code is required to be kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
– Explanation - For the purposes of this section, "computer source code" means the listing of
programmes, computer commands, design and layout and programme analysis of computer resource
in any form.
• Sec.66. Hacking with computer system.
– Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the
public or any person destroys or deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means, commits hacking.
– Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which
may extend up to two lakh rupees, or with both.

Online Obscenity & Pornography

• Sec. 67. Publishing of information which is obscene in electronic form.
– Whoever publishes or transmits or causes to be published in the electronic form any material which is
lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt
persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it, shall be punished on first conviction with imprisonment of either
description for a term which may extend to five years and with fine which may extend to one lakh
rupees, and in the event of a second or subsequent conviction with imprisonment of either description
for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

Cyber Stalking

• Sec. 66A. Any person who sends, by means of a computer resource or a communication
device,—
– (a) any information that is grossly offensive or has menacing character; or (b) any information which
he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction,
insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such
computer resource or a communication device, (c) any electronic mail or electronic mail message for
the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages, shall be punishable with imprisonment for a term which
may extend to three years and with fine.
– Explanation.— For the purpose of this section, terms “electronic mail” and “electronic mail message”
means a message or information created or transmitted or received on a computer, computer system,
computer resource or communication device including attachments in text, images, audio, video and
any other electronic record, which may be transmitted with the message.

Theft of Identity

• Earlier, data theft was forcibly brought under Section 66 of the IT Act, which is meant for
hacking.
• The 2008 amendment to the IT Act then introduced new offences in Sections 66A to 66F.
Section 66C is titled “Punishment for identity theft”, and Section 66D is titled “Punishment for
cheating by personation by using computer resource”.

Cyber Defamation

• Sec. 499 defamation has three main aspects:
– a) Making or publishing any imputation concerning any person;
– b) Such imputation must have been made by
• i) words, either spoken or intended to be read; or
• ii) signs; or
• iii) visible representation;
– c) Such imputation must be made with the intention of harming, or with the knowledge or with
reason to believe that it will harm, the reputation of that person.

Admissibility of Digital Evidence

• Section 65-B of the Evidence Act deals with admissibility of electronic records as evidence in
the court of law.
• The computer holding the original evidence does not need to be produced in court. A printout
of the record or a copy on a CD-ROM, hard disk, floppy, etc. can be produced in the court.
• However, some conditions need to be met and a certificate needs to be provided.

Checkpoint

1. Subject to the provisions of the Act, any subscriber may authenticate an electronic record
by
A. Affixing a digital signature
B. Affixing a finger print impression
C. Affixing a voice identification message

2. What is the punishment for publication of information which is obscene in electronic form?
A. Imprisonment for 10 years and also a fine which may extend to Two Lakh Rupees.
B. No punishment.
C. Only a fine which may extend to 25 Lakh Rupees.

3. What is the punishment for publication of information which is obscene in electronic form?
A. No punishment.
B. Only a fine which may extend to 25 Lakh Rupees.
C. Imprisonment for 10 years and also a fine which may extend to Two Lakh Rupees.

Checkpoint solutions

1. A
2. A
3. C

Unit summary

Having completed this unit, you should be able to:

• Understand Digital Forensics and its legal impact in the Indian context
• Understand Indian legal interpretations of Cyber Crime and related criminal activities
• Understand the legal aspects pertaining to Data Acquisition, Preservation, Analysis,
Presentation of evidence and Chain of Custody.

Welcome to:
Mobile Forensics

Unit objectives

After completing this unit, you should be able to:

• Understand Forensics for Mobile and Portable Devices
• Understand Data Extraction, Evidence Collection and Preservation for Mobile and Portable
Devices
• Understand techniques and trends in Mobile and Portable device forensics

Collecting and Analyzing Evidence

• General principles of digital forensics that apply to classic evidence are also in effect for cell
phone or PDA evidence.
• During the seizure, the area and evidence are photographed and/or videotaped. It is very
important to photograph the mobile phone’s screen contents as it was found.
• All mobile devices have volatile memory, so making sure they do not lose power before the
RAM data can be retrieved is critical.
• Isolate the device from incoming signals by placing it in the Paraben Wireless StrongHold
Bag, which conforms to Faraday cage standards.
• In the lab, evidence from the cell phone can be collected from the following storage
locations:
– The internal memory
– The SIM card
– Any removable or external memory cards
– The system server
• The information that can be retrieved falls into four categories:
– Service-related data, such as identifiers for the SIM card and subscriber
– Call data, such as numbers dialled
– Message information
– Location information

Collecting and Analyzing Evidence (Cont…)

• The SIM is a smart card with an embedded microprocessor and 16–256 Kbytes of nonvolatile
(EEPROM) memory.
• An examiner who wants to analyze data stored in the SIM gets access using microprocessor
commands, with the help of a smart card reader or by using the mobile phone itself.
• The contacts catalog, along with the stored messages, forms one of the most important
pieces of evidence on the SIM card.
• Beyond the current data, older or even deleted data can be found in the “depths” of the
mobile phone’s memory. This includes text messages, pictures, MMS, simple notes and
calendar notes, contacts, and so on.
• The Blackberry is also known as a RIM device and is equipped with the RIM software
implementation of proprietary wireless-oriented protocols.
• Collecting evidence from a Blackberry departs from traditional forensic methods, because the
investigator has to record logs kept on the unit that will be wiped after an image is taken.

Collecting and Analyzing Evidence (Cont…)

• iPods have standard file systems, either Apple’s HFS+ or Microsoft’s FAT32.
• These file systems are static because they are not continually transferring data like other
types of devices, such as cell phones, for instance.
• Because of their static nature, performing forensics on iPods is not substantially different
from performing forensics on a regular computer hard drive.
• The difference between an iPod and a regular computer that makes an iPod an alternative
media device is that the primary function of an iPod is as a music player.
• Only recently have iPods evolved into photo storage and video player devices. Because they
are used for entertainment purposes, iPods might not be thought of as data repositories
containing evidence.
• Depending on the firmware and version of a particular iPod, there may be some variance in
this determination throughout an analysis.
• One of the files that forensic examiners note is the iTunes DB file, which provides information
about music files, including their file type, music category, and the location on the device.

Analyzing other Storage Devices

• A forensic investigator must have two separate devices: a reliable Compact Disc-ReWritable
(CD-RW) drive and a recent DVD writer that can read both DVD+ and DVD– media.
• When an examiner is given a number of discs to be processed, it is reasonable to order them
in decreasing readability to get the most easily read discs processed, and then make the
results available as soon as possible.
• Take special precautions with discs that are cracked, because they may break, leading to
sharp pieces of polycarbonate that can puncture the skin.
• Examine a disc with CD/DVD Inspector while allowing it to continue for no more than five
minutes.

Digital Camera Forensics

• Modern digital cameras not only write the photo to a data file stored on the storage media
(usually memory cards), but also store additional information in what is commonly referred to
as Exchangeable image file format (Exif) data.
• The Exif metadata can contain a tremendous amount of information, including the type of
camera, the version of the camera software, the resolution, the date and time of the photo
and, in some cases, GPS coordinates that the camera writes into the photo.
• This data is stored inside the photo file, so when the photo is copied or moved the Exif
metadata goes with it.
• More sophisticated cameras also have large hard disk drives to store large numbers of digital
photos, and therefore may hold deleted photos that may be recoverable.
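Reading that Exif data straight from the JPEG bytes, as an added example that is not from the slides: the sample photo, its camera name, timestamp and GPS coordinates are constructed by the script itself (no real image is needed), and only the handful of tags the slide lists are decoded. The parser walks the JPEG marker segments, finds the APP1 "Exif" segment, reads the TIFF IFD0 inside it and follows the GPSInfo pointer to the GPS sub-IFD.

```python
import struct

ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5                      # Exif/TIFF field types
TYPE_SIZE = {1: 1, ASCII: 1, SHORT: 2, LONG: 4, RATIONAL: 8}
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo",
        0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",       # GPS sub-IFD tag numbers
        0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}     # do not collide with IFD0's

def _dms(value):
    """Degrees, minutes, seconds as three RATIONALs, the way Exif GPS tags store them."""
    v = abs(value)
    deg, minutes = int(v), int((v - int(v)) * 60)
    sec = round(((v - deg) * 60 - minutes) * 60 * 10000)
    return [(deg, 1), (minutes, 1), (sec, 10000)]

def build_exif_jpeg(make, model, date_time, lat, lon):
    """Constructed minimal JPEG (SOI, APP1/Exif, EOI) carrying the tags a camera writes.
    Little-endian TIFF: IFD0 at offset 8, the GPS IFD right after it, then a data area."""
    data = bytearray()                         # values too long for the 4-byte field
    gps_off = 8 + 2 + 12 * 4 + 4               # IFD0 has 4 entries -> GPS IFD at 62
    base = gps_off + 2 + 12 * 4 + 4            # GPS IFD has 4 entries -> data at 116

    def entry(tag, typ, payload):
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:                  # short values are stored in the entry
            return struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        off = base + len(data)
        data.extend(payload)
        return struct.pack("<HHII", tag, typ, count, off)

    def ifd(entries):                          # entry count, entries, no next IFD
        return struct.pack("<H", len(entries)) + b"".join(entries) + b"\0\0\0\0"

    def rationals(pairs):
        return b"".join(struct.pack("<II", n, d) for n, d in pairs)

    ifd0 = ifd([entry(0x010F, ASCII, make.encode() + b"\0"),
                entry(0x0110, ASCII, model.encode() + b"\0"),
                entry(0x0132, ASCII, date_time.encode() + b"\0"),
                entry(0x8825, LONG, struct.pack("<I", gps_off))])
    gps = ifd([entry(0x0001, ASCII, (b"N" if lat >= 0 else b"S") + b"\0"),
               entry(0x0002, RATIONAL, rationals(_dms(lat))),
               entry(0x0003, ASCII, (b"E" if lon >= 0 else b"W") + b"\0"),
               entry(0x0004, RATIONAL, rationals(_dms(lon)))])
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + bytes(data)
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"

def _read_ifd(tiff, offset, end):
    """Parse one IFD into {tag name: value}, following the GPSInfo pointer if present."""
    count = struct.unpack_from(end + "H", tiff, offset)[0]
    tags = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(end + "HHI4s", tiff, offset + 2 + 12 * i)
        size = n * TYPE_SIZE.get(typ, 1)
        if size > 4:                           # field holds an offset into the TIFF
            val_off = struct.unpack_from(end + "I", raw)[0]
            raw = tiff[val_off:val_off + size]
        if typ == ASCII:
            value = raw[:size].split(b"\0")[0].decode("ascii", "replace")
        elif typ == RATIONAL:
            value = [num / den if den else 0.0
                     for num, den in struct.iter_unpack(end + "II", raw[:size])]
        elif typ in (SHORT, LONG):
            value = struct.unpack_from(end + ("H" if typ == SHORT else "I"), raw)[0]
        else:
            value = raw[:size]
        name = TAGS.get(tag, "0x%04X" % tag)
        tags[name] = _read_ifd(tiff, value, end) if tag == 0x8825 else value
    return tags

def parse_exif(jpeg):
    """Walk the JPEG marker segments and return the Exif tags of the APP1 segment."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            tiff = seg[6:]
            end = "<" if tiff[:2] == b"II" else ">"
            return _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
        if marker == 0xDA:                     # start of scan: image data, no more tags
            break
        pos += 2 + length
    return {}

def gps_decimal(tags):
    """Turn the GPS sub-IFD's DMS values into signed decimal degrees (None if absent)."""
    g = tags.get("GPSInfo")
    if not g:
        return None
    lat = g["GPSLatitude"][0] + g["GPSLatitude"][1] / 60 + g["GPSLatitude"][2] / 3600
    lon = g["GPSLongitude"][0] + g["GPSLongitude"][1] / 60 + g["GPSLongitude"][2] / 3600
    return (-lat if g["GPSLatitudeRef"] == "S" else lat,
            -lon if g["GPSLongitudeRef"] == "W" else lon)

# Constructed sample photo: camera name, timestamp and coordinates are made up.
SAMPLE = build_exif_jpeg("ConstructedCam", "X-1", "2016:03:14 15:09:26", 12.9716, 77.5946)
```

Calling `parse_exif(SAMPLE)` returns the Make, Model and DateTime strings plus a nested GPSInfo dictionary, and `gps_decimal` converts the latter back to decimal degrees.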

Recovering and Reconstructing Deleted Data

• There are different ways to delete files, depending on the file system and operating system a
computer is using.
• When a user deletes a file, the operating system does not actually erase the file. It marks the
file name in the master file table (MFT) with a special character that tells the processor that
the file has been deleted.
• The corresponding clusters of that file in the FAT are marked as unused, though they
continue to contain the information until they are overwritten.
• Low-level formatting (LLF), which physically defines where the tracks and sectors are on the
disk, does erase data.
• Even if a file has not been deleted and restored, the file may be corrupted from improperly
shutting down the application or computer, or records within a database may be deleted
accidentally.
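How a deleted entry and its clusters survive in a FAT file system, as an added example that is not from the slides: the directory region, FAT and data region are constructed inside the script (with made-up file names and content), and the carver assumes the deleted file's clusters were contiguous, since the FAT chain itself is cleared on deletion. The FAT check also flags clusters that have since been handed to another file, which is exactly the "until it is overwritten" caveat above.

```python
import struct
from datetime import datetime

ENTRY = struct.Struct("<8s3sB10sHHHI")  # name, ext, attr, reserved, time, date, cluster, size
DELETED, LFN = 0xE5, 0x0F


def fat_datetime(date, time):
    """Decode the packed 16-bit FAT date and time fields of a directory entry."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(region):
    """Yield the 8.3 entries of a directory region, flagging those whose first byte
    was replaced by 0xE5 when the file was deleted (the original first letter is lost)."""
    for off in range(0, len(region) - 31, 32):
        raw = region[off:off + 32]
        if raw[0] == 0:                        # end-of-directory marker
            break
        if raw[11] == LFN:                     # long-file-name fragment, not a file
            continue
        name, ext, attr, _, time, date, cluster, size = ENTRY.unpack(raw)
        deleted = name[0] == DELETED
        base = (b"?" + name[1:] if deleted else name).decode("latin-1").rstrip()
        ext = ext.decode("latin-1").rstrip()
        yield {"name": base + ("." + ext if ext else ""), "deleted": deleted,
               "attr": attr, "modified": fat_datetime(date, time),
               "cluster": cluster, "size": size}


def carve_deleted(entry, fat, data_region, cluster_size):
    """Read back the clusters a deleted entry pointed at, assuming they were contiguous
    (the FAT chain itself is gone). Also report clusters the FAT shows as re-allocated,
    since those have probably been overwritten by a newer file."""
    n_clusters = -(-entry["size"] // cluster_size)
    clusters = range(entry["cluster"], entry["cluster"] + n_clusters)
    reused = [c for c in clusters if fat[c] != 0]
    content = b"".join(data_region[(c - 2) * cluster_size:(c - 1) * cluster_size]
                       for c in clusters)              # data region starts at cluster 2
    return content[:entry["size"]], reused


def make_entry(name, ext, attr, cluster, size, deleted=False):
    """Constructed directory entry (timestamp fixed at 2016-03-14 15:09:26)."""
    raw_name = name.ljust(8).encode()
    if deleted:
        raw_name = bytes([DELETED]) + raw_name[1:]
    date = ((2016 - 1980) << 9) | (3 << 5) | 14
    time = (15 << 11) | (9 << 5) | (26 // 2)
    return ENTRY.pack(raw_name, ext.ljust(3).encode(), attr, b"\0" * 10,
                      time, date, cluster, size)


# Constructed sample: one live file in cluster 2, one deleted file that used clusters 3-4.
CLUSTER = 512
REPORT = b"Quarterly report (constructed sample).\n"
SECRET = (b"CONFIDENTIAL: constructed sample record\n" * 20)[:700]
DIRECTORY = (make_entry("REPORT", "TXT", 0x20, 2, len(REPORT))
             + make_entry("SECRET", "DOC", 0x20, 3, len(SECRET), deleted=True)
             + b"\0" * 32)
DATA_REGION = REPORT.ljust(CLUSTER, b"\0") + SECRET.ljust(2 * CLUSTER, b"\0")
FAT = [0xFFF8, 0xFFFF, 0xFFFF, 0, 0, 0]      # clusters 3 and 4 were marked free on delete


def demo(fat=FAT):
    entries = list(parse_directory(DIRECTORY))
    deleted = [e for e in entries if e["deleted"]]
    content, reused = carve_deleted(deleted[0], fat, DATA_REGION, CLUSTER)
    return entries, content, reused


if __name__ == "__main__":
    for e in demo()[0]:
        print(e)
```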

Checkpoint

1. Which of the following relies on a central database that tracks account data, location data,
and subscriber information?
A. BTS
B. MSC
C. BSC
D. None of the above

2. Which of the following categories of information is stored on a SIM card?
A. Volatile memory
B. Call data
C. Service-related data
D. None of the above

3. A JPEG file uses which type of compression?
A. WinZip
B. Lossy
C. Lzip
D. Lossless

Checkpoint solutions

1. A
2. D
3. B

Unit summary

Having completed this unit, you should be able to:

• Understand Forensics for Mobile and Portable Devices
• Understand Data Extraction, Evidence Collection and Preservation for Mobile and Portable
Devices
• Understand techniques and trends in Mobile and Portable device forensics

Welcome to:
Steganalysis - Data Hiding/Recovery

Unit objectives

After completing this unit, you should be able to:

• Understand Steganography
• Understand Steganalysis, its hierarchy, types and functions
• Learn the Tools for Steganography
• Understand Data Recovery Techniques

Introduction to Steganography

1. The purpose of steganography is covert communication to hide a message from a third
party.
2. This differs from cryptography,
3. Although steganography is separate and distinct from cryptography, we can categorize
steganography as a form of cryptography, since hidden communication is a form of secret
writing.

Steganography Background

• Steganography has become increasingly popular in recent years, due to the explosion of the
internet and multimedia use in general.
• Most of the attention has been drawn to it because of the malicious use of the technique.
• It has become a threat not only to individuals and businesses, but to government agencies
across the world.
• Steganalysis is the detection of embedded data.
– There are so many methods to embed information that it is hard to develop programs to
distinguish between the different types.

Steganography Functions

• Not only are there several programs that hide information, there are several different
methods for doing so.
• There are three basic ways:
– injection,
– substitution, and
– generation.

Steganography in Images
• Steganography in images is mainly classified into:
– Least significant bit (LSB) insertion method.
– Masking and filtering.
– Algorithms and transformation.
• There are mainly three transformation techniques:
1. Fast Fourier transformation technique (FFT)
2. Discrete cosine transformation technique (DCT)
3. Discrete wavelet transformation technique (DWT)

Robustness and Cryptography

• Steganography tools aim to ensure robustness against modern forensic methods, such as
statistical steganalysis.
• Such robustness may be achieved by a balanced mix of:
I. a stream-based cryptography process;
II. a data whitening process;
III. an encoding process.

Steganalysis

• Steganalysis is simply the detection of steganography by a third party.
• A relatively new field, since the new technology behind steganography is just becoming
popular.
• There are two main types of steganalysis:
– visual analysis
– statistical (algorithmic) analysis.
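The statistical branch of steganalysis applied to the LSB insertion method listed two slides back, as an added example that is not from the slides: the 8-bit cover signal and the random payload embedded into it are constructed here, and the chi-square-per-degree-of-freedom threshold of 2 is an assumption chosen for this sample rather than a general calibrated value. The pairs-of-values test works because LSB replacement can only move a sample between 2k and 2k+1, so full embedding of random bits evens out each pair's two counts.

```python
import math
import random
from collections import Counter


def embed_lsb(cover, bits):
    """Constructed stego sample: overwrite the least significant bit of every 8-bit
    sample with one payload bit (the LSB insertion method)."""
    return bytes((s & 0xFE) | b for s, b in zip(cover, bits))


def pov_chi_square(samples):
    """Pairs-of-values test. LSB embedding can only move a sample between 2k and 2k+1,
    so embedding random bits in every sample pushes both counts of each pair towards
    their mean. Returns chi-square per degree of freedom: close to 1 for a fully
    embedded file, far larger for an untouched cover with an uneven histogram."""
    counts = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b == 0:
            continue                       # pair never occurs: contributes nothing
        expected = (a + b) / 2
        chi2 += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        pairs += 1
    return chi2 / max(pairs - 1, 1)


def looks_embedded(samples, threshold=2.0):
    """Decision rule; the threshold is an assumption tuned to the constructed sample."""
    return pov_chi_square(samples) < threshold


def make_cover(n):
    """Constructed 8-bit cover: a smooth signal quantised to 7 significant bits, so every
    sample is even and each pair is maximally unbalanced (natural audio or image data
    shows a softer version of the same imbalance)."""
    return bytes(int(128 + 100 * math.sin(i / 37.0)) & 0xFE for i in range(n))


def demo(n=8192):
    cover = make_cover(n)
    rng = random.Random(1)                 # reproducible random payload
    stego = embed_lsb(cover, (rng.getrandbits(1) for _ in range(n)))
    return {"cover": pov_chi_square(cover), "stego": pov_chi_square(stego)}


if __name__ == "__main__":
    print(demo())
```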

Steganography Hierarchy

Image Steganalysis

• Algorithms for image steganalysis are primarily of two types:
– Specific and
– Generic.
• Palette Image Steganalysis
• Raw Image Steganalysis
• JPEG Image Steganalysis
• Generic Image Steganalysis Algorithms

Digital Image and Audio - 1

Figure 1: RGB color cube
Figure 2: This color selection dialogue box shows the red, green, and blue (RGB) levels of the
selected color.

Digital Image and Audio - 2

Figure 3: Simple pulse code modulation
Figure 4: Some common digital formats.

Audio Steganalysis

• Rapid advancement of Voice over Internet Protocol (VoIP) and various peer-to-peer (P2P)
audio services offers numerous opportunities for covert communication.
• Minor alteration of the binary sequence of audio samples with existing steganography tools
can easily make covert communication a reality.
• Audio signals have a characteristic redundancy and an unpredictable nature.
• Audio signals are therefore ideal for use as a cover for covert communications that hide
secret messages.
• Audio Steganography Algorithms

Video Steganalysis

Tools for Steganography – Overview 1

• Xiao Steganography
• Image Steganography
• Steghide
• Crypture
• SteganographX Plus
• rSteg

Tools for Steganography – Overview 2

• SSuite Picsel
• Our Secret
• Camouflage
• OpenStego
• SteganPEG
• Hide’N’Send

Tools for Steganography – Overview 3

• Hydan
• Stegdetect (Provos 2004)
• StegFS
• FreeOTFE
• TrueCrypt
• Steghide

Data Hiding

• Data hiding is an ancient art:
– Caesar cipher.
– Egyptians used symbolic language in their pyramids.
– Coded language.
– Writing with invisible ink.
• With the dawn of the digital world, only the methods have changed; the aim is still the same.

Data hiding techniques and proposed advantage(s) for:
• Still image
• Audio signal
• IPv4 header

Data Hiding - Generic

• Generic Data Hiding
– Data can also be hidden in unallocated or otherwise unreachable locations that are ignored by the
current generation of forensic tools.
• Properties of Data Hiding
• There are several reasons to hide data as well.
• Current/future trends in the data hiding techniques domain

Data Hiding and Steganography

• Steganography is an effective way of secure communication.
• Sample techniques for hiding data using steganography involve:
– System commands on a command prompt
– Using a software tool to hide data

Alternate Data Stream (ADS)

Alternate Data Stream (ADS) was implemented in order to allow compatibility with the
Hierarchical File System (HFS).
HFS stores its data in two parts:
– Resource fork.
– Data fork.
The data fork is where the data is actually contained, and the resource fork is used to tell the
operating system how to use the data portion.
Windows does the same thing through the use of extensions such as .bat, .exe, .txt, etc.

Data Recovery

• Data loss can take many forms:
– accidental deletion,
– hard drive failure,
– software bugs,
– data corruption,
– hacking,
– even a simple power failure can cause you to lose data.
• And, of course, there are more extreme cases, like when a hard drive is recovered from a
plane crash; amazingly, some data recovery specialists can retrieve data from storage media
that’s been almost completely destroyed.
• Tips for data recovery: do’s and don’ts
• Recuva, a tool for data recovery.

Reasons for Data Recovery

The methods used to recover lost data depend on how the data was lost in the first place; let’s
take a look at some of the most common forms here.
• File Deletion
• File Corruption
• File System Format or Damage

• Physical Damage
– Physical damage may be dealt with by replacing old parts. Repairing physical damage may allow
the user to use the hard disk again, though it may not be sufficient for the computer to run in its
entirety, since logical damage may still be present.

• Logical Damage
– Logical damage means that the system or storage may be corrupted due to unintentional
partitioning, accidental formatting and deletions, power failure, virus attacks or memory overflow.

Data recovery chances

The methods used to recover lost data depend on how the data was lost in the first place.
• To get the best possible data recovery result it is strongly recommended to stop any write
access to the storage and run data recovery software immediately.

Chances of data recovery for:


• Data loss caused by file deletion
• Recovery after file system formatting
• Recovery after file system damage
• Loss of information about partition
• Hardware failure
• Recovery of wiped/overwritten data

Data Recovery Technique

1. Use of software to recover data


2. Use of machines to recover data

• Scanning Probe Microscopy (SPM)
• Magnetic Force Microscopy (MFM)
• Scanning Tunneling Microscopy (STM)
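Software recovery of deleted or orphaned files, when the file system's own bookkeeping is gone after deletion, formatting or damage, falls back to carving: the raw image is scanned for known file headers and footers and whatever lies between a pair is cut out, no directory entry required. The following is an added example, not code from the original slides, of that header/footer carving step. The image it scans is constructed inline by `build_sample_image`; the signature list, the `MAX_CARVE` limit and the function names are choices made for this example, although the JPEG and PNG magic values themselves are the standard ones.

```python
import hashlib
import os

# Header/footer signatures for the carve.  The magic values are the standard
# JPEG and PNG markers; the list itself is a choice made for this example.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]
MAX_CARVE = 64 * 1024   # give up on a header whose footer is not found within this many bytes

def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan a raw image for header/footer pairs and return the carved objects.
    No file-system metadata is consulted, so deleted and orphaned files are found too."""
    found = []
    for kind, header, footer in signatures:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                       # header without a footer: false positive or truncated
                pos = image.find(header, pos + 1)
                continue
            data = image[pos:end + len(footer)]
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f["offset"])

def write_carved(found, out_dir: str):
    """Write each carved object as <offset>.<type>, the way carving tools name their output."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for f in found:
        path = os.path.join(out_dir, f"{f['offset']:08x}.{f['type']}")
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths

def build_sample_image() -> bytes:
    """Constructed raw image: filler bytes with a small JPEG-like and PNG-like object
    embedded and no directory entries pointing at them (sample data, not a real disk)."""
    filler = bytes(range(256)) * 8                    # 2048 bytes containing no signature
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF constructed pixel data" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR constructed chunk data" + b"IEND\xae\x42\x60\x82"
    return filler + jpg + filler[:1000] + png + filler

if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']} at offset {f['offset']:#x}, {f['size']} bytes, sha256={f['sha256'][:16]}...")
```

Hashing each carved object at recovery time gives a value to record alongside the offset, so the recovered file can later be tied back to the exact bytes on the image.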

Data Recovery – Scenario

• Electronic data is part of all of our lives, some is business and some is pleasure.
• The loss of either can devastate you financially, emotionally or both. There are several ways
that data can become inaccessible to you.
• Most of these failures are recoverable, some of them are not.

Recoverable and unrecoverable failure scenarios involve:

1. The Individual
2. Business Critical Data
3. Post Failure
4. The Fatal Mistake

Data Loss prevention

• The best way to address data loss is to prevent it from occurring in the first place.

• Data backup permits the user to restore any file or data if ever logical or physical damage
occurs.

• External protection must also be observed. Hard disk drives are sensitive.

• Not all data can be recovered. There may be cases where it is impossible to repair or retrieve
any data because of the severe damage obtained by the hard disk, particularly the platter.

Disk Imaging Technique

• There is specialized software that can extract corrupt data, except from physically damaged
discs. Although the result is in no way complete, any data recovered can be reconstructed for
reference. Mostly, data recovery through imaging involves the following:
– Accessing the hard drive directly instead of depending on the operating system, as set by its BIOS
configuration.
– Reading bad sectors instead of skipping them.
– Overriding the reset/restart command when reading the disk.

• The imaging technique specializes in getting whatever can be "read" on the entire disk by
avoiding any command that would restart the process once an error is detected; after this,
data reconstruction follows.
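The three behaviours above (bypass the OS, read bad sectors rather than skip them, never let an error restart the pass) are what separate a forensic imager from a plain copy. The following is an added example, not tooling from the slides, that images a raw block device sector by sector: each read is retried, a sector that still fails is logged and replaced by zeros so the rest of the disk is still captured, and the finished image is hashed so the result can be recorded with its bad-sector list. The device it reads is a constructed in-memory stand-in (`FlakyDevice`) whose failing sector numbers are chosen for the example; against a real device the same loop would read from the raw device node instead.

```python
import hashlib

SECTOR = 512

class FlakyDevice:
    """Constructed stand-in for a raw block device.  Sector numbers in
    `always_bad` fail on every read (a genuinely unreadable sector); those in
    `transient_bad` fail once and then succeed (a marginal sector)."""
    def __init__(self, data: bytes, always_bad=(3,), transient_bad=(7,)):
        assert len(data) % SECTOR == 0
        self.data = data
        self.always_bad = set(always_bad)
        self.transient_bad = set(transient_bad)
        self.reads = 0

    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        self.reads += 1
        if n in self.always_bad:
            raise OSError(f"I/O error on sector {n}")
        if n in self.transient_bad:
            self.transient_bad.discard(n)
            raise OSError(f"transient I/O error on sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def image_device(dev, retries: int = 3):
    """Read every sector in order.  A failed read is retried; if it keeps
    failing the sector is recorded and filled with zeros instead of aborting
    or restarting the pass, so everything readable on the disk is captured.
    Returns (image_bytes, bad_sectors, log_lines)."""
    image = bytearray()
    bad, log = [], []
    for n in range(dev.sector_count()):
        for attempt in range(1, retries + 1):
            try:
                image += dev.read_sector(n)
                if attempt > 1:
                    log.append(f"sector {n}: recovered on attempt {attempt}")
                break
            except OSError as err:
                log.append(f"sector {n}: attempt {attempt} failed ({err})")
        else:
            bad.append(n)
            image += b"\0" * SECTOR
            log.append(f"sector {n}: unreadable after {retries} attempts, zero-filled")
    return bytes(image), bad, log

def image_digest(image: bytes) -> str:
    """Hash of the acquired image, to be recorded together with the bad-sector list."""
    return hashlib.sha256(image).hexdigest()

def build_sample_device() -> FlakyDevice:
    """Ten sectors whose bytes equal their sector number (constructed sample data)."""
    data = b"".join(bytes([n]) * SECTOR for n in range(10))
    return FlakyDevice(data)

if __name__ == "__main__":
    dev = build_sample_device()
    image, bad, log = image_device(dev)
    print("\n".join(log))
    print(f"image size={len(image)} bad sectors={bad} sha256={image_digest(image)}")
```

Zero-filling keeps every later sector at its true offset, which is what lets file-system parsers and carving tools still work on an image with holes in it; the log of which sectors were filled is part of the evidence record, not a side note.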

Checkpoint

1. What is Steganalysis?
A. Steganalysis is analysis of Cryptography
B. Steganalysis is study of Bitcoins
C. Steganalysis is simply the detection of steganography by a third party.
D. Steganalysis is similar to Watermarking

2. What are common forms of loss of Data?


A. Traffic Loss
B. File Deletion, File Corruption, File System Format or Damage
C. Data Complexity
D. Data Duplicity

3. What is involved in data recovery through Imaging?


A. Use Decryption tool to extract data
B. Access the hard drive as set by its BIOS configuration, Reading the Bad Sector, Overriding
resetting / restarting command when reading the disk.
C. Magnify the image
D. Use a Hashing tool

Checkpoint

4. ____________ was implemented in order to allow compatibility with the Hierarchical File System (HFS).
A. Active Data System
B. Active Data System
C. Forensic Data System
D. Alternate Data Streams

5. Data hiding only hides _____________, whereas data encapsulation hides


_______________________.
A. class data parts and private methods
B. class data components, class data parts and private methods
C. class data components, class data parts
D. class data components, private methods

Checkpoint solutions

1. C
2. B
3. B
4. D
5. B

Unit summary

Having completed this unit, you should be able to:


• Understand Steganography
• Understand Steganalysis, its hierarchy, types and functions
• Learn the Tools for Steganography
• Understand Data Recovery Techniques

Welcome to:
Memory Forensics


Unit objectives

After completing this unit, you should be able to:


• Understand the meaning of Memory Forensics
• Understand the steps in extracting data from Memory Forensics
• Understand the specific precautions to be used in extraction and preservation of data from
Memory Forensics
• Understand the chain of Custody, Preservation and Presentation of evidence from Memory
Forensics

Memory Data Collection and Examination

• Data is considered volatile when it is likely to be lost when a machine is rebooted or
overwritten during the course of the machine’s normal use.
• The artifacts that can be recovered from volatile data are valuable in pushing the
investigation forward on all fronts, and many types of artifacts can only be recovered from
memory.
• It is readily apparent that acquiring and analyzing this type of data is more challenging and
perilous than dead-box analysis.
• When the user types in their password, or when data is decrypted, however, the password
and keys are necessarily loaded into and stored in memory; analysis of that memory can
allow the analyst to recover them.
• It is also possible for a suspect to hide data in memory, or for a remote attacker who has
compromised a system to store tools, data, and other artifacts there rather than on the
system's drive.
• Some viruses, Trojans, and worms reside only in memory and do not write themselves to the
physical disk drive. Traditional forensic analysis of the disks will not reveal the code or allow
analysts to understand how the attack is being executed or how to mitigate it.

Data Found in Volatile Memory

• Processes, information about open files and registry handles, network information, passwords
and cryptographic keys, unencrypted content that is encrypted on disk, hidden data, and
worms and rootkits written to run solely in memory.
• Processes that have been terminated may still be residing in memory because the machine
has not been rebooted since they were terminated and the space they reside in has not yet
been reallocated.
• The files that a process has open, as well as any registry handles being accessed by a
process, are also stored in memory.
• Information about network connections, including listening ports, currently established
connections, and the local and remote information associated with such connections can be
recovered from memory.
• Passwords and cryptographic keys are as a general rule never stored on hard disks without
some type of protection.
• In addition to hiding files in memory, attackers can also run malicious code from memory
instead of storing it on the disk, making it difficult for reverse engineers to obtain copies of
programs and figure out how they are working and how to mitigate the threats they pose.

Current Analysis Techniques

• In order to acquire volatile memory and analyze it, first an analyst must have a technique for
acquiring memory.
• There are two methods of acquiring volatile memory: hardware-based acquisition, and
software-based acquisition.
• Hardware-based acquisition of memory involves suspending the computer’s processor and
using direct memory access (DMA) to obtain a copy of memory.
• Software-based acquisition is most often done using a trusted toolkit that the analyst brings
to the site, but it is also possible to collect volatile memory using tools built in to the operating
system.
• Volatile memory is accessed via different mechanisms depending on the operating system
being used, and the hardware in the machine itself.
• In Windows, the memory layout of each process is recorded in a Virtual Address Descriptor (VAD) tree.
• This tree describes memory ranges used by currently-running processes, and allows a
process’s virtual address space to be reconstructed.

Current Tools

• The tools used by forensic analysts for memory analysis are:


– Memdump
– KnTTools
– FATKit
– WMFT
– Procenum
– Idetect
– Volatility Framework
– VAD Tools
– Encase Enterprise
– F-Response
– HBGary Responder

Cautions and Considerations

• One concern with performing memory analysis is that the act of acquiring memory can cause
changes to the system being analyzed.
• A related problem is that when this happens and information related to capturing the memory
is put into RAM, the analyst is mixing the results of the analysis with the data that was
previously stored on the system.
• Another concern is whether you can trust the operating system to tell the truth about what is
actually in memory.
• Even more worrisome is that an advanced attacker might alter the way the operating system
itself works to hide data from the analyst.
• Forensic analysis on volatile memory is by no means perfect.

Checkpoint

1. EFS can encrypt which of the following?


a. Files, folders, and volumes
b. Certificates and private keys
c. The global Registry
d. Network servers
2. To encrypt a FAT volume, which of the following utilities can you use?
a. Microsoft BitLocker
b. EFS
c. PGP Whole Disk Encryption
d. FreeOTFE
3. Which of the following tools from Sysinternals monitors Registry data in real time?
a. PsList
b. Handle
c. RegMon
d. PsUpTime

Checkpoint solutions

1. A
2. B
3. C

Unit summary

Having completed this unit, you should be able to:


• Understand the meaning of Memory Forensics
• Understand the steps in extracting data from Memory Forensics
• Understand the specific precautions to be used in extraction and preservation of data from
Memory Forensics
• Understand the chain of Custody, Preservation and Presentation of evidence from Memory
Forensics

Welcome to:
Malware Analysis


Unit objectives

After completing this unit, you should be able to:


• Understand Malware and its technical functioning
• Understand the various types of malware
• Understand the tools used for reversing malware for Digital Forensics
• Understand the various techniques used in creating malware and applying them for Digital
Forensic analysis

Analyzing Live Windows System for Malware

• Dynamic analysis is an efficient way to identify malware functionality on a live Windows
system.
• Although dynamic analysis techniques are extremely powerful, they should be performed
only after basic static analysis has been completed, because dynamic analysis can put your
network and system at risk.
• Although it is usually simple enough to run executable malware by double-clicking the
executable or running the file from the command line, it can be tricky to launch malicious
DLLs because Windows doesn’t know how to run them automatically.
• Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a
way to monitor certain registry, file system, network, process, and thread activity.
• One way to recognize process replacement is to use the Strings tab in the Process
Properties window to compare the strings contained in the disk executable (image) against
the strings in memory for that same executable running in memory.
• Regshot is an open source registry comparison tool that allows you to take and compare two
registry snapshots.
• Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network
traffic. Wireshark provides visualization, packet-stream analysis, and in-depth analysis of
individual packets.

Analyzing Live Linux System for Malware

• The hard drive of a Linux computer can contain traces of malware in various places and
forms, including malicious files, configuration scripts, log files, Web browser history, and
remnants of installation and execution such as system logs and command history.
• Many intruders will use easily recognizable programs such as known rootkits, keystroke
monitoring programs, sniffers, and anti-forensic tools.
• Searching a forensic duplicate of a compromised system for hash values matching known
malware may identify other files with the same data but different names.
• Tools such as Rootkit Hunter and chkrootkit have been developed to look for known
malicious code on Linux systems.
• Using updated antivirus programs to scan files within a forensic duplicate of a compromised
system may identify known malware. To increase the chances of detecting malware, multiple
antivirus programs can be used with any heuristic capabilities enabled.
• Malware on Linux systems is often simply a modified version of a legitimate system binary,
making it more difficult to distinguish.
• Look in all available log files on the compromised system for traces of malicious execution
and associated activities such as creation of a new service.
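Hash matching on a forensic duplicate, as described in the slide, finds known malware even when it has been renamed or a second copy dropped elsewhere, because the comparison is on content rather than on names. The following is an added example, not code from the slides: it walks a mounted duplicate, hashes every regular file and reports those whose SHA-256 is in a known-bad set, grouping hits by digest so renamed copies appear together. The tree it scans and the "known-bad" digest are constructed inline by `build_sample_duplicate`; the planted file is a harmless shell script standing in for a malicious binary, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root: str, known_bad: set):
    """Hash every regular file under root (symlinks skipped) and return
    (relative_path, digest) for each whose digest is in the known-malware set.
    Two hits with the same digest are the same malware under different names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in known_bad:
                hits.append((os.path.relpath(path, root), digest))
    return sorted(hits)

def group_by_digest(hits):
    """Map digest -> list of paths, which shows renamed copies side by side."""
    groups = {}
    for path, digest in hits:
        groups.setdefault(digest, []).append(path)
    return groups

def build_sample_duplicate():
    """Constructed mount point of a 'forensic duplicate': a replaced system binary, a
    renamed copy of the same bytes under /tmp, and one benign script.  The known-bad
    set is derived from the planted bytes; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="dup_")
    planted = b"#!/bin/sh\n# constructed stand-in for a known-malicious binary\n"
    Path(root, "usr/local/bin").mkdir(parents=True)
    Path(root, "tmp").mkdir()
    Path(root, "usr/local/bin/ls").write_bytes(planted)
    Path(root, "tmp/.cache").write_bytes(planted)
    Path(root, "usr/local/bin/backup.sh").write_bytes(b"#!/bin/sh\ntar czf /tmp/home.tgz /home\n")
    return root, {hashlib.sha256(planted).hexdigest()}

if __name__ == "__main__":
    root, known_bad = build_sample_duplicate()
    for digest, paths in group_by_digest(scan_tree(root, known_bad)).items():
        print(f"{digest[:16]}...: {', '.join(paths)}")
```

Running this against the duplicate rather than the live system matters for the reason the slide gives elsewhere: a rootkit on the running host can hide files from the scan, whereas the mounted image has no running code to interfere.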

Analyzing Physical and Process Memory Dumps for Malware

• The advancement in malware, rootkit detection and digital forensics in the commercial
products just discussed was due in large part to a resurgence of interest in a research area
that has been around the digital forensics community for some time.
• The KNTList forensic tool can parse information from the memory dump, reconstruct evidence
such as process listings and loaded DLLs, and analyze the memory dump to decipher the
intrusion scenario.
• Volatility is a memory analysis environment with an extensible underlying framework of tools
based on research by Aaron Walters of Volatile Systems.
• Volatility provides basic information that it parses from the memory dump, including:
– Running processes and threads
– Open network sockets and connections
– Loaded modules in user and kernel mode
– The resources a process is using, such as files, objects, registry keys and other data
– The capability to dump a single process or any binary in the dump and use it for analysis

Discovering and Extracting Malware from Windows Systems

• Malware often uses the registry for persistence or configuration data.


• Real malware code opens the Run key from the registry and adds a value so that the
program runs each time Windows starts.
• Malware commonly relies on network functions to do its dirty work, and there are many
Windows API functions for network communication.
• There are many ways that malware can transfer execution in addition to the jump and call
instructions.
• Malware authors find it more advantageous to store malicious code in a DLL, rather than in
an .exe file.
• Nearly all malware uses the basic Windows DLLs found on every system. The Windows
DLLs contain the functionality needed to interact with the OS.
• Malware can also execute code outside the current program by creating a new process or
modifying an existing one.
• Malware can use CreateThread to load a new malicious library into a process, with
CreateThread called and the address of LoadLibrary specified as the start address.
• Another way for malware to execute additional code is by installing it as a service.
• When analyzing malware that uses COM, you’ll need to be able to determine which code will
be run as a result of a COM function call.

Discovering and Extracting Malware from Linux Systems

• Explore the file system for traces left by malware.


• Scour files associated with applications for traces of usage related to malware.
• Search for distinctive keywords each time such an item is uncovered during forensic
analysis.
• Performing a comprehensive forensic reconstruction can provide digital investigators with a
detailed understanding of the malware incident.
• Perform targeted remote scan of all hosts on the network for specific indicators of the
malware.

Rootkits and Rootkit Detection and Recovery

• The predecessor of the first rootkit was actually not a rootkit at all but a set of applications
that removed evidence of an intrusion from a machine.
• The first generation served one major purpose: executing commands for an attacker without
being seen.
• With the ability to log back into a server with full administrative privileges, the attacker can
leverage the server for other attacks, store data, or host a malicious website. Rootkits
maintain access by installing either local or remote backdoors.
• Rootkits have the ability to conceal traces of their existence on the system.
• Network-based rootkits do not run on the network but are accessible via the hacked system’s
web server.
• There are two types of rootkits: user-mode and kernel-mode.
• One of the simplest and most used techniques, System Service Descriptor Table or SSDT
hooking is fairly easy to detect, and almost every tool available detects SSDT hooks.
• The method for detecting IRP hooking is the same as for detecting SSDT hooking. Each
driver exports a set of 28 function pointers to handle I/O request packets.
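The detection the slide refers to is a range check. Every SSDT entry should point into the kernel image (or into win32k for the shadow table), and each of a driver's 28 IRP dispatch pointers should point into that driver or into the kernel's default handler; a pointer into any other module, or into no known module at all, is a hook. The following is an added example, not a tool from the slides, that applies that check to a service table and to one driver's dispatch table. The module names, base addresses, sizes and table contents are constructed sample values, not from a real kernel; the IRP major-function codes used (READ 0x03, WRITE 0x04, DEVICE_CONTROL 0x0E) are the real ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

IRP_MJ_MAXIMUM_FUNCTION = 0x1B    # 28 major function codes, so 28 dispatch entries

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)

def find_ssdt_hooks(ssdt: List[int], modules: List[Module],
                    legitimate=("ntoskrnl.exe", "win32k.sys")) -> List[Dict]:
    """Flag SSDT entries whose handler lies outside the modules that legitimately own them."""
    hooks = []
    for index, addr in enumerate(ssdt):
        owner = owner_of(addr, modules)
        if owner is None or owner.name not in legitimate:
            hooks.append({"index": index, "address": addr,
                          "owner": owner.name if owner else None})
    return hooks

def find_irp_hooks(driver: Module, dispatch: List[int], modules: List[Module],
                   kernel: str = "ntoskrnl.exe") -> List[Dict]:
    """Same check for a driver's 28 IRP major-function pointers: each must point into the
    driver itself or into the kernel (unhandled codes point at the kernel's default routine)."""
    if len(dispatch) != IRP_MJ_MAXIMUM_FUNCTION + 1:
        raise ValueError("dispatch table must have 28 entries")
    hooks = []
    for code, addr in enumerate(dispatch):
        owner = owner_of(addr, modules)
        if owner is None or owner.name not in (driver.name, kernel):
            hooks.append({"irp_major": code, "address": addr,
                          "owner": owner.name if owner else None})
    return hooks

# Constructed sample kernel state: names, bases and sizes are made up for the example.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("win32k.sys",   0xBF800000, 0x00180000),
    Module("disk.sys",     0xF8500000, 0x00010000),
    Module("susp.sys",     0xF8A00000, 0x00008000),   # an unexpected third-party driver
]
SAMPLE_SSDT = [0x80401000, 0x80402000, 0xF8A01234, 0x80403000, 0xF9000100]

def sample_disk_dispatch() -> List[int]:
    table = [0x80410000] * 28      # default: the kernel's handler for unsupported requests
    table[0x03] = 0xF8501000       # IRP_MJ_READ handled by disk.sys itself
    table[0x04] = 0xF8501100       # IRP_MJ_WRITE handled by disk.sys itself
    table[0x0E] = 0xF8A02000       # IRP_MJ_DEVICE_CONTROL redirected into susp.sys
    return table

if __name__ == "__main__":
    print("SSDT hooks:", find_ssdt_hooks(SAMPLE_SSDT, SAMPLE_MODULES))
    print("disk.sys IRP hooks:",
          find_irp_hooks(SAMPLE_MODULES[2], sample_disk_dispatch(), SAMPLE_MODULES))
```

An entry that resolves to no module at all (the last SSDT slot above) is the more worrying case: the handler lives in memory that no loaded driver accounts for, which is exactly what a kernel-mode rootkit that has hidden its own module looks like from this check.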

Reverse Engineering Tools and Techniques

• Machine code is the form of code that the computer can run quickly and efficiently. When we
disassemble malware, we take the malware binary as input and generate assembly language
code as output, usually with a disassembler.
• Instructions are the building blocks of assembly programs. In x86 assembly, an instruction is
made of a mnemonic and zero or more operands.
• Each instruction corresponds to opcodes (operation codes) that tell the CPU which operation
the program wants to perform.
• All general registers are 32 bits in size and can be referenced as either 32 or 16 bits in
assembly code.
• The simplest and most common instruction is mov, which is used to move data from one
location to another.
• It is possible to read data from the stack without using the push or pop instructions.
• All programming languages have the ability to make comparisons and make decisions based
on those comparisons. Conditionals are instructions that perform the comparison.
• The Interactive Disassembler Professional (IDA Pro) is an extremely powerful disassembler
distributed by Hex-Rays.
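A disassembler does what the slide describes and nothing more: it reads an opcode, uses it to decide how many operand bytes follow and which mnemonic and registers they encode, then advances to the next instruction. The following is an added example, not a tool from the slides, of a minimal x86-32 decoder covering a handful of opcodes (push/pop, mov, cmp, short conditional jumps, call, ret) with register-direct ModR/M operands only. The bytes it decodes are a constructed sample function, and anything outside its table raises rather than guessing, which is the honest behaviour for a partial decoder.

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # ModR/M register numbering
JUMPS = {0xEB: "jmp", 0x74: "je", 0x75: "jne"}                   # short (rel8) branches

def _modrm_regs(b: int):
    """Split a ModR/M byte; only mod=11 (register-to-register) is handled here."""
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod != 3:
        raise NotImplementedError("memory operands (mod != 11) are outside this example")
    return REGS[reg], REGS[rm]

def decode(code: bytes, base: int = 0):
    """Return (address, hex_bytes, text) for each instruction in `code`."""
    out, i = [], 0
    while i < len(code):
        op, start = code[i], i
        if 0x50 <= op <= 0x57:                               # push r32 (register in the opcode)
            text, i = f"push {REGS[op - 0x50]}", i + 1
        elif 0x58 <= op <= 0x5F:                             # pop r32
            text, i = f"pop {REGS[op - 0x58]}", i + 1
        elif 0xB8 <= op <= 0xBF:                             # mov r32, imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            text, i = f"mov {REGS[op - 0xB8]}, {imm:#x}", i + 5
        elif op in (0x89, 0x8B, 0x39):                       # mov/cmp with a ModR/M byte
            reg, rm = _modrm_regs(code[i + 1])
            mnem = "cmp" if op == 0x39 else "mov"
            dst, src = (reg, rm) if op == 0x8B else (rm, reg)   # 0x8B: r32 <- r/m32; 0x89/0x39: r/m32, r32
            text, i = f"{mnem} {dst}, {src}", i + 2
        elif op == 0x3D:                                     # cmp eax, imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            text, i = f"cmp eax, {imm:#x}", i + 5
        elif op in JUMPS:                                    # rel8 is relative to the next instruction
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            i += 2
            text = f"{JUMPS[op]} {base + i + rel:#x}"
        elif op == 0xE8:                                     # call rel32
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            i += 5
            text = f"call {base + i + rel:#x}"
        elif op == 0xC3:
            text, i = "ret", i + 1
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {base + start:#x} is not in this example's table")
        out.append((base + start, code[start:i].hex(), text))
    return out

# Constructed sample: a small function that compares eax with 1 and returns 1 or 0.
SAMPLE_CODE = bytes.fromhex(
    "55"            # push ebp
    "89e5"          # mov ebp, esp
    "b801000000"    # mov eax, 1
    "3d01000000"    # cmp eax, 1
    "7502"          # jne +2  (skips the pop/ret pair that follows)
    "5d"            # pop ebp
    "c3"            # ret
    "b800000000"    # mov eax, 0
    "5d"            # pop ebp
    "c3"            # ret
)

if __name__ == "__main__":
    for addr, raw, text in decode(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08x}  {raw:<12} {text}")
```

The branch target arithmetic is the part worth noticing: a short jump's displacement is added to the address of the instruction after the jump, which is why the decoder advances `i` before computing the target. Getting that wrong is the commonest bug in home-grown decoders and it silently mislabels every conditional in the listing.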

Checkpoint

1. Which one of the following is not a malware?


A. Application software
B. Spam
C. Computer virus
D. Worm
2. What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
3. Which of the following attack types best describes what commonly takes place to overwrite
a return pointer memory segment?
A. Traversal attack
B. UNICODE attack
C. URL encoding attack
D. Buffer overflow attack

Checkpoint solutions

1. A
2. B
3. D

Unit summary

After completing this unit, you should be able to:


• Understand Malware and its technical functioning
• Understand the various types of malware
• Understand the tools used for reversing malware for Digital Forensics
• Understand the various techniques used in creating malware and applying them for Digital
Forensic analysis
