CYB 205

INTRODUCTION TO DIGITAL FORENSICS

Computer forensics and cyber security may seem similar, but these career paths both have their
own unique differences. Computer forensics deals with locating data that was compromised
during a cyberattack, while cyber security aims to prevent cyberattacks before they occur.

Forensic is the scientific tests or techniques used in connection with the detection of crime”.
Furthermore, forensic is the process of using scientific techniques during the identification,
collection, examination and reporting the evidence to the court.

Digital forensics is the science of locating; extracting and analyzing types of data from different
devices, which specialists then interpret to serve as legal evidence. Digital forensics is the art of
recovering and analysing the contents found on digital devices such as desktops, notebooks /
netbooks, tablets, smartphones, etc. The digital evidence can be found in computer hard disks,
cell phones, iPods, pen drives, digital cameras, CDs, DVDs, floppies, computer networks, the
Internet etc.

"Computer forensics is a science, emerging, which is responsible for ensuring, identify, preserve,
analyze and present data set, also called digital test, so that it can become accepted in a legal
process and / or judicial." It could be termed as a computer technique capable of capturing and
processing data for research purposes aimed to obtain digital evidence to be used in favor of
justice, greatly contributing to society.

Computer forensics is also the practice of collecting, analysing and reporting on digital data in a
way that is legally admissible. It can be used in the detection and prevention of crime and in any
dispute where evidence is stored digitally. It is the use of specialized techniques for recovery,
authentication and analysis of electronic data when a case involves issues relating to
reconstruction of computer usage, examination of residual data, and authentication of data by
technical analysis or explanation of technical features of data and computer usage.

Computer forensics involves recovering data from a device with the goal of revealing evidence
of criminal activity. It is a reactionary practice, meaning it usually takes place after a security
breach has already happened, and is not concerned with the prevention of cybercrime, like cyber
security is. However, while computer forensics professionals do not prevent cybercrime
themselves, the information they uncover can help inform cyber security professionals about
how to prevent cybercrimes in the future.

computer forensics is basically the use of computer analysis techniques and computer
investigations to help find probable legal evidence. Technically, the term computer forensics
refers to the investigation of computers. Digital forensics includes not only computers but also
any digital device, such as digital networks, cell phones, flash drives and digital cameras.

Computer forensics (also known as computer forensic science) is a branch of digital forensic
science pertaining to evidence found in computers and digital storage media. ... Evidence from

1
computer forensics investigations is usually subjected to the same guidelines and practices of
other digital evidence.

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science
encompassing the recovery and investigation of material found in digital devices, often in
relation to computer crime. ... Digital forensics investigations have a variety of applications.

Computer crime, or cybercrime, is any crime that involves a computer and a network. The
computer may have been used in the commission of a crime, or it may be the target. Cybercrimes
as: "Offences that are committed against individuals or groups of individuals with a criminal
motive to intentionally harm the reputation of the victim or cause physical or mental harm, or
loss, to the victim directly or indirectly, using modern telecommunication networks such as
Internet (emails etc). Cyber crime can take two forms; computer-based crime and computer
facilitated crime:

Computer based crime

This is criminal activity that is conducted purely on computers, for example cyber-bullying or
spam. As well as crimes newly defined by the computing age it also includes traditional crime
conducted purely on computers (for example, child pornography).

Computer facilitated crime

Crime conducted in the "real world" but facilitated by the use of computers. A classic example of
this sort of crime is fraud: computers are commonly used to communicate with other fraudsters,
to record/plan activities or to create fraudulent documents. Not all digital forensics investigations
focus on criminal behaviour; sometimes the techniques are used in corporate (or private) settings
to recover lost information or to rebuild the activities of employees.

EVIDENCE & ITS TYPES

Evidence is the key to prove the case in the court, evidence from a legal point of view can be
divided into many types and each type do have its own characteristics in it. To keep the
characteristics in mind during evidence collection helps an investigator to make the case
stronger.

Let's discuss the multiple types of evidence:

1. Real / tangible evidence: As the name suggests, real evidence is consists of a tangible/physical
material e.g hard-drive, flash drive, etc. Apart from the material, human can also be treated as
real evidence e.g. an eye witness.

2. Original evidence: As law-pedia defines, “Evidence of a statement made by a person other

than the testifying witness, which is offered to prove that the statement was actually made rather
than to prove its truth.” This is generally an out of court statement.

2
3. Hearsay evidence: It is also referred as “out of court statement”, it is made in court, to prove
the truth of the matter declared.

4. Testimony: When a witness takes oath in a court and give his/her statement in front of the
court.

Digital evidence is defined as any data stored or transmitted using a computer that support or
refute a theory of crime. It is any probative information stored or transmitted in digital form that
a party to a court case may use at trial.

CHARACTERISTICS OF DIGITAL EVIDENCE

• Timing is one of the important characteristics of digital evidence, first responder has responded
immediately; otherwise, the data may be lost. For example, devices run on batteries may
shutdown and current network connection may be lost.

• Just like fingerprints or any other biometric evidence, digital evidence is also hidden or latent,
which requires a process to unearth.

• Digital evidence might be destroyed or damaged. Quick response and chain of custody is the
key in computer forensics, you need to act according to the situation otherwise the important data
might be damaged (intentionally or unintentionally).

RULES OF EVIDENCE

The five rules of evidence are:

1. Admissible

The first and the most important rule is that your evidence should be able to use in court as an
evidence.

2. Authentic

Evidence should be authentic and it should be related and relevant to the case, you need to prove
in front of the court that the collected evidence is authentic. Fail to do so, means the failure of the
investigation.

3. Complete or Whole

The court will not accept half evidence, you should be unbiased during your investigation and
your evidence should not show the one prospective of the incident. As Matthew says, “it is vital
to collect evidence that eliminates alternative suspects. For instance, if you can show the
attacker was logged in at the time of the incident, you also need to show who else was logged in
and demonstrate why you think they didn’t do it. This is called Exculpatory Evidence and is an
important part of proving a case. ”

3
4. Reliable

Reliability of the evidence is important, but the process is also important and it should not create
any doubt on the evidence.

5. Believable or Acceptable

The evidence presented in the court should be in layman’s language, clear and easy to
understand. You should present a well-crafted version of the document with the reference to the
technical document.

CHAIN OF CUSTODY

“Chain of Custody” is the process to acquire, secure, move and store the evidence until the time
it is presented in court. While seizing the electronic device, you should tag it with the date/time
of acquiring, case number and evidence numbers. This information is crucial while creating a
case in the court. Evidence custodian is responsible to collect, transfer and store the evidence in
the forensics lab. Anyone doing this job should understand its importance and he/she should not
waste the valuable time. Chain (strong metal use to connect or link between stuff) of custody, as
the name says, “chain of custody shows how the evidence is acquired, managed, transferred or
transported during the investigation process. “Chain of custody form” is the tool used to keep
record of every important aspect, here is the sample chain-of-custody form:

4
SOURCES OF EVIDENCE

These are a few sources from where the evidence might be collected:

1. Hard-drive 2. Firewall logs 3. System logs 4. Social networking websites

5. Website that was visited 6. Email 7. GPS devices 8. Security camera's

9. Networking equipment 10. PDA (personal digital assistant) 11. Chat room or chat server

There are generally two sets of data:

• Persistent

• Volatile

Persistent data:

Persistent data is stored in the nonvolatile storage devices, for example; hard-drive, USB,
CD/DVD and other external storage device. This type of data usually not lost after rebooting or
shutting down the machine. At the start of the investigation process, you need to differentiate
between persistent and volatile data. You should make a policy to get the volatile data first; else,
it may be lost. Persistent data is usually collected in the forensics lab.

Volatile Data:

Volatile data is stored in the system memory. This data will be lost if the system is rebooted or
shut down. OR Volatile data is any data stored in system memory that will be lost when the
machine loses power or is shut down. An example Order of Volatility would be:

• Registers and Cache

• Routing Tables

COMPUTER FORENSICS TIMELINE

Year Event

1835 Scotland Yard's Henry Goddard became the first person to use physical analysis to
connect a bullet to the murder weapon.

1836 James Marsh developed a chemical test to detect arsenic, which was used during a
murder trial.

1892 Sir Francis Galton established the first system for classifying fingerprints.

1896 Sir Edward Henry, based on the direction, flow, pattern and other characteristics in
fingerprints.

1920 American physician Calvin Goddard created the comparison microscope to help
determine which bullets came from which shell casings.
5
1930 Karl Landsteiner won the Nobel Prize for classifying human blood into its various
groups.

1970 Aerospace Corporation in California developed a method for detecting gunshot residue
using scanning electron microscopes.

1984 FBI Magnetic Media program, which was later renamed to Computer Analysis and
Response Team (CART), was created and it is believed to be the beginning of computer
forensic.

1988 International Association of Computer Investigative Specialists(IACIS) was formed.

1995 International Organization on Computer Evidence (IOCE) was formed.

1997 G8 nations declared that “Law enforcement personnel must be trained and equipped to
address hightech crimes”.

1998 G8 appointed IICE to create international principles, guidelines and procedures relating
to digital evidence.

• 1st INTERPOL Forensic Science Symposium was held.

2000 First FBI Regional Computer Forensic Laboratory established.

OBJECTIVES OF COMPUTER FORENSICS

The objectives of Computer forensics are to provide guidelines for:

• Following the first responder procedure and access the victim’s computer after incident.

• Designing procedures at a suspected crime scene to ensure that the digital evidence obtained is
not corrupted.

• Data acquisition and duplication.

• Recovering deleted files and deleted partitions from digital media to extract the evidence and
validate them.

• Provide guidelines for analyzing digital media to preserve evidence, analysing logs and
deriving conclusions, investigate network traffics and logs to correlate events, investigate
wireless and web attacks, tracking emails and investigate email crimes.

• Producing computer forensic report which provides complete report on computer forensic
investigation process.

• Preserving the evidence by following the chain of custody.

6
• Employing the rigorous procedures necessary to have forensic results stand up to scrutiny in a
court of law.

• Presenting digital forensics results in a court of law as an expert witness.

BENEFITS OF COMPUTER FORENSICS

With the ever-increasing rate of cyber crimes, from phishing to hacking and stealing of personal
information not only confined to a particular country but the globally at large, there is a need for
forensic experts to be available in public and private organizations. To be able to handle this, it’s
vital for network administrator and security staff of networked organizations to have this course
in practice making sure that they have the laws pertaining to this on their finger tips.

The survival and integrity of any given network infrastructure of any company or organization
strongly depends on the application of computer forensics. They should be taken as the main
element of computer and network security. It would be a great benefit for a company if it has
knowledge of all the technical and legal aspects of this field. Should the company’s network be
under attack and the intruder caught in the act, then an understanding about computer forensics
will be of help in provision of evidence and prosecution of the case in the court of law.

New laws aimed at the protection of customer’s data are continuously being developed. Should
they lose data, then naturally the liability goes to the company. Such cases, if they occur will
automatically result in the company or organization being brought to the court of law for failure
to protect personal data, this can turn out to be very expensive. But through the application of
forensic science, huge chunks of money can be saved by the firms concerned.

Software for vulnerability assessment and intrusion detection has passed the billion dollar mark,
this is according to experts. It simply means that there is a necessity in investment in either
employing an expert in computer forensic in the firms, or having part of their staff trained into
this venture so as to help in detection of such cases should they arise.

IMPORTANCE OF COMPUTER FORENSICS

1. Compensation for damage caused by criminals or intrudes

2. The pursuit and prosecution of criminals

3. Creation and implementation of measures to prevent similar cases.

USES OF COMPUTER FORENSICS

• Intellectual Property theft • Industrial espionage • Employment disputes

• Fraud investigations • Forgeries • Bankruptcy investigations

• Inappropriate email and internet use in the work place • Regulatory compliance

7
CHALLENGES OF DIGITAL FORENSICS

The exponential growth and advancements in the field of computing and network technologies
have made existing digital forensics tools and techniques ineffective. The swift development in
digital forensics resulted in a lack of standardization and training. Since every investigation is
unique, it is hard to create standard procedure for every forensic analysis. However, to meet the
need for standardization, various organizations such as the National Institute of Standards and
Technology (NIST) have published guidelines for digital forensics.

Analysing evidence stored on a digital computer is one of the greatest forensic challenges facing
law enforcement. Laws may restrict the abilities of analysts to undertake investigations since
national and international legislations can hinder how much information can be seized.

Another main challenge in digital forensics is the increasing volume of data that needs to be
analysed. With the emergence of big data, the way digital forensics investigations is carried out
must change. Big data is regarded as datasets that are too big and is characterized by the volume,
velocity, variety and variability of data..

Anti-forensic (or counter-forensic) techniques are becoming a formidable obstacle for the digital
forensic community. They are designed to hinder or circumvent forensic analysis. They are any
attempts to compromise the availability or usefulness of evidence to the forensics process.
People use anti-forensics to frustrate forensic tools, investigations, and investigators.

Before the digital evidence is accepted into court it must be proved that it is not tampered with.

Producing and keeping the electronic records safe are expensive.

Legal practitioners must have extensive computer knowledge.

Need to produce authentic and convincing evidence.

WHY STUDYING DIGITAL FORENSICS

•In legal cases. •To recover data. •To analyze a computer system after a break-in.

•To gather evidence against an employee. •The purpose of debugging.

ROLE OF FORENSICS INVESTIGATOR

Following are some of the important duties of a forensic investigator:

• Confirms or dispels whether a resource/network is compromised.

• Determine extent of damage due to intrusion.

• Answer the questions: Who, What, When, Where, How and Why.

• Gathering data in a forensically sound manner.

• Handle and analyze evidence.

8
• Prepare the report.

• Present admissible evidence in court.

COMPUTER FORENSICS TEAM

Law enforcement and security agencies are responsible for investigating a computer crime,
however every organization should have the capability to solve their basic issues and
investigation by themselves.

Even an organization can hire experts from small or mid-size computer investigation firms. Also
you can create your own firm that provides computer forensic services. To do so, you need a
forensics lab, permission from the government to establish a forensics business, the right tools
with the right people and rules/policies to run the business effectively and efficiently. As
discussed, an organization should have enough capability to handle and solve the basic issues by
their own people. Without this ability, it is very hard for an organization to determine the fraud,
illegal activities, policy, or network breach or even they will find it hard to implement the cyber
security rules in the organization. The need of such abilities may vary and it depends on the
nature of business, security threats and the possible loss.

Here are the key people that a computer investigation firm should have:

• Investigators: This is a group of people (number depends on the size of the firm) who handle
and solve the case. It is their job to use the forensic tools and techniques in order to find the
evidence against the suspect. They may call the law enforcement agencies, if required.
Investigators are supposed to act immediately after the occurrence of the event that is suspected
of criminal activity.

• Photographer: To record the crime scene is as important as investigating it. The

photographer’s job is to take photographs of the crime scene (IT devices and other equipment).

• Incident Handlers (first responder): Every organization, regardless of type, should have
incident handlers in their IT department. The responsibility of these people is to monitor and act
if any computer security incidence happen, such as breaching of network policy, code injection,
server hijacking or any other malicious code installation. They generally use the variety of
computer forensics tools to accomplish their job.

• IT Engineers & technicians (other support staff): This is the group of people who run the
daily operation of the firm. They are IT engineers and technicians to maintain the forensics lab.
This team should consist of network administrator, IT support, IT security engineers and desktop
support. The key role of this team is to make sure the smooth organizational functions,
monitoring, troubleshooting, data recovery and to maintain the required backup.

• Attorney: Since computer forensics directly deal with investigation and to submit the case in
the court, so an attorney should be a part of this team.

9
FIRST RESPONDER

The first responder and the function of the first responder is crucial for computer forensics and
investigation. The first responder is the first person notified, and take action to the security
incident. The first responder is a role that could be assigned to anyone, including IT security
engineers, network administrator and others. The person who is responsible to act as a first
responder should have knowledge, skills and the toolkit of first responders. The first responder
should be ready to handle any situation and his/her action should be planned and well
documented. Some core responsibilities are as follows:

• Figure out or understand the situation, event and problem.

• Gather and collect the information from the crime scene

• Discuss the collected information with the other team members

• Document each and everything

First responder or incident handlers should have first-hand experience of Information security,
different operating systems and their architectures.

RULES OF COMPUTER FORENSICS

There are certain rules and boundaries that should be keep in mind while conducting an
investigation.

1. Minimize or eliminate the chances to examining the original evidence:

Make the accurate and exact copy of the collected information to minimize the option of
examining the original. This is the first and the most important rule that should be considered
before doing any investigation, create duplicates and investigate the duplicates. You should make
the exact copy in order to maintain the integrity of the data.

2. Don't Proceed if it is beyond your knowledge

If you see a roadblock while investigating, then stop at that moment and do not proceed if it is
beyond your knowledge and skills, consult or ask an experienced to guide you in a particular
matter. This is to secure the data, otherwise the data might be damaged which is unbearable. Do
not take this situation as a challenge, go and get additional training because we are in the
learning process and we love to learn.

3. Follow the rules of evidence

The rule of evidence must be followed during the investigation process to make sure that the
evidence will be accepted in court.

10
4. Create Document

Document the behavior, if any changes occur in evidence. An investigator should document the
reason, result and the nature of change occurred with the evidence. Let say, restarting a machine
may change its temporary files, note it down.

5. Get the written permission and follow the local security policy

Before starting an investigation process, you should make sure to have a written permission with
instruction related to the scope of your investigation. It is very important because during the
investigation you need to get access or need to make copies of the sensitive data, if the written
permission is not with you then you may find yourself in trouble for breaching the IT security
policy.

6. Be ready to testify

Since you are collecting the evidence than you should make yourself ready to testify it in the
court, otherwise the collected evidence may become inadmissible.

7. Your action should be repeatable

Do not work on trial-and -error, else no one is going to believe you and your investigation. Make
sure to document every step taken. You should be confident enough to perform the same action
again to prove the authenticity of the evidence.

8. Work fast to reduce data loss

Work fast to eliminate the chances of data loss, volatile data may lost if not collected in time.
While automation can also be introduced to speed up the process, do not create a rush situation.
Increase the human workforce where needed. Always start collecting data from volatile
evidence.

9. Don't shut down before collecting evidence

This is a rule of thumb, since the collection of data or evidence itself is important for an
investigation. You should make sure not to shut down the system before you collect all the
evidence. If the system is shut down, then you will lose the volatile data. Shutdown and
rebooting should be avoided at all cost.

10. Don't run any program on the affected system

Collect all the evidence, copy them, create many duplicates and work on them. Do not run any
program, otherwise you may trigger something that you don't want to trigger. Think of a Trojan
horse.

DIFFERENT TYPES OF DIGITAL FORENSICS

Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of
these sub-disciplines are:
11
1) Computer Forensics: the identification, preservation, collection, analysis and reporting on
evidence found on computers, laptops and storage media in support of investigations and legal
proceedings.

2) Network Forensics: the monitoring, capture, storing and analysis of network activities or
events in order to discover the source of security attacks, intrusions or other problem incidents,
i.e. worms, virus or malware attacks, abnormal network traffic and security breaches.

3) Mobile devises Forensics: the recovery of electronic evidence from mobile phones,
smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.

4) Digital Image Forensics: the extraction and analysis of digitally acquired photographic
images to validate their authenticity by recovering the metadata of the image file to ascertain its
history.

5) Digital Video/Audio Forensics: the collection, analysis and evaluation of sound and video
recordings. The science is the establishment of authenticity as to whether a recording is original
and whether it has been tampered with, either maliciously or accidentally.

6) Memory forensics: the recovery of evidence from the RAM of a running computer, also
called live acquisition.

7) Cloud Forensics: Cloud Forensics is actually an application within Digital Forensics which
oversees the crime committed over the cloud and investigates on it.

COMPUTER FORENSICS PROCESS OR STAGES

Computer forensics work procedure or work process can be divided into 5 major parts:

Identification

The first process of computer forensics is to identify the scenario or to understand the case. At
this stage, the investigator has to identify the purpose of investigation, type of incident, scope of
the investigation, parties that involved in the incidence, and the resources that are required to
fulfill the needs of the case.

Collection

The collection (chain of custody) is one of the important steps because your entire case is based
on the evidence collected from the crime scene. Collection is the data acquisition process from
the relevant data sources while maintaining the integrity of data. Timely execution of the
collection process is crucial in order to maintain the confidentiality and integrity of the data.
Important evidence may lost if not acted as required. Gather, protect, and preserve the original
evidence.

12
Examination

The aim of third process is to examine the collected data by following standard procedures,
techniques, tools and methodology to extract the meaningful information related to the case.

Analysis

Since all five processes are linked together, the analysis is the procedure to analyze the data
acquired after examination process. At this stage, the investigator search for the possible
evidence against the suspect, if any. Use the tools and techniques to analyze the data. Techniques
and tools should be justified legally, because it helps you to create and present your report in
front of the court.

Reporting

This is the final, but the most important step. At this step, an investigator needs to document the
process used to collect, examine and analyze the data. The investigation report also consists the
documentation of how the tools and procedures were being selected. The objective of this step is
to report and present the findings justified by evidences. Every step mentioned above can be
further divided into many parts and every part has its own standard operating procedures, we
look into them in detail in the coming chapters.

STAGES IN IDENTIFICATION AND COLLECTION PHASE

At the time that the computer attack is known, it should reach the source of the device, to collect
and identify the physical characteristics of the element in which forensic analysis will be done,
so that it can preserve.

• What information is needed? • How to take advantage of the information presented?

• In what order I place the information? • Shares necessary to follow for forensic analysis?

Stage 1: Initial Survey information

Perform forensic application the affected computer administrator notifies the execution of the
incident and therefore requests the monitoring. Since the first phase should be document
everything is done for forensic analysis. The information must be in the document should be as
follows.

a) Description of computer crime

• Date of Incident • Duration of the incident • Incident details

b) General Information

• Area • Name of dependency • Responsible for the affected system

• Name and surname • Position • Phone • Extension

• Cell phone • Fax

13
c) Information on the affected computer

• IP address • Name of the team • Brand and model • RAM Capacity

• Hard Disk Capacity • Processor Model • Operating system (name and version)

• Computer role • Type of information processed by the computer

• All information on the incident, digital evidence, copies or images of the crime scene

Stage 2: Ensure the scene

It should identify the evidence in our crime scene, so we need trained personnel and understand
the methodology used. The evidence is classified as follows.

a) Device Type

• Information systems • Wireless networks • Mobile devices

• Embedded Systems • Other devices

STAGES IN EXAMINATION AND VALIDATION PHASE

The information gained in the previous phase validates and protects it through an image shown
element, assigning a unique code corresponding to a unique combination of bytes. The code is
difficult to decipher to avoid vulnerabilities redeemed only legally qualified and authorized
information can manipulate and copy the code for the protection of the element.

Stage 1: Copies of evidence

At this stage two backups of the evidence collected above is done, MD5 or SHA1 signatures
included on the label of each copy to distinguish them from the original. Should also include the
time of extraction equipment, data of the person, date, time and place where the evidence was
stored.

Stage 2: Chain of custody

Here a document where you have to register the responsibility and control of each of the persons
handling the evidence, since they were taken to storage thereof is prepared. The document must
contain the following:

• Where, when and who examined the evidence, including your name, title, its identification
number, dates and times, etc.

• Who was guarding the evidence for how and where time is stored.

• When custody of evidence also should document is changed when and how the transfer
occurred and who carried it.

14
STAGES IN ANALYSIS PHASE

According to the backup validated in the previous phase, we proceed to make a collection of
evidence. Should be examined thoroughly and find information. Here the attack when analyzing
suspected unauthorized tampering is detected, which has been the deletion of information which
involves a person or information that may have been hidden or stored in unconventional media
such as floppy disks, CD-ROM , dvd-rom, flash drive.

Stage 1: Preparing for analysis

• It must be conditioned workplace, according to what is to be done.

• Working with copies of the images for assembly as it were in the compromised system.

• There have sufficient workspace for better comfort, in which at least two hard drives will be
provided.

• Install an operating system which is suitable for the study of the evidence. On the same
computer and install the second hard disk images to maintain the structure of partitions and file
system as they were on the target machine.

• In another computer to install an operating system identical to attack, for testing and checking
as they arise hypotheses about the attack.

Stage 2: Reconstruction of attack

• With the images already installed you should create a timeline of events with its complete path,
size in bytes and type of files, access permissions, if it was deleted or not.

• Sort files according to the dates, the idea is to find files that have been created, modified or
deleted programs or facilities that are in unusual routes.

• Call your methodically starting with deleted or inspecting log files and records were examined
during the search for signs of attack files.

Stage 3: Determination and identification of attack

• Must verify which was the gateway to the system, knowing that the attacker actions performed
by reviewing services and open processes that were collected as evidence, such as TCP ports and
connections that were open.

• Finding what the vulnerability was should search the internet a malicious program that has been
used by the attacker or also by information submitted by a corrector vulnerabilities as it is:
www.packetstormsecurity.org

• Reinforce the hypotheses above using a cause and effect. Try on the computer prepared by
specialists to reproduce and verify the fact that affected the attacked computer.

15
• Try to find out the IP address of the attacker, checking network connections, it could also locate
through the evidence: virtual memory or temporary files and deleted, failed connections, remains
email, etc.

• Obtained the suspect IP, check to whom it belongs in the register of ICANN, which aims to
ensure that the Internet is secure, stable and interoperable nonprofit. Although many hackers
falsify their IP spoofing techniques, known as the creation of TCP / IP frames faking IP.

STAGES IN PRESENTATION PHASE

In this phase a detailed report in clear language is presented and the technical time, which the
most notable of what happened in the analyzed system will expose facts. It should be informed
team managers and so the technical and executive reports as shown in Table 1 are presented.

Stage 1: Using the incident registration forms

The forms must be completed by the departments concerned or by the computer administrator.
Some forms to be submitted are:

• Document custody of evidence • Form identification of equipment and components

• Form typified incidents • Form of publication of incident • Form evidence collection

• Form HDDs.

Stage 2: Technical Report

This report provides a more detailed presentation on the analysis done. Background should
describe the methodology, techniques and findings of the team, and contain at least the following
items.

• Introduction • Background incident • Data collection

• Description of evidence • Environment analysis • Tools Description

• Analysis of evidence • Information system analyzed • Operating System Features

• Applications • Services • Vulnerabilities • Methodology

• Description of the findings • Traces of the intrusion • Tools used by the attacker

• Scope of intrusion • The source of the attack • Chronology of intrusion

• Conclusions • Specific recommendations • References • Annexes

Stage 3: Executive Report

Here is a summary of the analysis performed is performed, using non-technical language, where
the most important facts will be explained in the analyzed system. It should consist of a few
pages, three to five, the same that will be led by non-specialists in computer science.

16
• Introduction • Analysis • Summary of the incident • Key findings of the analysis

• Solution to the incident • Final Recommendations

TECHNIQUES OF DIGITAL FORENSIC ANALYSIS

The goal of the investigator is to find, every single evidences stored in devices. More the
suspected user is skilled, more difficult it would be to accomplish to this task. It is also possible
for an investigator to make errors while performing specific actions, or omitting clues while
looking for digital evidence. Digital forensic techniques have been developed to achieve the
goals of locating data & capturing data and then analyze the data. It is the computer forensics
investigator to analyze the case to select a set of tools and techniques needed to process the
evidence discovery. Manually searching for the evidence in a digital device will take more time,
to avoid this, many hardware and software tools have been developed to help the investigator. To
achieve the goal, a computer forensics specialist must handle with the obstacles of the forensic
investigator. Some of the obstacles are:

 Normally in a computer system large number of files will be stored. The investigator has to
identify which one is related to the crime.

 It is possible that the information related to the crime has been deleted. In this case the
investigator has to search, which is wastage of time.

 If the files are protected by passwords, the investigators should find a way to read protected
data in unauthorized ways.

 The data needs to be stored in a broken device but by assumption the investigator search the
data in working devices.

 The basic obstacle is that, each and every case is different. To identify the techniques and
tools it take more time.

 The digital data found should be protected from being altered. It is very difficult to prove that
the data under investigation is unaltered.

The common methods to achieve the goal of finding digital evidences could be summarized in
locating data, capturing data by recovering the hidden or deleted data.

A. Locating Data

Physical devices are full of data, searching the contents of the whole physical device could result
in wasting lot of time. Data locating is the process of discovering sensible data stored in hard
disks or other devices. To locate data it is necessary to know, how O.S use storage devices for
data management. Normally the data location will be carried out in the following area of a
computer system.

1. File Slacks
17
Blocks are the logical entries of the operating system which divide the space used by a partition;
clusters are physical entities of a hard disk. Hard disk is usually divided into cylinders and
cylinders are divided into clusters. Most HDD come from the factory with a low level format
where, block size = 512 bytes. The NTFS file system can create cluster sizes of a multiple of 512
with a default of 8 blocks for each cluster. Size of a block is multiple of size of cluster, so that in
a logical block will fit an exact number of physical clusters “one file one cluster. That is, in each
cluster will be inserted information belonging at most to a single file. As a consequence, when
writing a file in a hard disk, some cluster remains partially filled or fully unused. As the
operating system can only write a full block, it follows that the unused space should be fit with
some sequence of bytes that can be used by any one. Keeping in mind that these data are stored
in a disk because of the operating system limits to write only a full block, they could be located
by looking for an end-of-character and then reading whatever follows.

2. Free Space

Since the file system should insert new files inside the storage device, it has to know if a
particular block is free or not. Once again, the way in which this functionality is provided
depends from file system to file system. The operating system uses the free space only to store
new data, since if there is no file associated to that block then there will be no information to
handle. Data contained in the free space will be transparent to almost all the applications. It is
important to notice that operating systems provide functionality to read arbitrary blocks from the
file system, whether they are marked as free space or not, so data stored in free space are not
transparent to the operating system. A skilled user could hide sensible information inside blocks
considered as free space by the file system; these data are not associated with any files, so they
cannot be found by a file searching utility.

3. Windows Registry

It acts as a storage location for system configurations and it provides lots of information to
investigators. The Windows registry stores a wide variety of information, including core system
configurations, user-specific configuration, information on installed applications, and user
credentials. The important aspect of the registry is that, it records a time stamp when modified
which can aid in event reconstruction. The system registry is physically stored inside the storage
device, precisely it uses two files: user.dat and system.dat. The database which constitutes the
system registry follows a hierarchical model: the main entities are keys, denoted by a string
representing the name of the key. Each key can be linked to other keys and with other entities
called values. Values consist of three fields: a name representing the value, a type field which
specifies what kind of data is represented in the value, and finally data associated with the value.
This hierarchical model is similar to file organization into directories; as for files, every key and
every value have a unique path associated to them, which is the ordered list of keys to walk
through for reaching the key and value, and which the last node of the list is the key or value
itself. Almost all the operation in the windows operating system involves reading from and
writing to the system registry. Searching for data through the registry is a good way to redevelop
the history of actions taken by users of the computer system. The physical organization of the
two files mentioned above in quite intricate, and it would be virtually impossible to read data
18
without using specific applications; fortunately, windows provide specific software to
accomplish this task, which is called Regedit.

4. Browser History & Temporary Files

Normally the website visited will be stored by the browser in the web history. From the web
history content the recent web site visited and the date of visit can be traced for investigation.
Applications usually provide special functionalities to provide easy recovery of unsaved data
after a boot crash. The way in which applications accomplish this task is by saving temporary
files periodically; if a system crash occurs, the most recent temporary files will contain the most
part of the lost data. Temporary files are also useful in internet applications; users commonly
visit some web site more frequently than others. Storing information about these web sites, such
as images or hypertext documents, will speed up a browser, since data are present locally and
should not be requested to the web site for transfer. It is then obvious that temporary files may
help in redeveloping the history of a computer system: visited web documents revisions, visited
web sites, and so on.

B. Capture Data

Data could be made in custody from the suspected user. This includes passwords stealing, mail
interception and computer monitoring. The data capture depends on many factors: what kind of
data is to be captured, where it has been stored, when the data can be captured. Some of the
techniques for data capturing is explained below.

1. Keystroke loggers

Key-logger is an application, which is used to keep record of user's activities on the computer in
various ways like keyboard logging, screen logging, mouse logging and voice logging,
completely in imperceptible mode. The types of key-loggers are Software & Hardware. Software
based key logging is a familiar constituent of Trojan horses, that are often installed by gaining
physical access to the computer or by downloaded programs. Hardware key-loggers are to be
attached or placed inside the keyboard. Most of the key-loggers initiate their process execution
using the name of any system service routine. In this way user can't distinguish between key-
logger processes and any other system routine. Most of key-loggers provide some means of
remote installation in completely hush mode. Once a key-logger gets installed, then one can
imagine that all of the typed keys become unsecured. It is not necessary for the investigator to
have physical access of a system both for installation and key-log viewing.

2. Wiretapping

A common technique used to seize data is to monitor network connections and traffic, also called
as wiretapping. Wiretapping comes in different forms, which differ from the network
environment of the computer system which network traffic wants to be monitored; common
features that determine how wiretapping should be performed are the kind of connection of the
computer system, the medium used for data transmissions, local network topology and the nature
of the connection to be monitored, which could be encrypted or not. The goal of wiretapping is

19
to read incoming and outgoing data, which should be sensible for investigation. In every case the
wiretapping requires a physical access to the connection media from the computer system to the
checkpoints (ISP or gateway), and hardware for data monitoring should be provided. The
common obstacles are:

 The data flow may result in error. In that case it should be requested for retransmission

 The data may be encoded. In that case some software’s are used to find the original data.

 The connection itself is encrypted, it is most important to find the session key which is bit
difficult.

3. Spyware

Since wiretapping cannot handle encrypted connections, other ways should be used to track
online activities of users. A useful technique is to use software like spyware. A spyware is a
utility which, once installed on a computer system, monitors the online activities of the users of
that computer, it seize data such as password or e-mails, and then sends the collected information
to the investigator. In case of wiretapping the encrypted data are seized, which is very difficult to
decrypt. In case of spyware the data before encryption is seized by the investigators. The main
obstacle is to install the spyware before the data seizing starts. The tricky method to install
spyware inside a computer system is to exploit browser vulnerabilities to build a web page which
when visited, which provoke the spyware to be installed.

SYSTEM PROFILING

An investigator has to get the profile of the system. It is the job of the network administrator to
maintain the profile of every system. However, the system profile can be created in the run time.
Typically, the following information should collected to compile the system profile:

1. OS type and version 2. total amount of physical memory

3. system installation date 4. pagefile location

5. registered owner 6. installed physical hardware and configurations

7. system directory 8. installed software applications

Systeminfo.exe

The mentioned command is for Windows OS, and it allows you to collect some important
information about the system.

In case of a Linux machine, you can use the following commands:

cat /proc/meminfo

cat /proc/cpuinfo

LEGAL PROCESS
20
The legal process depends on your local laws and rules. Somehow, we can make a standard
process because every case should have the following in it:

• Complaint • Investigation • Prosecution

The aforementioned steps are actually the stages of a case. In the first stage, a complaint
received, the investigator will investigate the complaint, and with the help of prosecutor, collect,
analyze and report to build a case. You can't start a criminal investigation by yourself. A criminal
investigation requires evidence of an illegal act. If evidence is not found, then the criminal
investigation cannot be started. Someone should inform the local police about the crime that has
been committed and based on receiving the complaint the further investigation would be started.
At the very first step, the local police investigate the crime. They report the type of the case to
the top management and then a specialist will be assigned to look after the case. Not every
policeman is a computer expert. Sometimes they only know the basics about digital devices.
During the seizure process, they might damage the critical evidence. To avoid any mishaps,
CTIN has defined levels of law enforcement expertise. Bill Nelson, Amelia & Christopher
Steuart have also mentioned in their book:

1. The Police officer is responsible for acquiring and seizing the digital evidence on the crime
scene.

2. Managing high-tech investigations, teaching investigators what to ask for, and understanding
computer terminology and what can and can’t be retrieved from digital evidence. The assigned
detectives usually handle the case.

3. Specialist training in retrieving digital evidence, normally conducted by a data recovery or

computer forensics expert, network forensics expert, or Internet fraud investigator. This person
might also be qualified to manage a case, depending on his or her background.

You, as an investigator should have knowledge and expertise of computer forensics, and how to
handle cyber-crime cases. You have to judge the level of expertise of the other team members
and assign their roles, responsibilities and the expected performance. Follow the systematic
approach discussed, look for the evidence and then create a strong case supported by the
evidences.

LIMITATION OF DIGITAL FORENSIC INVESTIGATION

Digital forensic investigation offers certain limitations listed below

• Need to produce convincing evidences

One of the major setbacks of digital forensics investigation is that the examiner must have to
comply with standards that are required for the evidence in the court of law, as the data can be
easily tampered. On the other hand, computer forensic investigator must have complete
knowledge of legal requirements, evidence handling and documentation procedures to present
convincing evidences in the court of law.

21
• Investigating Tools

The effectiveness of digital investigation entirely lies on the expertise of digital forensics
examiner and the selection of proper investigation tool. If the tool used is not according to
specified standards then in the court of law, the evidences can be denied by the judge.

• Lack of technical knowledge among the audience

Another limitation is that some individuals are not completely familiar with computer forensics;
therefore, many people do not understand this field. Investigators have to be sure to
communicate their findings with the courts in such a way to help everyone understand the
results.

• Cost

Producing digital evidences and preserving them is very costly. Hence this process may not be
chosen by many people who cannot afford the cost.

FORENSICS READINESS

Forensic readiness is the ability of an organisation to maximise its potential to use digital
evidence whilst minimising the costs of an investigation. In a business context there is the
opportunity to actively collect potential evidence in the form of logfiles, emails, back-up disks,
portable computers, network traffic records, and telephone records, amongst others. This
evidence may be collected in advance of a crime or dispute, and may be used to the benefit of the
collecting organisation if it becomes involved in a formal dispute or legal process.

GOALS OF FORENSIC READINESS

Some of the important goals of forensics readiness are:

• to gather admissible evidence legally and without interfering with business processes;

• to gather evidence targeting the potential crimes and disputes that may adversely impact an
organisation;

• to allow an investigation to proceed at a cost in proportion to the incident;

• to minimise interruption to the business from any investigation; and

• to ensure that evidence makes a positive impact on the outcome of any legal action.

BENEFITS OF FORENSIC READINESS

Forensic readiness can offer an organisation the following benefits:

• evidence can be gathered to act in an organisation's defence if subject to a lawsuit;

• comprehensive evidence gathering can be used as a deterrent to the insider threat (throwing
away potential evidence is simply helping to cover the tracks of a cybercriminal);
22
• in the event of a major incident, an efficient and rapid investigation can be conducted and
actions taken with minimal disruption to the business;

• a systematic approach to evidence storage can significantly reduce the costs and time of an
internal investigation;

• a structured approach to evidence storage can reduce the costs of any courtordered disclosure or
regulatory or legal need to disclose data (e.g. in response to a request under data protection
legislation);

• forensic readiness can extend the scope of information security to the wider threat from cyber
crime, such as intellectual property protection, fraud, extortion etc;

• it demonstrates due diligence and good corporate governance of the company's information
assets;

• it can demonstrate that regulatory requirements have been met;

• it can improve and facilitate the interface to law enforcement if involved;

• it can improve the prospects for a successful legal action;

• it can provide evidence to resolve a commercial dispute; and

• it can support employee sanctions based on digital evidence (for example to prove violation of
an acceptable use policy)

STEPS FOR FORENSIC READINESS PLANNING

The following ten steps describe the key activities in forensic readiness planning:

1. Define the business scenarios that require digital evidence;

2. Identify available sources and different types of potential evidence;

3. Determine the evidence collection requirement;

4. Establish a capability for securely gathering legally admissible evidence to meet the
requirement;

5. Establish a policy for secure storage and handling of potential evidence;

6. Ensure monitoring is targeted to detect and deter major incidents;

7. Specify circumstances when escalation to a full formal investigation (which may use the
digital evidence) should be launched;

8. Train staff in incident awareness, so that all those involved understand their role in the digital
evidence process and the legal sensitivities of evidence;

9. Document an evidence-based case describing the incident and its impact; and
23
10. Ensure legal review to facilitate action in response to the incident.

BRIEF DESCRIPTION OF EACH OF THE TEN STEPS.

1. Define the business scenarios that require digital evidence: The first step in forensic
readiness is to define the purpose of an evidence collection capability. The rationale is to look at
the risk and potential impact on the business from the various types of crimes and disputes. What
is the threat to the business and what parts are vulnerable? This is, in effect, a risk assessment,
and is performed at the business level. The aim is to understand the business scenarios where
digital evidence may be required and may benefit the organisation the event that it is required. In
general the areas where digital evidence can be applied include:

• reducing the impact from computer-related crime;

• dealing effectively with court orders to release data;

• demonstrating compliance with regulatory or legal constraints;

• producing evidence to support company disciplinary issues;

• supporting contractual and commercial agreements; and

• proving the impact of a crime or dispute.

In assessing these scenarios, this step provides an indication of the likely benefits of being able
to use digital evidence. If the identified risks, and the potential benefits of forensic readiness,
suggest a good return on investment is achievable, then an organisation needs to consider what
evidence to gather for the various risk scenarios.

2. Identify available sources and different types of potential evidence: The second step in
forensic readiness is for an organisation to know what sources of potential evidence are present
on, or could be generated by, their systems and to determine what currently happens to the
potential evidence data. Computer logs can originate from many sources. The purpose of this
step is to scope what evidence may be available from across the range of systems and
applications in use. Some basic questions need to be asked about possible evidence sources to
include.

• Where is data generated? • What format is it in? • How long is it stored for?

• How is it currently controlled, secured and managed? • Who has access to the data?

• How much is produced? • Is it archived? If so where and for how long?

• How much is reviewed? • What additional evidence sources could be enabled?

• Who is responsible for this data? • Who is the formal owner of the data?

• How could it be made available to an investigation? • What business processes does it

relate to? • Does it contain personal information?

24
Email is an obvious example of a potential rich source of evidence that needs careful
consideration in terms of storage, archiving & auditing and retrieval. But this is not the only
means of communication used over the internet, there is also instant messaging, web-based email
that bypasses corporate email servers, chat-rooms and newsgroups, even voice over the internet.
Each of these may need preserving and archiving. The range of possible evidence sources
includes:

• equipment such as routers, firewalls, servers, clients, portables, embedded devices etc;

• application software such as accounting packages etc for evidence of fraud, erp packages for
employee records and activities (e.g. in case of identity theft), system and management files etc;

• monitoring software such as intrusion detection software, packet sniffers, keyboard loggers,
content checkers, etc;

• general logs such as access logs, printer logs, web traffic, internal network logs, internet traffic,
database transactions, commercial transactions etc;

• other sources such as: cctv, door access records, phone logs, pabx data etc; and

• back-ups and archives

3. Determine the Evidence Collection Requirement: It is now possible to decide which of the
possible evidence sources identified in step 2 can help deal with the crimes and disputes
identified in step 1 and whether further ways to gather evidence are required. This is the
evidence collection requirement. The purpose of this step is to produce an evidence requirement
statement so that those responsible for managing the business risk can communicate with those
running and monitoring information systems through an agreed requirement for evidence. One of
the key benefits of this step is the bringing together of IT with the needs of corporate security. IT
audit logs have been traditionally configured by systems administrators independently of
corporate policy and where such a policy exists there is often a significant gap between
organisational security objectives and the ‘bottom-up’ auditing actually implemented. The
evidence collection requirement is moderated by a cost benefit analysis of how much the
required evidence will cost to collect and what benefit it provides. The critical question for
successful forensic readiness is what can be performed cost effectively. By considering these
issues in advance and choosing storage options, auditing tools, investigation tools, and
appropriate procedures it is possible for an organisation to reduce the costs of future forensic
investigations.

4. Establish a capability for securely gathering legally admissible evidence to meet the
requirement: At this point the organisation knows the totality of evidence available and has
decided which of it can be collected to address the company risks and within a planned budget.
With the evidence requirement understood, the next step is to ensure that it is collected from the
relevant sources and that it is preserved as an authentic record. At this stage legal advice is
required to ensure that the evidence can be gathered legally and the evidence requirement can be
met in the manner planned. For example, does it involve monitoring personal emails, the use of

25
personal data, or ‘fishing trips1 ’ on employee activities? In some countries, some or all of these
activities may be illegal. Relevant laws, in the areas of data protection, privacy and human rights,
will inevitably constrain what can actually be gathered. Some of the guidelines are:

• monitoring should be targeted at specific problems.

• it should only be gathered for defined purposes and nothing more; and

• staff should be told what monitoring is happening except in exceptional circumstances.

Physical security of data such as back-up files or on central log servers is important from the data
protection point of view, and also for secure evidence storage. As well as preventative measures
such as secure rooms and swipe card access it is also prudent to have records of who has access
to the general location and who has access to the actual machines containing evidence. Any
evidence or paperwork associated with a specific investigation should be given added security
by, for example, storing in a safe. Additional security of logs can also be achieved through the
use of WORM storage media.

5. Establish a policy for secure storage and handling of potential evidence: The objective of
this step is to secure the evidence for the longer term once it has been collected and to facilitate
its retrieval if required. It concerns the long-term or off-line storage of information that might be
required for evidence at a later date. A policy for secure storage and handling of potential
evidence comprises security measures to ensure the authenticity of the data and also procedures
to demonstrate that the evidence integrity is preserved whenever it is used, moved or combined
with new evidence. In the parlance of investigators this is known as continuity of evidence (in
the UK) and chain of custody (in the US). The continuity of evidence also includes records of
who held, and who had access to, the evidence (for example from swipe control door logs). A
significant contribution to the legal collection of evidence is given by the code of practice on the
legal admissibility and weight of information stored electronically, published by the British
Standards Institution. This document originated from a perceived need for evidence collection in
the paperless office. The problem it addressed is if all paper documents are scanned, can the
paper sources be thrown away without loss of evidential usability? The current edition broadens
the scope to all information management systems, Ad hoc opportunistic searches, without
justification, for potentially incriminating activities or communication such as those where
information is transmitted over networks such as email systems for example. It points out that
methods of storage, hardware reliability, operation and access control, and even the programs
and source code, may be investigated in order to determine admissibility. A closely related
international standard is being developed as ISO 15801. The required output of this step is a
secure evidence policy. It should document the security measures, the legal advice and the
procedural measures used to ensure the evidence requirement is met. Upon this document rests
the likely admissibility and weight of any evidence gathered.

6. Ensure monitoring and auditing is targeted to detect and deter major incidents: In
addition to gathering evidence for later use in court, evidence sources can be monitored to detect
threatened incidents in a timely manner. This is directly analogous to Intrusion Detection
Systems (IDS), extended beyond network attack to a wide range of behaviours that may have
26
implications for the organisation. It is all very well collecting the evidence. This step is about
making sure it can be used in the process of detection. By monitoring sources of evidence we can
look for the triggers that mean something suspicious may be happening. The critical question in
this step is when should an organisation be suspicious? A suspicious event has to be related to
business risk and not couched in technical terms. Thus the onus is on managers to explain to
those monitoring the data what they want to prevent and thus the sort of behaviour that IDS
might be used to detect for example. This should be captured in a ‘suspicion’ policy that helps
the various monitoring and auditing staff understand what triggers should provoke suspicion,
who to report the suspicion to, whether heightened monitoring is required, and whether any
additional security measures should be taken as a precaution. Each type of monitoring should
produce a proportion of false positives. The sensitivity of triggers can be varied as long as the
overall false positive rate does not become so high that suspicious events cannot be properly
reviewed. Varying triggers also guards against the risk from someone who knows what the
threshold on a particular event is and makes sure any events or transactions he wishes to hide are
beneath it.

7. Specify circumstances when escalation to a full formal investigation (which may use
digital evidence) is required: Some suspicious events can be system generated, such as by the
rule-base of an IDS, or the keywords of a content checker, and some will be triggered by human
watchfulness. Each suspicious event found in step 6 needs to be reviewed. Either an event will
require escalation if it is clearly serious enough, or it will require enhanced monitoring or other
precautionary measures, or it is a false positive. The purpose of this step is to decide how to react
to the suspicious event. The decision as to whether to escalate the situation to management will
depend on any indications that a major business impact is likely or that a full investigation may
be required where digital evidence may be needed. The decision criteria should be captured in an
escalation policy that makes it clear when a suspicious event becomes a confirmed incident. At
this point an investigation should be launched and policy should indicate who the points of
contact are (potentially available on a 24x7 basis) and who else needs to be involved. As with
steps 3 and 6, the network and IT security managers and the non-IT managers need to understand
each other’s position. What level of certainty or level of risk is appropriate for an escalation?
What strength of case is required to proceed? A preliminary business impact assessment should
be made based on whether any of the following are present:

• evidence of a reportable crime

• evidence of internal fraud, theft, other loss

• estimate of possible damages (a threshold may induce an escalation trigger)

• potential for embarrassment, reputation loss

• any immediate impact on customers, partners or profitability

• recovery plans have been enacted or are required; and

• the incident is reportable under a compliance regime.

27
8. Train staff, so that all those involved understand their role in the digital evidence process
and the legal sensitivities of evidence: A wide range of staff may become involved in a
computer security incident. The aim of this step is to ensure that appropriate training is
developed to prepare staff for the various roles they may play before, during and after an
incident. It is also necessary to ensure that staff is competent to perform any roles related to the
handling and preservation of evidence. There will be some issues relevant to all staff if they
become involved in an incident. The following groups will require more specialised awareness
training for example:

• the investigating team; • corporate HR department;

• corporate PR department (to manage any public information about the incident);

• 'owners' of business processes or data; • line management, profit centre managers;

• corporate security; • system administrators; • IT management;

• legal advisers; and • senior management (potentially up to board level).

At all times those involved should act according to ‘need to know’ principles. They should be
particularly aware whether any staff, such as ‘whistle blowers’ and investigators, need to be
protected from possible retaliation by keeping their names and their involvement confidential.
Training may also be required to understand the relationships and necessary communications
with external organisations that may become involved.

9. Present an evidence-based case describing the incident and its impact: The aim of an
investigation is not just to find a culprit or repair any damage. An investigation has to provide
answers to questions and demonstrate why those answers are credible. The questions go along
the lines of who, what, why, when, where and how. Credibility is provided by evidence and a
logical argument. The purpose of this step is to produce a policy that describes how an evidence-
based case should be assembled. A case file may be required for a number of reasons:

• to provide a basis for interaction with legal advisers and law enforcement;

• to support a report to a regulatory body;

• to support an insurance claim;

• to justify disciplinary action;

• to provide feedback on how such an incident can be avoided in future;

• to provide a record in case of a similar event in the future (supports the corporate memory so
that even if there are changes in personnel it will still be possible to understand what has
happened); and

• to provide further evidence if required in the future, for example if no action is deemed
necessary at this point but further developments occur.

28
10. Ensure legal review to facilitate action in response to the incident: At certain points
during the collating of the cyber-crime case file it will be necessary to review the case from a
legal standpoint and get legal advice on any follow-up actions. Legal advisers should be able to
advise on the strength of the case and suggest whether additional measures should be taken; for
example, if the evidence is weak is it necessary to catch an internal suspect red handed by
monitoring their activity and seizing their PC? Any progression to a formal action will need to be
justified, cost-effective and assessed as likely to end in the company’s favour. Although the
actual decision of how to proceed will clearly be post-incident, considerable legal preparation is
required in readiness. Legal advisors should be trained and experienced in the appropriate
cyberlaws and evidence admissibility issues. They need to be prepared to act on an incident,
pursuant to the digital evidence that has been gathered and the case presented in step 9. Legal
advice should also recognise that the legal issues may span legal jurisdictions e.g. states in the
US, member states in the EU. Advice from legal advisers will include:

• any liabilities from the incident and how they can be managed;

• finding and prosecuting/punishing (internal versus external culprits);

• legal and regulatory constraints on what action can be taken;

• reputation protection and PR issues;

• when/if to advise partners, customers and investors;

• how to deal with employees;

• resolving commercial disputes; and

• any additional measures required.

COMPUTER FORENSICS TOOLS

Computers are getting more powerful day by day, so the field of computer forensics must rapidly
evolve. Previously, we had many computer forensic tools that were used to apply forensic
techniques to the computer. However, we have listed a few best forensic tools that are promising
for today’s computers:

➢ SANS SIFT

➢ ProDiscover Forensic

➢ Volatility Framework

➢ The Sleuth Kit (+Autopsy)

➢ CAINE (Computer Aided Investigative Environment)

➢ Xplico

➢ X-Ways Forensics
29
Others include:

A. WinHex

It is made by X-Ways Software Technology AG of Germany, is a powerful tool for data analysis,
editing, and recovery. WinHex is compatible with Windows 95 through Windows XP. The
features of WinHex which are used in the investigation process are

 Highlight the slack space and free space

 Recover the deleted file which is not yet replaced by any other data

 Search inside the file content for hidden data

 Track the steganography content

 Compute hash code for disk/file to check the reliability

 Check the mounted devices

 Create cone of a disk

This is one the most efficient and effective software which is used in many crime investigation in
the current world.

B. Regedit

30
It is a windows tool which allows reading the contents of the windows registry; due to the vast
amount of information stored in windows registry, the registry can acts as a wealth for an
investigator. Windows 2000 and XP Registry Editor have an implementation flaw that allows
hiding registry information, preventing users by viewing and editing them, regardless of their
access privilege. The registry is a log which will store information about Autorun Locations
MRU Lists UserAssist Wireless Networks LAN Computers USB Devices
Mounted Devices Internet Explorer Opera, Netscape, and Firefox.

C. WinSpy

WinSpy is an application that can find Internet activities and Windows activities as it records and
logs keystrokes, the location bar history, cookies, Internet cache, Internet history, URLs in
hidden index.dat file, recent documents history, Windows search files and computer history, start
menu run history, and open/save dialog box history with Super WinSpy, it is easy to find what
the others have done on a computer, including what web sites they have visited, what text,
images, movies they have seen and also what files they opened/saved, what kind of search they
have done and what they ran at the start menu. The figure below shows the different features of
winSpy.

31
32