UNIT-4 Information Security - Cryptography

All notes for 4th unit

Uploaded by rakupatil999

UNIT 4

Understanding Computer Forensics


UNIT IV
Understanding Computer Forensics: Historical Background of Cyberforensics, Digital
Forensics Science, The Need for Computer Forensics, Cyberforensics and Digital Evidence,
Forensics Analysis of Email, Digital Forensics Lifecycle, Chain of Custody Concept, Network
Forensics, Approaching a Computer Forensics Investigation, Setting of a Computer Forensics
Laboratory: Understanding the Requirements, Computer Forensics and Steganography,
Relevance of the OSI 7 Layer Model to the Computer Forensics and Social Networking Sites:
The Security/Privacy Threats, Forensics Auditing, Anti Forensics.
● Cyber forensics plays a key role in the investigation of cybercrime. “Evidence” in the case of
“cyber offenses” is extremely important from a legal perspective.
● There are legal aspects involved in the investigation as well as in the handling of digital
forensics evidence. Only technically trained and experienced experts should be
involved in forensics activities.
 Historical Background of Cyber forensics
 The Florida Computer Crimes Act was the first computer crime law to address computer
fraud and intrusion. It was enacted in Florida in 1978. “Forensics evidence” is important
in the investigation of cybercrimes.
 Computer forensics is the identification, preservation, collection, analysis and
reporting of evidence found on computers, laptops and storage media in support of
investigations and legal proceedings.
 There are two categories of computer crime: one is criminal activity that involves using
a computer to commit a crime, and the other is criminal activity that has a computer as its
target.
 Digital Forensics Science
● Digital forensics (sometimes known as digital forensic science) is a branch of forensic
science that includes the recovery and investigation of material found in digital devices, often
in relation to computer crime.
● Computer forensics definition: it is the application of investigation and analysis
techniques to gather and preserve evidence from a particular computing device in a way
that is suitable for presentation in a court of law. In other words, it is the collection of
techniques and tools used to find evidence in a computer.
● The roles of digital forensics are:
1. Discover and document evidence.
2. Authenticate evidence discovered in other ways.
3. Connect attack and victim computers.
4. Extract data that may be hidden, deleted or otherwise not directly available.
● The typical scenarios involved are:
1. Employee Internet abuse.
2. Data leak/data breach.
3. Industrial espionage.
4. Criminal fraud and deception cases.
5. Criminal cases and copyright violation.
● The following figure shows the kind of data you “see” using forensic tools.

 Using digital forensics techniques, one can:


1. Confirm and clarify evidence.
2. Provide help to verify an intrusion hypothesis.
3. Eliminate incorrect assumptions.
 The Need for Computer Forensics
● The merging of Information and Communications Technology (ICT) advances and the
persistent use of computers worldwide have together brought about many advantages.
● At the same time, the tremendously high technical capacity of modern
computers/computing devices provides opportunities for misuse as well as opportunities
for committing crime.
● The media on which evidence/clues reside vary from case to case. There are challenges
for the forensic investigator because storage devices keep shrinking due to advances in
technology.
● Chain of custody is also used in most evidence situations to maintain the integrity of the
evidence by providing documentation of the control, transfer and analysis of evidence.
 Cyberforensics and Digital Evidence
● Cyber forensics can be divided into two domains:
1. Computer forensics.
2. Network forensics.
● Network forensics is the monitoring, capturing, storing and analysis of network activities
or events in order to discover the source of security attacks, intrusions or other problem
incidents, e.g. worms, viruses or malware attacks, abnormal network traffic and security
breaches.
● As compared to “physical” evidence, “digital evidence” is different in nature because
it has some unique characteristics. First of all, digital evidence is much easier to
change/manipulate. Second, “perfect” digital copies can be made without harming the original.
● Evidence resides on computer systems, in user-created files, user-protected files, computer-
created files and on computer networks.
 Forensics Analysis of Email
● It was mentioned earlier how criminals can use fake mails for various cybercrime offenses. There
are tools available that help create fake mails. Forensics analysis of Email is an important
aspect of cyber forensics analysis; it helps establish the authenticity (truth) of an Email
when it is suspected.
● E-mail forensic analysis is used to study the source and content of an Email message as
evidence, identifying the actual sender, recipient and timestamp in order to collect reliable evidence
to bring criminals to justice.
● E-mail forensics refers to the study of email details, including the source and content of the e-mail,
in order to identify the actual sender and recipient of a message, the date/time of transmission,
a detailed record of the e-mail transaction as well as the intent of the sender. Therefore, e-mail
forensic investigation often involves analysis of metadata, keyword searching as well as
port scanning, for authorship attribution and identification of cyber-crime.
● An e-mail system is composed of several software and hardware components that control the flow of
Email. There are two main components: Email servers and Email gateways.
● Email servers are components that forward, collect, store and deliver Email to their clients,
and Email gateways are connections between Email servers.
● E-mails are made of two main parts: the message header and the message body.
● The header contains routing information about the e-mail and other information such
as the source and destination of the Email, the IP address of the sender and time-related
information. The message body contains the actual text of the message.
● E-Mail tracing is done by examining the header information contained in E-Mail messages
to determine their source. Header information is included with Emails either at the
beginning or the end of Email messages.
● Information contained in the header can aid investigators in tracing the sender of the Email.
● A thorough investigation of Email headers should include examination of the sender’s
Email address and IP address, examination of the message ID as well as the messaging
initiation protocol (HTTP or SMTP).
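To make the header walk concrete, here is an added Python example (not from these notes): it parses the Received chain of a constructed message, lists the hops from the originating IP to the final mailbox, and flags the header inconsistencies the points above ask an examiner to look for. Every host, address and IP in it is a placeholder.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every host, address and IP is a placeholder
RAW_MESSAGE = b"""Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby inbox.example-corp.test with ESMTP id abc123
\tfor <victim@example-corp.test>; Tue, 12 Mar 2024 10:05:12 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
\tby mx.example-corp.test with ESMTPS id xyz789; Tue, 12 Mar 2024 10:05:10 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example-isp.test with ESMTP; Tue, 12 Mar 2024 10:05:08 +0000
Message-ID: <20240312100508.1234@example-isp.test>
From: "CEO" <ceo@example-corp.test>
Reply-To: accounts@example-attacker.test
To: victim@example-corp.test
Subject: Urgent wire transfer
Date: Tue, 12 Mar 2024 10:05:00 +0000

Please process the attached invoice today.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into the fields compared across hops."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IPV4_RE.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": m.group(1),
        "from_comment": m.group(2) or "",  # the receiving relay's own view of the peer
        "ip": ip.group(1) if ip else None,
        "by": m.group(3),
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_path(raw):
    """Return hops in delivery order. Each relay prepends its Received: header,
    so the last header in the message is the first hop, closest to the sender."""
    msg = message_from_bytes(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_findings(raw):
    """Inconsistencies an examiner would note before trusting the From: line."""
    msg = message_from_bytes(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    msgid_dom = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if msgid_dom and msgid_dom != from_dom:
        findings.append(f"Message-ID was generated at {msgid_dom}, not at {from_dom}")
    hops = trace_path(raw)
    if hops and "unknown" in hops[0]["from_comment"]:
        findings.append(f"origin {hops[0]['ip']} had no reverse DNS at the first relay")
    # timestamps must not run backwards along the delivery path
    times = [h["time"] for h in hops if h["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps run backwards; a header may be forged")
    return findings
```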
 Digital Forensics Life Cycle
● As per the FBI’s (Federal Bureau of Investigation) view, digital evidence is present at nearly
every crime scene. That is why law enforcement must know how to recognize, seize,
transport and store original digital evidence to preserve it for forensics examination.
● The Digital Forensics Process: The digital forensics process needs to be understood in
the legal context starting from preparation of the evidence to testifying.
● The process involves the following activities:
1. Preparing for the Evidence and Identifying the Evidence
Evidence must first be identified as evidence. There is a huge amount of potential evidence
available for a legal matter, and it is also possible that the majority of the potential evidence
may never get identified.

2. Collecting and Recording Digital Evidence
Digital evidence can be collected from many sources. Obvious sources include computers,
cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on.
Non-obvious sources include settings of digital thermometers, black boxes inside
automobiles and web pages (which must be preserved as they are subject to change).
3. Storing and Transporting Digital Evidence
• The following are specific practices that have been adopted in the handling of digital
evidence:
1. Image (copy) computer media using a write-blocking tool to ensure that no data is
added to the suspect device;
2. Establish and maintain the chain of custody.
3. Document everything that has been done.
4. Only use tools and methods that have been tested and evaluated to validate their
accuracy and reliability.
• Digital forensics evidence can generally be transported by making exact duplicates of the
original document. Some of the most valuable information obtained in the course of a
forensics examination will come from the computer user. An interview with the user can
yield valuable information about the system configuration, applications, encryption keys
and methodology.
4. Examining/Investigating Digital Evidence
• As a general rule, one should not examine digital information unless one has the legal
authority to do so. Amateur forensics examiners should keep this in mind before starting
any unauthorized investigation.
• For the purpose of digital evidence examination, “imaging of electronic media” (on which
the evidence is believed to reside) becomes necessary. The process of creating an
exact duplicate of the original evidentiary media is often called “imaging”.
• Computer forensics software packages make this possible by converting an entire hard
drive into a single searchable file; this file is called an “image”. Examples of imaging tools
are DCFLdd and IXimager.
5. Analysis, Interpretation and Attribution
• Analysis, interpretation and attribution of evidence are the most difficult aspects
encountered by most forensics analysts.
• Examples of common digital analysis types include:
a) Media Analysis: It is analysis of the data from a storage device.
b) Media Management Analysis: It is analysis of the management system used to
organize media.
c) File System Analysis: It is analysis of file system data inside a partition or disk.
d) Application Analysis: It is analysis of data inside a file. Files are created by users
and applications.
e) Network Analysis: It is analysis of data on a communication network.
f) OS Analysis: An OS is the software that runs first when a computer starts. This
analysis examines the configuration files and output data of the OS.
g) Image Analysis: This type of analysis looks for information about where the picture
was taken and who or what is in the picture.
h) Video Analysis: This type of analysis examines the video for the identification of
objects in the video and the location where it was shot.
6. Reporting
• Once the analysis is completed, a report is generated. The report may be in written form or
an oral statement or it may be a combination of the two.
• The following are the broad-level elements of the report.
1. Identity of the reporting agency.
2. Case identifier or submission number.
3. Case investigator.
4. Identity of the submitter.
5. Date of receipt.
6. Date of report.
7. Identity and signature of the examiner.
8. Brief description of steps taken during examination, such as string searches, graphics
image searches and recovering erased files.
9. Results/conclusions.
7. Testifying
• This phase involves presentation and cross-examination of expert witnesses. Depending on
the country and legal frameworks in which a cybercrime case is registered, certain
standards may apply with regard to the issues of expert witnesses.
 Chain of Custody Concept:
• Chain of custody is the central concept in cyber forensics/digital forensics investigation.
• Chain of custody, in legal contexts, is the chronological documentation or paper trail that
records the sequence of custody, control, transfer, analysis, and disposition of physical or
electronic evidence.
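The write-blocked imaging, hash verification and chain-of-custody record described in the life cycle above, as an added Python example that is not part of the notes. The in-memory “drive”, the case identifier and the examiner names are constructed placeholders.

```python
import hashlib
import io

SECTOR = 512  # copy granularity, mirroring a sector-by-sector imager


def image_device(device, sink):
    """Read the evidence device sector by sector (only read() is ever called on it,
    the software analogue of a write blocker), write each sector to the image sink
    and hash what was read. Returns (bytes copied, SHA-256 of the acquisition)."""
    digest = hashlib.sha256()
    copied = 0
    while True:
        sector = device.read(SECTOR)
        if not sector:
            break
        digest.update(sector)
        sink.write(sector)
        copied += len(sector)
    return copied, digest.hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chronological record of who held the evidence, with the image hash
    re-verified at every handoff."""

    def __init__(self, case_id, acquisition_hash):
        self.case_id = case_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, when, action, released_by, received_by, verified_hash):
        self.entries.append({"when": when, "action": action, "released_by": released_by,
                             "received_by": received_by, "hash": verified_hash})

    def problems(self):
        """The discrepancies a court would ask about: a hash that no longer matches
        the acquisition, or a handoff from someone who was not the previous holder."""
        issues = []
        for i, e in enumerate(self.entries):
            if e["hash"] != self.acquisition_hash:
                issues.append(f"entry {i} ({e['action']}): hash differs from acquisition hash")
            if i > 0 and e["released_by"] != self.entries[i - 1]["received_by"]:
                issues.append(f"entry {i} ({e['action']}): custody gap, "
                              f"{e['released_by']} was not the last recorded holder")
        return issues


def build_sample_case():
    """Constructed evidence: a fake drive in memory, imaged and logged through two handoffs."""
    drive_contents = bytes(range(256)) * 20 + b"remnant of a deleted file"
    drive = io.BytesIO(drive_contents)  # stands in for the write-blocked source
    image = io.BytesIO()
    copied, acquisition_hash = image_device(drive, image)
    image_bytes = image.getvalue()
    log = CustodyLog("CASE-PLACEHOLDER-001", acquisition_hash)  # placeholder case id
    log.record("2024-03-12T09:00Z", "acquired", "seizing officer", "examiner A",
               sha256_hex(image_bytes))
    log.record("2024-03-12T14:30Z", "transferred", "examiner A", "examiner B",
               sha256_hex(image_bytes))
    return log, image_bytes, copied
```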

 Network Forensics
● Wireless forensics is a discipline included within computer forensics science and,
specifically, within the network forensics field. The goal of wireless forensics is to provide
the methodology and tools required to collect and analyse (wireless) network traffic that
can be presented as valid digital evidence in a court of law.
● The evidence collected can correspond to plain data or, with the broad usage of VoIP
technologies, can include voice conversations.
● The wireless forensics process involves capturing all data moving over a Wi-Fi network and
analysing network events to uncover network anomalies, discover the source of security
attacks and investigate holes in computers and wireless networks to determine whether
they are or have been used for illegal or unauthorized activities.
 Approaching a computer forensics Investigation
● Computer forensics investigation is a detailed science. The broad phases involved in the
investigation are as follows:
1. Secure the subject system (from unauthorized changes during the investigation);
2. Take a copy of the hard drive/disk (if applicable and appropriate);
3. Identify and recover all files (including deleted files);
4. Access/view/copy hidden, protected and temp files;
5. Study “special” areas on the drive (e.g., the remainder from previously deleted files);
6. Investigate the data from applications and programs used on the system;
7. Create a detailed and considered report, containing an assessment of the data and
information collected.
 Typical Elements Addressed in a Forensics Investigation Engagement Contract
● Typically, the following important elements are addressed while drawing up a
forensics investigation engagement contract.
1. Authorization:
● The customer will be asked to authorize the computer forensics laboratory or its agents to
conduct an evaluation of the data/media/equipment onsite or offsite to determine the nature
and scope of the engagement.
● The customer will be asked to authorize the computer forensics laboratory, its employees,
independent contractors and agents to securely receive and transport the
media/equipment/data.
2. Confidentiality:
● The computer forensics laboratory concerned is supposed to use any information contained in the
data, media or equipment provided to the company by the customer only for the purpose of
fulfilling the engagement, and is expected to hold such customer information in the strictest
confidence.
3. Payment:
● The customer agrees to pay the computer forensics laboratory all sums authorized from time
to time by the customer, which will typically include charges for computer forensics laboratory
services, reasonable travel expenses for onsite work, shipping and insurance and actual
expenses, and media or off-the-shelf software used in the forensics service engagement.
4. Consent and acknowledgment:
● Any consent (agreement) required of either party becomes effective only if provided in a
commercially reasonable manner; the customer needs to acknowledge that the
equipment/media/data may be damaged prior to receipt by the computer forensics laboratory.
5. Limitation of liability:
● The computer forensics laboratory will not consider itself to be legally responsible for any
claims regarding the physical functioning of the equipment/media or the condition or
existence of data stored on the media supplied, before, during or after services.
6. Legal aspects/the law side:
● Both the parties need to agree that the agreement shall be governed by existing law in every
particular way in the country where the contract is signed.
7. Data protection:
● The computer forensics laboratory (engaged in the investigation) will hold the information
that the customer has given verbally, electronically or in any submitted form for the
purpose of the forensics investigation to be carried out as per contracted services from the
forensics laboratory.
 Solving a Computer Forensics Case
These are just some broad illustrative steps; they may vary depending on the specific
case in hand.
1. Prepare for the forensics examination.
2. Talk to key people to find out what you are looking for and what the surrounding
environment of the case is.
3. If you are convinced that the case has a sound foundation, start assembling your tools to
collect the data in question. Identify the target media.
4. Collect the data from the target media. You will be creating an exact duplicate image of
the device in question. To do this, you will need to use an imaging software application.
5. To extract the contents of the computer in question, connect the computer you are
investigating to a portable hard drive or other storage media and then boot the computer
under investigation according to the directions for the software you are using.
6. When collecting evidence, be sure to check Email records as well. Quite often, these
messages yield a great deal of information.
7. Examine the collected evidence on the image you have created. Document anything that
you find and where you found it.
8. Analyse the evidence you have collected by manually looking into the storage media
and, if the target system has a Windows OS, check the registry.
9. Report your findings back to your client. Be sure to provide a clear, concise report; this
report may end up as evidence in a court case.
 Relevance of the OSI 7 Layer Model to Computer Forensics
The OSI 7 Layer Model is useful from a computer forensics perspective because it
addresses the network protocols and network communication processes.
 Steps followed by an attacker to hack a network:
Step 1: Footprinting
● Footprinting includes a combination of tools and techniques used to create a full profile
of the organization’s security posture. These include its domain names, IP addresses
and network blocks.
● Once the IP addresses and domain names are known, a hacker will typically perform a
series of scans to gather more information about individual machines for the purpose of
gaining unauthorized access to the system. The tool called “Metasploit” was developed
to provide useful information to people who perform penetration testing.
Step 2: Scanning and Probing
● The hacker will typically send a ping echo request packet to a series of target IP
addresses. As a result, the machines assigned one of these IP addresses will send
out an echo response, thereby confirming that there is a live machine associated with that
address.
● Similarly, a TCP scan sends a TCP synchronization request to a series of ports, and
the machines that provide the associated service respond. Finally, using a tool like
Nmap, the hacker can determine device type and OS details by interpreting the
responses.
Step 3: Gaining Access
● The hacker’s ultimate goal is to gain access to your system so that he/she can perform
some malicious action, such as stealing credit card information, downloading
confidential files or manipulating critical data.
Step 4: Privilege
● When a hacker gains access to the system, he/she will only have the privileges granted to
that user.
Step 5: Exploit
● Gaining root access gives the hacker full control on the network. Every hacker seems
to have his/her own reasons for hacking. Some hackers do it for fun or a challenge,
some do it for financial gain.
Step 6: Retracting
● There are many reasons that drive cybercriminals to hacking. The next step is
covering tracks. The attacker will modify logs to hide his/her actions.
Step 7: Installing Backdoors
● Finally, most hackers will try creating provisions for entry into the network/hacked
system for later use. They will do this by installing a backdoor to allow them access in the
future. A backdoor is a security hole purposely left in place to allow access from an
uncommon/unobvious path. These can be easily detected by a skilled security
professional.
 Challenges in Computer Forensics
 Cybercrime investigators are faced with the challenge of how to collect the specific,
probative and case-related information from very large groups of files.
 The current set of computer forensics tools will not be able to handle the real-time
data size/volume, and the increasing volume of potential data to examine can create
problems for law enforcement.
 The Technical Challenges: Understanding the Raw Data and its Structure
● There are two aspects of the technical challenges faced in digital forensics
investigation.
1. Complexity problem.
2. Quantity problem.
● A digital forensics investigator often faces the “complexity problem” because
acquired data is typically in its lowest and most raw format. Non-technical people
may find such a format too difficult to understand.
● For resolving the complexity problem, tools are very useful; they translate data
through one or more “layers of abstraction” until it can be understood.
● Digital forensics is also challenged by the “quantity problem”: the huge amount
of digital data to analyze. It is inefficient to analyze every single piece
of it. Data reduction techniques need to be used to solve this. Data reduction is done
by grouping data into one larger event or by removing known data.
● Digital forensics analysis tools aim at accurately presenting all data at an appropriate
layer of abstraction and format, so that the tools can be effectively used by an
investigator to identify evidence. The required level of abstraction is dependent on the
investigator’s skill level as well as the investigation requirements.
● ASCII is one basic example of abstraction. Every letter of the English alphabet is
assigned a number between 32 and 127.
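Added Python example (not from the notes) of data reduction by removing known data: files are matched by content hash against a constructed reference set, so a renamed vendor file drops out of the review pile while a file reusing a vendor name with different content stays in it. The file names and contents are constructed stand-ins, not real system files.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_known_set(reference_files):
    """Hash every file of a clean reference install (the analogue of a vendor hash set).
    The set is keyed by content hash only, never by file name."""
    return {sha256_hex(content) for content in reference_files.values()}


def reduce_by_known_hashes(suspect_files, known_good, known_bad):
    """Split a {path: bytes} collection into the three piles an examiner reviews.
    Known-bad is checked first so a bad file never hides behind a good-looking name."""
    piles = {"known_good": [], "known_bad": [], "unknown": []}
    for path, content in sorted(suspect_files.items()):
        digest = sha256_hex(content)
        if digest in known_bad:
            piles["known_bad"].append(path)
        elif digest in known_good:
            piles["known_good"].append(path)
        else:
            piles["unknown"].append(path)
    return piles


# Constructed sample data: stand-in bytes, not real binaries
REFERENCE_INSTALL = {
    "C:/Windows/notepad.exe": b"stand-in bytes for the vendor notepad binary",
    "C:/Windows/readme.txt": b"stand-in bytes for a vendor readme",
}
KNOWN_BAD_HASHES = {sha256_hex(b"stand-in bytes for a known malware sample")}

SUSPECT_DRIVE = {
    # untouched vendor file: dropped as known good
    "C:/Windows/notepad.exe": b"stand-in bytes for the vendor notepad binary",
    # renamed copy of a vendor file: still known good, because the hash matches
    "C:/Users/u/Desktop/data.bin": b"stand-in bytes for a vendor readme",
    # vendor name but different content: stays in the review pile
    "C:/Windows/Temp/notepad.exe": b"stand-in bytes for a trojanised notepad",
    # matches the known-bad set regardless of its name
    "C:/Users/u/Downloads/invoice.exe": b"stand-in bytes for a known malware sample",
    # ordinary user document: unknown, reviewed by hand
    "C:/Users/u/Documents/plan.docx": b"stand-in bytes for a user document",
}


def triage_sample():
    return reduce_by_known_hashes(SUSPECT_DRIVE, build_known_set(REFERENCE_INSTALL),
                                  KNOWN_BAD_HASHES)
```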
 The legal Challenges in Computer forensics and Data privacy issues
 Evidence, to be admissible in court, must be relevant and capable of proving the case.
 Digital evidence can be easily duplicated and modified, often without even
leaving any traces; this can present social problems related to the ability to handle the case.
There are many types of personnel involved in digital forensics/computer forensics:
a. Technicians
b. Policy makers
c. Professionals
 Detection and recovery are the heart of computer forensics. The goal of detection
and recovery is to recognize the digital objects that may contain information about
the incident and document them.
 “Acquisition” is to copy and preserve the state of data that could be evidence.
Completeness and accuracy of acquisition process is required.
 It is difficult to perform a complete decomposition and logging of all materials, so a
“scratch and sniff” approach might be used to yield promising information.
 Special Tools and Techniques
The main capabilities of forensics tools are:
1. Creating forensics-quality or sector-by-sector images of media;
2. Locating deleted/old partitions;
3. Determining date/time stamp information;
4. Obtaining data from floppy space;
5. Recovering files and directories, “carving” or recovering data based on file
headers/file footers;
6. Recovering internet history information.

Data Recovery Tools

Name of tool: Description
HD Doctor Suite: A set of professional tools used to fix firmware problems.
BringBack: Offers easy to use, inexpensive and highly successful data recovery for Windows and Linux.
RAID Reconstructor: Reconstructs RAID level 0 and RAID level 5 drives.
e-ROL: Allows you to recover, over the internet, files erased by mistake.
Recuva: Windows tool that recovers accidentally deleted files.
Restoration: Windows tool that recovers deleted files.
Undelete Plus: Recovery tool that works for all versions of Windows.
R-Studio: Data recovery software suite that can recover files from FAT (12 to 13), NTFS, NTFS5 etc.
Stellar Phoenix: Data recovery software services and tools that recover lost data from hard drives.
Adroit Photo Recovery: Photo recovery tool able to recover high-definition raw images from Canon, Nikon etc.

Partition Recovery Tools

Name of tool: Description
Partition Table Doctor: Recovers deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5).
NTFS Recovery: Automatic utility that recovers data from damaged or formatted disks.
Gpart: A tool which tries to recover the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
TestDisk: This is an OSS tool.
Partition recovery software: Examines lost Windows partitions of damaged or corrupted hard drives.

File Carving Tools

Name of tool: Description
DataLifter: Data carving tool that runs on multiple threads.
Simple Carver Suite: Collection of tools designed for a number of purposes including data recovery, forensics computing and e-discovery.
Foremost: Console program to recover files based on their headers, footers and internal data structures.
Scalpel: Fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
PhotoRec: File data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROM.
Revit: An experimental carving tool, initially developed for the DFRWS.
Magic Rescue: File carving tool that uses “magic bytes” in file contents to recover data.
FTK: FTK2 includes some file carvers.
SmartCarving: File carving techniques to recover fragmented files.
GuidedCarving: Technique to recover fragmented files introduced in Adroit Photo Forensics.
Adroit Photo Forensics: Supports data carving of popular image formats.
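Added Python example (not from the notes, nor from any of the tools listed) of the header/footer carving principle that Foremost and Scalpel apply: a signature table drives a scan of a constructed raw image, and a header with no footer inside the size limit is reported nowhere rather than emitted as a truncated file. The sample image and its fake JPEG/PNG contents are constructed.

```python
import hashlib
import random

# (header, footer, maximum file size) per type, the same information a Foremost
# or Scalpel configuration line carries; real images use the same magic bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 8 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Header/footer carving over a raw byte image. Each hit records where it was
    found and a hash, so the carved file can be compared against hash sets later."""
    hits = []
    for ftype, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            body_start = start + len(header)
            fpos = image.find(footer, body_start, start + max_len)
            if fpos < 0:
                # header with no footer within max_len: truncated or fragmented,
                # skipped here (a smart carver would try to reassemble it)
                pos = start + 1
                continue
            end = fpos + len(footer)
            data = image[start:end]
            hits.append({"type": ftype, "offset": start, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed raw image: filler, a fake JPEG, filler, a fake PNG, filler,
    then a JPEG header whose footer is missing. Returns the image and the
    (type, offset, size) tuples a correct carver must report."""
    rnd = random.Random(7)

    def filler(n):
        # byte values 0..254 only, so filler can never contain a JPEG marker (0xff)
        return bytes(rnd.randrange(255) for _ in range(n))

    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-" * 10 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-" * 8 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"no-footer-" * 5
    layout = [("filler", filler(300)), ("jpg", jpg), ("filler", filler(120)),
              ("png", png), ("filler", filler(50)), ("truncated", truncated),
              ("filler", filler(200))]
    image, expected = b"", []
    for kind, chunk in layout:
        if kind in ("jpg", "png"):
            expected.append((kind, len(image), len(chunk)))
        image += chunk
    return image, expected
```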

 Special Technique: Data Mining used in Cyberforensics


• Data mining is the extraction of useful information from bulk data or data warehouses.
• Data Mining Techniques:
1. Entity Extraction:
• This technique is used to identify particular patterns in data such as text, images or
personal characteristics. It has been used to automatically identify persons, addresses,
vehicles and personal characteristics from police reports.
• In computer forensics, the extraction of software information such as data structure,
program flow can facilitate further investigation by grouping similar programs written
by hackers and tracing their behaviour. This technique provides basic information for
crime analysis.
2. Clustering Techniques
• This involves grouping data items into classes with similar characteristics so as to
maximize intraclass similarity. The technique of clustering crime incidents can
automate a major part of crime analysis.
3. Association rule mining
• This technique discovers frequently occurring item sets in a database and presents the
patterns as rules. This technique has been applied to detect network intrusion.
 Forensics Auditing
• Forensics auditing is also known as “forensics accounting”. It includes the steps needed to
detect and prevent fraud. Forensic auditors make use of the latest technology to examine
financial documents and investigate white-collar crimes, e.g. identity theft, securities fraud
etc.
• Forensics accounting is a specialized form of accounting; it uses accounting, auditing and
investigative techniques. Forensics accounting professionals are assigned special
tasks like analyzing and tracking evidence of financial transactions. In some cases, they
are asked to present this evidence to a court of law.
• The Rules of Evidence have the following attributes:
i. Accuracy
ii. Authentication
iii. Non-repudiation
