Unit 1 To 5 Notes

The document provides an overview of computer forensics and cybercrime, defining cybercrime as any criminal activity involving computers and networks. It categorizes cybercrime into three types: cyberpiracy, cybertrespass, and cyber vandalism, and discusses various forms of cybercrime including hacking, identity theft, and online fraud. Additionally, it outlines the importance of computer forensics techniques for legal cases and data recovery, detailing a four-step process for computer forensic investigations.

Unit – 1

Introduction to Computer Forensics

Introduction to Traditional Computer Crime

Cyber-crime is any criminal activity involving computers and networks. Cyberspace includes computer systems, computer networks and the Internet; LANs and WANs are also part of cyberspace. Cybercrime incorporates anything from downloading illegal music files to stealing millions of rupees from online bank accounts.

Cyber-crime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Internet-connected activities are just as vulnerable to crime.

Computer crime is any illegal activity that is perpetrated through the use of a
computer.

If a person, without the permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, the said acts are torts and crimes under Indian cyber law.

There is no standard definition for “cyber”. The word is used to describe the virtual world of computers; e.g. an object in cyberspace refers to a block of data floating around a computer system or network.

The word “cyberspace” is credited to William Gibson, who used it in his book Neuromancer, written in 1984.

Cyberspace: the impression of space and community formed by computers, computer networks, and their users; the virtual “world” that Internet users inhabit when they are online.

The term 'cyber' is derived from the word 'cybernetics', which means the science of communication and control over machine and man. Cyberspace is the new horizon, controlled by machines, for information and communication between human beings across the world. Therefore, crimes committed in cyberspace are treated as cyber-crimes. In the wider sense, cyber-crime is crime on the Internet, which includes hacking, terrorism, fraud, gambling, cyber stalking, cyber theft, cyber pornography, spreading of viruses, etc.

Over the past few years, the global cyber-crime landscape has changed
dramatically, with criminals employing more sophisticated technology and greater
knowledge of cyber security. Until recently, malware, spam emails, hacking into
corporate sites and other attacks of this nature were mostly the work of computer
'geniuses' showcasing their talent.

Three Categories of Cybercrime

A. Cyberpiracy: Using cyber-technology in unauthorized ways to reproduce copies of proprietary software and proprietary information, or distribute proprietary information (in digital form) across a computer network.

Example: Distributing proprietary MP3 files on the Internet via peer-to-peer (P2P) technology.

B. Cybertrespass: Using cyber-technology to gain unauthorized access to, or to exceed authorized access on, an individual's or an organization's computer system, or a password-protected Web site.

Example: Unleashing the ILOVEYOU computer virus.

C. Cyber vandalism: Using cyber-technology to unleash one or more programs that disrupt the transmission of electronic information across one or more computer networks, including the Internet, or destroy data resident in a computer or damage a computer system's resources, or both.

Example: Launching denial-of-service attacks on commercial web sites.

Elements of Cyber Crime:

1. Location/Place: Where the offender is in relation to the crime.
2. Victim: Target of the offense - government, corporation, organization, individual.
3. Offender: Who the offender is in terms of demographics, motivation, level of sophistication.
4. Action: What is necessary to eliminate the threat.

Cyber criminals are now moving beyond computers and attacking mobile handheld devices, such as smart phones and tablet personal computers. In 2010, the number of malicious software programs specifically targeting mobile devices rose 46%, according to information technology security group McAfee.

Cybersquatting is generally the bad-faith registration of another's trademark in a domain name. Cybersquatting refers to using an Internet domain name with the intent of profiting from someone else's name recognition. It is generally associated with the practice of buying up domain names that are similar to the names of existing businesses with the intent to sell these names back to the owners. Many organizations have to buy all related domain names to prevent cybersquatting.

Cyber-crime example: child pornography, which includes the creation, distribution, or accessing of materials that sexually exploit underage children; and contraband, which includes transferring illegal items via the Internet.

Online fraud and hacking attacks are just some examples of computer-
related crimes that are committed on a large scale every day.

Types of Cybercrime

There are many types of cyber-crimes and the most common ones are
explained below:

1. Hacking: This is a type of crime wherein a person's computer is broken into so that his personal or sensitive information can be accessed.
2. Theft: This crime occurs when a person violates copyrights and downloads music, movies, games and software.
3. Cyber stalking: This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails.
4. Identity theft: This has become a major problem with people using the Internet for cash transactions and banking services. In this cyber-crime, a criminal accesses data about a person's bank account, credit cards, debit card and other sensitive information to siphon money or to buy things online in the victim's name.
5. Malicious software: These are Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data, or to cause damage to software present in the system.
6. Child soliciting and abuse: This is also a type of cyber-crime wherein criminals solicit minors via chat rooms for the purpose of child pornography.

Example of cyber-crime:

a) Online banking fraud
b) Fake antivirus
c) Stranded traveller scams
d) Fake escrow scams
e) Advanced fraud
f) Infringing pharmaceuticals
g) Copyright-infringing software
h) Copyright-infringing music and video
i) Online payment card fraud
j) In-person payment card fraud
k) Industrial cyber-espionage and extortion
l) Welfare fraud

The trafficking, distribution, posting, and dissemination of obscene material, including pornography, indecent exposure, and child pornography, constitutes one of the most important cybercrimes known today. Stealing significant information, data, account numbers or credit card numbers and transmitting the data from one place to another is another. Hacking and cracking are amongst the gravest cybercrimes known to date.

Recognizing and Defining Computer Crime

The first computer crime is really unknown, as no written or formal records were kept at the time; it most certainly had to be the theft or destruction of an abacus. The first documented case is in the early 19th century, in which a computer system developed by textile manufacturer Joseph Jacquard was sabotaged. This machine, designed to introduce automated tasks, was attacked by individuals fearful of losing employment to computers.

Prior to the 1980s, computer crime was considered a non-issue. However, three incidents shook American complacency to its core:

a) Compromising of Milnet
b) The Morris Worm
c) Crash of AT&T

Robert Morris created a worm to impress his friends, but did not recognize its potential for destruction. He attempted to warn victims and instruct them on how to remove the worm before it caused massive destruction, but it was too late. It caused millions of dollars in damage and crippled 10% of all computers connected to the Internet. He was the first person convicted under the new Computer Fraud and Abuse Act.

AT&T crashed due to its own failures, but blame was shifted to the Legion of Doom.

India owes a lot to the exponential growth of the Information Technology service industry over the last 15 years. In India we have substantially or fully adopted the law as first codified in the Information Technology Act (“IT Act”) in the year 2000.

Clarification of Terms

Crimes motivated by profit are different from those driven by passion, peer pressure or simple perversity of human nature. The profit-driven criminal can be assumed to behave in a way analogous to the profit-maximizing corporation.

Computer crime has been traditionally defined as any criminal act committed via computer. Cybercrime has traditionally encompassed abuses and misuses of computer systems which result in direct and/or concomitant losses.

Computer-related crime has been defined as any criminal act in which a computer is involved, usually peripherally.

Traditional Problems Associated with Computer Crime

Individuals seeking to commit a crime have always displayed a remarkable ability to adapt to changing technologies, environments, and lifestyles. Computer crime poses a daunting task for law enforcement agencies because such crimes are highly technical.

Law enforcement agencies must have individuals trained in computer forensics in order to properly investigate computer crimes. Additionally, countries must update and create legislation which prohibits computer crimes and outlines appropriate punishments for those crimes.

Computer crimes will likely become more frequent with the advent of
further technologies. It is important that civilians, law enforcement officials,
and other members of the criminal justice system are knowledgeable about
computer crimes in order to reduce the threat they pose.

The earliest computer crimes were characterized as non-technology-specific. Theft of computer components and software piracy were particular favourites. Hacking and technologically complicated computer crime came later.

Introduction to Identity Theft and Identity Fraud

Identity theft is the crime of using someone else's personal information, such as an account number, driver's license, health insurance card or Social Security number, to commit fraud. ID theft is a form of fraud. Identity thieves may use a variety of low- and high-tech methods to gain access to your personally identifying information.

Once an identity has been stolen it can be used to withdraw money, open new bank accounts, apply for loans or credit cards, and purchase vehicles or property. In some cases, the thief may even use the stolen identity to engage in criminal activity.

Identity theft occurs when someone wrongfully acquires and uses a consumer's personal identification, credit, or account information. Identity is a set of attributes of a person or company in a specific domain. An entity has multiple digital identities.

Fraud is an intentional effort to deceive another individual for personal gain.

Stolen information is used for the following purposes:

1. To apply for a new driver's license.
2. To open new bank accounts.
3. To apply for credit cards.
4. To apply for a loan.
5. To get a job.
6. To rent an apartment.
7. To make retail purchases.
8. To stay in a hotel.
9. For cyber-crime.

Common ways identity theft occurs:

1. Defrauding businesses or institutions.
2. Stealing records from their employer.
3. Bribing an employee who has access to the records.
4. Conning information out of employees.
5. Hacking into the organization's computers.
6. Rummaging through your trash, the trash of businesses, or dumps, in a practice known as “dumpster diving.”

Identity theft generally involves three stages: acquisition, use, and discovery.

Evidence suggests that the longer it takes to discover the theft, the
greater the loss incurred and the smaller the likelihood of successful
prosecution. Older persons and those with less education are less likely to
discover the identity theft quickly and to report it after discovery.

There are a lot of ways that thieves can steal an identity. One way is to
get possession of a person's debit card (ATM card) and their Personal
Identification Number (PIN).

Another way thieves steal information is by “phishing.” Phishing involves sending an email to a user falsely claiming to be a legitimate business or organization in an attempt to scam the user into disclosing private information. Usually, there is an HTML link within the e-mail that you are asked to click on. Once you click on the link you are taken to a fraudulent Web site and asked to provide personal information.

Three main areas of vulnerability to identity theft:

1. Practices and operating environments of document-issuing agencies that allow offenders to exploit opportunities to obtain identity documents.
2. Practices and operating environments of document-authenticating agencies that allow offenders access to identity data, subsequently used for financial gain, avoiding arrest, or remaining anonymous.
3. The structure and operations of the information systems involved with the operational procedures of agents in (1) and (2).

Identity theft has become a major problem with people using the
Internet for cash transactions and banking services. In this cyber-crime, a
criminal accesses data about a person's bank account, credit cards, debit card
and other sensitive information to siphon money or to buy things online in
the victim's name.

Four approaches used by identity thieves

1. Create a data breach
2. Purchase personal data
3. Use phishing to entice users to give up data
4. Install spyware to capture keystrokes of victims

How Thieves Steal Your Identity:

1. Phishing: Phishing scams are spam emails sent by cybercriminals that pretend to be from a legitimate person or organization with the intent of tricking you into revealing personal information.
2. Spim: Spim is spam sent via instant messaging (IM). The IMs could include spyware, keyloggers, viruses, and links to phishing sites.
3. Spyware: This is software that a hacker surreptitiously installs on your computer to collect personal information. It can also be used to direct you to fake websites, change your settings, or take control of your computer in other ways.
4. Pharming: In a pharming attempt, a hacker installs malicious code on your personal computer to direct you to fake websites without your knowledge.
5. Keyloggers: A keylogger is a form of spyware that records keystrokes as you type.
6. Trojan horse: A Trojan horse is a malicious program that appears to be harmless.

How You Can Protect Yourself

1. Keep personal data private. When a person, website, or email asks for your personal information, ask yourself if it is standard practice for such information to be requested.
2. Use strong passwords.
3. Practice safe surfing on public hotspots: If you are using a public computer or accessing the Internet from a public hotspot or an unsecured wireless connection, do not log in to banking and credit card sites.
4. Secure your wireless network.
5. Review your financial statements promptly.

Types of Computer Forensics Techniques

Computer forensics is the science of locating, extracting and analyzing types of data from different devices, which specialists then interpret to serve as legal evidence.

Digital forensics is the scientific acquisition, analysis and preservation of data contained in electronic media whose information can be used as evidence in a court of law.

Computer Forensics is a four-step process:

1. Acquisition: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.
2. Identification: This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites.
3. Evaluation: Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court.
4. Presentation: This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws.

Need for computer forensic techniques:

1. Legal cases: computer forensic techniques are frequently used to analyze computer systems belonging to defendants.
2. To recover data: in the event of software failure or hardware failure.
3. To analyze: a computer system must be analysed after a break-in.
4. To gather evidence against an employee that an organization wishes to terminate.

Forensics techniques for finding, preserving and preparing evidence.

Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides. Evidence may be in files, on disks, or on paper, and all types of evidence need to be tracked.

Preserving evidence includes ensuring that the evidence is not tampered with, and being able to prove it. It involves pre-incident planning and training in incident discovery procedures. If the machine is turned on, leave it on; do not run programs on that particular computer. Preparing evidence will include data recovery, documentation, etc.

When files are deleted, usually they can be recovered. The files are marked as deleted, but they still reside on the disk until they are overwritten. Files may also be hidden in different parts of the disk. The challenge is to piece the different parts of the file together to recover the original file.
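The recovery the notes describe, as an added Python example that is not part of the original notes: a constructed raw image with a toy directory format invented for the example, a file "deleted" by clearing only its directory entry, and a signature carver that finds the file anyway, including the case where a sector has already been overwritten.

```python
"""Recovering a 'deleted' file from a constructed disk image by signature carving.

Added example, not from the notes: a tiny raw image is built in memory, a file is
'deleted' by clearing only its directory entry (as most file systems do), and the
file is carved back out of the data area by its header/footer signatures. The
directory format is invented for the example; the JPEG signatures are real
(FF D8 FF at the start, FF D9 at the end).
"""
from __future__ import annotations
import hashlib

SECTOR = 512
DATA_SECTOR = 4          # constructed layout: directory in sector 0, file data from here
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def build_image(name: str, body: bytes) -> bytearray:
    """Constructed 16-sector 'disk' holding one file and a one-line directory."""
    image = bytearray(SECTOR * 16)
    start = SECTOR * DATA_SECTOR
    image[start:start + len(body)] = body
    entry = f"{name}|{DATA_SECTOR}|{len(body)}".encode()   # name|start sector|length
    image[0:len(entry)] = entry
    return image


def delete_file(image: bytearray) -> None:
    """'Delete' like a real file system: forget the entry, leave the data blocks alone."""
    image[0:SECTOR] = bytes(SECTOR)


def list_directory(image: bytes) -> list[str]:
    """What the file system still shows the user."""
    raw = bytes(image[0:SECTOR]).rstrip(b"\x00")
    return [raw.decode()] if raw else []


def carve(image: bytes, header: bytes, footer: bytes) -> list[tuple[int, bytes, bool]]:
    """Signature carving over the raw image, ignoring the directory entirely.

    Returns (byte_offset, data, complete). A header with no footer after it means
    the tail was overwritten; the fragment up to the zero padding is returned as
    incomplete so the examiner knows only part of the file survives.
    """
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header))
        if end == -1:
            found.append((pos, bytes(image[pos:]).rstrip(b"\x00"), False))
            break
        found.append((pos, bytes(image[pos:end + len(footer)]), True))
        pos = image.find(header, end + len(footer))
    return found


def demo() -> dict:
    """Delete, carve the file back intact, then overwrite one sector and carve again."""
    photo = JPEG_HEADER + b"constructed photo payload " * 40 + JPEG_FOOTER   # 1045 bytes
    image = build_image("photo.jpg", photo)
    visible_before = list_directory(image)
    delete_file(image)
    visible_after = list_directory(image)          # []: the file system no longer knows it
    offset, data, complete = carve(image, JPEG_HEADER, JPEG_FOOTER)[0]
    intact = complete and hashlib.sha256(data).digest() == hashlib.sha256(photo).digest()
    # The OS reuses the sector holding the footer: only a fragment can be recovered now.
    image[SECTOR * 6:SECTOR * 7] = bytes(SECTOR)
    _, fragment, complete_after = carve(image, JPEG_HEADER, JPEG_FOOTER)[0]
    return {"visible_before": visible_before, "visible_after": visible_after,
            "recovered_offset": offset, "recovered_intact": intact,
            "fragment_len_after_overwrite": len(fragment), "complete_after": complete_after}
```

Real carvers work the same way on a bit-stream image of the whole drive, which is why an image must include unallocated space and not just live files.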

Incident and Incident Response Methodology

An incident is an unexpected event occurring when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business's assets.

Incident response is a set of procedures that commence when an incident is detected.

Some common types of computer incidents include the following:

1. Employee misuse of systems (for example, violations of Internet use policies)
2. Malicious code (for example, viruses, worms, or Trojan horse programs)
3. Intrusions or hacking
4. Unauthorized electronic monitoring (sniffers, keyloggers, and so on)
5. Web site defacement or vandalism
6. Unauthorized access to confidential information
7. Automated scanning tools and probes
8. Insider sabotage (via espionage or disgruntled employees)

When a threat becomes a valid attack, it is classified as an information security incident if:

a) It is directed against information assets.
b) It has a realistic chance of success.
c) It threatens the confidentiality, integrity, or availability of information assets.

It is important to understand that IR is a reactive measure, not a preventative one. Incident response planning (IRP) focuses on immediate response.

IT security incidents have three faces:

a) Data: an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.
b) Resources: interference with IT operations.
c) People: violation of explicit or implied policy.

Impact: not all incidents are equal. Cyber security incidents are associated with malicious attacks or Advanced Persistent Threats.

A computer security incident is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Such an action can include any of the following events:

1. Theft of trade secrets
2. Email spam or harassment
3. Unauthorized or unlawful intrusions into computing systems
4. Embezzlement
5. Possession or dissemination of child pornography
6. Denial-of-service attacks
7. Extortion
8. Any unlawful action when the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes.

Responding to computer security incidents can involve intense pressure, time, and resource constraints. Incident response helps personnel to minimize loss or theft of information and disruption of services caused by incidents.

Goals of Incident Response

The incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, but it also takes into account the concerns of law enforcement officials. Incident response:

1. Confirms or dispels whether an incident occurred.
2. Establishes controls for proper retrieval and handling of evidence.
3. Minimizes disruption to business and network operations.
4. Provides accurate reports and useful recommendations.
5. Provides rapid detection and containment.
6. Educates senior management.

Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization.

A Computer Security Incident Response Team (CSIRT) is formed to respond to any computer security incident.

A significant incident meets one or more of the following criteria:

1. The incident has impacted the confidentiality, integrity, or availability of a critical system or sensitive data.
2. There is a high probability of public disclosure of the incident and consequent embarrassment of the company.
3. The impact of the incident results in company users losing access to a critical service (for example, email, network access, Internet access).

An Incident Response Plan (IRP) is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.

Then, the set of procedures, policies, and guidelines that commence at the detection of an incident is the Incident Response (IR).

A Computer Security Incident is an adverse event that negatively impacts the confidentiality, integrity and availability of information that is processed, stored and transmitted using a computer. Although they may not always be readily apparent, a computer incident has the following characteristics:

a) The attacker or attack origin;
b) The tool used;
c) The vulnerability exploited;
d) The actions performed;
e) The intended target;
f) The unauthorized result.

After an incident, the procedures for handling it are drafted: planners develop and document the procedures that must be performed immediately after the incident has ceased. Separate functional areas may develop different procedures.

Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase. In the incident response phase, a number of action steps taken by the IR team and others must occur quickly and may occur concurrently. These steps include notification of key personnel, the assignment of tasks, and documentation of the incident. As soon as an incident is declared, the right people must be immediately notified in the right order.

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities.

Incident Detection

It is the responsibility of the IR team to determine if an incident is a valid incident or is just the product of “normal” system use.

Incident candidates can be detected and tracked through several means: end-users, intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators.

It is essential that end-users, help desk staff, and all security personnel are properly trained in incident reporting, so that in the event of an actual incident the IR team is properly notified and can effectively execute IRP procedures.

Overloaded networks, computers, or servers, and misbehaving computer systems or software packages, may be hard to distinguish from an actual incident. Therefore, managers must ensure IT professionals receive training to detect possible, probable, and definite indicators.

Components of Incident Response

1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution

Pre-incident preparation: Take actions to prepare the organization and the CSIRT before an incident occurs.

Detection of incidents: Identify a potential computer security incident.

Initial response: Perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident.

Formulate response strategy: Based on the results of all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate to take, based on the conclusions drawn from the investigation.

Investigate the incident: Perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future.

Reporting: Accurately report information about the investigation in a manner useful to decision makers.

Resolution: Employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified.

Forensic Duplication and Investigation

Forensic analysis includes reviewing all the data collected. This includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications, and graphic files.

You perform software analysis, review time/date stamps, perform keyword searches and take any other necessary investigative steps.

Forensic analysis also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space, or free space contain data fragments or entire files that may be useful to the investigation.

The investigative process of digital forensics can be divided into several stages. The four major stages are: preservation, collection, examination and analysis.

Computer forensics activities commonly include:

a) The secure collection of computer data
b) The identification of suspect data
c) The examination of suspect data to determine details such as origin and content
d) The presentation of computer-based information to courts of law
e) The application of a country's laws to computer practice

Digital evidence can be useful in a wide range of criminal investigations, including homicides, sex offenses, missing persons, child abuse, drug dealing, fraud, and theft of personal information. Digital information is all information in digital form and can be divided into the content itself.

Forensics analysis

Hard copy printouts of digital information are not digital evidence in the strict sense of this definition; they are considered a starting point for applying digital evidence gathering in the future.

Forensics is the application of investigative and analytical techniques that conform to evidentiary standards used in or appropriate for a court of law or another legal context.

There are three basic and essential principles in digital forensics:

1. The evidence is acquired without altering it;
2. Demonstrably so;
3. The analysis is conducted in an accountable and repeatable way.

Digital forensic processes, hardware and software have been designed to ensure compliance with these requirements. The process of digital forensics is typically as follows:

1. Preservation of the state of the device
2. Survey and analysis of the data for evidence
3. Event reconstruction

The following principles must be followed when a person conducts a computer forensic investigation:

1. Data stored in a computer or storage media must not be altered or changed, as those data may later be presented in court.
2. A person must be competent enough in handling the original data held on a computer or storage media, if it is necessary to do so.
3. An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved.
4. The person responsible for the investigation must have overall responsibility for ensuring that the law is adhered to.

The scope of the forensic investigation is as follows:

1. To identify the malicious activities.
2. To identify the security lapse in their network.
3. To find out the impact if the network system was compromised.
4. To identify the legal procedures, if needed.
5. To provide the remedial action in order to harden the system.

Stages of Investigative Process of Digital Forensics

1. Preservation: The preservation stage corresponds to freezing the crime scene. It involves operations such as preventing people from using computers during collection, stopping ongoing deletion processes, and choosing the safest way to collect information.
2. Collection: The collection stage consists in finding and collecting digital information that may be relevant to the investigation. Collection of digital information means collection of the equipment containing the information, or recording the information on some medium.
3. Examination: This is the search for digital evidence. The output of examination is the data objects found in the collected information, which includes log and data files containing specific phrases, timestamps, etc.
4. Analysis: The aim of analysis is to draw conclusions based on the evidence found.

Computer Language

Software that may be used for gathering and analyzing digital information is as follows:

1. Boot software: The computer is booted using boot software for imaging and/or analysis without making changes to the hard disk.
2. Computer forensic software: This type of software is used for imaging and analyzing digital information.
3. Forensic software write blockers are used to allow acquisition of digital information on a hard drive without changing or altering the contents.
4. Hash authentication software is used to validate that a copy of digital information is identical to the original information.
5. Analysis software helps in analyzing digital information.
6. Bit stream imaging software is used to create an image of all areas of a data carrier. A bit stream image is an exact replica of each bit contained in the data carrier.
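How the write blocker, bit-stream imaging, hash authentication and audit trail on this list fit together, as an added Python example that is not from the notes or from any forensic product; the data carrier, the examiner name and the audit-log format are constructed for the example.

```python
"""Bit-stream imaging, hash authentication and a hash-chained audit trail.

Added example, not from the notes: an in-memory 'data carrier' behind a read-only view
(standing in for a write blocker) is copied block by block, original and copy are hashed
to authenticate the image, and every step is logged in a tamper-evident audit trail.
"""
from __future__ import annotations
import hashlib
import io
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReadOnlyCarrier:
    """Stand-in for a drive behind a write blocker: reads succeed, any write is refused."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def read(self, n: int) -> bytes:
        return self._buf.read(n)

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def write(self, data: bytes) -> None:
        raise PermissionError("write blocker: carrier is read-only")


def bitstream_image(carrier: ReadOnlyCarrier, block: int = 512) -> bytes:
    """Copy every block, including unallocated and slack areas, not just live files."""
    carrier.seek(0)
    out = bytearray()
    while chunk := carrier.read(block):
        out += chunk
    return bytes(out)


class AuditTrail:
    """Append-only log of each process applied to the evidence; entries are hash-chained."""

    def __init__(self):
        self.entries: list[dict] = []

    def record(self, action: str, **details) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"when": datetime.now(timezone.utc).isoformat(), "action": action,
                 "prev": prev, **details}
        entry["entry_hash"] = sha256(repr(sorted(entry.items())).encode())
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute the chain: any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256(repr(sorted(body.items())).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(carrier: ReadOnlyCarrier, trail: AuditTrail, examiner: str) -> tuple[bytes, str]:
    """Image the carrier and authenticate the copy, logging every step as it happens."""
    trail.record("write_blocker_attached", examiner=examiner)
    image = bitstream_image(carrier)
    image_hash = sha256(image)
    trail.record("bitstream_image_created", size=len(image), sha256=image_hash)
    original_hash = sha256(bitstream_image(carrier))      # hash the source independently
    trail.record("hash_authentication", original=original_hash, image=image_hash,
                 match=original_hash == image_hash)
    return image, image_hash


def authenticate(image: bytes, expected_hash: str) -> bool:
    return sha256(image) == expected_hash   # re-run before each analysis session


def demo() -> dict:
    # Constructed carrier: a live file, a zero gap, and a remnant no directory entry points to.
    raw = b"DIR:notes.txt\x00" + b"live data " * 20 + b"\x00" * 64 + b"deleted remnant" + b"\x00" * 300
    carrier, trail = ReadOnlyCarrier(raw), AuditTrail()
    image, image_hash = acquire(carrier, trail, examiner="examiner-01 (constructed)")
    try:
        carrier.write(b"x")
        blocked = False
    except PermissionError:
        blocked = True
    trail.record("write_attempt_blocked", blocked=blocked)
    trail_intact = trail.verify()
    trail.entries[1]["size"] = 0                            # someone edits the log afterwards
    return {"exact_copy": image == raw, "remnant_in_image": b"deleted remnant" in image,
            "authentic": authenticate(image, image_hash),
            "tampered_detected": not authenticate(image[:-1] + b"\x01", image_hash),
            "write_blocked": blocked, "trail_entries": len(trail.entries),
            "trail_intact": trail_intact, "log_edit_detected": not trail.verify()}
```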

Network Language

It is essential that computer investigators understand the language behind the technology.

1. TCP/IP (Transmission Control Protocol/Internet Protocol): It is a connection-oriented protocol. TCP is a method of communication between programs which enables a bitstream transfer of information.
2. IMAP (Internet Message Access Protocol): You can access mail using IMAP. IMAP does not copy e-mail to the user's personal machine because the user may have several. An IMAP client connects to a server by using TCP. IMAP supports the following modes for accessing e-mail messages: offline, online and disconnected mode.

Offline mode

A client periodically connects to the server to download e-mail messages. After downloading, messages are deleted from the server. POP3 supports this mode.

Online mode

The client processes e-mail messages on the server. The e-mail messages are stored on the server itself but are processed by an application on the client's end.

Disconnected mode

In this mode, both offline and online modes are supported.

Post Office Protocol 3 (POP3) is used to transfer e-mail messages from a mail server to mail client software. POP3 begins when the user agent opens a TCP connection to the mail server on port 110. After the TCP connection is established, POP3 progresses through three phases: Authorization, Transaction and Update. In the authorization phase, the user agent sends a user name and a password to authenticate the user downloading the mail. In the transaction phase, the user agent retrieves messages; in this phase the user agent can also mark messages for deletion and remove deletion marks. The update phase occurs after the client has issued the QUIT command, ending the POP3 session.

POP3 has two modes: delete mode and keep mode. In delete mode, mail is deleted from the mailbox after each retrieval. In keep mode, the mail remains in the mailbox after retrieval.
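The three phases and the delete/keep modes above, modelled as a small server-side POP3 state machine. This is an added example, not part of the original notes: the user name, password and mailbox contents are constructed, and a real server would exchange these lines over TCP port 110. For an examiner the point is that what remains on the server depends on whether the client ever reached the update phase.

```python
"""Minimal model of the POP3 phases (Authorization, Transaction, Update)
and of delete vs. keep mode. Added example; mailbox and credentials are
constructed, not taken from any real system."""


class Pop3Session:
    """Server-side state machine for one POP3 session."""

    def __init__(self, users, mailbox):
        self.users = users                 # {username: password} (constructed)
        self.mailbox = list(mailbox)       # messages currently on the server
        self.phase = "AUTHORIZATION"       # POP3 starts here after TCP connect
        self.user = None
        self.marked = set()                # message numbers marked for deletion
        self.closed = False

    def handle(self, line):
        """Process one client command line and return the server reply."""
        if self.closed:
            raise RuntimeError("session already closed")
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if self.phase == "AUTHORIZATION":
            return self._authorization(cmd, arg)
        return self._transaction(cmd, arg)

    def _authorization(self, cmd, arg):
        # The user agent must identify itself before any mail can be touched.
        if cmd == "USER":
            self.user = arg
            return "+OK name is a valid mailbox"
        if cmd == "PASS":
            if self.user in self.users and self.users[self.user] == arg:
                self.phase = "TRANSACTION"
                return "+OK maildrop locked and ready"
            return "-ERR invalid password"
        if cmd == "QUIT":
            self.closed = True             # no update phase: nothing was marked
            return "+OK POP3 server signing off"
        return "-ERR command not valid in authorization phase"

    def _transaction(self, cmd, arg):
        live = [m for i, m in enumerate(self.mailbox, 1) if i not in self.marked]
        if cmd == "STAT":
            return "+OK %d %d" % (len(live), sum(len(m) for m in live))
        if cmd in ("RETR", "DELE"):
            n = int(arg)
            if n < 1 or n > len(self.mailbox) or n in self.marked:
                return "-ERR no such message"
            if cmd == "RETR":
                msg = self.mailbox[n - 1]
                return "+OK %d octets\r\n%s\r\n." % (len(msg), msg)
            # Delete mode: the client only marks the message; nothing is removed yet.
            self.marked.add(n)
            return "+OK message %d deleted" % n
        if cmd == "RSET":
            # Deletion marks can be withdrawn at any point in the transaction phase.
            self.marked.clear()
            return "+OK"
        if cmd == "QUIT":
            # Update phase: only now are marked messages actually removed.
            self.mailbox = live
            self.marked.clear()
            self.phase = "UPDATE"
            self.closed = True
            return "+OK POP3 server signing off (%d messages left)" % len(self.mailbox)
        return "-ERR unknown command"


def run_session(commands, mailbox, users=None):
    """Drive a scripted session; return (replies, messages remaining on server)."""
    users = users or {"alice": "s3cret"}   # constructed credentials
    session = Pop3Session(users, mailbox)
    replies = [session.handle(c) for c in commands]
    return replies, session.mailbox


if __name__ == "__main__":
    inbox = ["Subject: invoice\r\n\r\nplease pay", "Subject: hi\r\n\r\nhello"]
    # Delete mode: DELE followed by QUIT removes message 1 from the server.
    replies, left = run_session(["USER alice", "PASS s3cret", "DELE 1", "QUIT"], inbox)
    print(replies[-1], left)
```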

Routers are defined as special-purpose computers or software packages that handle the connection between two or more networks. Routers spend all their time looking at the destination addresses of the packets passing through them and deciding which route to send them on.

Internet crime is defined as any illegal activity involving one or more components of the Internet, such as websites, chat rooms and e-mail. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers.

To track an e-mail message back to the sender you simply retrace the
route that the e-mail travelled by reading through the e-mail's received
headers. Killers, online sex offenders, cyber stalkers, computer intruders and
fraudsters use the Internet as an instrument to commit their crimes.
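Retracing the route from the Received headers, as an added example that is not part of the original notes. The message, host names and addresses are constructed placeholders; the parser walks the headers bottom-up (oldest hop first) and also flags timestamps that run backwards, because a header added by a relay outside your control can be forged and only the headers added by your own servers are reliable.

```python
"""Reconstruct the route an e-mail travelled from its Received: headers.
Added example with a constructed message; all hosts and addresses are placeholders."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed raw message. Each relay prepends its own Received: header, so
# the top header is the last hop (nearest the recipient) and the bottom one
# is the first hop (nearest the sender).
RAW_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.20])
\tby mx.example.org with ESMTP id 3ab12
\tfor <victim@example.org>; Tue, 03 Oct 2023 10:15:22 +0000
Received: from relay1.example.net (relay1.example.net [203.0.113.10])
\tby relay2.example.net with ESMTP id 9cd34;
\tTue, 03 Oct 2023 10:15:20 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay1.example.net with SMTP id 1ef56;
\tTue, 03 Oct 2023 10:15:18 +0000
From: someone@example.com
To: victim@example.org
Subject: test

body
"""

HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)")


def parse_received(raw):
    """Return the hops oldest-first as [{'from', 'by', 'time'}, ...]."""
    msg = message_from_string(raw)
    hops = []
    # get_all keeps header order (top to bottom); reverse it to walk sender -> recipient.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        _, _, date = value.rpartition(";")       # the date follows the last ';'
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
        })
    return hops


def origin_host(raw):
    """The 'from' of the earliest hop: the first relay's claim about the sender."""
    hops = parse_received(raw)
    return hops[0]["from"] if hops else None


def suspicious_timing(hops):
    """Relays whose timestamp is earlier than the previous hop's (clock skew or a forged header)."""
    bad = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            bad.append(cur["by"])
    return bad


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(RAW_MESSAGE), 1):
        print(i, hop["from"], "->", hop["by"], hop["time"])
```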

When the Internet plays a less active role in a crime, it is more useful
to categorize it as “information as evidence.” For example, digital evidence
on the Internet can simply indicate that a crime has occurred and provide
investigative leads.

The Internet plays a very important role in locating offenders and missing persons.

Identity theft is one of the fastest growing crimes in the world. Identity theft occurs when enough information about an individual is obtained to open a credit card account in their name and charge items to that account. Examples of the information needed are name, address, social security number and other personal information.

Law enforcement officers use online anonymity when investigating questionable or illegal websites, to conduct online undercover operations and to receive anonymous tips from informers about criminals or terrorists. In these situations, the law enforcement authorities and their contacts should have online anonymity for successful completion of the investigation. If the suspects become aware of being tracked, that could hamper the investigation.

Military communications require maximum security. Today's Internet hackers are so smart that they are sometimes even able to crack or decipher encrypted communications.

Preparation for IR: Creating Response Tool Kit and IR Team

In a large business or organization, the delegation of tasks is essential to maintaining effective operations. When looking at the makeup of an Incident Response Plan (IRP), the company assumes responsibility for its creation.

With the aid of other managers and systems administrators on the contingency planning (CP) team, the company should select members from each community of interest to form an independent IR team, which executes the IRP.

The CP team creates three sets of incident-handling procedures:

1. During the incident: The planners develop and document the procedures that must be performed during the incident.
2. After the incident: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
3. Before the incident: The planners draft a third set of procedures, the tasks that must be performed to prepare for the incident.

Once an actual incident has been confirmed and properly classified, the IR team needs to be directed to move from the detection phase to the reaction phase.

Incident response is designed to first stop the incident (if it is still continuing), mitigate its effects, and provide information for the recovery from the incident.

Three key steps include:

a) Notification of key personnel
b) Documentation of the incident
c) Incident containment strategies

Incident Recovery

The recovery process includes the following steps:

1. Identify and resolve vulnerabilities that allowed the incident to occur and spread.
2. Address the safeguards that failed to stop or limit the incident: install, replace, or upgrade them.
3. Evaluate monitoring capabilities: improve detection and reporting methods, or install new monitoring capabilities.
4. Restore systems from backups.

Incident Response Team

The incident response team is established to provide a quick, effective and orderly response to computer-related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breaches of personal information, and other events with serious information security implications. The team provides services and support, to a defined constituency, for preventing, handling and responding to computer security incidents.

Every organization should have an incident response team. This team may consist of one person in an organization or several persons. In the event of suspected computer crime or violations of user policies, the team should be activated.

The team should have written procedures for incident response, including what conditions warrant calling in local and/or federal law enforcement authorities. Violations of user policies may result in administrative actions, whereas suspected computer crimes may require that law enforcement authorities be called in.

Incident response team members are as follows. Each of the following members will have a primary role in incident response.

a) Information Technology Director
b) Information Technology Assistant Director
c) Vice President Finance and Administration
d) Qualified Member of Information Technology
e) Network Engineer
f) Security Analyst

The names and responsibilities of the team members will vary according to the organization.

The following set of services is provided by the team:

Service category                      Services
Reactive service                      1. Alerts and warnings
                                      2. Incident handling
                                      3. Vulnerability handling
Proactive service                     1. Announcements
Security quality management service   1. Security consulting
                                      2. Awareness building

Types of Incidents

There are many types of computer incidents that may require IR team activation. Some examples include:

1. Breach of Personal Information
2. Denial of Service / Distributed Denial of Service
3. Excessive Port Scans
4. Firewall Breach
5. Virus Outbreak

A security breach is defined as unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the organization.

Forensic Software Tools are used for

1. Data imaging
2. Data recovery
3. Data integrity
4. Data extraction
5. Forensic analysis
6. Monitoring

Understanding Computer Investigation

Investigation is a process that develops and tests hypotheses to answer questions about events that occurred. In general, computer forensics investigates data that can be retrieved from a computer's hard disk or other storage media.

Computer forensics is also different from data recovery, which involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. In data recovery, typically you know what you're looking for.

Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.

The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. For complex casework, the computer investigations group draws on resources from those involved in vulnerability assessment, risk management, and network intrusion detection and incident response. This group resolves or terminates all case investigations.

Digital Forensic Investigation: A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.

IT forensic techniques are used to capture and analyze electronic data and develop theories.

The following steps are applied when investigating evidence on a network:

1. Preparation and authorization
2. Identification
3. Documentation, collection and preservation
4. Filtering and data reduction
5. Class/individual characteristics and evaluation of source
6. Evidence recovery
7. Investigative reconstruction
8. Reporting results

Digital Evidence on the Internet


An investigative analyst can find information that is hidden from traditional search engines. Most investigations start online. The investigator first gathers as much information as possible from Internet searches and databases because it is cheap, easy and can be done quickly.

Like any piece of traditional evidence, Internet information too must be relevant, authentic and admissible. Most of the current case law surrounding Internet information gleaned from social media sites and other web pages is focused on the issue of authenticity.

Digital evidence must follow the following rules of evidence:

a) Admissible: it must conform to certain legal rules before it can be put before a court.
b) Authentic: it must be possible to positively tie evidentiary material to the incident.
c) Complete: it must tell the whole story.
d) Reliable: there must be nothing about how the evidence was collected and subsequently handled that casts doubt on its authenticity.

Digital Forensic Principles

When dealing with digital evidence, all of the general forensic and
procedural principles must be applied.

1. Upon seizing digital evidence, actions taken should not change that evidence.
2. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
3. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
4. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
5. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Difference between Direct Evidence and Indirect Evidence

Evidence comes in many forms, such as eyewitnesses, participants, prior statements by the defendant, documents, physical evidence, and scientific evidence, like fingerprints or DNA. No matter the form, there are two basic kinds of evidence that may be admitted in court: direct evidence and circumstantial evidence.

Direct evidence does not require any reasoning or inference to arrive at the conclusion to be drawn from the evidence. Circumstantial evidence, also called indirect evidence, requires that an inference be made between the evidence and the conclusion to be drawn from it.

A common example used to illustrate the difference between direct and circumstantial evidence is the determination of whether it rained. On the one hand, if a person testified that he or she looked outside a window and saw rain falling, that is direct evidence that it rained. If, on the other hand, a witness testified that he or she heard distant pitter-patter, and later walked outside and saw that the ground was wet, smelled freshness in the air and felt that the air was moist, those sensations would be circumstantial evidence that it had rained.

Circumstantial evidence is often discussed as if it carries less weight than direct evidence. Under the law, and in life, that is not necessarily true. The example above demonstrates that both direct and circumstantial evidence may be equally reliable. In both scenarios, there would be strong proof of rain. Any piece of evidence, whether direct or circumstantial, must be evaluated in terms of whether the source of the evidence is reliable.

Violent crimes pose major challenges to investigation. In such cases information is key to determining and then understanding the victim-offender relationship and to developing an ongoing investigative strategy.

More violent offenders and their victims are using computers and networks; therefore digital evidence must be fully exploited. For any investigation the key is information about the circumstances. The information obtained has value only when it is properly recognized and collected.

The information is usually stored in digital form on devices such as cell phones, laptops and tablets. In this case, the most informative and objective witnesses in violent crime investigations are computers and networks.

Digital investigators use information from various pieces of digital evidence to:

a) Identify probable suspects,
b) Uncover previously unknown crimes,
c) Develop leads,
d) Build a more complete timeline,
e) Reconstruct events, and
f) Check the accuracy of witness statements and offender statements.

Case Study of Computer Investigations

The role of the computer forensics professional is to collect evidence from a suspect's desktop and determine whether the suspect committed a crime or violated a company policy.

If the evidence shows that a crime or company policy violation happened, then a case is prepared against the suspect. It contains the collection of all evidence, which the investigator presents to the court or at a corporate inquiry.

Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court.

Taking a Systematic Approach

Steps for problem solving

1. Make an initial assessment about the type of case you are investigating
2. Determine a preliminary design or approach to the case
3. Prepare a detailed checklist
4. Determine the resources required for the investigation
5. Obtain and copy an evidence disk drive
6. Identify the possible risks
7. Try to minimize the risks
8. Test the design
9. Analyze and, if possible, recover the digital evidence
10. Investigate the recovered information
11. Prepare the case report
12. Evaluate the case

Assessing the Case

The following factors are considered for the case details:

1. Situation
2. Nature of the case
3. Specifics of the case
4. Evidence type
5. Operating system
6. Known disk format
7. Evidence location

Guidelines for securing digital evidence at the scene:

1. Photograph all items before they are moved or disconnected.
2. Disconnect the power supply and the modem connection.
3. Secure the computer as evidence:
a) If the computer is “OFF”, do not turn it “ON”.
b) If the computer is “ON”, follow the steps below.

For a stand-alone computer:

a) Photograph the screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
b) Place evidence tape over each drive slot.
c) Photograph/diagram and label the back of computer components with existing connections.
d) If the screen is active, photograph the items that appear on the screen.
e) Label all connectors/cable ends to allow reassembly as needed.
f) If transport is required, package components and transport/store components as fragile cargo.
g) Keep away from magnets, radio transmitters and otherwise hostile environments.
h) Do not perform normal shutdown procedures. Windows 95, 98x, NT, 2000 and XP computers can be shut down by unplugging the power plug from behind the system.

Networked or business computers

a) Consult a computer specialist for further assistance.
b) If a specialist is not available:

Seize all software and hardware manuals: These are often needed by the forensic technician for technical reference during the examination. Be sure to record their location in reference to the computer.

Seize notes, scribbles, and notebooks: Notes may have references to software passwords and other computer accounts the suspect uses. Suspects who dial into other computers often use different passwords on the various systems they access. They have been known to keep notebooks listing the computer accounts they access and their logins and passwords.

Method for Corporate High-Tech Investigations

Develop formal procedures and informal checklists to cover all issues important to high-tech investigations.

Employee termination cases:

After investigation, an employee is terminated because of abuse of corporate assets. Employees normally misuse Internet and computer resources. This includes watching adult movies, sending personal e-mail, chatting with friends, taking color printouts and browsing the Internet.

Internet abuse investigations:

To conduct an investigation for Internet abuse, the following things are needed:

1. The organization's Internet proxy server logs
2. The suspect computer's IP address
3. The suspect computer's disk drive
4. Your preferred computer forensics analysis tool

For Internet abuse investigations the following steps are followed:

a) Make use of standard forensic analysis techniques and tools.
b) Use proper tools to pull out all Web page URL information.
c) Collect the proxy server log from the firewall administrator.
d) Compare the data recovered from forensic analysis to the proxy server log.
e) Continue analyzing the computer's disk drive data.
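Step d) above, comparing the URLs recovered from the suspect's drive with the proxy server log, as an added example that is not part of the original notes. The proxy log layout (timestamp, client IP, URL), the suspect IP address and the recovered history entries are all constructed; a real proxy has its own log format, so the parser would be adapted to it.

```python
"""Correlate URLs recovered from a suspect's disk with the proxy server log.
Added example; every data set below is constructed."""
from datetime import datetime, timedelta

SUSPECT_IP = "10.1.2.33"     # constructed: the suspect computer's IP address

# Constructed proxy log, one request per line: "timestamp client_ip url".
PROXY_LOG = """\
2023-10-03T09:58:01 10.1.2.33 http://intranet.example.org/timesheet
2023-10-03T10:02:14 10.1.2.33 http://streaming.example.net/movie/123
2023-10-03T10:02:15 10.1.2.40 http://news.example.com/
2023-10-03T10:09:50 10.1.2.33 http://streaming.example.net/movie/124
2023-10-03T11:30:00 10.1.2.33 http://webmail.example.net/inbox
"""

# Constructed browser history recovered from the suspect's disk: (url, visit time).
RECOVERED_HISTORY = [
    ("http://streaming.example.net/movie/123", "2023-10-03T10:02:12"),
    ("http://streaming.example.net/movie/124", "2023-10-03T10:09:48"),
    ("http://chat.example.net/room/7", "2023-10-03T10:20:05"),   # absent from proxy log
]


def parse_proxy_log(text, client_ip):
    """Return [(time, url)] for the requests made by one client only."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, url = line.split()
        if ip == client_ip:
            rows.append((datetime.fromisoformat(ts), url))
    return rows


def correlate(proxy_rows, history, tolerance=timedelta(seconds=5)):
    """Match each recovered visit to a proxy entry with the same URL within
    `tolerance` (proxy and workstation clocks rarely agree exactly).
    Returns (corroborated, unmatched) lists of URLs."""
    corroborated, unmatched = [], []
    for url, ts in history:
        visit = datetime.fromisoformat(ts)
        hit = any(u == url and abs(t - visit) <= tolerance for t, u in proxy_rows)
        (corroborated if hit else unmatched).append(url)
    return corroborated, unmatched


def proxy_only(proxy_rows, history):
    """URLs the proxy saw from this client that were not recovered from the disk
    (cleared history, private browsing): leads for continued disk analysis."""
    seen = {url for url, _ in history}
    return [u for _, u in proxy_rows if u not in seen]


if __name__ == "__main__":
    rows = parse_proxy_log(PROXY_LOG, SUSPECT_IP)
    print(correlate(rows, RECOVERED_HISTORY))
    print(proxy_only(rows, RECOVERED_HISTORY))
```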

Attorney-Client Privilege Investigations

The attorney-client privilege protects the functioning of the attorney and client relationship and, in essence, requires an attorney; a client; a relationship between the attorney and the client for the purpose of rendering and receiving legal advice; a communication between the attorney and the client; and the intent that the communication be confidential.

The attorney-client privilege allows a client to seek and receive legal advice from an attorney in confidence. The purpose is to promote adherence to the law, by encouraging a client to seek legal advice in the first instance and by fostering full and frank discussions in the course of the attorney-client relationship.

First, internal investigations are necessary to ensure a company's compliance with laws and regulations.

The attorney-client privilege, in turn, is critical to the integrity of internal investigations. Companies simply cannot conduct prompt, efficient and accurate investigations without this protection.

Privilege creates a zone of confidentiality in which a company's in-house lawyers and outside counsel can fully assess the facts, reach accurate conclusions about potential wrongdoing, and make informed decisions about disclosures to regulators, law enforcement authorities and shareholders.

Steps for conducting an Attorney-Client Privilege case

a) Request a memorandum from the attorney directing you to start the investigation.
b) Request a list of keywords of interest to the investigation.
c) Initiate the investigation and analysis.
d) For disk drive examinations, make two bit-stream images using different tools.
e) Compare hash signatures on all files on the original and re-created disks.
f) Methodically examine every portion of the disk drive and extract all data.
g) Run keyword searches on allocated and unallocated disk space.
h) For Windows OSs, use specialty tools to analyze and extract data from the Registry.
i) For binary data files such as CAD drawings, locate the correct software product.
j) For unallocated data recovery, use a tool that removes or replaces nonprintable data.
k) Consolidate all recovered data from the evidence bit-stream image into folders and subfolders.

Attorney-Client Privilege: Requirements

Protects communications that are:

a) Between the corporation/client and the attorney
b) When the attorney is acting as an attorney
c) For the purpose of seeking legal advice, and in confidence

The attorney-client privilege does not protect communications when the privilege is waived. The privilege is the client's to assert and invoke. The form of communication is irrelevant. Merely stamping “privileged” or “confidential” on a document does not alone establish privilege.

The attorney work-product doctrine protects from disclosure confidential work product prepared by or for attorneys in anticipation of litigation.

Data Acquisition

Forensic data acquisition is a process that involves the identification of a digital source, such as a hard disk, a memory card or any other form of media and data storage, and the copying of the identified data to some accessible destination object, such as an image file, a clone or a bit-stream duplicate, performed in a complete and accurate manner.

Hence, completeness and accuracy are the two most important features that any data acquisition tool must demonstrate in order for the tool to be considered of a forensic standard of quality.

During data acquisition an exact (typically bitwise) copy of the storage media is created. A dead acquisition copies the data without the assistance of the suspect's (operating) system.

A live acquisition copies the data using the suspect's (operating) system.

Live Data Acquisition: Real-time forensic acquisition from computers, servers, databases and e-mail server applications that cannot be taken offline or leave the site. When time is of the essence, systems are constantly running, or there is a limited time frame to capture evidence from a suspect computer, live data acquisition meets the deadline and ensures that the electronic evidence maintains its evidentiary status by validating MD5 hash values.

Write Blockers

Write blockers allow acquisition of data from a storage device without changing the drive's contents. Write commands are blocked; only read commands are allowed to pass through the write blocker.

Types of blockers: Hardware Write Blocker and Software Write Blocker

Hardware Write Blockers:

The device sits in between the investigator's PC and the storage device. Supported storage interfaces are ATA, SCSI, USB or SATA. The controller cannot write values to the command register, which writes or erases data on the storage device.

Software Write Blockers (SWB):

A software layer that sits in between the OS and the device driver for the storage device. It prevents all disk requests that use system calls to write data to the storage device. The SWB should not modify a read-only disk. The SWB is designed to prevent any operations on data storage media that are not write protected.

Data acquisition methods are as follows:

1. Disk-to-image file
2. Disk-to-disk copy
3. Logical disk-to-disk or disk-to-data file
4. Sparse data copy

Data acquisition method             Remarks
Disk-to-image file                  • Most common method
                                    • Can make more than one copy
                                    • Copies are bit-for-bit replications of the original drive
                                    • ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk             • When disk-to-image copy is not possible
                                    • Consider the disk's geometry configuration
                                    • EnCase, SafeBack, SnapCopy
Logical disk-to-disk or             • When your time is limited
disk-to-data file /                 • Logical acquisition captures only specific files of interest to the case
sparse data copy                    • Sparse acquisition also collects fragments of unallocated (deleted) data
                                    • For large disks
                                    • PST or OST mail files, RAID servers

You can remotely connect to a suspect computer via a network connection and copy data from it. Remote acquisition tools vary in configurations and capabilities.

Drawbacks:

a) The LAN's data transfer speeds and routing table conflicts could cause problems.
b) Gaining the permissions needed to access more secure subnets.
c) Heavy traffic could cause delays and errors.
d) The remote access tool could be blocked by antivirus software.

With ProDiscover Investigator you can:

a) Preview a suspect's drive remotely while it is in use
b) Perform a live acquisition
c) Encrypt the connection
d) Copy the suspect computer's RAM
e) Use the optional stealth mode

ProDiscover Incident Response additional functions:

a) Capture volatile system state information
b) Analyze current running processes
c) Locate unseen files and processes
d) Remotely view and listen to IP ports
e) Run hash comparisons
f) Create a hash inventory of all files remotely

PDServer remote agent:

a) ProDiscover utility for remote access
b) Needs to be loaded on the suspect computer

PDServer installation modes:

a) Trusted CD
b) Preinstallation
c) Pushing out and running remotely

PDServer can run in a stealth mode and can change its process name to appear as an OS function.

Acquiring Data with a Linux Boot CD

A bootable Linux CD is a complete Linux operating system that can boot from an optical disc, USB stick or Preboot eXecution Environment (PXE). It runs in the computer's memory and allows an operating system to run without installing or making changes to the computer's original configuration and files.

There are many live images of known Linux distributions. Well-known live images are KNOPPIX and Ubuntu, which can be used for various purposes.

Live images can be adjusted to run special (start-up) scripts and contain special drivers and software. The process of adjusting the contents of a live image is called re-mastering.

Linux can read hard drives that are mounted as read-only. Windows OSs and newer Linux distributions automatically mount and access a drive.

Windows will write to the Recycle Bin, and sometimes to the NTFS Journal, just from booting up with a hard drive connected.

Linux kernel 2.6 and later write metadata to the drive, such as mount point configurations for an ext2 or ext3 drive. All these changes corrupt the evidence.

Forensic Linux Live CDs mount all drives read-only, which eliminates the need for a write blocker.

Forensic Linux Live CDs contain additional utilities.

A forensic live CD is configured not to mount, or to mount as read-only, any connected storage media. Well-designed Linux Live CDs are used for computer forensics.

When preparing a target drive for acquisition in Linux, modern Linux distributions can use Microsoft FAT and NTFS partitions.

The fdisk command lists, creates, deletes, and verifies partitions in Linux. The mkfs.msdos command formats a FAT file system from Linux.

The dd (“data dump”) command in Linux can read from and write to media devices and data files. It creates a raw format file that most computer forensics analysis tools can read. The dd command requires more advanced skills than the average user has and does not compress data. The dd command combined with the split command segments output into separate volumes.

The dd command is intended as a data management tool and is not designed for forensic acquisitions.

The dcfldd command adds functions: it can specify HEX patterns or text for clearing disk space, logs errors to an output file for analysis and review, offers several hashing options, provides a status display indicating the progress of the acquisition in bytes, splits data acquisitions into segmented volumes with numeric extensions, and verifies acquired data against the original disk or media data.
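The dd + split + hash-verification workflow above, reimplemented in Python as an added example (not the notes' own material, and not dd or dcfldd themselves): the source "device" is a constructed file in a temporary directory, the image is written as numbered segment volumes, and the acquisition hash is recomputed over the segments to prove the copy is bit-for-bit identical. This is the same check that hash authentication software performs on an image.

```python
"""Bit-stream imaging into segmented volumes with hash verification.
Added example; the "device" is a constructed file, not a real disk."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512          # read granularity, like dd's bs=512


def image_to_segments(source_path, dest_prefix, segment_size):
    """Copy every byte of source_path into dest_prefix.000, .001, ... and
    return (sha256 of the source as it was read, list of segment paths).
    segment_size must be a multiple of BLOCK_SIZE so a block never straddles
    two segments."""
    digest = hashlib.sha256()
    segments = []
    written_in_segment = 0
    out = None
    with open(source_path, "rb") as src:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            digest.update(chunk)             # hash computed during acquisition
            if out is None or written_in_segment >= segment_size:
                if out is not None:
                    out.close()
                path = "%s.%03d" % (dest_prefix, len(segments))   # numeric extension
                out = open(path, "wb")
                segments.append(path)
                written_in_segment = 0
            out.write(chunk)
            written_in_segment += len(chunk)
    if out is not None:
        out.close()
    return digest.hexdigest(), segments


def hash_segments(segments):
    """Hash the segments as one continuous stream, the value that is compared
    against the acquisition hash."""
    digest = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as seg:
            for chunk in iter(lambda: seg.read(BLOCK_SIZE), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_image(segments, acquisition_hash):
    """True only if the reassembled segments are bit-for-bit identical to the source."""
    return hash_segments(segments) == acquisition_hash


def demo(device_bytes, segment_size=4096):
    """Image a constructed device in a temp dir and return
    (verified, number_of_segments, verified_after_one_byte_is_flipped)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect_device.bin")
        with open(device, "wb") as f:
            f.write(device_bytes)
        acq_hash, segs = image_to_segments(device, os.path.join(tmp, "image.dd"), segment_size)
        ok = verify_image(segs, acq_hash)
        # Flip one byte in the last segment: verification must now fail.
        with open(segs[-1], "r+b") as f:
            b = f.read(1)
            f.seek(0)
            f.write(bytes([b[0] ^ 0xFF]))
        return ok, len(segs), verify_image(segs, acq_hash)


if __name__ == "__main__":
    print(demo(bytes(range(256)) * 40))   # 10240 bytes -> 3 segments of 4096
```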

Although live images run almost fully in the computer's memory, running an operating system from an optical disc is slower than running from a flash or hard disk drive.

A live image provides the digital forensic investigator a working environment that does not change the computer's original configuration and files, especially when the live image does not mount the storage devices automatically.

Thus, forensic images of storage devices can be made without disassembling the computer.

An attack has taken place. You, the investigator, have just arrived on the scene. It is expected that the attacker uses encrypted disk volumes.

In any case, the machine contains memory-resident information that will be lost after a power cycle. The figure shows the live analysis scenario.

Set up the scene for data acquisition

Suspect host (Linux):

1. Load the Helix CD-ROM into the drive.
2. Ensure that your tools do NOT modify the disk.
3. Use IP addresses instead of hostnames.
4. Use trusted CD-ROM binaries only.
5. Send acquired data over an encrypted network.

UNIT – II
EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes

Digital evidence can be any information stored or transmitted in digital form. Digital data is a tangible object. General tasks investigators perform when working with digital evidence:

1. Identify digital information or artifacts that can be used as evidence
2. Collect, preserve and document evidence
3. Analyze, identify and organize evidence
4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably

Collecting computers and processing a criminal or incident scene must be done systematically.

Crime scene refers to the location where a crime occurred or where evidence of a crime exists. For the purposes of this set of directives, crime scene will also refer to the scene of an incident that may not be criminal in nature, but where common crime scene methods are used to gather evidence.

“Evidence” is any substance or material found or recovered in connection with a criminal investigation.

“Evidence processing” refers to the specific actions taken at a crime scene or collision scene to identify, locate, document, preserve and collect evidence and/or known standards.

“Software” refers to programs that have been or can be installed in a computer. “Storage media” refers to digital storage devices that include, but may not be limited to, computer disks, flash cards, thumb drives and magnetic tape used to store computer data and/or images captured via a digital camera.

Understanding Rules of Evidence

1. Consistent practices help verify your work and enhance your credibility.
2. Comply with your state's rules of evidence or with the federal rules of evidence.
3. Evidence admitted in a criminal case can be used in a civil suit and vice versa.
4. Keep current on the latest rulings and directives on collecting, processing, storing and admitting digital evidence.
5. Data you discover from a forensic examination falls under your state's rules of evidence.
6. Digital evidence is unlike other physical evidence because it can be changed more easily.
7. Most federal courts have interpreted computer records as hearsay evidence.

Computer records are usually divided into:

1. Computer-generated records
2. Computer-stored records

Computer and digitally stored records must be shown to be authentic and trustworthy. Computer-generated records are considered authentic if the program that created the output is functioning correctly. Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic.

Authorization:

Before gathering digital evidence relating to an investigation, computer security professionals should obtain instructions and written authorization from their attorneys.

Usually, the employer can search its employees' computers, e-mail and other data. For accessing personal and private data a search warrant is needed. In such a case it may be permissible to seize the computer and secure it from alteration until the police arrive.

A valid search warrant must describe the particular property to be seized and the probable cause for seizing it. The warrant should list each item to be seized and the types of evidence sought, to prevent mistakes or misuse such as searching the wrong home or seizing items that are outside the scope of the warrant.

Digital investigators are authorized to collect and examine only material that is directly pertinent to the investigation.

The following shall establish evidentiary-related guidelines and procedures used for collecting evidence in the field:

1. The first officer to arrive at any incident scene shall be responsible for securing the area and preserving all observable evidence. Evidence technicians should not begin work until the entire area has been secured and declared safe.
2. Evidence encountered at a scene shall be handled with care to
preserve it for future processing. Discretion should be used when
determining what evidence to process at the scene. Such decisions
shall be based upon the seriousness of the offense, officer expertise
and the processing materials available.
3. The progression of evidentiary-related tasks shall generally be as
follows:
a) Secure the scene
b) Photograph and/or videotape evidence;
c) Develop potential evidence for latent prints;
d) Sketch the scene;
e) Label and collect evidence;
f) Transport and appropriately store evidence;
g) Analyze evidence.
4. Officers seizing evidence shall be responsible for notifying the
property team of the need for laboratory examinations. Evidence
technicians and/or other experts should be consulted when deemed
appropriate.
5. Each item of evidence shall be inventoried using the department
property documentation system. The system contains provisions
for recording the following: Agency case number; offense;
property invoice number; date seized; owner/suspect identifiers;
current location; item descriptions; disposition recommendation;
and chain of custody information. The property manager or
designee should review property cards upon the submission of
evidence. Improperly completed property cards may be returned to
the officer completing the card. The officer's supervisor may also
be notified.

6. As per the Act, police officers are required to provide receipts to persons from whom they have seized items of evidence or contraband.

Computer Equipment Seizure

The following shall establish procedures for the seizure of computer equipment:

1. Officers should exercise extreme caution when seizing and/or examining computer equipment so as not to cause severe damage or the loss of valuable data.
2. Persons possessing specialized knowledge of computers and
computer security should be consulted during the preparation and
execution of search warrants when necessary.
3. A person skilled in computer operation should be used to examine
such equipment prior to startup.
4. Whenever possible, a copy of the hard drive should be made before
examination. The original should then be placed in secure storage
and the copy used for examination purposes.
5. When computer equipment is in operation at the time of seizure,
the CPU should be disconnected from the power source. This
procedure will ensure that all contents stored on the hard drive
remain intact. However, data cached in memory will be lost when
the computer is powered down.
6. Strong consideration should be given to photographing and/or
videotaping on-screen images before operating computer
equipment is disconnected from the power source. This procedure
will ensure that pertinent evidence will be captured when cached
memory and/or embedded scripts are involved.
7. Non-operating computers, disks, drives and related peripherals
should be considered fragile. Such equipment should be
appropriately packaged, handled, and transported.
8. Special care must be taken to avoid exposing removable media to
magnetic fields, static electricity and physical force.

The forensic analysis function is sometimes broken into two parts:

1. Examination
2. Analysis

The examination phase involves the use of forensic tools to recover deleted files and to retrieve and characterize operating system artifacts and other relevant material. The analysis phase uses those materials to answer the questions that gave rise to the investigation.

The analysis function is also responsible for reporting and presenting the investigation's findings.

Public sector authorization may take the form of a search warrant authorizing seizure of the relevant items containing the information.

Private sector authorization is specified by the organization's policy; many use an affidavit, and it is more common to authorize the collection of images of digital information.

The private sector includes private corporations and government agencies not involved with law enforcement. They must comply with state public disclosure laws and the federal Freedom of Information Act, and make certain documents available as public records. Law enforcement is called in if needed.

A private organization wishing to search an employee's computer must generally meet the following conditions:
1. Employee made aware of organizational policy that search may occur
2. Search must be justified at its inception
3. Search must be permissible in its scope
4. Organization has clear ownership over container that material was discovered in
5. Search must be authorized by the responsible manager or administrator

The incident response policy must spell out the procedures for initiating the investigative process. This is particularly critical in the private sector, as private organizations do not enjoy the broad immunity accorded to law enforcement investigations.

Digital evidence collection follows a four-step methodology:

I. Identify sources of evidentiary material
II. Authenticate the evidentiary material
III. Collect the evidentiary material
IV. Maintain a documented chain of custody

Document Evidence

Documentary evidence is any evidence that is, or can be, introduced at a trial in the form of documents, as distinguished from oral testimony. Documentary evidence is most widely understood to refer to writings on paper (such as an invoice, a contract or a will), but the term can also apply to any media by which information can be preserved, such as photographs; a medium that needs a mechanical device to be viewed, such as a tape recording or film; and a printed form of digital evidence, such as emails, spreadsheets, etc.

Evidence contained in or on documents can be a form of real evidence. For example, a contract offered to prove the terms it contains is both documentary and real evidence. When a party offers a document into evidence, the party must authenticate it the same way as any other real evidence, either by a witness who can identify the document or by witnesses who can establish a chain of custody for the document.

Digital evidence is useful in a wide range of criminal investigations such as homicides, sex offences, missing persons, child abuse, fraud and theft.

Digital evidence helps in tracing how a crime was committed, provides investigative leads, disproves or supports witness statements and identifies likely suspects.

Digital evidence is defined as information stored or transmitted in binary form that may be relied upon in court.

For considering multiple sources of digital evidence, computer systems can be categorised into three groups:

1. Open computer systems
2. Communication systems
3. Embedded computer systems.

Ways to Challenge Documentary Evidence

When people deal with documentary evidence, it is a good idea to consider these four potential pitfalls, which could be used to challenge a document's admissibility in court:

a) Parol evidence
b) Authentication
c) Best evidence
d) Hearsay.

The parol evidence rule prohibits the admission of certain evidence concerning the terms of a written agreement. It operates on the assumption that whatever is included in a signed agreement contains the final and complete agreement of the parties.
Authentication is essentially showing the court that a piece of
evidence is what it claims to be and documentary evidence can be
authenticated similar to other real evidence.

The best evidence rule can be used to deny the admissibility of copies
or replications of certain documents. Under this rule, when the contents of a
written document are offered in evidence, the court will not accept a copy or
other proof of the document's content in place of the original document
unless an adequate explanation is offered for the absence of the original.

Hearsay: Documents can be considered hearsay if they contain statements made out of court (and not under oath) and where they are being used in court to prove the truth of those statements.

Documenting Evidence in the Lab

After collecting digital evidence at the scene, send it to a forensics lab, which should be a controlled environment that ensures the security and integrity of digital evidence.

In any investigative work, be sure to record your activities and findings as you work. To do so, maintain a journal recording the steps you take when processing evidence.

The main goal is to be able to reproduce the same results when you or another investigator repeat the steps you took to collect evidence.

If you get different results when you repeat the steps, the credibility of
your evidence becomes questionable. At best, the evidence's value is
compromised; at worst, the evidence will be dis-qualified. Because of the
nature of electronic components, failures do occur.

For example, you might not be able to repeat a data recovery because
of a hardware failure, such as a disk drive head crash. Be sure to report all
facts and events as they occur. Besides verifying your work, a journal serves
as a reference that documents the methods you used to process digital
evidence. You and others can use it for training and guidance on other
investigations.
Processing and Handling Digital Evidence

The integrity of digital evidence must be maintained in the lab just as when collecting it in the field. The first task is to preserve the disk data. If you have a suspect computer that hasn't been copied with an imaging tool, you must create a copy.

It is necessary to make the suspect drive read-only and to document this step. If the disk has been copied with an imaging tool, you must preserve the image files. With most imaging tools, you can create smaller, compressed volume sets to make archiving your data easier.

Steps to create and handle image files:

1. Copy all image files to a large drive.
2. Start the forensics tool to analyze the evidence.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
4. When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don't work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.

Preparing to Acquire Digital Evidence

The evidence you acquire at the scene depends on the nature of the
case and the alleged crime or violation.

Ask your supervisor or a senior forensics examiner the following questions:

a) Do you need to take the entire computer and all peripherals and media in the immediate area?
b) How are you going to protect the computer and media while transporting them to your lab?
c) Is the computer powered on when you arrive?
d) Is the suspect you're investigating in the immediate area of the computer?
e) Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
f) Will you have to separate the suspect from the computer?
f) Will you have to separate the suspect from the computer?

Digital forensics is the discipline that deals with the whole process of collecting digital materials from the crime scene and examining, analyzing and reporting on them according to certain standards and methods.

Digital forensics consists of four main steps: preparation, collection, analysis and reporting.

Collection is about accumulating digital evidence related to information technologies from the crime scene.

Digital devices store data in internal and external storage devices. The stored data has to be taken with certain methods. Copying only the part of the stored data relevant to the crime, or all of it, from a device is called image acquisition.

Direct analysis of digital evidence isn't considered appropriate because the data storage unit of the related device can break down and the investigator can make a change to the evidence. To assure the integrity of the evidence, the forensic investigator must take a forensic copy.

Working with Windows and DOS Systems

Nowadays, the majority of digital forensics tools operate over standard operating system components, for example standard file systems and caching mechanisms.

In attempting to better understand the workings of a computer system at its core level, it is necessary to understand the difference between a file system and an operating system and the functionality of each.

Examples of different file systems include FAT12, FAT16, FAT32 and NTFS, which are implemented on Windows. When trying to understand the mechanics of how computers actually manage data, it is necessary to delve into how a computer's OS uses the file system architecture.

A file system defines the structure and the rules used to read, write
and maintain information stored on a disk.

File System

File systems are an abstraction that enables users to read, manipulate and organize data. Typically, the data is stored in units known as files in a hierarchical tree where the nodes are known as directories.

The file system enables a uniform view, independent of the underlying storage devices, which can range between anything from floppy drives to hard drives and flash memory cards. Since file systems evolved from stand-alone computers, the connection between the logical file system and the storage device was typically a one-to-one mapping.

The DOS and Windows file systems use fixed-size clusters. Even if
the actual data being stored requires less storage than the cluster size, an
entire cluster is reserved for the file. This unused space is called the slack
space.

A cluster, also known as an allocation unit, consists of one or more sectors of storage space and represents the minimum amount of space that an operating system allocates when saving the contents of a file to a disk.

A file system must be mounted before it can be available to processes on the system. The procedure for mounting a file system is as follows.

1. The mount point is an empty directory at which the mounted file system will be attached.
2. The name of the device and the location within the file structure at which to attach the file system are required.
3. The operating system verifies that the device contains a valid file system.
4. The device driver is used by the operating system for these verifications.
5. Finally, the operating system mounts the file system at the specified mount point.

File Allocation Table

The file allocation table (FAT) is a table that the operating system uses to locate files on a disk. Due to fragmentation, a file may be divided into many sections that are scattered around the disk. The FAT keeps track of all these pieces.

The FAT system for older versions of Windows 95 is called FAT16 and the one for new versions of Windows 95 and Windows 98 is called FAT32.

FAT file systems are commonly found on floppy disks, flash memory
cards, digital cameras and many other portable devices because of their
relative simplicity.
Files and folders are organized on a FAT-formatted volume using directories and the file allocation table. The root folder (C:\ or D:\) is at a predefined location on the volume. A folder contains a list of files and subdirectories. Fig. shows the folder view of the file system.

Fig.: Folder view

The folder view contains the starting cluster, date and time associated with each file. The FAT file system shows only the last accessed date, not the time. At the command line, the “dir” command is used to get information about files and directories.

The FAT is simply a list with one entry for each cluster in a volume. Each entry in the FAT indicates what the associated cluster is being used for. The following Fig. 2.2.1 shows output from Norton Disk Editor on a file allocation table.

A free cluster is marked by zero in the FAT. If an entry contains some value greater than zero, that number is the next cluster in the chain for the given file or folder. EOF means end of file: where a file ends, the FAT marks the cluster as EOF. Subdirectories are a special type of file. They contain information such as names, attributes, dates, times, sizes and the first cluster of each file on the system.

When a file is deleted, the file system will perform one of two tasks on the allocation table. Either the file's entry in the file allocation table is marked as “free space”, or the file's entry in the list is erased and then the space is marked as free.

If a file needs to be placed on the storage unit, the operating system will put the file in the space marked as empty. After the new file is written to the “empty space”, the deleted file is gone forever. When a deleted file is to be recovered, the user must not manipulate any files, because if the “empty space” is used, then the file can never be retrieved.
A floppy diskette uses the FAT12 file system: each entry in the FAT contains 12 bits. FAT16 uses 16-bit fields to identify a cluster. Hard disks use FAT32, where 28 bits plus a 4-bit reserved field identify the cluster.
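The following Python example is added to these notes (it is not from the original text) to show how the FAT entries described above are read in practice. It packs a small constructed FAT12 table and root directory, follows the cluster chain of each live file to its EOF marker, computes the file slack for each (including the 5055-byte, two-cluster case used later in the notes), and applies the usual undelete heuristic to an entry whose first byte has been replaced by 0xE5. All file names, sizes and cluster numbers are constructed.

```python
import struct

CLUSTER_SIZE = 4096          # bytes per cluster, matching the slack example in the notes
FAT12_EOF_MIN = 0xFF8        # FAT12 entries 0xFF8..0xFFF mark end of chain; 0 means free


def pack_fat12(entries):
    """Pack a list of 12-bit FAT entries into the on-disk layout (two entries per three bytes)."""
    out = bytearray()
    for i in range(0, len(entries), 2):
        a = entries[i] & 0x0FFF
        b = entries[i + 1] & 0x0FFF if i + 1 < len(entries) else 0
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)


def fat12_entry(fat, n):
    """Read entry n: 1.5 bytes per entry, so the byte pair at n*1.5 holds it in its low or high 12 bits."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF


def make_dir_entry(name, ext, first_cluster, size, deleted=False):
    """Build a 32-byte 8.3 directory entry; a deleted entry has 0xE5 in place of the first name byte."""
    raw_name = name.ljust(8)[:8].encode("ascii")
    if deleted:
        raw_name = b"\xE5" + raw_name[1:]
    return struct.pack("<8s3sB10sHHHI", raw_name, ext.ljust(3)[:3].encode("ascii"),
                       0x20, bytes(10), 0, 0, first_cluster, size)


def parse_dir_entries(raw):
    """Walk a directory region until the 0x00 end marker, keeping deleted entries (0xE5) as well."""
    entries = []
    for off in range(0, len(raw), 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:
            break
        name, ext, _attr, _res, _time, _date, first, size = struct.unpack("<8s3sB10sHHHI", rec)
        deleted = rec[0] == 0xE5
        base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
        entries.append({"name": f"{base.rstrip()}.{ext.decode('ascii').rstrip()}",
                        "deleted": deleted, "first_cluster": first, "size": size})
    return entries


def cluster_chain(fat, start):
    """Follow next-cluster pointers from the directory entry's first cluster until an EOF marker."""
    chain, cur = [], start
    while 2 <= cur < FAT12_EOF_MIN:
        if cur in chain:
            raise ValueError(f"cross-linked chain at cluster {cur}")
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain


def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    return max(1, -(-size // cluster_size))   # ceiling division; even a tiny file gets one cluster


def file_slack(size, n_clusters, cluster_size=CLUSTER_SIZE):
    """Physical size minus logical size: the unused tail of the last allocated cluster."""
    return n_clusters * cluster_size - size


def recover_deleted(entry, fat, cluster_size=CLUSTER_SIZE):
    """Undelete heuristic: the entry still names the first cluster and size; assume the file was
    contiguous and accept the clusters only if the FAT still shows them free (not yet reused)."""
    n = clusters_needed(entry["size"], cluster_size)
    candidate = list(range(entry["first_cluster"], entry["first_cluster"] + n))
    return candidate if all(fat12_entry(fat, c) == 0 for c in candidate) else None


def build_sample():
    """Constructed FAT12 table and root directory: one contiguous file, one deleted file, one fragmented file."""
    table = [0] * 16
    table[0], table[1] = 0xFF0, 0xFFF           # media descriptor and reserved entry
    table[2], table[3] = 3, 0xFFF               # REPORT.TXT: 2 -> 3 -> EOF
    table[4] = 0                                # NOTES.DOC deleted; its cluster released
    table[5], table[7], table[6] = 7, 6, 0xFFF  # LOG.TXT: 5 -> 7 -> 6 -> EOF (fragmented)
    directory = b"".join([
        make_dir_entry("REPORT", "TXT", 2, 5055),
        make_dir_entry("NOTES", "DOC", 4, 600, deleted=True),
        make_dir_entry("LOG", "TXT", 5, 9000),
    ]) + bytes(32)                              # 0x00 first byte: end of directory
    return pack_fat12(table), directory


def inventory():
    """What an examiner's FAT view shows: chains and slack for live files, recoverability for deleted ones."""
    fat, directory = build_sample()
    report = {}
    for e in parse_dir_entries(directory):
        if e["deleted"]:
            report[e["name"]] = {"deleted": True, "recoverable_clusters": recover_deleted(e, fat)}
        else:
            chain = cluster_chain(fat, e["first_cluster"])
            report[e["name"]] = {"deleted": False, "chain": chain,
                                 "slack_bytes": file_slack(e["size"], len(chain))}
    return report


if __name__ == "__main__":
    for name, info in inventory().items():
        print(name, info)
```

Note what the deleted entry still tells the examiner: the name minus its first character, the size and the first cluster. Whether the data is actually recoverable depends on the FAT entries for those clusters still being zero, which is why the notes stress not writing to the volume before recovery.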

NTFS (New Technology File System)

Master file table is the heart of NTFS. The MFT is an array of file
records. Each record is 1024 bytes. The first record in the MFT is for the MFT
itself. The name of the MFT is $MFT. The first 16 records in the MFT are reserved
for metadata files.

An MFT can be too big if a volume used to have lots of files that were deleted. The files that were deleted cause internal holes in the MFT. These holes are significant regions that are unused by files. It is impossible to reclaim this space, at least on a live NTFS volume. Fig. shows an NTFS partition.

Fig.: NTFS partition

As files are added to an NTFS volume, more entries are added to the
MFT and so the MFT increases in size. When files are deleted from an NTFS
volume, their MFT entries are marked as free and may be reused, but the MFT
does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Directories are treated in NTFS as index entries and store folder entries
in a B-Tree to accelerate access and facilitate resorting when entries are deleted.
NTFS uses an encoding scheme called Unicode.

The attribute places INDX records in a B+ tree, where the key is the file name. A B+ tree is a data structure where arbitrary records are organized by a sortable key value, such as a number or a string. For a forensic investigator, the effect of the B+ tree is that INDX records associated with a node are stored as a chunk in alphanumeric order.

The size of a B+ node is 4096 bytes. When a file is added to a directory, a new record is added to the INDX attribute of the directory. Within the B+ tree, NTFS finds the appropriate node and inserts the new record, shifting records down if necessary. Fig. shows a file with a logical size that is larger than its valid data length, leaving uninitialized space.

Fig. shows the behaviour of the Microsoft NTFS driver as an INDX record is deleted. When the driver removes INDX record “F”, it shifts the records “G” and “H” to fill the space. As the contents of record “H” shift, a recoverable copy (inactive record “H'”) remains in the newly expanded slack space.
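To make the INDX shifting behaviour concrete, here is an added Python simulation (not part of the original notes, and using a simplified record layout rather than the real INDX structure): a 4096-byte node holds sorted records, deletion shifts the later records down without clearing the bytes beyond the new end, and a simple carver then recovers the stale copies from the node's slack. In the constructed case the deleted record is itself overwritten by the shift, while stale copies of the records that moved survive in the slack, which is the effect described above for record “H'”.

```python
import struct

NODE_SIZE = 4096   # size of one index node, as stated in the notes
HEADER = 24        # constructed header length for this toy node (not the real INDX header layout)


def make_record(filename):
    """Toy index record: 2-byte record length, 2-byte name length in bytes, UTF-16LE name, padding to 8 bytes."""
    name = filename.encode("utf-16-le")
    body = 4 + len(name)
    padded = (body + 7) // 8 * 8
    return struct.pack("<HH", padded, len(name)) + name + bytes(padded - body)


class IndexNode:
    """Fixed-size node whose live records are kept sorted and packed from the header onward;
    everything between the last live record and the end of the node is the node's slack."""

    def __init__(self):
        self.buf = bytearray(NODE_SIZE)
        self.used = HEADER          # offset just past the last live record

    def live_offsets(self):
        off = HEADER
        while off < self.used:
            yield off
            off += struct.unpack_from("<H", self.buf, off)[0]

    def record_name(self, off):
        _length, name_len = struct.unpack_from("<HH", self.buf, off)
        return bytes(self.buf[off + 4:off + 4 + name_len]).decode("utf-16-le")

    def live_names(self):
        return [self.record_name(off) for off in self.live_offsets()]

    def insert(self, filename):
        """Insert in sort order, shifting later records up to make room (a real tree would split when full)."""
        rec = make_record(filename)
        if self.used + len(rec) > NODE_SIZE:
            raise OverflowError("node full")
        pos = self.used
        for off in self.live_offsets():
            if self.record_name(off) > filename:
                pos = off
                break
        tail = bytes(self.buf[pos:self.used])
        self.buf[pos:pos + len(rec)] = rec
        self.buf[pos + len(rec):pos + len(rec) + len(tail)] = tail
        self.used += len(rec)

    def delete(self, filename):
        """Remove a record by shifting the records after it down; nothing past the new end is cleared."""
        for off in self.live_offsets():
            if self.record_name(off) == filename:
                length = struct.unpack_from("<H", self.buf, off)[0]
                tail = bytes(self.buf[off + length:self.used])
                self.buf[off:off + len(tail)] = tail
                self.used -= length
                return True
        return False

    def slack(self):
        return bytes(self.buf[self.used:])


def carve_records(data):
    """Scan a slack region at 8-byte steps for anything that parses as a plausible record."""
    names = []
    for off in range(0, len(data) - 4, 8):
        length, name_len = struct.unpack_from("<HH", data, off)
        if not (8 <= length <= 512 and length % 8 == 0
                and 0 < name_len <= length - 4 and name_len % 2 == 0):
            continue
        try:
            name = data[off + 4:off + 4 + name_len].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            names.append(name)
    return names


def demo():
    """Three files, then delete the first: the live view loses it, the slack keeps stale copies of the rest."""
    node = IndexNode()
    for fn in ("F_deleted_file.txt", "G.txt", "H.txt"):   # constructed names
        node.insert(fn)
    carved_before = carve_records(node.slack())          # slack still all zero: nothing to carve
    node.delete("F_deleted_file.txt")
    return node.live_names(), carved_before, carve_records(node.slack())


if __name__ == "__main__":
    live, before, after = demo()
    print("live:", live, "carved before:", before, "carved after:", after)
```

The forensic lesson is the same as for the real INDX attribute: a listing that walks only live records misses what the slack still holds, so index slack has to be carved separately.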

NTFS captures the difference between logical file size and valid data
length in two MFT fields.

NTFS creates MFT entries whenever required. When a file is deleted, NTFS simply marks the associated MFT entry as deleted and available for a new file. It is possible to recover all of the information about a deleted file from the MFT entry, including the data for resident files and the location of data on disk for non-resident files.
Recovery of deleted files in NTFS is complicated: when a file is deleted, the next file that is created may overwrite the MFT entry for the deleted file.

NTFS Data Streams

An NTFS data stream is a unique set of file attributes. NTFS supports multiple data streams per file: one main stream plus an optional set of alternate data streams.

A data stream can be created in an existing file on an NTFS volume. NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file. A handle can be opened to each data stream.

A data stream is a unique set of file attributes. Streams have separate opportunistic locks, file locks and sizes, but common permissions.

A data stream does not appear when a file is opened in a text editor. The
only way to see if a data stream is attached to a file is by examining the MFT entry
for the file.

In NTFS, a data stream becomes an additional file attribute. It allows the file to be associated with different applications. You can only tell whether a file has a data stream attached by examining that file's MFT entry.

Alternate data stream: The stream in any data attribute on a file or directory other
than the default, unnamed stream.

NTFS Compressed Files

NTFS is capable of compressing individual files, all files within a folder, or all files and folders on a volume. Compression is executed within NTFS.

Any Windows program can read/write compressed files without considering the extent of the compression. When a compressed file is opened, only a part of the file is decompressed while being read.

Data already in memory is uncompressed. Modified and new data is compressed again when written to the compressed file on disk. NTFS compression algorithms support cluster sizes of up to 4 kB.

The best use of compression is for files which are repetitive, written
seldom, usually accessed sequentially: log files are an ideal example.

Compression works in blocks of 16 clusters. Data is compressed using a modified LZ77 algorithm, named LZNT1.

Each block is compressed independently. If a compressed block does not become smaller than the original 16 clusters, it is left uncompressed.

Compressing a file adds serious complexity to the way the file is stored. The MFT is the only place that contains information about what parts are compressed and by how much. If the MFT is corrupted there is little hope of retrieving the data.

Each NTFS data stream contains information that indicates whether any
part of the stream is compressed.

NTFS provides real-time access to a compressed file, decompressing the file when it is opened and compressing it when it is closed.

When writing a compressed file, the system reserves disk space for the
uncompressed size. The system gets back unused space as each individual
compression buffer is compressed.

If the compressed information takes up less space than the source file,
then the rest of the space is labeled as sparse space and no space on the volume is
allocated to it. Because the compressed data often doesn't have a size exactly that
of the cluster, the end of each of these blocks stays as unusable space of significant
size.

Most computer forensics tools can uncompress and analyze compressed Windows data.
NTFS Encrypting File System (EFS)

NTFS files can be encrypted to protect the information from unauthorized users. It is a valuable form of protection for local file access. Each user's digital encryption keys are used to encrypt and decrypt the file.

As a first step to encrypt a file, NTFS creates a log file called “Efs0.log” in the System Volume Information folder on the same drive as the encrypted file. Then EFS acquires a CryptoAPI context and generates a File Encryption Key (FEK).

The next step is to get the user's public/private key pair; if it does not exist at this stage, EFS generates a new pair. EFS uses the 1024-bit RSA algorithm to encrypt the FEK.

EFS creates a Data Decryption Field (DDF) for the current user, where it places the FEK encrypted with the user's public key. If a recovery agent is defined by system policy, EFS also creates a Data Recovery Field (DRF) and places there the FEK encr
ypted with the public key of the recovery agent.

A separate DRF is created for every recovery agent defined. Now a temporary file Efs0.tmp is created in the same folder as the file being encrypted.

The contents of original file (plain text) are copied into temporary file,
after that the original is overwritten with encrypted data.

By default, EFS uses the DESX algorithm with a 128-bit key to encrypt file data, but Windows can also be configured to use the stronger 3DES algorithm with a 168-bit key. After encryption is done, the temporary and log files are deleted.

After a file is encrypted, only users who have a corresponding DDF or DRF can access the file. This mechanism is separate from common security, meaning that besides the rights to access the file, the file must have its FEK encrypted with the user's public key.

Only a user who can decrypt the FEK with his own private key can access the file. The consequence is that a user who has access to the file can encrypt it, thus preventing the owner from accessing his own file.
The decryption process is the opposite of encryption. First, the system checks whether the user has a private key used by EFS. If yes, it reads the EFS attributes and walks through the DDF ring looking for the DDF of the current user. If the DDF is found, the user's private key is used to decrypt the FEK extracted from the DDF. Using the decrypted FEK, EFS decrypts the file data. It should be noted that the file is never decrypted as a whole but rather sector by sector, when an upper-level module requests a particular sector.

Date and Time

Changing the date or time on a computer is relatively easy; simply right click on the date in the Windows task bar and you can adjust the date on the computer.

One defendant who was on notice that his computer would be examined on a given date sought to obscure evidence of his crime.

He turned the computer clock back two months, deleted the incriminating files and returned the computer clock back to the correct time.

It is necessary to understand how date and time are stored and converted in the OS.

Here is an example from a formatted FAT12 floppy diskette. Fig. 2.2.8 shows that at offset 39 (0x27) the hex values 25 14 1D F4 are the volume serial number.

With FAT32 volumes, the volume serial number is stored in the boot sector at offset 67 (0x43). When formatted, this floppy diskette returned the volume serial 2514 - 1DF4. The disk was formatted on Sunday, 19th October 2003 at 22:33:27.01. The calculation of the volume serial number is as follows:

Fig.: Serial number calculation
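The calculation shown in the figure is reproduced below as an added Python example (not from the original notes). The high word of the serial is the sum of the (seconds, hundredths) byte pair and the (month, day) byte pair; the low word is the sum of the (hours, minutes) byte pair and the year; applied to 19 October 2003, 22:33:27.01 this yields 2514-1DF4. The example also reads the serial from a constructed boot sector at the offsets given above and packs the 16-bit FAT date and time fields used in directory entries. The boot sector content is constructed.

```python
import struct
from datetime import datetime

# The notes' example: floppy formatted Sunday 19 October 2003 at 22:33:27.01, serial 2514-1DF4
EXAMPLE_FORMAT_TIME = datetime(2003, 10, 19, 22, 33, 27, 10_000)


def fat_volume_serial_from_parts(year, month, day, hour, minute, second, hundredths):
    """High word: (seconds<<8 | hundredths) + (month<<8 | day); low word: (hours<<8 | minutes) + year."""
    high = ((second << 8) | hundredths) + ((month << 8) | day)
    low = ((hour << 8) | minute) + year
    return ((high & 0xFFFF) << 16) | (low & 0xFFFF)


def fat_volume_serial(ts):
    """Serial the format routine derives from the moment of formatting (hundredths from microseconds)."""
    return fat_volume_serial_from_parts(ts.year, ts.month, ts.day, ts.hour, ts.minute,
                                        ts.second, ts.microsecond // 10_000)


def format_serial(serial):
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def make_boot_sector(serial, fat32=False):
    """Constructed 512-byte boot sector with only the serial filled in: offset 0x27 (FAT12/16) or 0x43 (FAT32)."""
    sector = bytearray(512)
    # stored little-endian, so 2514-1DF4 appears on disk as the bytes F4 1D 14 25
    struct.pack_into("<I", sector, 0x43 if fat32 else 0x27, serial)
    return bytes(sector)


def read_volume_serial(sector, fat32=False):
    return struct.unpack_from("<I", sector, 0x43 if fat32 else 0x27)[0]


def fat_date_time(ts):
    """Directory-entry timestamp: 16-bit date (years since 1980, month, day) and 16-bit time (2-second resolution)."""
    date = ((ts.year - 1980) << 9) | (ts.month << 5) | ts.day
    time = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return date, time


def decode_fat_date_time(date, time):
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def serial_consistent_with(serial, claimed_ts):
    """Check whether a volume serial could have been produced by a claimed format date/time."""
    return fat_volume_serial(claimed_ts) == serial


if __name__ == "__main__":
    print(format_serial(fat_volume_serial(EXAMPLE_FORMAT_TIME)))       # 2514-1DF4
    print([hex(b) for b in make_boot_sector(0x25141DF4)[0x27:0x2B]])    # little-endian bytes on disk
```

Because the serial is derived from the clock at format time, it gives the examiner an independent check on when a volume was formatted, and the 2-second granularity of FAT directory timestamps explains why a file's recorded time can differ by a second from the time it was actually written.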


Data Recovery

Data recovery from FAT and NTFS is done in two ways:

1. Recovering deleted data from unallocated space
2. Recovering data from slack space.

Unallocated space is searched to recover deleted directories. Tools such as EnCase and X-Ways use this method for data recovery. Undelete/file recovery software searches unallocated space and makes the files it finds available.

Windows-Based Recovery Tools

Windows-based recovery tools include EnCase, FTK and X-Ways. These tools use a bit-stream copy of a disk to display a virtual reconstruction of the file system. They also display deleted files, without actually modifying the FAT.

Linux-Based Recovery Tools

The Sleuth Kit and SMART 6 are Linux-based recovery tools. These tools are used to recover deleted files from FAT and NTFS.

File Carving with Windows

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file. Carving looks for particular signatures or patterns that may give a clue that some interesting data is stored in a particular spot on the disk.

It is a method that recovers files from unallocated space without any file system information and is used to recover data and carry out a digital forensic investigation. Data carving technique: the raw bits of a disk are analysed to identify recognizable patterns that may indicate a data file, e.g. a header/footer or semantic information.

Carving software is designed to take a linear approach to locating data files. Incomplete files, large files containing information from multiple sources, and embedded images extracted from PowerPoint files create “Franken files” (fragments of several files joined as one). Following Fig. shows the deleted file search.

Limitations of Data Carving

Not all data can be carved. Carving is based on characteristic signatures or patterns. For example, JPEG files typically have the “JFIF” signature in the beginning, followed by the file header. PDF files begin with “%PDF” and ZIP archives start with “PK”. Some other files are pure binary data with no such signature.
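An added Python example (not from the original notes) of signature-based carving over a constructed raw image: it checks each sector boundary for the JPEG (FF D8 FF, with “JFIF” following the header), PDF (“%PDF” to “%%EOF”) and ZIP (“PK”) signatures, carves to the footer (for ZIP, to the end of the end-of-central-directory record), and flags a header with no footer as truncated rather than guessing. The image layout and file contents are constructed; the ZIP is a real archive built in memory so the carved result can be validated.

```python
import io
import struct
import zipfile

SECTOR = 512
MAX_CARVE = 64 * 1024     # cap for a header whose footer is never found


def footer_end(footer):
    """Return a finder that ends the file just after the next occurrence of a fixed footer."""
    def find_end(data, start):
        pos = data.find(footer, start)
        return None if pos < 0 else pos + len(footer)
    return find_end


def zip_end(data, start):
    """ZIP has no fixed footer: end after the end-of-central-directory record plus its comment."""
    eocd = data.find(b"PK\x05\x06", start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + 22 + comment_len


# (type, header bytes, end finder); "JFIF" sits at offset 6 inside the JPEG header
SIGNATURES = [
    ("jpg", b"\xFF\xD8\xFF", footer_end(b"\xFF\xD9")),
    ("pdf", b"%PDF", footer_end(b"%%EOF")),
    ("zip", b"PK\x03\x04", zip_end),
]


def carve(image, align=SECTOR):
    """Linear scan of a raw image: test every aligned offset against each signature and cut to the footer."""
    found = []
    for off in range(0, len(image), align):
        for kind, header, find_end in SIGNATURES:
            if not image.startswith(header, off):
                continue
            end = find_end(image, off + len(header))
            truncated = end is None or end - off > MAX_CARVE
            if truncated:
                end = min(off + MAX_CARVE, len(image))
            found.append({"type": kind, "offset": off, "size": end - off,
                          "truncated": truncated, "data": image[off:end]})
    return found


def looks_like_jfif(data):
    return data[:3] == b"\xFF\xD8\xFF" and data[6:10] == b"JFIF"


def verify_zip(data):
    """Validate a carved ZIP by listing its central directory; None if the archive is not intact."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def build_sample_image():
    """Constructed 16-sector image: a PDF, a JPEG and a ZIP on sector boundaries, plus an orphan PDF header."""
    img = bytearray(16 * SECTOR)
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
    jpg = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00"
           + bytes(40) + b"\xFF\xD9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample")
    zip_bytes = buf.getvalue()
    img[1 * SECTOR:1 * SECTOR + len(pdf)] = pdf
    img[3 * SECTOR:3 * SECTOR + len(jpg)] = jpg
    img[5 * SECTOR:5 * SECTOR + len(zip_bytes)] = zip_bytes
    img[9 * SECTOR:9 * SECTOR + 8] = b"%PDF-1.7"        # header only: the rest was overwritten
    return bytes(img)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit["type"], hit["offset"], hit["size"], "truncated" if hit["truncated"] else "")
```

The truncated flag is where the “Franken file” problem surfaces: had another PDF followed the orphan header, a footer-only carver would have joined the two into one file, so carved output should always be validated (as verify_zip does for archives) before it is relied on.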

Logical file size: It is the actual size of the file.

Physical file size: It is the size given to the file on the hard disk. The physical file
size is always greater than or equal to the logical file size.
File slack is the difference between the physical file size and logical file
size. The file slack should always be less than 1 cluster.

For example: A data file size is 5055 bytes and it is given 2 clusters
space. 1 cluster = 4096 bytes. Two clusters mean 8192 bytes.

File slack = 8192 – 5055 = 3137 bytes

A new file is created by overwriting unallocated space. File slack is essentially old fragments of unallocated file space. File slack can contain anything at all, from fragments of web pages, emails and even complete small pictures, to junk text.

Important evidence often ends up in the Recycle Bin. This is especially true for Windows PCs. Deleted files can often be successfully retrieved by analyzing the content of the Recycle Bin, the temporary storage where they are placed before being erased. If deleted files do not show up in the Recycle Bin, there are still good chances to recover them by using one of the many commercial data recovery tools. The principle of deleted file recovery is based on the fact that Windows does not wipe the contents of a file when it is deleted. Instead, the file system record storing the exact location of that file on the disk is marked as “deleted”. The disk space previously occupied by the file is then advertised as available, but not overwritten with zeroes or other data just yet.

Dealing with Password Protection and Encryption

In some cases, digital investigators have to overcome password protection or encryption on a computer they are processing.

A fully encrypted hard disk whose owner refuses to give up the key is useless to an investigator. Even if the type of encryption algorithm is known, a brute force attack on any good encryption key is infeasible.

If the suspect has chosen one long and random password, then it is impossible to recover any data from that computer.

For this type of situation, there are many specialized tools available that
can bypass or recover passwords of various files. The most powerful and versatile
password recovery programs currently available are PRTK and Distributed
Network Attack (DNA) from Access Data.

Log File

Windows operating systems store log files in the
“%systemroot%\system32\config\” folder. System log files can contain
information about user accounts. Each log contains a list of events that occurred,
along with problems, failures and warnings.

The Windows application, security, and system log files can be read
with a Windows application called “Event Viewer,” which is accessed through the
Control Panel.

Most log files are in plain text format. You can view them with any text
editor such as Vi or Emacs. Some log files are readable by all users on the system;
however, root privileges are required to read most log files.

Registry

The registry is made up of keys. Each key is like the branch of a tree.
Each key has one parent key and zero or more child keys. Each key can contain
zero or more “Values”, each of which contains a single piece of data.

Windows operating systems use the registry to store system
configuration information and usage details. The registry is a database that stores
initialization data such as hardware/software configuration, network connections,
user preferences and setup information.

The registry contains following main keys:

HKEY_CLASSES_ROOT: It contains information on file types, including which
programs are used to open a particular file type.

HKEY_CURRENT_USER: It contains user-specific settings that are built from
information in the HKEY_USERS key during the logon process.

HKEY_LOCAL_MACHINE: It contains computer-specific information including
installed hardware and software. This is the key users tend to spend the most time
in.

HKEY_USERS: It contains information about all of the users who log on to the
computer. This includes settings for programs, desktop configurations and so on.
This key contains one sub-key for each user.

HKEY_CURRENT_CONFIG: It contains information about the computer's
hardware configuration.

In some registry files, key values are stored in hexadecimal format, but
they can be converted to ASCII and saved to a text file.

The registry contains the configuration information for the hardware
and software and may also contain information about recently used programs and
files. Proof that a suspect had installed a program or application may be found in
the registry.

Current Computer Forensics Tools: Software/ Hardware Tools

The field of computer forensic investigation includes the capture and
analysis of digital data to prove either that a crime has been committed or that it
has not. The range of crimes can include computer-related crime as well as other
crimes that have left evidence in digital formats.

There are two basic types of data that are collected, persistent data and
volatile data. Persistent data is data that is stored on a hard drive or another
medium and is preserved when the computer is turned off. Volatile data is any data
that is stored in memory or exists in transit and will be lost when the computer is
turned off. Volatile data might be key evidence, so it is important that if the
computer is on at the scene of the crime it remains on. There are a variety of tools
used to collect data.

Tools are used to analyze digital data and prove or disprove criminal
activity. They are used in 2 of the 3 phases of computer forensics:

Acquisition - Images systems and gathers evidence

Analysis - Examines data and recovers deleted content

Presentation – Tools not used


Types of Computer Forensics Tools

Hardware forensic tools: Range from single-purpose components to complete
computer systems and servers.

Software forensic tools: There are two types of software forensic tools,
command-line applications and GUI applications. They are commonly used to
copy data from a suspect’s disk drive to an image file.

Computer Forensic Tools Capabilities

1. Recover deleted files
2. Find out what external devices have been attached and what users
accessed them
3. Determine what programs ran
4. Recover web pages
5. Recover emails and users who read them
6. Recover chat logs
7. Determine file servers used
8. Discover document's hidden history
9. Recover phone records and SMS text messages from mobile devices

Tasks Performed by Computer Forensics Tools

1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting

Computer forensics procedures can be distilled into three major components:

Make a digital copy of the original evidence. Investigators make a copy
of the evidence and work with the copy to reduce the possibility of inadvertently
changing the original evidence.

Authenticate the copy of the evidence. Investigators must verify that the
copy of the evidence is exactly the same as the original.

Analyze the digital copy. The specific procedures performed in an
investigation are determined by the specific circumstances under which the
investigation is occurring.

Computer forensics is a very important branch of computer science in
relation to computer and Internet related crimes. Earlier, computers were only used
to produce data, but now the field has expanded to all devices related to digital
data. The goal of computer forensics is to perform crime investigations by using
evidence from digital data to find who was responsible for that particular crime.

For better research and investigation, developers have created many
computer forensics tools. Police departments and investigation agencies select the
tools based on various factors including budget and available experts on the team.

These computer forensics tools can also be classified into various categories:

1. Disk and data capture tools
2. File viewers
3. File analysis tools
4. Registry analysis tools
5. Internet analysis tools
6. Email analysis tools
7. Mobile devices analysis tools
8. Mac OS analysis tools
9. Network forensics tools
10. Database forensics tools

Tools

The Sleuth Kit (TSK)

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-
based tools and utilities to allow for the forensic analysis of computer systems. It
allows examination of DOS, BSD, Mac, Sun, GPT partitions and disks.

It also includes the Autopsy forensic browser as a graphical analysis tool
and supports integration with an SQLite database. It can be run on live Windows
systems for incident response.

With this kit, the user can examine computer file systems through a
non-intrusive approach that does not depend on the investigated machine's
operating system to process the file system, and can recover deleted and hidden
files from DOS, BSD, Mac, Sun and Linux partitions.

The results generated by Sleuth Kit tools are used by another tool, the
Autopsy forensic browser, which presents such details as image integrity, keyword
searches and other automated operations on the investigated partition through
a graphical interface.

The Sleuth Kit was written in C and Perl and reuses parts of the TCT code.

The Coroner's Toolkit (TCT)

The TCT tools do not recognize NTFS, FAT or EXT3 partitions, making
them of little use when performing forensic investigations in machines with
Microsoft Windows and/or Linux operating systems with EXT3 file systems.

Investigating Windows (FAT) partitions with TCT is only possible after
a conversion to EXT2 format, which demands alterations to the i-node table of the
investigated partition. This activity is not always possible in data analysis.

FTK TOOL

FTK can analyze data from several sources, including image files from
other vendors. FTK also produces a case log file, where you can maintain a
detailed log of all activities during the examination such as keyword searches and
data extractions.

FTK provides two options for searching for keywords. One option is an
indexed search, which catalogs all words on the evidence drive so that FTK can
find them quickly. The other option is live search, which can locate items such as
text hidden in unallocated space that might not turn up in an indexed search.

Maresware

Maresware computer forensics software provides an essential set of
tools for investigating computer records and securing private information. It is
highly flexible to meet the needs of all types of investigators including law
enforcement, intelligence agencies, private investigators, corporate security officers
and human resources personnel.

Used within a forensic paradigm, the software enables discovery of
evidence for use in criminal or civil legal proceedings. Internal investigators can
develop documentation to support disciplinary actions, yet do so non-invasively, to
preserve evidence that could end up in court.

Functions of Maresware

a) Discovery of “hidden” files (such as NTFS Alternate Data Streams)
b) For incident response purposes
c) Evaluation of timelines
d) Key word searching
e) Files verification
f) Drive wiping for information privacy and security
g) File reformatting
h) Documenting all the examiner's steps and procedures

Pro Discover Basic

ProDiscover Basic from Technology Pathways is a forensic data
analysis tool. It can be used to acquire and analyze data from several different file
systems such as Microsoft FAT and NTFS, Linux Ext2 and Ext3 and other UNIX
file systems.

Forensic Suite

The Forensic suite has various specialized instruments available for
forensic applications such as fiber analysis, finger mark detection, chemical trace
analysis (including paint, fibers, glass, fire and explosive residues), document
examination, drug analysis and microscopy analysis.

Acquisition and Seizure of Evidence from Computers and Mobile Devices

Acquiring and seizing evidence from computers and mobile devices
involves identifying, collecting, and preserving digital data for legal or
investigative purposes, often using techniques like logical or physical extraction
and ensuring the integrity of the evidence.

Logical Extraction:

Method: Communicates with the device using its own programming
language to access active and deleted files, file systems, and other data.

Data: Retrieves data from active and deleted files, file systems,
unallocated and unused space, and compressed, encrypted, and password-protected
data.

Speed and Ease: Faster and easier than physical extraction.

Data Scope: Contains less data than physical extraction.

Tools: Oxygen Forensic Device Extractor and XRY Logical.

Physical Extraction:

Method: Creates a bit-by-bit copy of the data on a device, including
hidden or deleted files.

Data: Captures all data on the storage media, including deleted
information.

Complexity: More complex and technically dependent on the device
manufacturer.

Data Scope: Provides a comprehensive view of the device's data.

Tools: Cellebrite UFED Physical Pro and XRY Physical.

Chain of Custody

The chain of custody is the most critical process of evidence
documentation. It is necessary to assure the court of law that the evidence is
authentic, i.e., the same evidence seized at the crime scene, that it was always in the
custody of a person designated to handle it, and that it was never unaccounted for.
Although it is a lengthy process, the evidence must be relevant in court. The
continuity of possession of evidence or custody of evidence and its movement and
location from the point of discovery and recovery (at the scene of a crime or from a
person) to its transport to the laboratory for examination and until the time it is
allowed and admitted in the court, is known as the chain of custody or chain of
evidence.

Importance of the Chain of Custody

The chain of custody proves the integrity of a piece of evidence. A
paper trail is maintained so that the persons who had charge of the evidence at any
given time can be identified quickly and summoned to testify during the trial if
required. A record of the chain of evidence must be maintained and established in
the court whenever presenting evidence as an exhibit. Otherwise, the evidence may
be inadmissible in court, leading to serious questions regarding its legitimacy,
integrity, and the examination it underwent. The chain of custody needs to
document every transmission from the moment the evidence is collected, from one
person to another, to establish that nobody else could have accessed or possessed
that evidence without authorization. Although there is no limit on the number of
transfers, keeping this number as low as possible is crucial.

Evidence requires conscientious handling to avert tampering. The chain
of custody is the sequential documentation or trail that accounts for the sequence
of custody, control, transfer, analysis, and disposition of physical or
electronic evidence. The goal is to establish that the evidence is related to the
alleged crime, was collected from the scene, and was in its original/unaltered
condition rather than having been tampered with or "planted" deceitfully to make
someone seem guilty. The chain of custody maintains the integrity of the sample.
The traceability of the record of the control, transfer, and analysis of samples
indicates the transparency of the procedure.

Maintaining the chain of custody is critical in forensic practice. This
documentation step is vital because everything done to examine and analyse the
evidentiary sample must be authorized and recorded. The liability for the condition
rests with everyone coming in contact with it. The documentation should be
comprehensive with information regarding the circumstances of evidence
collection, the people who handled the evidence, the period of the guardianship of
evidence, safekeeping conditions while handling or storing the evidence, and how
evidence is handed over to subsequent custodians every time a transfer occurs
(along with the signatures of the individuals involved at the respective stage). It
prevents police officers and other labs/law officials from tainting the evidence or
misplacing the piece of evidence, as it would eventually be traceable back to them,
and they would be held responsible for it.

Clinical Significance

The Relevance of the Chain of Custody Documentation

The documentation of the chain of custody serves 3 primary purposes:
to ask relevant questions regarding the evidence to the analytical laboratory, to
maintain a record of the chain of custody, and to document that the
sample/evidence was handled only by approved personnel and was not accessible
for tampering before analysis. The investigator or the person responsible for
collecting evidence must complete the labels of the sample container/bags and the
chain of custody forms to enable the sample to be tracked.

Each sample container label must receive a unique identification code
and other relevant information such as location, date and time of collection, the
name and signature of the person who collected the sample, and the signature of
the witness(es). It is vital that the evidence is appropriately packed to avoid
damage during transport and must be preferably sealed in tamper-evident/resistant
bags or with tamper-evident tapes.

A separate chain of custody form must accompany different evidence
bags. The chain of custody form shall at least include the following information:

1. Unique identifier
2. Name and signature of the sample collector
3. Official address and contact number
4. Name of the recipient
5. Laboratory's address
6. Details of each sample, including:
7. Unique identifier and matrix
8. Date and time of collection
9. Type of analysis required
10. Signatures of everyone involved in the chain of possession with date
and time
11. Date and method of delivery
12. Authorization for the analysis of the sample
13. Any other information about the sample

Custody of the Evidence

Each time the charge of evidence is changed, the chain of custody form
requires an entry of signature, date, and time. A sample shall be deemed to be in
custody if it is in the authorized custodian’s actual physical possession in a secured
place without access to unauthorized personnel or any opportunity for tampering.
An illustration of the chain of custody in the case of the recovery of a blood-
stained flat iron rod at the scene of a murder depicted in the routine text is as
follows: “Investigating officer Steve collects the iron rod, packs it, and hands it to
forensic analyst Jack. Forensic analyst Jack analyses the iron rod at the laboratory
and collects fingerprints and blood from the iron rod. Jack then hands over the iron
rod and all the collected evidence from the iron rod to the evidence-receiving clerk,
Tom. The evidence-receiving clerk, Tom, then stores the evidence in the evidence
storage locker. Tom records all those who have accessed the original
evidence.” During the trial, if the defense counsel raises queries on the chain of
evidence, the records demonstrate that the iron rod in the evidence storage is the
same as that collected from the crime scene. Still, if inconsistencies persist and the
prosecution cannot prove who had the iron rod at a given time, the chain is deemed
broken, and the defense counsel may seek in the court to have the resultant
evidence annulled.
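The "authenticate the copy" step from the forensic procedure above and the chain of custody form and hand-over record just described, carried into an added Python example (not code from the original notes or from any product): every hand-over records who released and who received the item, when, for what purpose, and the SHA-256 of the evidence copy at that moment; a transfer is refused when the hash no longer matches the acquisition hash or when the releasing party is not the current custodian, and an audit re-checks a finished record for gaps in custody, hash changes and out-of-order timestamps. The custodian names follow the iron-rod illustration; the evidence bytes, item id and timestamps are constructed.

```python
"""Chain-of-custody log with hash verification at every hand-over.

Added example for these notes, not code from the original page or any product.
Names (Steve, Jack, Tom) follow the iron-rod illustration in the text; the
evidence bytes, item identifier and timestamps are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List


class IntegrityError(Exception):
    """Raised when evidence no longer matches the hash recorded at acquisition."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    released_by: str
    received_by: str
    timestamp: str          # ISO 8601, e.g. "2024-05-01T09:15:00"
    purpose: str
    sha256_at_handover: str


@dataclass
class EvidenceItem:
    item_id: str            # unique identifier on the label and on the form
    description: str
    collected_by: str
    collected_at: str
    location: str
    original_sha256: str    # hash of the acquired copy; every later check is against this
    entries: List[CustodyEntry] = field(default_factory=list)

    @property
    def current_custodian(self) -> str:
        return self.entries[-1].received_by if self.entries else self.collected_by


def acquire(item_id: str, description: str, collector: str, location: str,
            when: str, data: bytes) -> EvidenceItem:
    """Start the chain: hash the acquired copy so later hand-overs can be checked."""
    return EvidenceItem(item_id, description, collector, when, location, sha256_hex(data))


def transfer(item: EvidenceItem, released_by: str, received_by: str,
             when: str, purpose: str, data: bytes) -> CustodyEntry:
    """Record a hand-over, refusing it if the custodian or the hash is wrong."""
    if released_by != item.current_custodian:
        raise ValueError(f"{released_by} is not the current custodian "
                         f"({item.current_custodian}); chain would be broken")
    digest = sha256_hex(data)
    if digest != item.original_sha256:
        raise IntegrityError(f"{item.item_id}: hash {digest[:12]}... does not match "
                             f"acquisition hash {item.original_sha256[:12]}...")
    entry = CustodyEntry(released_by, received_by, when, purpose, digest)
    item.entries.append(entry)
    return entry


def audit(item: EvidenceItem) -> List[str]:
    """Re-check a completed record: continuity of custodians, hashes and time order."""
    problems: List[str] = []
    previous_holder = item.collected_by
    previous_time = datetime.fromisoformat(item.collected_at)
    for n, e in enumerate(item.entries, start=1):
        if e.released_by != previous_holder:
            problems.append(f"entry {n}: released by {e.released_by}, "
                            f"but {previous_holder} held the item")
        if e.sha256_at_handover != item.original_sha256:
            problems.append(f"entry {n}: hash differs from acquisition hash")
        t = datetime.fromisoformat(e.timestamp)
        if t < previous_time:
            problems.append(f"entry {n}: timestamp {e.timestamp} precedes previous entry")
        previous_holder, previous_time = e.received_by, t
    return problems


# --- constructed walk-through (Steve -> Jack -> Tom, as in the notes) --------
EVIDENCE = b"constructed disk image bytes standing in for the seized exhibit"


def example_chain() -> EvidenceItem:
    item = acquire("EX-001", "forensic image of seized laptop disk", "Steve",
                   "scene, bedroom desk", "2024-05-01T09:15:00", EVIDENCE)
    transfer(item, "Steve", "Jack", "2024-05-01T11:40:00", "laboratory analysis", EVIDENCE)
    transfer(item, "Jack", "Tom", "2024-05-02T16:05:00", "storage in evidence locker", EVIDENCE)
    return item


if __name__ == "__main__":
    chain = example_chain()
    for e in chain.entries:
        print(f"{e.timestamp}  {e.released_by:>6} -> {e.received_by:<6} {e.purpose}")
    print("audit problems:", audit(chain) or "none")
```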

Other Scenarios of the Chain of Custody Usage

Apart from crime scene investigation, the other areas which also find the use
of the chain of custody maintenance include (but are not limited to):

Civil litigation

In dope testing of athletes

Managing the chain of source, e.g. to improve the traceability of food products (to
ensure authenticity to ethically sourced meat) or to ensure that wood products
originate from sustainably managed woodlands

In research (involving the use of animals) to know whether the animals were
ethically raised/sourced or not

In clinical trials

In the fields of history, art collection to see the provenance (timeline of the
ownership, custody, or location of the painting, document, or a piece of art/antique)

Postal services; supply chain integrity

The procurement of drugs for execution

Seizure of controlled/prohibited substance

Seizure of money/gold ornaments/other valuable items by customs, income tax, or
revenue departments

In violence and abuse cases

In firearms injuries, etc.

The chain of custody is particularly significant in environmental
sampling, which can help identify contamination and can be used to fix
accountability. The laboratories should also be aware of other legal implications
such as chain of custody, expert testimony, and appropriateness of scientific
evidence.

Example

Chain of Custody in Clinical/Medical Drug Testing

A drug test in a clinical setting using urine or blood samples is usually
necessary in cases of a suspected overdosing patient getting admitted to the
emergency department, except for the cases where the results are positive and the
patient was in an accident, or instances which may result in a trial. The screening
for drugs in urine samples is usually via immunoassays. Analytical methods
confirm the initial results on the clinician's request. The result of medical drug
testing is confidential information. Even if the drug screen is positive, it cannot be
evidence against the individual for disciplinary or penal action. Hence, the chain of
custody is not required. However, it is necessary to confirm the results of the initial
positive immunoassay, as they may be necessary in court as evidence. In these
cases, the chain of custody is essential.

List of the major instruments in the Forensic suite

1. Fourier Transform Infrared Spectroscopy
2. Raman Micro spectroscopy
3. Infrared Chemical Imaging
4. UV-VIS Spectroscopy
5. Microspectroscopy
6. Video Spectral Comparator
7. Polilight and Poliview x2
8. Ballistics Comparison Microscope
9. Fibre Comparison Microscope
10. Glass Refractive Index Measurement
11. Crime Lite x3
12. Humidity Cabinet x2
13. Forensic Cyanoacrylate Cabinet x2
14. Vacuum Metal Deposition (VMD)
15. Crime Scene Simulation Lab

Fourier Transform Infrared (FT-IR) Spectroscopy

The Thermo Scientific Nicolet 6700 FTIR spectrometer is connected to
a Nic-Plan IR microscope for either transmission or reflection microscopy.
Infrared absorption by carbon dioxide and water vapour in ambient air can be
minimised by purging the optics with dry nitrogen.

Applications of FTIR spectroscopy include helping to identify unknown
materials, determine the quality of a sample and quantify components in a
mixture. The instrument has a spectral range of 7,400 - 375 cm⁻¹ using a KBr beam
splitter and 0.9 cm⁻¹ standard optical resolution.

Raman Spectroscopy

A Renishaw inVia Raman spectrometer system (Gloucestershire, UK) is
equipped with a Leica DMLB microscope (Wetzlar, Germany) and a 17 mW, 633
nm Renishaw helium neon laser source.

The applications of Raman spectroscopy include inorganic, polymer,
pharmaceutical, semiconductor, art, archaeology and biotech analysis,
especially in forensic and process analysis.

Infrared Chemical Imaging

Infrared chemical imaging is carried out using a Digilab Stingray
system consisting of an FTS7000 infrared spectrometer, a UMA600 infrared
microscope, a Lancer 64x64 MCT focal plane array detector, and the Stingray large
sample (imaging) accessory.

The instrument is also equipped with a single point MCT detector
(microscope), a DTGS detector (bench), an MTEC photoacoustic detector, and hot
and cold stage capabilities (-200 to +1500 deg C).

Microspectroscopy

The 20/20 PV™ Craic Microspectrometer can take spectra and images
of microscopic samples from the deep ultraviolet to near infrared (200-2100nm)
with one seamless operation. It can acquire microspectra™ and images in
absorbance, reflectance, and fluorescence modes.

The applications of Microspectrometers include identification and
quantification of microscopic samples ranging from the microfluidic kinetics,
matching fibers or paints, the qualification of gems or coal, the determination of
the color of ink or paint or even the analysis of great works of art. As such, the
Microspectrometer is a highly flexible instrument with many different applications.

Video Spectral Comparator

The VSC6000/HR (Foster + Freeman) is a comprehensive digital
imaging system with an extensive range of features and applications. Techniques
include examination in the visible and infrared regions of the spectrum carried out
with incident and transmitted UV, visible and infrared illumination up to 1000 nm.

Equipped with a high resolution digital colour video camera the VSC
offers 5M pixel digital Firewire camera 2584 x 1956 viewable pixels with x22
motorised zoom output providing excellent image quality. Software features
include casework management; image integration, processing and measurement;
colour measurement and archiving facilities.

Polilight and Poliview x2

The Polilight (Rofin Australia) is the leading forensic light source for
both scene and laboratory applications. The instrument produces 14 light bands in
the UV, visible and infrared range delivered via a flexible light guide. Applications
include latent fingerprint and document examination, as well as for trace evidence
such as fibers, bloodstains, hairs, paint chips, semen, saliva and some illicit drugs.

The Poliview (Rofin Australia) is an integrated image detection and
enhancement system that incorporates the Polilight. The system includes a CCD
camera with 1024 x 1024-pixel resolution and a 14x zoom lens, capable of
10-minute integration times, and employs all available optical techniques -
fluorescence, reflection, absorption, and transmission imaging.

Ballistics Comparison Microscope

The Leica DMC comparison microscope is ideally equipped for
forensic examination, allowing similarities and differences between two bullets or
cartridges to be compared. Split-image and superimposed image comparisons are
possible, with the microscope being equipped with a CCD camera for photography
and video documentation.

A key feature of the microscope is that the light is focused through the
objective, dramatically increasing definition of surface features visible to the eye.
The end magnification ranges from 4x to 80x, corresponding to object field sizes
of 50mm to 2.5mm. A large variability of clamping and mounts for different
objects are available.

Fibre Comparison Microscope

The Leica Fiber comparison Microscope enables trace evidence
comparisons in forensic science laboratories. The comparison bridge integrates a
tilting binocular tube that promotes ease of reach with a natural body position.
Automation and motorization of the comparison bridge allow one-button activation
of comparison methods and movement of the image splitting line.

Glass Refractive Index Measurement

GRIM 3 (Foster + Freeman) is a machine used to compare glass
fragments to see if they match. The fragments of glass are crushed and placed on a
glass microscope slide. A few drops of a special type of silicone oil are placed on the
crushed glass fragments and then the slide is placed in a heated chamber, known as
a hot stage, which is placed under a microscope. The resulting image from the
microscope is fed via a camera attachment to a computer. The silicone oil on the
slide is heated up slowly by the hot stage, which alters the refractive index of the
oil. When its refractive index is equal to that of the glass, the glass fragments
become invisible! The computer can determine better than the human eye at which
point the glass becomes invisible and records the optimum match temperature. The
refractive index is then calculated from two match temperatures made by the
computer.

Crime Lite x3

Using advanced LED technology, Foster + Freeman have created a range
of compact, battery powered, high-intensity forensic light sources for locating
evidence at the scene of a crime.

Crime-lites provide narrow bandwidth illumination in the following
wavelengths:

Blue Crime-lite® with a wavelength peak of 450nm (10%
bandwidth 430-470nm) for general search for body fluids.

Green Crime-lite® with a wavelength peak of 520nm (10%
bandwidth 500-550nm) for DFO treated fingerprints.

Humidity Cabinet x2

The Thermoline Humiditherm temperature and humidity chamber
has been designed to provide control of temperature between +10°C and
60°C with a humidity range of 30 to 90% RH.

Forensic Cyanoacrylate Cabinet x2

Safe Automated Development of Latent Fingerprints for High Quality
Evidence

The FCC171 Forensic Cyanoacrylate Cabinet (Foster + Freeman) was
developed by experienced forensic scientists to enable the safe and efficient
development of latent fingerprints on non-porous surfaces using cyanoacrylate
vapour at atmospheric pressure.

Vacuum Metal Deposition (VMD)

VMD 360 (West Technology) is a powerful forensic technique that uses
the sequential vacuum deposition of gold and zinc to develop latent fingerprints.
VMD can be used on a wide range of non-porous and semiporous exhibits
including flexible plastic packaging, plastic bottles, glass, fabrics, firearms and
glossy paper or magazines. The technique is quick (typically less than 15 minutes)
and produces high quality images with ‘3rd’ level detail of pores and ridge shapes.
The developed prints can be photographed immediately.

Electrostatic Imaging System for Detecting Indented Writing Analysis (ESDA 2)

ESDA 2 (Foster + Freeman) works by creating an electrostatic image of
indented writing, which is then visualised by the application of charge sensitive
toners. The sensitive imaging process reacts to sites of microscopic damage to
fibres at the surface of a document, which have been created by abrasive
interaction with overlying surfaces during the act of handwriting.

UV-VIS Spectroscopy

The Agilent Cary 60 UV-Vis spectrophotometer comprises a double
beam, Czerny-Turner monochromator, 190–1100 nm wavelength range, 1.5 nm
fixed spectral bandwidth, full spectrum Xenon pulse lamp single source with
exceptionally long life, dual silicon diode detectors, quartz overcoated optics, scan
rates up to 24,000 nm/min, 80 data points/sec maximum measurement rate,
non-measurement phase stepping wavelength drive, room light immunity, central
control by PC with Microsoft® Windows® operating system. Supported by GLP
software.

UNIT – III
ANALYSIS AND VALIDATION

Validating Forensics Data

Validation involves performing laboratory tests to verify that a
particular instrument, software program, or measurement technique is working
properly. Confidence in forensic DNA results is gained through validation studies,
which provide objective evidence that a DNA testing method is robust, reliable and
reproducible.

Validation experiments define procedural limitations, identify critical
components of the procedure that require quality control and monitoring, and
establish standard operating procedures and interpretation guidelines for
laboratories to follow while processing samples.

Validation is useful for achieving a number of desired outcomes. It
minimizes reinvention of methods in different laboratories. Methods that have been
validated are more readily accepted, more easily standardized, and can be
compared internationally between different laboratories. Validation also helps to
identify potential limitations specific to a method or laboratory.

Validation is the confirmation by examination and the provision of objective
evidence that a tool, technique or procedure functions correctly and as intended.

Verification is the confirmation of a validation with a laboratory’s tools,
techniques and procedures.

Validation should be distinguished from other method-assessment processes
such as verification or evaluation. Verification is the process by which
corroborating lines of evidence are collected in order to determine if a method is
working as expected within a specific laboratory's own conditions (operators,
equipment, environment).

During verification, results from a few samples are compared with results
obtained from other evidence. In the forensic field, this evidence is usually
validation data, typically in the form of publications or reports that detail the
performance characteristics of the standard method. The outcomes of the
verification process are closely linked to the quality and reliability of the validation
process. However, validation is a more intensive and rigorous process than
verification.

System validation is associated with data generation and requires the unique
identification of systems, identification of system restarts, identification of changed
system configuration and attributes, and validation that messages were in fact
generated by the designated system.

Application validation is similar to system validation except applied to
specific applications running on a system. As with system validation, it must be
verified that the application is expected to be sending the events and that the
application itself matches known characteristics.

Application restarts, the user starting the application, and application
parameter settings can all be of critical importance in determining the validity of
the events generated by the application.

User validation attempts to provide validation of the users of a system.

Algorithm implementation: Given that an algorithm itself has been
validated, the implementation must be similarly validated. Errors often occur in the
transcription from a theoretical algorithm to an implemented algorithm. For
example, SSH uses a well-established protocol for initiation of a connection and
for maintaining the security of that connection. This protocol is well validated.
However, there have been well-known bugs in the implementation of the SSH
protocol that have allowed it to be compromised.

Data collection: After data is generated, a repository must collect the data.
This will require ensuring that the data is not modified on the way to the repository
and providing validation of temporal relationships. These needs for forensics
would be insufficient in terms of security, which would also require that the data
could not be read and examined in transit.

Investigative digital forensics can be divided into several stages according to
the Digital Forensic Research Workshop and its examination of digital forensic
models. The different stages are:

1. Identification: Recognizing an incident from indicators and
determining its type. This is not within the field of forensics, but
significant because it impacts other steps and determines if a
forensic examination is needed.
2. Preparation: Preparing a plan of action by selecting tools,
techniques, monitoring authorizations and management support.
This also includes warrants if the evidence lies with a third party.
3. Preservation: The preservation stage tries to freeze the crime
scene. It consists of stopping or preventing any activities that can
damage the digital information being collected like using
electromagnetic devices, stopping ongoing file deletion processes
and stopping any scheduled jobs which might interfere with the
evidence.
4. Collection: Collecting digital information relevant to the
investigation. The evidence is duplicated in some other medium. It
may involve removal of personal computers and hard disks from
the crime scene, copying log files from computer devices and
taking system snapshots of the devices involved.
5. Examination: Examination stage consists of in-depth systematic
search of evidence relating to the suspected crime. This stage
focuses on identifying and locating potential evidence, within
unconventional locations, and constructing detailed documentation
for analysis. The outputs of examination are data objects found in
collected evidence. They may include log file time stamps
matching the security camera timestamp. It is a mapping process of
all the evidence collected.
6. Analysis: The aim of analysis is to draw conclusions based on the
evidence found. Different types of evidence are linked during this
process.
7. Presentation: Summarises and provides explanations of
conclusions based on the analysis report. The technical data is
translated into layman's terms using abstracted terminology. All
abstracted terminology should reference the specific details.
8. Returning evidence: Ensuring physical and digital property is
returned to its proper owner after the investigation. It's not a
forensic step but a clean way of concluding the investigation.
Follow these basic steps for all digital forensics investigations:

1. For target drives, use recently wiped media that have been
reformatted and inspected for viruses
2. Inventory the hardware on the suspect's computer, and note
condition of seized computer
3. For static acquisitions, remove original drive and check the date
and time values in system's CMOS
4. Record how you acquired data from the suspect drive
5. Process drive's contents methodically and logically
6. List all folders and files on the image or drive
7. Examine contents of all data files in all folders
8. Recover file contents for all password-protected files
9. Identify function of every executable file that doesn't match hash
values.

Validating with Hexadecimal Editors

Advanced hexadecimal editors support many features that are not available
in computer forensics tools.

A hex editor is software used to view and edit binary files. A binary file is
a file that contains data in machine-readable form.

Hex editors allow editing the raw data contents of a file, unlike other
programs, which attempt to interpret the data for you. Since a hex editor is used to
edit binary files, it is sometimes called a binary editor or a binary file editor.

If you edit a file with a hex editor, you are said to hex edit the file, and the
process of using a hex editor is called hex editing.

A typical hex editor has three areas: an address area on the left, a
hexadecimal area in the center and a character area on the right.
Data can be edited in a hex editor just like a normal text editor. A hex editor
has a cursor that can be moved by clicking with the mouse or using the cursor
keys.

Position the cursor over the byte you want to edit and type the value you
want to change to using the keyboard. The cursor can be switched between the
hexadecimal area and the character area by pressing the 'Tab' key.

When the cursor is in the hexadecimal area, you have to enter byte values in
hexadecimal notation, but when the cursor is in the character area, you can enter
regular characters just like a text editor.

The most advanced feature of hex editors is the ability to place a
template over a file that allows you to understand what the bytes of a binary file
actually mean.

Hex Workshop can generate the hash value of selected data in a file or sector.
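The three-area layout (address, hexadecimal, character), byte editing in hexadecimal notation and hashing of a selected range described above, as an added example written for these notes rather than code from any hex editor product. The sample buffer is constructed here and is not a real evidence file.

```python
import hashlib

# Constructed sample buffer: a PNG-style signature followed by ASCII text and
# some non-printable bytes (not a real file from an investigation).
SAMPLE = b"\x89PNG\r\n\x1a\n" + b"evidence.txt:hello, forensic world!" + bytes(range(16))


def hex_dump(data, width=16):
    """Render data the way a hex editor displays it: offset on the left,
    hex bytes in the centre, printable characters (or '.') on the right."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %s  %s" % (offset, hex_part, asc_part))
    return lines


def hash_selection(data, start, length, algorithm="sha256"):
    """Hash only a selected byte range, like the 'hash selected data' feature
    of Hex Workshop mentioned above (algorithm name as accepted by hashlib)."""
    if start < 0 or length < 0 or start + length > len(data):
        raise ValueError("selection lies outside the buffer")
    return hashlib.new(algorithm, data[start:start + length]).hexdigest()


def edit_byte(data, offset, hex_value):
    """Overwrite one byte at offset with a value typed in hexadecimal notation,
    as you would in the hexadecimal area. Returns a new buffer; the original
    is left untouched, which is what a forensic workflow on a working copy needs."""
    value = int(hex_value, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("a byte must be in the range 00..ff")
    if not 0 <= offset < len(data):
        raise IndexError("offset outside buffer")
    return data[:offset] + bytes([value]) + data[offset + 1:]


if __name__ == "__main__":
    for line in hex_dump(SAMPLE):
        print(line)
    print("sha256 of the first 8 bytes:", hash_selection(SAMPLE, 0, 8))
```

Hashing the selection before and after an edit shows why examiners work on copies: a single changed byte changes the digest of the range that contains it.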
Data Hiding Techniques

Data hiding: Changing or manipulating a file to conceal information.

Techniques:

a) Hiding entire partitions
b) Changing file extensions
c) Setting file attributes to hidden
d) Bit-shifting
e) Using encryption
f) Setting up password protection

Files can be hidden using features of the operating system. One method is changing the file
extension. Advanced digital forensics tools check file headers and compare them with the file
extension to verify whether the extension is correct. If there is a discrepancy, the tool flags the
file as possibly altered. Another hiding technique is selecting the hidden
attribute in a file's properties dialog box.
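The header-versus-extension check that forensic tools perform, as an added example (not code from any of the tools named in these notes). The signature table is a small constructed subset of common magic numbers, and the sample files are constructed in memory.

```python
import os

# Constructed subset of well-known file signatures (magic numbers).
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}


def identify_by_header(data):
    """Return the set of extensions whose signature matches the start of the data."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def check_extension(filename, data):
    """Compare the claimed extension with what the header says."""
    claimed = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = identify_by_header(data)
    if not detected:
        verdict = "unknown"        # header not in our table; cannot decide
    elif claimed in detected:
        verdict = "match"
    else:
        verdict = "mismatch"       # flag as a possibly altered file
    return {"file": filename, "claimed": claimed,
            "detected": sorted(detected), "verdict": verdict}


# Constructed sample files: a JPEG renamed to .txt, a genuine PNG, and an unknown blob.
SAMPLES = {
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "data.bin": b"\x00\x01\x02\x03",
}


def scan(samples):
    """Run the check over a mapping of filename -> content, preserving order."""
    return [check_extension(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan(SAMPLES):
        print(result)
```

A real tool reads only the first few hundred bytes of each file for this test and keeps a much larger signature table; an "unknown" verdict means the table has no entry, not that the file is clean.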

Marking bad clusters: A data-hiding technique used in FAT file systems is
placing sensitive or incriminating data in free or slack space on disk partition
clusters. It involves using old utilities such as Norton Disk Edit, which can mark good
clusters as bad clusters in the FAT table so the OS considers them unusable.

The only way they can be accessed from the OS is by changing them back to good
clusters with a disk editor. Disk Edit runs only in MS-DOS and can access only
FAT-formatted disk media.

Bit-shifting: Some users use a low-level encryption program that changes
the order of binary data, making the altered data unreadable. To secure a file, the user
runs an assembler program to scramble the bits, and runs another program to restore the
scrambled bits to their original order. Bit shifting changes data from readable code
to data that looks like binary executable code.
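The bit-shifting technique above, with the recovery step an examiner applies to it, as an added example that is not from the notes. Rotating each byte's bits is one common form of the scrambling; because there are only eight possible rotations, an examiner can simply try them all and score each candidate by how much of it looks like readable text. The sample message is constructed.

```python
# Constructed plaintext used to demonstrate scrambling and recovery.
SECRET = b"This is the confidential memo."


def rotate_left(data, bits):
    """Rotate the bits of every byte left by `bits` positions (one form of bit-shifting)."""
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def rotate_right(data, bits):
    """Inverse of rotate_left."""
    return rotate_left(data, (8 - bits) % 8)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def recover_bit_shifted(data, threshold=0.9):
    """Try all eight rotations; return (shift, plaintext) for the most text-like one,
    or None when no rotation crosses the readability threshold."""
    best = max(range(8), key=lambda s: printable_ratio(rotate_right(data, s)))
    candidate = rotate_right(data, best)
    if printable_ratio(candidate) < threshold:
        return None
    return best, candidate


if __name__ == "__main__":
    scrambled = rotate_left(SECRET, 3)
    print("scrambled:", scrambled)
    print("recovered:", recover_bit_shifted(scrambled))
```

The brute-force recovery only works because the scrambling has a tiny key space; this is exactly why bit-shifting is a hiding technique rather than real encryption.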
Steganography

Steganography is the art and science of communicating in a way which
hides the existence of the communication. The goal of steganography is to hide
messages inside other harmless messages in a way that does not allow any enemy
to even detect that there is a second message present.

Steganography can be used in a large number of data formats in the digital
world of today. The most popular data formats are .bmp, .doc, .gif, .jpeg, .mp3, .txt
and .wav. Steganographic technologies are a very important part of the future of
Internet security and privacy on open systems such as the Internet.

Steganography is the science of hiding information. The purpose of
steganography is covert communication: to hide the existence of a message from a
third party.

Information hiding generally relates to both watermarking and
steganography. A watermarking system's primary goal is to achieve a high level of
robustness. It should be impossible to remove a watermark without degrading the
data object's quality.

Steganography, in contrast, is used for high security and capacity, which often entails
that the hidden information is fragile: modifying the carrier can destroy it.

Taxonomy of steganographic techniques

Technical steganography: It uses scientific methods to hide a message.

Linguistic steganography: It hides the message in the carrier in some non-
obvious way and is further categorized as semagrams or open codes.

Semagrams: They use symbols or signs for information hiding.

A visual semagram uses normal physical objects to convey a message.

A text semagram hides a message by modifying the appearance of the carrier
text.

Open codes hide a message in a legitimate carrier message in ways that are
not obvious to an unsuspecting observer.

A jargon code uses language that is understood by a group of people but is
meaningless to others.

The goal of steganography is to avoid detection, or even raising the
suspicion, that a secret message is being passed on. Steganalysis is the art of
detecting these covert messages. It involves the detection of embedded messages.
The types of steganalysis attacks are similar to those of cryptanalysis attacks.
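Technical steganography, its fragility, and the simplest form of steganalysis, as one added example covering the preceding paragraphs (not code from any tool named in these notes). It embeds a message in the least-significant bits of a carrier, extracts it again, shows that altering the carrier destroys it, and uses a toy statistic (the proportion of set LSBs) to spot the embedded region. The carrier is a constructed byte array standing in for image pixel values, deliberately biased so the toy statistic works; real steganalysis uses stronger statistical tests, such as chi-square on pairs of values, because natural images have LSBs that already look random.

```python
# Constructed "image": 4096 pixel values, all even, so every LSB is 0.
COVER = bytes(((i // 3) * 2) % 256 for i in range(4096))
MESSAGE = b"meet at dawn"


def _bits(data):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(cover, message):
    """Hide message in the LSBs of cover, prefixed by a 16-bit big-endian length."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length header")
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for the payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego):
    """Read the length header, then that many bytes, from the LSBs."""
    def read_bytes(start_bit, count):
        if start_bit + count * 8 > len(stego):
            raise ValueError("corrupt or missing payload")
        out = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start_bit + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def payload_survives(stego, message):
    """Fragility check: is the hidden message still intact after the carrier changed?"""
    try:
        return lsb_extract(stego) == message
    except (ValueError, IndexError):
        return False


def lsb_one_ratio(data, n=None):
    """Toy steganalysis statistic: fraction of LSBs that are 1 in the first n bytes."""
    sample = data if n is None else data[:n]
    return sum(b & 1 for b in sample) / len(sample)


if __name__ == "__main__":
    stego = lsb_embed(COVER, MESSAGE)
    print("extracted:", lsb_extract(stego))
    print("LSB ratio cover / stego region:", lsb_one_ratio(COVER), lsb_one_ratio(stego, 112))
```

Because the message occupies only the first 112 bytes, the statistic changes only there; comparing the embedded region with the rest of the carrier is what gives the toy detector its signal.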

Steganography tools

1. MP3Stego: Hides files within MP3 files. MP3Stego hides information
in MP3 files during the compression process. The data is first
compressed, encrypted and then hidden in the MP3 bit stream.
2. TextHide: Simple text steganography.
3. wbStego: This tool is used for steganography in bitmaps, text files, HTML files and PDF
files.
4. Hide4PGP is a freeware program distributed as source code in ANSI C
and precompiled executables for DOS and the Win32 console.
Difference between Steganography and Cryptography

Steganography | Cryptography
The output of information hiding is the stego-media. | The output of cryptography is a cipher text.
It hides information. | It does not hide information.
An additional carrier is needed. | No additional carrier is needed.
Steganography does not alter the secret message but hides it inside a cover such as an image. | In cryptography, the structure of the message is scrambled to make it meaningless.
In steganography the secret message is embedded in a harmless-looking cover such as a digital image file, and the image file is then transmitted. | Cryptography is the science of using mathematics to encrypt and decrypt data.

Performing Remote Acquisition

Remote forensic tools give digital investigators an alternative to the most
common and readily accessible methods of volatile data and RAM acquisition.
These remote forensic solutions can be used to access live systems, and include the
ability to acquire and sometimes analyze memory.

These tools include enterprise solutions from core forensic application
vendors such as AccessData, Guidance Software, and Technology Pathways, which
all have agent-style installation options that may be rolled out to most of the
systems in a large network and accessed during an incident, rather than run for the
first time when a digital investigator accesses the system.

The Online DFS tool can acquire data from remote systems without
installing an agent. Another tool that can be used to acquire volatile data and hard
drive contents remotely from Windows systems is F-Response. This tool does not
itself acquire the data from the remote system, but rather provides access to memory and
hard drives on a remote computer via an iSCSI connection, which digital
investigators can then acquire using their tool of choice.

The following are the three ways of acquiring data; the investigator must determine
which acquisition method is best for the case:

1. Bit-stream disk-to-image file
2. Bit-stream disk-to-disk
3. Sparse data copy of a file or folder

Bit-stream copy: A bit-by-bit copy of the original storage medium and an
exact duplicate of the original disk. It is different from a simple backup copy
because backups only copy files stored in a folder or files of a known type.

Bit-stream image: The file that contains the bit-stream copy of all the data on a
disk or disk partition.
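A bit-stream disk-to-image acquisition with hash verification, as an added example (not code from any of the products mentioned above). It reads the source device in blocks, writes every byte to the image regardless of file system or file type, hashes the source while reading, and then re-reads the image independently to confirm the copy. The "suspect drive" is a constructed temporary file; on a real system the source path would be the block device.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; a real drive would use much larger blocks


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a file read in chunks, so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, chunk=CHUNK):
    """Bit-stream disk-to-image copy. The source is hashed as it is read and the
    finished image is hashed separately; both digests go into the record."""
    src_hash, size = hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    image_hash = hash_file(image_path, chunk)
    return {"bytes": size, "source_sha256": src_hash.hexdigest(),
            "image_sha256": image_hash,
            "verified": src_hash.hexdigest() == image_hash}


def verify_image(image_path, expected_sha256):
    """Re-verification before analysis or presentation: does the image still match?"""
    return hash_file(image_path) == expected_sha256


def demo():
    """Constructed 'suspect drive': a boot-sector signature followed by a repeating
    byte pattern, imaged with a small chunk size so the loop runs several times."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect.raw")
        image = os.path.join(tmp, "suspect.dd")
        with open(source, "wb") as f:
            f.write(b"\x00" * 510 + b"\x55\xaa")           # fake MBR sector
            f.write(bytes(i % 256 for i in range(5000)))   # filler sectors
        result = image_device(source, image, chunk=1024)
        result["verify_after"] = verify_image(image, result["source_sha256"])
        with open(image, "r+b") as f:                     # simulate a later alteration
            f.seek(100)
            f.write(b"\xff")
        result["verify_after_tamper"] = verify_image(image, result["source_sha256"])
        return result


if __name__ == "__main__":
    print(demo())
```

Recording both digests at acquisition time, and re-hashing before every later use, is what lets an examiner show that the image analysed is the image that was taken; the tamper step in the demo shows that a single changed byte is enough to fail that check.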

Network Forensics

Network forensics is a sub-branch of digital forensics relating to the
monitoring and analysis of computer network traffic for the purposes of
information gathering, legal evidence, or intrusion detection. Unlike other areas of
digital forensics, network investigations deal with volatile and dynamic
information.

Nowadays most people depend on e-mail, e-commerce and m-commerce, all of which
require network support. Various networking technologies are used to support these
operations. Digital investigators must know at least the basics of computer networks
and the working and functions of networking devices. This helps digital
investigators solve the problem and think in all directions.

When digital investigators understand the technology, they are able to
recognize, collect, preserve, examine, and analyze evidence related to crimes
involving networks. Day by day, crime committed using networking technology
increases, so digital investigators must be familiar with networking technology.

Investigators need the ability to identify different packet types according to
the various Internet protocols. These include:

1. Email (POP3, SMTP and IMAP)
2. Web Mail (Yahoo Mail, Gmail, Hotmail)
3. Instant Messaging (Windows Live Messenger, Yahoo, ICQ)
4. FTP
5. Telnet
6. HTTP
7. VOIP

Network forensics is the process of capturing information that moves over a
network and trying to make sense of it in some kind of forensic capacity. Network
forensics is the capture, recording, and analysis of network events in order to
discover the source of security attacks or other problem incidents.

A network forensics appliance is a device that automates this process.

Wireless forensics is the process of capturing information that moves over a
wireless network and trying to make sense of it in some kind of forensic capacity.

Network attack

1. Denial of service
a. Denial of service attacks cause the service or program to cease
functioning or prevent others from making use of the service or
program. These may be performed at the network layer by
sending carefully crafted and malicious datagrams that cause
network connections to fail.
b. They may also be performed at the application layer, where
carefully crafted application commands are given to a program
that cause it to become extremely busy or stop functioning.
c. Preventing suspicious network traffic from reaching hosts and
preventing suspicious program commands and requests are the
best ways of minimizing the risk of a denial-of-service attack.

d. It is useful to know the details of the attack method, so you
should educate yourself about each new attack as it gets
publicized.
2. Spoofing
a. This type of attack causes a host or application to mimic the
actions of another. Typically, the attacker pretends to be an
innocent host by forging IP addresses in network packets.
b. For example, a well-documented exploit of the BSD rlogin
service can use this method to mimic a TCP connection from
another host by guessing TCP sequence numbers.
c. To protect against this type of attack, verify the authenticity of
datagrams and commands. Prevent datagram routing with
invalid source addresses. Introduce unpredictability into
connection control mechanisms, such as TCP sequence
numbers and the allocation of dynamic port addresses.
3. Eavesdropping

This is the simplest type of attack.

a. A host is configured to “listen” to and capture data not
belonging to it. Carefully written eavesdropping programs can
take usernames and passwords from user login network
connections.
b. Broadcast networks like Ethernet are especially vulnerable to
this type of attack.
c. To protect against this type of threat, avoid the use of broadcast
network technologies and enforce the use of data encryption.
d. IP firewalling is very useful in preventing or reducing
unauthorized access, network layer denial of service, and IP
spoofing attacks. It is not very useful in avoiding exploitation of
weaknesses in network services or programs, or
eavesdropping.
Network Security Mechanisms

Network security starts with authenticating any user, most commonly with a username
and a password. Once the user is authenticated, a stateful firewall enforces access policies
such as which services the network users are allowed to access.

Though effective in preventing unauthorized access, this component fails to
check potentially harmful content such as computer worms being transmitted over
the network.

An Intrusion Prevention System (IPS) helps detect and prevent such
malware. An IPS also monitors network traffic for suspicious content, volume and
anomalies to protect the network from attacks such as denial of service.

Communication between two hosts using the network can be encrypted to
maintain privacy. Individual events occurring on the network can be tracked for
audit purposes and for a later high-level analysis.

Honeypots, essentially decoy network-accessible resources, can be
deployed in a network as surveillance and early-warning tools.

Techniques used by attackers who attempt to compromise these decoy
resources are studied during and after an attack to keep an eye on new exploitation
techniques.

Such analysis could be used to further tighten security of the actual network
being protected by the honeypot.

Some tools: firewalls, antivirus software and Internet security software. For
authentication, use strong passwords and change them on a bi-weekly/monthly basis.
When using a wireless connection, use a robust password. Use a network analyser to
monitor and analyze the network.

Network forensics systems can be one of two kinds:

1. “Catch-it-as-you-can” systems, in which all packets passing
through a certain traffic point are captured and written to storage
with analysis being done subsequently in batch mode. This
approach requires large amounts of storage, usually involving a
RAID system.
2. “Stop, look and listen” systems, in which each packet is analyzed
in a rudimentary way in memory and only certain information
saved for future analysis. This approach requires less storage but
may require a faster processor to keep up with incoming traffic.

Network forensics is the process of collecting and analyzing raw network
data and then tracking network traffic to determine how an attack took place.

When intruders break into a network they leave a trail. Investigators need to spot
variations in network traffic and detect anomalies.

Network forensics can usually help to determine whether a network has been
attacked or there is a user error.

Examiners must establish standard procedures to carry out network forensics.

Network forensics tools:

1. NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for
Windows.

NetworkMiner can be used as a passive network sniffer/packet
capturing tool in order to detect operating systems, sessions, hostnames,
open ports etc. without putting any traffic on the network.

The purpose of NetworkMiner is to collect data (such as forensic
evidence) about hosts on the network rather than to collect data regarding
the traffic on the network.

The main view is host centric (information grouped per host) rather
than packet centric (information shown as a list of packets/frames).
Open-source tools

1. Wireshark
2. Kismet
3. Snort
4. OSSEC
5. NetworkMiner is an open-source Network Forensics Tool available at
SourceForge.
6. Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported:
HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6

Open-Source Tools: Wireshark

Wireshark is the most widely used graphical application for network
monitoring and analysis. It is open-source and runs on most popular computing
platforms, including UNIX, Linux, and Windows. It is available for download from
http://www.wireshark.org.

Wireshark was started by Gerald Combs under the name Ethereal. The first
version was released in 1998. The name Wireshark was adopted in June 2006.
Wireshark is a free and open-source packet analyzer. Wireshark is software that
“understands” the structure of different networking protocols.

Wireshark is a network packet/protocol analyzer. A network packet analyzer
captures network packets and tries to display the packet data in as much detail
as possible. Wireshark is perhaps one of the best open-source packet analyzers
available today for UNIX and Windows.

Wireshark is not an intrusion detection system. Wireshark is a GUI
network protocol analyzer. Wireshark has been developed to work on
Microsoft Windows, Linux, Solaris, and Mac OS X.

Use of Wireshark

1. Network administrators use it to troubleshoot network problems
2. Network security engineers use it to examine security problems
3. Developers use it to debug protocol implementations
4. People use it to learn network protocol internals
5. Displays the network traffic in human-readable format.

Use filters to capture only packets of interest to you. Wireshark uses two
types of filters:

1. Capture filters
2. Display filters

Capture filters: Applied while capturing, using the same syntax as tcpdump. Wireshark contains a
powerful capture filter engine that helps remove unwanted packets from a packet
trace and only retains the packets of interest.

Display filters: Let you compare the fields within a protocol against a specific
value, compare fields against fields, and check the existence of specified fields or
protocols. They allow more detailed filtering and are applied to already captured
packets rather than in real time.

[Figure: Wireshark startup screen]

[Figure: Wireshark graphical user interface]

Example (capture filters):

1. Capture only UDP packets with destination port 53 (DNS requests):
“udp dst port 53”
2. Capture only UDP packets with source port 53 (DNS replies): “udp
src port 53”
3. Capture only UDP packets with source or destination port 53 (DNS
requests and replies): “udp port 53”

Comparison operators

Fields can also be compared against values. The comparison operators can
be expressed either through English like abbreviations or through C-like symbols.
Symbol Meaning

== Equal (eq)

!= Not equal (ne)

> Greater than (gt)

< Less than (lt)

>= Greater than or equal to (ge)

<= Less than or equal to (le)

() Grouping

Logical expressions

Tests can be combined using logical expressions. These too are expressible
in C-like syntax or with English like abbreviations:

Symbol Meaning

&& Logical AND

|| Logical OR

! Logical NOT
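The display-filter grammar described by the two operator tables above, as an added example that is not Wireshark's own code: a small tokenizer, recursive-descent parser and evaluator that accept both the C-like symbols and the English abbreviations, support grouping with parentheses, field comparisons, and bare field or protocol names as existence tests. It goes beyond the text in one respect, evaluating the filters against constructed packets represented as dissected field dictionaries, so the reader can see which packets each expression selects; Wireshark's real language has many more features (for example `tcp.port` matching either port, slices, and `contains`).

```python
import operator
import re

# Tokens: C-style operators, quoted strings, and bare words (field names, numbers,
# IP addresses, and the English abbreviations eq/ne/gt/lt/ge/le/and/or/not).
TOKEN_RE = re.compile(r'\s*(?:(==|!=|>=|<=|&&|\|\||[<>!()])|("[^"]*")|([A-Za-z0-9_.:]+))')
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "not": "!"}
CMP_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad filter near %r" % text[pos:])
        tok = m.group(1) or m.group(2) or m.group(3)
        tokens.append(WORD_OPS.get(tok, tok))   # normalise English forms to symbols
        pos = m.end()
    return tokens


def literal(tok):
    """Right-hand side of a comparison: quoted string, integer, or bare value (e.g. an IP)."""
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok) if tok.isdigit() else tok


class FilterParser:
    """Recursive-descent parser: or_expr > and_expr > not_expr > primary."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek(); self.i += 1; return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take(); node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "&&":
            self.take(); node = ("and", node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() == "!":
            self.take(); return ("not", self.not_expr())
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == "(":                       # grouping
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        if tok is None or tok in CMP_OPS or tok == ")":
            raise ValueError("expected a field name")
        if self.peek() in CMP_OPS:           # field <op> value
            op, val = self.take(), self.take()
            if val is None:
                raise ValueError("missing value")
            return ("cmp", tok, op, literal(val))
        return ("exists", tok)               # bare field or protocol name


def evaluate(node, packet):
    kind = node[0]
    if kind == "exists":                     # field present, or any field of that protocol
        return node[1] in packet or any(k.startswith(node[1] + ".") for k in packet)
    if kind == "cmp":
        _, field, op, val = node
        if field not in packet:              # comparing an absent field is false
            return False
        actual = packet[field]
        if isinstance(actual, int) and isinstance(val, int):
            return CMP_OPS[op](actual, val)
        return CMP_OPS[op](str(actual), str(val))
    if kind == "not":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return (left and right) if kind == "and" else (left or right)


def apply_filter(text, packets):
    """Return the indices of the packets that satisfy the display filter."""
    ast = FilterParser(text).parse()
    return [i for i, p in enumerate(packets) if evaluate(ast, p)]


# Constructed packets as dissected field dictionaries (not a real capture).
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "198.51.100.10", "tcp.srcport": 51000,
     "tcp.dstport": 80, "http.request.method": "GET"},
    {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.53", "udp.srcport": 40000,
     "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.5", "tcp.srcport": 443,
     "tcp.dstport": 51001, "tcp.len": 1400},
]
```

The existence test is what makes a bare `tcp` or `http` work as a filter, and the "absent field compares false" rule is why `tcp.len gt 1000` silently skips packets that have no TCP layer instead of raising an error.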
Snort

Snort is an open-source Network Intrusion Detection System (NIDS) which
is available free of cost. A NIDS is the type of Intrusion Detection System (IDS) that
is used for scanning data flowing on the network. Snort is a tool suited to small, lightly
utilized networks.

Intrusion detection is a set of techniques and methods that are used to detect
suspicious activity both at the network and host level. Intrusion Detection System
is software, hardware or combination of both used to detect intruder activity.

A lightweight intrusion detection system can easily be deployed on most any
node of a network, with minimal disruption to operations. Snort is a libpcap based
packet sniffer and logger that can be used as a lightweight network intrusion
detection system.

[Figure: location of Snort in the network]

Snort uses rules stored in text files. A text editor can be used to modify the
rules. Rules are grouped in categories, and a separate file is maintained for each group.
The “snort.conf” file is the main configuration file, and all group files are included in
this file. At startup time, Snort reads these rules and builds its data structures.
Components of snort

A snort IDS contains the following components:

1. Packet decoder
2. Preprocessors
3. Detection engine
4. Logging and alerting system
5. Output modules

Packet decoder: It takes packets from different types of network interfaces like
Ethernet, SLIP and PPP and prepares them for processing. Packets are passed into the packet
decoder, which translates specific protocol elements into an internal data structure.

Preprocessor: Preprocessors are components that can be used with Snort to
arrange or modify data packets before the detection engine does some operation to
find out if the packet is being used by an intruder. They are also used to prepare
data for the detection engine; detect anomalies in packet headers; defragment
packets; decode HTTP URIs and reassemble TCP streams.

Detection engine: The most important part, applies rules to packets. The detection
engine performs simple tests on a single aspect of each packet to detect intrusions.

Logging and alerting system: It generates alert and log messages depending upon
what the detection engine finds inside a packet. Logs are kept in simple text files
and tcpdump-style files. Log files are stored under the /var/log/snort folder by default.

[Figure: Snort components]

Output modules: They process alerts and logs and generate the final output. Depending
on the configuration, output modules can take the following actions:

1. Simply logging to the /var/log/snort/alerts file
2. Sending SNMP traps
3. Sending messages to the syslog facility
4. Logging to a database like MySQL or Oracle
5. Generating XML output
6. Modifying configuration on routers and firewalls
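How the rule files and the detection engine fit together, as an added example that is not Snort's own code: a parser for a small subset of Snort's rule syntax (header with action, protocol, addresses, ports and direction; options such as msg, content, nocase, itype and sid) and a detection engine that applies every rule to every packet and emits alerts. The rules, the $HOME_NET/$EXTERNAL_NET bindings and the packets are all constructed for this example; the POP3 rule ties in with the cleartext mail protocols and port numbers listed elsewhere in these notes.

```python
import ipaddress
import re

# Constructed variables and rules (an illustrative subset of Snort rule syntax,
# not the project's own snort.conf or rule files).
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 cleartext USER command"; content:"USER "; nocase; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request from outside"; itype:8; sid:1000002; rev:1;)
alert tcp any any <> any 23 (msg:"TELNET traffic"; sid:1000003; rev:1;)
"""
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(line):
    """Split a rule into its header fields and its option key/value pairs and flags."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options, flags = {}, set()
    for opt in re.split(r";\s*", opts):          # content values here contain no ';'
        if not opt:
            continue
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
        else:
            flags.add(opt.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "options": options, "flags": flags}


def ip_matches(spec, addr):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                               # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def endpoints_match(rule, src, sport, dst, dport):
    return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    sport, dport = pkt.get("sport", 0), pkt.get("dport", 0)
    forward = endpoints_match(rule, pkt["src"], sport, pkt["dst"], dport)
    reverse = rule["dir"] == "<>" and endpoints_match(rule, pkt["dst"], dport, pkt["src"], sport)
    if not (forward or reverse):
        return False
    opts = rule["options"]
    if "content" in opts:                         # payload byte-string test
        needle, hay = opts["content"].encode(), pkt.get("payload", b"")
        if "nocase" in rule["flags"]:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    if "itype" in opts and pkt.get("itype") != int(opts["itype"]):
        return False
    return True


def detect(rules, packets):
    """Detection engine: apply every rule to every packet; return (packet index, sid, msg)."""
    return [(i, int(r["options"]["sid"]), r["options"]["msg"])
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

# Constructed packets (decoded form, as the packet decoder would hand them over).
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.20", "sport": 44123, "dport": 110,
     "payload": b"user alice\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "sport": 44124, "dport": 110,
     "payload": b"user bob\r\n"},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "10.0.0.20", "itype": 8, "payload": b""},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.30", "sport": 23, "dport": 50000,
     "payload": b"login: "},
]

if __name__ == "__main__":
    for alert in detect(RULES, PACKETS):
        print(alert)
```

The second packet produces no alert because its source is inside $HOME_NET, which $EXTERNAL_NET excludes; the Telnet rule fires on the fourth packet only because the `<>` direction makes the engine test the reversed endpoints as well.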

Email Investigations

Email is used in criminal acts, but also in inappropriate actions, such as
threats and frauds (phishing). While in principle email is hard to connect to an
individual, in practice, email can be traced and connected to the perpetrator.

Over the years e-mail protocols have been secured through several
security extensions and procedures; however, cybercriminals continue to misuse e-mail
for illegitimate purposes by sending spam and phishing e-mails, distributing child
pornography and hate emails, and propagating viruses, worms, hoaxes and
trojan horses.

E-mail forensic analysis is used to study the source and content of e-mail
message as evidence, identifying the actual sender, recipient and date and time it
was sent, etc. to collect credible evidence to bring criminals to justice.

For networks, a port is an endpoint of a logical connection. The port
number identifies what type of port it is (which application/service is offered). The
commonly used default port numbers in e-mail are shown below:

Protocol          Port number
SMTP              25
HTTP              80
POP3              110
IMAP              143
HTTPS             443
SMTPS             465
MSA (submission)  587
IMAPS             993
POP3S (SPOP)      995

Identities used in e-mail are globally unique and are: mailbox, domain name,
message-ID and ENVID. Mailboxes are conceptual entities identified by an e-mail
address, and they receive mail.

E-mail forensics refers to the study of the source and content of e-mail as
evidence to identify the actual sender and recipient of a message, the date/time of
transmission, a detailed record of the email transaction, the intent of the sender, etc.

A forensic investigation of e-mail can examine both email header and body.
An investigation should have the following:

1. Examining sender's e-mail address
2. Examining message initiation protocol (HTTP, SMTP)
3. Examining message ID
4. Examining sender's IP address

Email headers

When investigating email, we usually start with the piece of email itself and
analyze the headers of the email, since each SMTP server that handles a message
adds lines on top of the header.

Metadata in the e-mail message in the form of control information, i.e. the
envelope and headers (including headers in the message body), contains information
about the sender and/or the path along which the message has traversed.

Inconsistencies between the data that successive SMTP servers supposedly
created can prove that the email in question is faked. Another line of investigation is
the header contents themselves: each SMTP server tends to add its own idiosyncratic
header lines.

If a message does not have these lines, then it is faked. If possible, one can obtain
another email that supposedly followed the same path as the email under investigation
and see whether these idiosyncratic lines have changed. While it is possible that
the administrator of an SMTP node changed the behaviour or even the routing,
such changes tend to be few and far between.

In email server investigation, copies of delivered e-mails and server logs are
investigated to identify the source of an e-mail message. E-mails purged from the
clients (senders or receivers) whose recovery is impossible may be requested from
servers (proxy or ISP), as most of them store a copy of all e-mails after their
delivery.

Some other aspects that control the forensic steps include the following
properties:

Storage format of email: Server-side storage formats include maildir and
mbox; some servers store email in SQL Server databases. Different formats can be
read for forensic analysis using a text editor and regular expression-based searches.
At the client side, email is commonly stored in mbox format. Clients may also store
emails as .PST (MS Outlook) and .NSF (Lotus Notes) files.

Availability of a backup copy of email: When checking from the server side,
all copies are transferred to the client. This requires seizing the client computer.
For webmail, copies are always saved at the server side.

Protocol used to transport email: Email can be initiated and transported
based on SMTP or HTTP, depending on the email server applications.

E-Mail forensic tools

1. eMailTrackerPro analyses the headers of an e-mail to detect the IP address
of the machine that sent the message so that the sender can be tracked down.
It can trace multiple e-mails at the same time and easily keep track of them.
2. EmailTracer is an Indian effort in cyber forensics by the Resource Centre
for Cyber Forensics (RCCF), which is a premier centre for cyber forensics in
India. It develops cyber forensic tools based on the requirements of law
enforcement agencies.
3. Adcomplain is a tool for reporting inappropriate commercial e-mail and
Usenet postings, as well as chain letters and “make money fast” postings.

Checking UNIX E-mail Server Logs

Log files provide useful information for investigation. After sending
mail, the server creates a number of files to track and maintain the email
service.

The “/etc/sendmail.cf” file holds the configuration information for sendmail.
The “/etc/syslog.conf” file specifies how and which events sendmail logs.
Communication between SMTP and POP3 is maintained in the /var/log/maillog
file. It also records IP addresses and time stamps.

Email evidence is found in the email itself (the header), and email evidence is also
left behind as the email travels from sender to recipient.

Reviewing e-mail headers can offer clues to the true origin of the mail and the
program used to send it.

Received is the most essential field of the email header: it creates a list of all
the email servers through which the message travelled in order to reach the
receiver.

The best way to read Received fields is from bottom to top.

1. The bottom “Received” shows the IP address of the sender's mail server.
2. The top “Received” shows the IP address of the receiver's mail server.
3. The middle “Received” fields show the IP addresses of the mail servers through
which the email passed from sender to receiver.
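Reading the Received chain from bottom to top and checking successive hops for inconsistencies, as one added example serving this section and the earlier discussion of faked headers (it is not code from any of the e-mail forensic tools named in these notes). The message is constructed with documentation-range addresses and example hostnames; a second copy has a bogus Received line inserted at the bottom so the consistency check has something to find.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: three hops, bottom Received line is the originating client.
RAW = """Received: from mx2.example.org (mx2.example.org [198.51.100.20])
    by mail.example.com with ESMTP id ABC123; Mon, 3 Jun 2024 10:05:12 +0000
Received: from smtp.isp.example (smtp.isp.example [203.0.113.7])
    by mx2.example.org with ESMTP; Mon, 3 Jun 2024 10:05:03 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by smtp.isp.example with ESMTPA; Mon, 3 Jun 2024 10:04:58 +0000
Message-ID: <20240603100458.12345@smtp.isp.example>
From: Alice <alice@example.net>
To: Bob <bob@example.com>
Subject: Constructed sample

body
"""

# Same message with a forged hop appended below the genuine ones.
FORGED = RAW.replace(
    "Message-ID:",
    "Received: from mail.partner.example (mail.partner.example [192.0.2.99])\n"
    "    by relay.somewhere.example with ESMTP; Mon, 3 Jun 2024 11:00:00 +0000\n"
    "Message-ID:", 1)

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' host, 'by' host, bracketed IP and timestamp out of one header."""
    value = " ".join(value.split())                       # unfold continuation lines
    hop = HOP_RE.search(value)
    ip = IP_RE.search(value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {"from": hop.group(1) if hop else None, "by": hop.group(2) if hop else None,
            "ip": ip.group(1) if ip else None, "time": when}


def trace_hops(raw):
    """Return the hops in transit order: bottom Received header first."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def check_chain(hops):
    """The 'by' host of one hop should be the 'from' host of the next, and timestamps
    should not run backwards. Returns a list of findings; empty means consistent."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append("hop %d: received by %s but next hop claims from %s"
                            % (i, prev["by"], cur["from"]))
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            findings.append("hop %d: timestamp %s is earlier than the previous hop"
                            % (i, cur["time"].isoformat()))
    return findings


if __name__ == "__main__":
    hops = trace_hops(RAW)
    print("originating IP:", hops[0]["ip"])
    print("genuine chain findings:", check_chain(hops))
    print("forged chain findings:", check_chain(trace_hops(FORGED)))
```

Only the hop added by a server you trust is reliable; every Received line below it was supplied by the previous relay and can be fabricated, which is why the examiner reads upward from the first trusted server rather than simply taking the bottom line at face value.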

The syslog.conf file simply specifies where to save different types of e-mail
log files. The first log file it configures is /var/log/maillog, which usually contains
a record of Simple Mail Transfer Protocol communication between servers.

UNIX systems are set to store log files in the /var/log directory.

Microsoft E-mail Server Log

Microsoft's e-mail server software is Exchange Server. It uses a database
based on the Microsoft Extensible Storage Engine.

The Microsoft Extensible Storage Engine (ESE) uses different files in various
combinations to provide the e-mail service. For investigation, two database files are
helpful: the “.edb” and “.stm” files.

Checkpoint and temporary files are also helpful for investigation. The .edb file
contains many tables that hold metadata for all e-mail messages and other items in
the Exchange store.

The .stm file stores native Internet content. Because Internet content is
written in native format, there is no need to convert messages and other items to
Exchange format.

An .edb file is responsible for messages formatted with the Messaging
Application Programming Interface (MAPI), a Microsoft system that enables
different e-mail applications to work together.

The .edb and .stm files function as a pair, and the database signature is
stored as a header in both files. The internal schema for the .stm pages is stored in
the .edb file.

E-mail Forensic Tools: MailXaminer

MailXaminer is a toolkit with multiple functions, of which its powerful
search mechanism is the standout feature. With this email search software, users
can scan, view, search, investigate, analyze, smart-review and generate a report of
emails in very little time.

1. Input file on disk required: This indicates that the email file must be
present on the local disk. MailXaminer requires the input file to be on disk.
2. Search option: This feature indicates how a search for words of interest
in the content of an email is performed. MailXaminer can perform plain
text-based search.
3. Information provided: This feature indicates the information extracted
and shown as part of forensic analysis. The MailXaminer tool shows the
message, date and time details of an email.
4. Recovery capability: A forensic tool should have the capability to
recover corrupted or deleted email to be useful for investigation.
MailXaminer can recover corrupted email. It also has the capability
to import corrupted contacts and calendars.
5. Email formats supported: This feature indicates the file types supported by
a tool. MailXaminer supports Gmail, Yahoo, Hotmail, IMAP, Mozilla
Thunderbird, Lotus Notes, Outlook, Exchange and Mac Outlook email
formats.
6. Visualization formats supported: A forensic tool should allow the investigator
different types of display of the extracted information to enable more
intelligence gathering. MailXaminer supports different view options.
7. OS supported: Ideally, a forensic tool should support different types of
operating systems to make it useful for email applications running on
different platforms. MailXaminer runs on Windows.
8. Export format: A forensic tool should have a friendly format for saving
the examination results for compatible analysis with other forensic tools.
9. Extended device support: This feature indicates whether a tool can act on
plug-in devices such as an added hard disk or USB memory stick, etc.

Cell Phone and Mobile Devices Forensics

Mobile devices are an evolving form of computing, used widely for personal
and organizational purposes. These compact devices are useful in managing
information, such as contact details and appointments, corresponding
electronically, and conveying electronic documents.

Over time, they accumulate a sizeable amount of information about the
owner. When involved in crimes or other incidents, proper tools and techniques are
needed to recover evidence from such devices and their associated media.

Mobile device forensics is the science of recovering digital evidence from a
mobile device under forensically sound conditions using accepted methods. Mobile
device forensics is an evolving specialty in the field of digital forensics.

Different mobile devices have different technical and physical characteristics
(e.g., size, weight, processor speed, memory capacity). Mobile devices may also
use different types of expansion capabilities to provide additional functionality.
Furthermore, mobile device capabilities sometimes include those of other devices
such as handheld Global Positioning Systems (GPS), cameras (still and video) or
personal computers.

People store a lot of information on cell phones, but they rarely think
about securing them. Data stored on mobile phones include the following:
1. Incoming, outgoing and missed calls
2. SMS
3. E-mail
4. Instant-messaging logs
5. Web pages
6. Pictures
7. Personal calendars
8. Address books
9. Music files
10. Voice recordings

A mobile phone consists of the following hardware components: a microprocessor,
ROM, RAM, a digital signal processor, a radio module, a microphone and speaker,
hardware interfaces, and a display.

Most basic phones have a proprietary OS, while smartphones run Android or
other operating systems.

Phones store system data in Electrically Erasable Programmable Read-
Only Memory (EEPROM). This enables service providers to reprogram phones
without having to physically access the memory chips. The OS is stored in ROM.

The personal nature of the information on these devices can provide digital
investigators with valuable insights into the modus operandi of suspects and the
activities of victims. Windows Mobile uses a variation of the FAT file system called
the Transaction-safe FAT (TFAT) file system, which has some recovery features in
the event of a sudden device shutdown.

The forensic acquisition tools that are available to most forensic analysts do
not have direct access to flash memory on Windows Mobile devices and are
limited to acquiring data through a hardware abstraction layer.

Mobile devices contain non-volatile and volatile memory. Volatile memory
(i.e., RAM) is used for dynamic storage and its contents are lost when power is
drained from the mobile device. Non-volatile memory is persistent, as its contents
are not affected by loss of power or by overwriting of data upon reboot. For example,
solid-state drives (SSDs) store persistent data on solid-state flash memory.

Mobile devices typically contain one or two different types of non-volatile
flash memory. These types are NAND and NOR. NOR flash has faster read times and
slower write times than NAND and is nearly immune to corruption and bad blocks,
while allowing random access to any memory location. NAND flash offers higher
memory storage capacities, is less stable and only allows sequential access.

NAND flash memory contains PIM data, graphics, audio, video, and other
user files. This type of memory generally provides the examiner with the most
useful information. NAND flash memory may leave multiple copies
of transaction-based files (e.g., databases and logs) due to wear leveling
algorithms and garbage collection routines.

Since NAND flash memory cells can be re-used only a limited number of
times before they become unreliable, wear leveling algorithms are used to increase
the life span of flash memory storage by arranging data so that erasures and re-
writes are distributed evenly across the SSD.

SIM card

Identity modules are synonymous with mobile devices that interoperate with
GSM cellular networks. Under the GSM framework, a mobile device is referred to
as a mobile station and is partitioned into two distinct components: the Universal
Integrated Circuit Card (UICC) and the Mobile Equipment (ME).

A UICC, commonly referred to as an identity module (e.g., Subscriber
Identity Module [SIM], Universal Subscriber Identity Module [USIM], CDMA
Subscriber Identity Module [CSIM]), is a removable component that contains
essential information about the subscriber.

The ME and the radio handset portion cannot fully function without a UICC.
The UICC's main purpose is authenticating the user of the mobile device to
the network providing access to subscribed services. The UICC also offers storage
for personal information, such as phonebook entries, text messages, Last Numbers
Dialed (LND) and service-related information.

SIM

A SIM stores the following types of information:

1. The SIM stores the International Mobile Subscriber Identity (IMSI), which is
a unique identifier for each subscriber in the system.
2. Subscribers can maintain a list of the numbers they call or are called
from most frequently.
3. Information about SMS traffic.
4. Information about the subscriber's location: The SIM stores the last area
where the subscriber was registered by the system.
5. Information about calls: The last numbers dialed are stored in a file in the
SIM filesystem.
6. Information about the provider: It is possible to extract the provider's
name and the mobile network commonly used for communications, along
with mobile networks that are forbidden to the subscriber.
7. Information about the system: Every SIM card has a unique ID stored in
it.

Mobile Virtual Network Operator (MVNO)

An MVNO does not own spectrum; it leases it from a network operator with
whom it has a relationship. An MVNO supplies the SIM card, has full control
over its subscribers and handles its own billing.

An MVNO buys network capacity, usually as close to the base level as
possible, and invests in a service infrastructure of its own.

The MVNO thereby establishes a more independent position and is able to
compete directly with other mobile network operators in the market by offering
advanced services.
MVNOs typically offer prepaid wireless plans on a subscription basis. Sales
and customer service may be handled directly by the MVNO or by yet another
entity called a Mobile Virtual Network Enabler (MVNE). MVNEs specialize in
marketing and administering mobile services.

An MVNO usually offers not only voice services but also value-added
services, sometimes referred to as mobile value-added services, which are a
combination of voice, data, graphics and video information. Examples include
mobile music, mobile TV, games, ring tones, multimedia messaging, mobile
commerce and location-based services.

There are different kinds of MVNOs:

1. Classic service provider: Resellers merely resell subscriptions to end
users. In most cases, resellers are completely dependent on MNOs for
every aspect of service provision, billing and customer care. MVNOs that
operate as resellers are likely to require an ASP license.
2. ESP (Enhanced Service Provider): Procures its own SIM cards and
controls a few network elements. So, enhanced service providers are
those who do not own or provide network facilities but have the ability to
secure their own numbering range, operate their own HLR and offer their own
SIM cards with their own mobile network code. They are dependent on
MNOs for network facilities, as well as for access to the radio network.
3. Full MVNO: Owns everything (including the HLR) except the radio network
equipment. A full MVNO is one that owns or provides network
facilities and network services such as towers, mobile switching centres,
home location registers (“HLR”) and cellular mobile services.

Types of evidence on mobile devices

Two types of evidence can be retrieved from mobile:

1. Electronic evidence
2. Retained data evidence.

Electronic evidence includes the user's call history, contacts/phone book,
calendar information, and information stored on the SIM card.

Retained data evidence is telecom records involving the detail of calls made
and received and the geographical location of the mobile phone when a call took
place.

The address book, call history and text messages are the three main
components for digital evidence.

1. Address book: It contains contact information. A digital investigator
can link a suspect to a victim using information from the address
book. It can provide a cross reference between real names and
nicknames.
2. Call history: It maintains the last calls sent and received, with
time and date. It also gives the time spent speaking with the other
person.
3. Text messages: Texts are one of the most common forms of
electronic evidence. Texts offer concrete and direct information, in
contrast to the call history and address book, which only offer indirect
and inferential information. They contain the actual words written
by the owner or intended for the owner.

Evidence Extraction Process

Mobile phone evidence extraction process is as follows:

1. Intake: The evidence intake phase generally entails request forms
and intake paperwork to document chain of custody, ownership
information and the type of incident the phone was involved in.
2. Identification: For every examination, the examiner should
identify the legal authority to examine the phone, the goals of the
examination, and the make, model and identifying information of the
cellular phone.
3. Preparation: The preparation phase involves specific research
regarding the particular phone to be examined, the appropriate
tools to be used during the examination and preparation of the
examination machine to ensure that all of the necessary equipment,
cables, software and drivers are in place for the examination.
4. Isolation: Isolation of the phone prevents the addition of new data
to the phone through incoming calls and text messages as well as
the potential destruction of data through a kill signal or accidental
overwriting of existing data as new calls and text messages come
in.
5. Processing: SIM cards should be processed separately from the
cellular phone they are installed in to preserve the integrity of the
data contained on the SIM card.
6. Verification: The examiner could extract the file system of the cell
phone initially, perform the examination and then extract the file
system of the phone a second time.
7. Documentation/reporting: Documentation should include
information such as:
a) The date and time the examination was started.
b) The physical condition of the phone.
c) Pictures of the phone and individual components.
d) Status of the phone when received.
e) Make, model, and identifying information.
8. Presentation: The investigator may also want to provide reference
information regarding the source of date and time information,
EXIF data extracted from images or other data formats, in order
that recipients of the data are better able to understand the
information.

Challenges in Mobile Device Forensics

1. Data volatility: It may be necessary to keep a seized device
powered up until the analysis is complete in order to prevent loss
of important data that may be changed or overwritten when the
power shuts off or the device is rebooted.
2. Data Preservation: For a mobile phone investigation, it is
important to prevent the device from receiving any further data or
voice communication. As text messages are stored in a “First In,
First Out” order, any new incoming text messages could delete
older stored text messages. Likewise, incoming calls could erase
call history logs, and some devices can be wiped of all data
remotely if not protected from incoming communications.
3. Operating Systems and Communication Protocols: Another
challenge impeding the development of forensics tools is the
various operating systems used on mobile phones. Mobile phones
have evolved into full-fledged computing platforms requiring
vendors to use sophisticated operating systems so that various
software applications can be run on them.
4. Security Mechanisms: There are several security mechanisms
used on mobile phones to protect data. The handset lock is
normally activated upon power-up, which presents a problem for
examiners who must attempt to investigate a phone that was found
or seized in a powered off state.
5. Unique Data Formats: Textual information such as telephone
numbers, address books, email messages, and text messages are
stored using proprietary file formats. Makers of forensic software
tools will need to be aware of these formats so they can write
software that will convert these files to information easily
understood by humans. An exception to these proprietary file
formats is for image and video files which are typically stored in
common JPG and MPEG formats.

Understanding Acquisition Procedures for Cell Phones and Mobile Devices

Mobile device forensic acquisition can be performed using multiple
methods. The main concerns with mobile devices are loss of power and
synchronization with PCs.

Acquisition should occur at a forensics laboratory once the seized equipment
has arrived and been checked in. The forensic examination begins with the
identification of the device.

The type of device, its operating system, and other characteristics determine
the route to take in creating a forensic copy of the contents of the device.

All mobile devices have volatile memory. Making sure they don't lose power
before you can retrieve RAM data is critical.

A mobile device attached to a PC via a cable or cradle/docking station should
be disconnected from the PC immediately.

Depending on the warrant or subpoena, the time of seizure might be
relevant.

Messages might be received on the mobile device after seizure. Isolate the
device from incoming signals with one of the following options:

1. Place the device in a paint can
2. Use the Paraben Wireless StrongHold Bag
3. Use eight layers of antistatic bags to block the signal

The drawback to using these isolating options is that the mobile device is put
into roaming mode, which accelerates battery drainage.

Check these areas in the forensics lab: Internal memory, SIM card,
removable or external memory cards and system server.

Checking system servers requires a search warrant or subpoena. The SIM
card file system is a hierarchical structure.

Information that can be retrieved:

1. Service-related data, such as identifiers for the SIM card and the
subscriber
2. Call data, such as numbers dialed
3. Message information
4. Location information

If power has been lost, PINs or other access codes might be required to view
files.

To acquire data from a phone, a connection must be established to the device
from the forensic workstation. Before performing an acquisition, the version of the
tool being used should be documented, along with any applicable patches or errata
from the manufacturer applied to the tool.
Caution should be taken to avoid altering the state of a mobile phone when
handling it, for example, by pressing keys that could potentially corrupt or erase
evidence.

Once the connection has been established, the forensic software suite can
proceed to acquire data from the device.

Acquiring a device's contents logically, the prevailing technique used by
present-day forensic tools, requires the device to be switched on.

The goal during acquisition is to affect memory contents as little as possible,
and then only with the knowledge of what is occurring internally, relying more on
adherence to the second and third evidentiary principles, which respectively
emphasize high competence of the specialist and the capture of a detailed audit
trail of the actions taken.

The date and time maintained on the mobile phone is an important piece of
information. The date and time may be obtained from the network or manually set
by the user.

Suspects may manually set the day or time to a completely different value
from the actual one to leave misleading values in the call and message records
found on the phone.

If the phone was on when seized, the date and time maintained and
differences from a reference clock should have already been recorded, as
mentioned earlier. Nevertheless, confirmation at acquisition may prove useful.

If the phone was off when seized, the date and time maintained and
differences from a reference clock should be recorded immediately when first
turned on in the laboratory.

Note that actions taken during acquisition, such as removal of the battery to
view the device label, may affect the time value maintained.

Unlike desktop machines or network servers, most phones have no hard
disk and rely instead entirely on semiconductor memory.
Specialized software exists for performing a logical acquisition of PIM data
and, for certain phones, producing a physical image. However, the contents of a
phone are typically dynamic and continually changing.

Two back-to-back acquisitions of a device using the same tool may produce
different results overall, though the majority of information, such as PIM data,
remains unchanged.

Increasingly, mobile phones come with a built-in slot for some family of
memory cards.

Forensic tools that acquire the contents of a resident memory card normally
perform a logical acquisition.

To recover deleted data that might reside on the memory card, a direct
acquisition can be performed on it after the contents of the mobile phone have been
successfully acquired.

With either type of acquisition, the forensic tool may or may not have the
capability to decode recovered phone data stored on the card, requiring additional
manual steps to be taken.

After an acquisition is finished, the forensic specialist should always confirm
that the contents of a device were captured correctly.

On occasion, a tool may fail its task without any error notification and
require the specialist to reattempt acquisition with the same tool or another tool.
Similarly, some tools do not work as well with certain devices as others do,
and may fail with an error notification. Thus, where possible, it is advisable to have
multiple tools available and be prepared to switch to another if difficulties occur
with the initial tool.
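The verification step of the extraction process (acquire the file system, examine, acquire again) and the point above that back-to-back acquisitions differ only in dynamic data can be checked mechanically. The following is an added Python example, not code from the notes or from any forensic tool: the two acquisitions are constructed in-line as path-to-contents maps, and the paths and the "stable" prefixes are assumptions for illustration.

```python
import hashlib

# Constructed stand-ins for two logical acquisitions of the same phone taken
# back to back (path -> file contents). Not real device data.
FIRST_ACQUISITION = {
    "pim/contacts.db": b"Alice;+00 1234\nBob;+00 5678\n",
    "pim/calendar.db": b"2024-05-06 10:00 meeting\n",
    "sms/inbox.db": b"1|+00 5678|see you at 10\n",
    "system/syslog": b"boot ok\nradio up\n",
    "cache/thumbs.bin": b"\x00\x01\x02",
}
SECOND_ACQUISITION = {
    "pim/contacts.db": b"Alice;+00 1234\nBob;+00 5678\n",
    "pim/calendar.db": b"2024-05-06 10:00 meeting\n",
    "sms/inbox.db": b"1|+00 5678|see you at 10\n",
    "system/syslog": b"boot ok\nradio up\nbattery 71%\n",  # log kept growing
    "cache/thumbs.bin": b"\x00\x01\x02",
    "cache/tmp.bin": b"\xff",                               # scratch file appeared
}

# Assumed layout: areas the notes describe as stable PIM data between
# acquisitions. A change here points at the acquisition itself (or at
# tampering), not at normal device activity.
STABLE_PREFIXES = ("pim/", "sms/")


def hash_manifest(acquisition):
    """Per-file SHA-256 digests: the record an examiner keeps for each pass."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in acquisition.items()}


def manifest_digest(manifest):
    """One digest over the whole sorted manifest, for the case notes."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode() + b"\0" + manifest[path].encode() + b"\n")
    return h.hexdigest()


def compare_acquisitions(first, second):
    """Classify every path as unchanged, changed, added or removed."""
    m1, m2 = hash_manifest(first), hash_manifest(second)
    report = {"unchanged": [], "changed": [], "added": [], "removed": []}
    for path in sorted(set(m1) | set(m2)):
        if path not in m2:
            report["removed"].append(path)
        elif path not in m1:
            report["added"].append(path)
        elif m1[path] != m2[path]:
            report["changed"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def stable_data_intact(report):
    """True when the only differences lie outside the stable PIM areas."""
    differing = report["changed"] + report["added"] + report["removed"]
    return not any(p.startswith(STABLE_PREFIXES) for p in differing)


if __name__ == "__main__":
    result = compare_acquisitions(FIRST_ACQUISITION, SECOND_ACQUISITION)
    for kind, paths in result.items():
        print(f"{kind:9s} {paths}")
    print("first pass digest :", manifest_digest(hash_manifest(FIRST_ACQUISITION)))
    print("second pass digest:", manifest_digest(hash_manifest(SECOND_ACQUISITION)))
    print("stable data intact:", stable_data_intact(result))
```

A difference confined to logs and caches is the expected result the notes describe; a difference under a stable prefix is the signal to re-acquire or switch tools.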

Admissibility of Evidence

In cyber forensics, the admissibility of digital evidence hinges on its
authenticity, relevance, and compliance with legal procedures, including
maintaining a proper chain of custody and ensuring the integrity of the data. In
India, Section 65B of the Indian Evidence Act, introduced through the
Information Technology Act of 2000, provides the statutory basis for the
admissibility of electronic records.

Key Factors for Admissibility:

1. Authenticity: Digital evidence must be verifiable as originating from the
source it claims to be from.
2. Relevance: The evidence must be directly related to the issues in the case.
3. Integrity: The evidence must be shown to be unaltered and free from
tampering during collection, preservation, and presentation.
4. Chain of Custody: A clear and unbroken record of who had possession of
the evidence from its collection to its presentation in court is crucial.
5. Reliability: The methods used to collect and analyse the evidence must be
reliable and accepted by the court.
6. Completeness: The evidence should encompass all aspects of the alleged
incident, ensuring it's sufficient to prove or disprove a particular activity.
7. Probative Value vs. Prejudicial Effect: The evidence’s probative value (its
ability to prove something important) must outweigh any potential for
unfair prejudice, confusion, or misleading the jury.
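The Integrity and Chain of Custody factors above are usually supported by a tamper-evident custody record. The following is an added Python example, not from the notes and not any court-prescribed form: it keeps an append-only log in which every entry commits to the previous one and to the exhibit's hash, so a later edit, a dropped entry, or a changed exhibit digest is detected on verification (exhibit, names and timestamps are constructed placeholders).

```python
import hashlib
import json

# Constructed exhibit for a hypothetical case; the "image" bytes, names and
# timestamps are placeholders, not values from any real investigation.
EXHIBIT_ID = "EXHIBIT-PLACEHOLDER-01"
EXHIBIT_IMAGE = b"constructed phone image bytes"
EXHIBIT_SHA256 = hashlib.sha256(EXHIBIT_IMAGE).hexdigest()
GENESIS = "0" * 64


def _canonical(event):
    # Deterministic encoding so the digest does not depend on key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only chain of custody: each entry's digest covers the previous
    digest, so altering or dropping an entry breaks every later digest."""

    def __init__(self, exhibit_id, exhibit_sha256):
        self.exhibit_id = exhibit_id
        self.exhibit_sha256 = exhibit_sha256   # hash taken at collection
        self.entries = []

    def record(self, when, actor, action, exhibit_sha256):
        """Append one custody event; the caller re-hashes the exhibit each time."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "when": when, "actor": actor,
                "action": action, "exhibit": self.exhibit_id,
                "sha256": exhibit_sha256, "prev": prev}
        entry = dict(body, digest=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """Return (ok, reason). Checks the hash chain (custody) and that the
        exhibit digest never departed from the one recorded at collection."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False, f"entry {i}: sequence or link broken"
            body = {k: v for k, v in entry.items() if k != "digest"}
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["digest"]:
                return False, f"entry {i}: digest mismatch (record altered)"
            if entry["sha256"] != self.exhibit_sha256:
                return False, f"entry {i}: exhibit hash differs (integrity lost)"
            prev = entry["digest"]
        return True, "chain intact"


def build_sample_log():
    """Three constructed custody events for the placeholder exhibit."""
    log = CustodyLog(EXHIBIT_ID, EXHIBIT_SHA256)
    log.record("2024-05-06T09:00Z", "Officer A", "seized and bagged", EXHIBIT_SHA256)
    log.record("2024-05-06T11:30Z", "Examiner B", "checked in to lab", EXHIBIT_SHA256)
    log.record("2024-05-07T08:15Z", "Examiner B", "imaged and re-hashed", EXHIBIT_SHA256)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())
    log.entries[1]["actor"] = "Someone else"   # simulate a later edit
    print(log.verify())
```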

Cyber Laws in India

Put simply, cyber-crime is an unlawful act in which the
computer is either a tool or a target or both. Cyber-crimes can involve criminal
activities that are traditional in nature, such as theft, fraud, forgery, defamation
and mischief, all of which are subject to the Indian Penal Code. The abuse of
computers has also given birth to a gamut of new-age crimes that are
addressed by the Information Technology Act, 2000.

We can categorize cyber-crimes in two ways:

1. The computer as a target: using a computer to attack other
computers, e.g. hacking, virus/worm attacks, DoS attacks etc.
2. The computer as a weapon: using a computer to commit real-world
crimes, e.g. cyber terrorism, IPR violations, credit card frauds, FT
frauds, pornography etc.

Cyber law (also referred to as cyberlaw) is a term used to describe
the legal issues related to the use of communications technology,
particularly "cyberspace", i.e. the Internet. It is less a distinct field of
law in the way that property or contract law are than an intersection of
many legal fields, including intellectual property, privacy, freedom
of expression, and jurisdiction. In essence, cyber law is an attempt to
integrate the challenges presented by human activity on the Internet
with the legacy system of laws applicable to the physical world.

Why Cyber Laws in India?

When the Internet was developed, its founding fathers hardly had
any inclination that it could transform itself into an all-pervading revolution
which could be misused for criminal activities and which required regulation.
Today, there are many disturbing things happening in cyberspace. Due to the
anonymous nature of the Internet, it is possible to engage in a variety of criminal
activities with impunity, and people with intelligence have been grossly misusing
this aspect of the Internet to perpetrate criminal activities in cyberspace. Hence the
need for cyber laws in India.

Importance of Cyber Law

The field of cyber law plays a very crucial role, in today’s digital era. Its
significance arises from the increasing reliance on internet and computer
networks across various aspects of our everyday lives ranging from personal
interactions to businesses.

The importance is highlighted below:

Preserving Individual Rights: Cyber law serves to safeguard rights such
as privacy, identity and property within the digital world. It helps to block
unauthorized access to data, safeguards against cyberbullying and online dangers, and
secures intellectual assets from being violated.

Fighting Cybercrime: Cyber laws are preventive and protective
regulations pertaining to cyberspace crimes. They set out punishments for crimes
such as hacking, phishing, data and identity theft, cyberbullying and online fraud.
These laws also outline procedures for catching and punishing criminals and
hence are aimed at preventing unlawful activities and holding individuals accountable
for their wrongful actions.

Strengthening Cybersecurity: Within the domain of cyber law lie
frameworks that aim to protect infrastructure encompassing computer networks,
data storage systems and online services. It mandates cybersecurity measures,
promotes secure practices and facilitates cooperation in combating cyber threats.
An example is the Indian Computer Emergency Response Team (CERT-In)
directions to protect against data theft.

Types of Cyber Laws

1. Cybercrime laws: The Information Technology Act addresses types
of crimes such as hacking into computer systems, spoofing, altering
source documents, sharing prohibited content, cyber stalking and more. These
offenses are categorized as cybercrimes against individuals and
cybercrimes against property.
2. Cybersecurity laws: Cybersecurity primarily aims to safeguard
systems such as computer networks, data storage platforms and
internet services against cyber threats. Legal guidelines and
regulations in cyber law provide the foundation for enforcing
strategies like incident response plans, such as those outlined in the IT
(The Indian Computer Emergency Response Team) Rules of 2013.
3. Data privacy and protection: Data protection
involves the management of data: how it is gathered, stored,
utilized and transferred globally. Cyber law oversees these
operations by setting out rules to safeguard the confidentiality
and integrity of personal details. The Digital Personal Data Protection
Act of 2023 (DPDPA), along with the IT (Reasonable Security
Practices and Procedures and Sensitive Personal Data or
Information) Rules of 2011 (SPDI Rules), are aimed at
safeguarding individuals' privacy and preventing unauthorized access to or
misuse of their information. The notion of “consent” holds central
importance in this context.

Objectives of Cyber Law

Cyber law has numerous objectives, all with the purpose of establishing an
environment that is safe, secure and reliable for individuals, organizations and
nations. A few advantages of cyber law and its objectives are enumerated
below:

Preserving Privacy: Cyber law ensures that individuals' privacy rights are
protected in the digital world by ensuring proper collection, storage and processing of
personal data.

Shielding Identity: Cyber law acts as a safeguard for individuals'
identities by preventing unlawful access, theft or misuse of identity. This
protection helps prevent impersonation and identity fraud.

Preventing Cybercrime: Cyber law defines boundaries and penalties for
cybercrimes. By doing so, it discourages individuals from participating in malicious
and unlawful activities online.

Difference between Cybercrime and Cybersecurity

Definition
  Cybercrime: Commission of illegal activities through use of computer
  networks and programs.
  Cybersecurity: Protection of computer systems and networks from
  malicious digital activities.

Focus on
  Cybercrime: Exploitation, harms towards individuals, property and
  government.
  Cybersecurity: Security, prevention and protection from harmful
  activities.

Legal framework
  Cybercrime: IT Act, criminal laws, contracts.
  Cybersecurity: IT Act, data protection laws.

Objectives
  Cybercrime: Deterring crimes, protection of individuals, and imposing
  punishments on offenders.
  Cybersecurity: Protection of assets and information, incident response
  plans and minimising data attacks.

Examples
  Cybercrime: IT Act, IPC (which is going to be the Bharatiya Nyaya Sanhita
  from 1st July).
  Cybersecurity: IPC (which is going to be the Bharatiya Nyaya Sanhita from
  1st July), CERT-In Rules, The Digital Personal Data Protection Act.

How to protect yourself on the Internet?

1. Use anti-virus software: Antivirus programs are designed to
identify and eliminate suspicious software that can pose a threat
to your device and compromise its security. It's important to
scan your devices for viruses and malware to ensure that they
remain safeguarded.
2. Use strong passwords and two-factor authentication: It's very
necessary to prioritize strong passwords and multi-factor authentication
to protect your accounts from unauthorized access. Avoid using
information such as birthdays, names or common words in
your passwords. Instead, opt for a combination of upper- and
lower-case letters, numbers and symbols to create strong
passwords.
3. Be cautious of sharing information and the content you post:
Phishing scams are frequently used by cybercriminals to
deceive people into exposing information or clicking on links.
It's important to be cautious of emails containing
attachments or links. Limit the amount of information you share
online on social media platforms. Refrain from disclosing
details such as your home address or phone number.

An overview of India's cyber laws is given below:

1. Information Technology Act, 2000:
• The primary legislation governing cyber activities in
India.
• Defines cyber-crimes and provides the legal framework for
e-commerce, digital signatures, and cyber offenses.
• Establishes various cyber offenses such as hacking, data
theft, and spreading of viruses.
2. Indian Penal Code (IPC), 1860:
• Certain cyber-crimes are punishable under the IPC, such
as hacking (Section 66) and identity theft (Section 66C).
3. The Indian Evidence Act, 1872:
• Provides guidelines for collecting and presenting
electronic evidence in court.
• Recognizes electronic records as evidence in legal
proceedings.
4. The Copyright Act, 1957:
• Protects digital content from unauthorized reproduction,
distribution, and use.
5. The Right to Privacy:
• While not a standalone law, the right to privacy is
protected under Article 21 of the Indian Constitution.
• The Supreme Court has also recognized privacy as a
fundamental right in landmark judgments.
6. The National Cyber Security Policy, 2013:
• Aims to protect information infrastructure in India and
strengthen cyber security measures.
7. The Personal Data Protection Bill, 2019:
• Addresses issues related to the collection, storage, and
processing of personal data.
• Introduces principles for handling personal data and
establishes a Data Protection Authority.
8. The Aadhaar (Targeted Delivery of Financial and Other
Subsidies, Benefits and Services) Act, 2016:
• Governs the use and protection of Aadhaar data, India's
biometric identity system.
9. Cyber Appellate Tribunal (CAT):
• Established under the Information Technology Act to
hear appeals against decisions made by Adjudicating
Officers.
10. Cyber Cells and Cyber Crime Investigation Units:
• Various state police departments have dedicated units to
investigate cyber-crimes.
11. International Cooperation:
• India cooperates with international organizations and
other countries to combat cyber-crimes that transcend
national borders.

Cyber Crimes and Offenses & Sections Under the IT Act:

1. Tampering with computer source documents Sec.65
2. Hacking with computer systems, data alteration Sec.66
3. Sending offensive messages through communication
service, etc Sec.66A
4. Dishonestly receiving stolen computer resource or
communication device Sec.66B
5. Identity theft Sec.66C
6. Cheating by personation by using computer resource
Sec.66D
7. Violation of privacy Sec.66E
8. Cyber terrorism Sec.66F
9. Publishing or transmitting obscene material in electronic
form Sec .67
10. Publishing or transmitting of material containing sexually
explicit act, etc. in electronic form Sec.67A
11. Punishment for publishing or transmitting of material
depicting children in sexually explicit act, etc. in electronic
form Sec.67B
12. Preservation and Retention of information by
intermediaries Sec.67C
13. Powers to issue directions for interception or monitoring or
decryption of any information through any computer
resource Sec.69
14. Power to issue directions for blocking for public access of
any information through any computer resource Sec.69A
15. Power to authorize to monitor and collect traffic data or
information through any computer resource for Cyber
Security Sec.69B
16. Un-authorized access to protected system Sec.70
17. Penalty for misrepresentation Sec.71
18. Breach of confidentiality and privacy Sec.72
19. Publishing False digital signature certificates Sec.73
20. Publication for fraudulent purpose Sec.74
21. Act to apply for offence or contraventions committed
outside India Sec.75
22. Compensation, penalties or confiscation not to interfere
with other punishment Sec.77
23. Compounding of Offences Sec.77A
24. Offences with three years’ imprisonment to be cognizable
Sec.77B
25. Exemption from liability of intermediary in certain cases
Sec.79
26. Punishment for abetment of offences Sec.84B
27. Punishment for attempt to commit offences Sec.84C Note:
Sec.78 of I.T. Act empowers Police Inspector to investigate
cases falling under this Act
28. Offences by Companies Sec.85
29. Sending threatening messages by e-mail Sec .503 IPC
30. Word, gesture or act intended to insult the modesty of a
woman Sec.509 IPC
31. Sending defamatory messages by e-mail Sec .499 IPC
32. Bogus websites, Cyber Frauds Sec .420 IPC
33. E-mail Spoofing Sec .463 IPC
34. Making a false document Sec.464 IPC
35. Forgery for purpose of cheating Sec.468 IPC
36. Forgery for purpose of harming reputation Sec.469 IPC
37. Web-Jacking Sec .383 IPC
38. E-mail Abuse Sec .500 IPC
39. Punishment for criminal intimidation Sec.506 IPC
40. Criminal intimidation by an anonymous communication
Sec.507 IPC
41. When copyright infringed: - Copyright in a work shall be
deemed to be infringed Sec.51
42. Offence of infringement of copyright or other rights
conferred by this Act. Any person who knowingly
infringes or abets the infringement of Sec.63
43. Enhanced penalty on second and subsequent covictions
Sec.63A
44. Knowing use of infringing copy of computer programme
to be an offence Sec.63B
45. Obscenity Sec. 292 IPC
46. Printing etc. of grossly indecent or scurrilous matter or
matter intended for blackmail Sec.292A IPC
47. Sale, etc., of obscene objects to young person Sec .293 IPC
48. Obscene acts and songs Sec.294 IPC
49. Theft of Computer Hardware Sec. 378
50. Punishment for theft Sec.379
51. Online Sale of Drugs NDPS Act
52. Online Sale of Arms Act.
UNIT – IV
ETHICAL HACKING
Introduction to Ethical Hacking

Hackers

Hacking is identifying weaknesses in computer systems or networks and
exploiting them to gain access. Example of hacking: using a
password-cracking tool to recover a login password and gain access to a
system.

Hacking also refers to the practice of modifying or altering computer
software and hardware to accomplish a goal that is outside the creator's
original objective.

Penetration testing is a legal and authorized attempt to locate and
successfully exploit computer systems for the purpose of making those
systems more secure. Authorization is the process of obtaining written
approval from the system owner before conducting any tests or attacks; it
is what separates a penetration test from a crime.

Hacking is an art of exploring security breaches. Each hacker has motives,
methods and skills. A computer hacker is typically a knowledgeable person
who knows several programming languages and is familiar with UNIX and
Windows NT internals and with networking protocols.

In other words, hacking can be referred to as unauthorized access to a
computer system or network. It succeeds when the hardware or software has a
weakness that can be exploited: missing patches, absent security controls,
weak configuration or poor password choice.

A hacker looks for internal and external system holes or bugs to break
into the system; for many the motive is fun and challenge.

Cracker and hacker are two different terms. A cracker breaks into systems
with malicious intent, for example by guessing or cracking users'
passwords; crackers are recognized by the malicious purpose of their
actions.

An ethical hacker possesses the skills, mindset and tools of a hacker but
is also trustworthy. Ethical hackers perform hacks as security tests for
their own or their clients' systems. Ethical hacking is also known as
penetration testing or white-hat hacking. It uses the same tools, tricks
and techniques that hackers use, with one major difference: ethical
hacking is authorized and therefore legal.

Types of Hackers

1. Crackers: A cracker is one who breaks security on a system. Crackers
are hardcore hackers characterized more as professional security
breakers and thieves.
2. Hacktivists: Hacktivists are conscious hackers with a cause.
3. Cyber terrorists: Based on motives, cyber terrorists can be divided
into two categories: the terrorists themselves and information warfare
planners.

How hackers hack the system?

A) The hacker first determines all available information about the
target network, then selects the target with the least protection
that still gives access to the data he wants.
B) The target is compared against well-known attacks. If source code
is available for the target's systems, the hacker examines the code
for new ways in.
C) The hacker may attempt to gain access to the password database, may
attempt brute-force access to the system, or may attempt to gain
physical access to the system.

Steps performed by hackers

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Reconnaissance is the act of gaining information about the target: which
hosts exist, which ports are open, which operating system and services run
on them, and which vulnerable applications are installed. All of this
information is vital to choosing an attack. (Strictly, port and service
details come out of the scanning step that follows; reconnaissance proper
starts from public sources.)

Port scanning is the probing of a host's TCP and UDP ports, most often by
attackers, to discover which services are listening and therefore which
may be attacked.

Network scanning is a procedure for identifying active hosts on a network,
either for the purpose of attacking them or for network security
assessment.

In the enumeration phase, the attacker gathers information such as network
user and group names, routing tables, and Simple Network Management
Protocol (SNMP) data.

Advantages and Disadvantages of Hacking

Advantages of Hacking:

1. It is used to recover lost information, especially when a user has
lost a password.
2. It is used to perform penetration testing to increase the security of
the computer and network.
3. It is used to test how good the security of your network is.

Disadvantages of Hacking:

1. It can harm the privacy of someone.
2. Unauthorized hacking is illegal.
3. Criminals can use hacking to their advantage.
4. It can hamper system operations.

Ethical Hacking

Ethical hacking is the authorized practice of bypassing system security
to identify potential data breaches and threats in a network.

Ethical hacking is identifying weaknesses in computer systems and/or
computer networks and coming up with countermeasures that protect those
weaknesses.

Ethical hacking, also known as penetration testing or white-hat hacking,
involves the same tools, tricks and techniques that hackers use.

Ethical hacking is performed with the target's permission. The intent of
ethical hacking is to discover vulnerabilities from a hacker's viewpoint so
that systems can be better secured.

Ethical Hacking Terminology:

Threat: a set of circumstances that has the potential to cause loss or
harm.

Exploit: a piece of software, or a defined procedure, that takes advantage
of a bug, glitch or vulnerability, leading to unauthorized access,
privilege escalation or denial of service on a computer system.

Classification of exploits:

A remote exploit works over a network and exploits a security
vulnerability without any prior access to the vulnerable system.

A local exploit requires prior access to the vulnerable system and is
typically used to increase privileges.

Vulnerability: a weakness in the security of a system, that is, a design
flaw, defect or misconfiguration that can be exploited by an attacker. For
example, a system that does not verify a user's identity before allowing
data access is vulnerable to unauthorized data manipulation. Bugs in a
system that enable users to violate the site security policy are
vulnerabilities.

Vulnerability scanner: a tool that scans a specified set of ports on a
remote host and tests the service offered at each port for its known
vulnerabilities.

Phases of Hacking

First Phase: Passive and Active Reconnaissance

Passive reconnaissance: a penetration testing technique where the
attacker extracts information about the target without interacting with
it; no request is sent to the target. Public resources (search engines,
Whois, DNS records, job postings, social media) are used to gather
information.

Active reconnaissance: a penetration testing technique where the attacker
obtains information about the target by interacting with it. Here tools
such as Nmap (a port scanner) and Nessus (a vulnerability scanner) may be
used to extract information. Because packets reach the target, active
reconnaissance can be logged and detected.

Second Phase: Scanning

Scanning involves taking the information discovered during reconnaissance
and using it to examine the network. Tools that a hacker may employ during
the scanning phase include dialers, port scanners, network mappers,
sweepers and vulnerability scanners.

Hackers are seeking any information that can help them perpetrate an
attack, such as computer names, IP addresses and user accounts.

Third Phase: Gaining Access

In this phase the actual hacking takes place. Vulnerabilities discovered
during the reconnaissance and scanning phases are now exploited to gain
access. The method of connection the hacker uses for an exploit can be a
LAN, local access to a PC, the Internet, or offline. Examples include
stack-based buffer overflows, denial of service and session hijacking.

Fourth Phase: Maintaining Access

Once a hacker has gained access, they want to keep that access for future
exploitation and attacks. Sometimes hackers harden the system against
other hackers or security personnel, securing their exclusive access with
backdoors, rootkits and Trojans.

Once the hacker owns the system, they can use it as a base to launch
additional attacks. An owned system used this way is sometimes referred to
as a zombie system.

Fifth Phase: Covering Tracks

Once hackers have been able to gain and maintain access, they cover their
tracks to avoid detection by security personnel, to continue to use the
owned system, to remove evidence of hacking, or to avoid legal action.

Hackers try to remove all traces of the attack, such as log entries or
intrusion detection system (IDS) alarms. Examples of activities during this
phase include steganography, the use of tunnelling protocols, and altering
log files.

Hacktivism

Hacktivism refers to hacking for a cause. Its main goal is to bring issues
to light and cause social change. It can also be considered activism
because it pursues these goals in a relatively peaceful manner.

Hacktivism relies on many properties of the internet that allow people to
use methods they could not use offline. Because of the scalability of the
internet, even small groups of people are able to make statements through
hacktivism.

Hacktivism also relies on the internet being relatively difficult to
censor and mostly anonymous.
Types of Hackers Classes

Hackers are of different types and are named based on the intent of their
hacking. Broadly there are two main kinds, white-hat hackers and black-hat
hackers; a third type is the grey-hat hacker.

White Hat:

A white hat hacker is a computer network security professional who has
non-malicious intent whenever he breaks into security systems. A white hat
hacker has deep knowledge of computer networking, network protocols and
system administration, is familiar with hacking tools and knows how to
program them.

A white hat hacker has the skills to break into networks but uses those
skills to protect organizations. A white hat hacker who conducts
vulnerability assessments and penetration tests is also known as an
ethical hacker.

White hat hackers are often employed by companies and organizations to
check their networks for vulnerabilities and make sure no hole is left
available for an intruder.

Black Hat:

A black hat hacker, also known as a cracker, is a computer professional
with deep knowledge of computer networking, network protocols and system
administration, who is familiar with many hacking tools and knows how to
program them.

A black hat hacker uses these skills for unethical reasons and always has
malicious intent when intruding into a network.

Example: stealing research data from a company, stealing money through
credit cards, hacking e-mail accounts, etc.

Grey Hat:

A grey hat hacker is someone between a white hat and a black hat. A grey
hat normally hacks without permission from the administrators of the
network, but then exposes the vulnerabilities to the network admins and
offers to fix them for money. Because the access was unauthorized, this is
still illegal in most jurisdictions.

Benefits of Ethical Hacking

The primary benefit of ethical hacking is to prevent data from being stolen
and misused by malicious attackers, as well as:

1. Implementing a secure network that prevents security breaches.
2. Defending national security by protecting data from terrorists.
3. Gaining the trust of customers and investors by ensuring the security
of their products and data.
4. Discovering vulnerabilities from an attacker's point of view so that
weak points can be fixed.
5. Helping protect networks with real-world assessments.

The Importance of Ethical Hacking

Ethical hacking offers an objective analysis of an organization's
information security posture, whatever the organization's level of
security expertise. In a black-box engagement the ethical hacking team has
no knowledge of the company's systems other than what it can gather
itself.

The ethical hackers must scan for weaknesses, test entry points,
prioritise targets and develop a strategy that best leverages their
resources. The objectivity of this kind of assessment has a direct impact
on the value of the whole evaluation.

Ethical hackers, or white hat hackers, offer a different approach to
safety: to test your security measures they perform 'pen tests' on your
organisation.

In other words, they 'hack' your systems for you and provide you with
insight and valuable information regarding your organization's security
posture.

As a result, you get to see your organization from the perspective of a
hacker without facing actual consequences such as sensitive data theft.
Goals Attackers Try to Achieve

Security is commonly described in terms of four basic elements:
confidentiality, authenticity, integrity and availability.

Confidentiality, integrity and availability, often known as the CIA
triad, are the building blocks of information security (authenticity is
frequently listed alongside them). Any attack on an information system
will compromise one, two or all three of these components.

1. Confidentiality refers to limiting information access and disclosure to
authorized users and preventing access by, or disclosure to,
unauthorized ones. Sensitive information should be kept secret from
individuals who are not authorized to see it.
2. Integrity ensures that information is not changed or altered, whether
in transit or at rest, except by authorized parties. Under certain
attack models an adversary may not have the power to impersonate an
authenticated party or to read a confidential communication, but may
still be able to change the information being transmitted.
3. Availability refers to the availability of information resources:
people who are authorized to use information are not prevented from
doing so. An information system that is not available when you need it
is at least as bad as none at all, and may be much worse depending on
how reliant the organization has become on a functioning computer and
communications infrastructure.

Vulnerability Research

Vulnerability research is the process of discovering vulnerabilities and
design weaknesses that could lead to an attack on a system.

To exploit a vulnerability, an attacker must have at least one applicable
tool or technique that can reach the system weakness. The set of all
points at which an attacker can reach and interact with a system is its
attack surface; every vulnerability an attacker can use lies somewhere on
that surface.

A security bug (security defect) is a narrower concept: there are
vulnerabilities that are not related to software. Hardware, site and
personnel vulnerabilities are examples of vulnerabilities that are not
software security bugs.

Hackers often rely on exploit techniques pioneered and shared by security
researchers and by people in the computer underground.

Types of Ethical Hacks

Ethical hackers can use many different methods to breach an organization's
security during a simulated attack or penetration test. The most common
methods follow:

Remote Network: Simulates an attacker launching an attack across the
Internet. The ethical hacker tries to identify and break through default or
weak points in the perimeter, typically the firewall, proxy servers and
exposed servers.

Remote Dial-Up Network: Simulates an attack against the organization's
modem pool. War dialing (dialing a block of numbers to find answering
modems) is used to locate an open system, and an unprotected
modem-attached system is the classic finding of this kind of test.

Local Network: Simulates an insider with physical access to the local
network who tries to reach information he is not authorized to see. For
this test the ethical hacker needs direct access to the local network.

Stolen Equipment: Simulates the theft of a resource such as an
executive's laptop. The information stored on it (usernames, passwords,
security settings and what is or is not encrypted) is examined to learn
what an attacker could recover from the device.

Physical Entry: Tests whether an attacker can enter the organization's
physical premises and from there gain access to systems.

Social Engineering: Tests the integrity of the organization's staff by
face-to-face or telephone contact intended to gather information that can
be used in later attacks. This kind of test shows how well the security
procedures of the organization are actually followed.

Application Testing: Looks for logic flaws in applications that result in
illegal access to the network, to the application itself, or to the data
the application serves.

Wireless Network Testing: Assesses the organization's exposure through
radio: whether an attacker within range of the wireless space can gain
access to the network.

Network Testing: Identifies insecure data and configurations on the
external as well as the internal network. It covers not only the network
itself but also devices such as virtual private network gateways.

War dialing: Identifies modems and default configurations reachable by
telephone. An unexpected modem is dangerous for an organization because it
bypasses the firewall entirely.

Footprinting and Reconnaissance

Footprinting

Footprinting refers to the process of collecting as much information as
possible about the target system in order to find ways to penetrate it. An
ethical hacker has to spend the majority of his time profiling an
organization: gathering information about the hosts, the network and the
people related to the organization.

Information such as IP addresses, Whois records, DNS information, the
operating systems used, employee e-mail IDs, phone numbers, etc. is
collected.

Footprinting is the process of accumulating data regarding a specific
network environment, usually for the purpose of finding ways to intrude
into the environment.

The EC-Council divides footprinting and scanning into seven basic steps:

1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network

Information Gathering: Good information gathering can make the difference
between a successful pen test and one that has failed to provide maximum
benefit to the client. An amazing amount of information is available about
most organizations in business today. It can be found on the
organization's website, in trade papers, on Usenet, in financial
databases, or even from disgruntled employees.

Determining the Network Range: Now that the pen test team has been able to
locate names, phone numbers, addresses, some server names and IP
addresses, it is important to find out what range of IP addresses is
available for scanning and further enumeration. If you take the IP address
of a web server discovered earlier and enter it into the Whois lookup at
www.arin.net, the network's range can be determined. (ARIN covers North
America; each region has its own registry, for example APNIC for India and
the Asia-Pacific.)

Identifying Active Machines: Attackers will want to know whether machines
are alive before they attempt to attack. One of the most basic methods of
identifying active machines is to perform a ping sweep.

Finding Open Ports and Access Points: With knowledge of the network range
and a list of active devices, the next step is to identify open ports and
access points. Identifying open ports goes a long way toward identifying
potential attack vectors. There is also the possibility of using war
dialing programs to find ways around an organization's firewall. If the
organization is located close by, the attacker might war drive the area to
look for open wireless access points.

OS Fingerprinting: At this point in the information gathering process the
hacker has made some real headway: IP addresses, active systems and open
ports have been identified. There are two ways in which the hacker can
attempt to identify the targeted devices. The first choice is passive
fingerprinting, which only observes traffic the target already sends. The
second choice is active fingerprinting, which sends malformed packets to
the target in the hope of eliciting a response that identifies it.
Although active fingerprinting is more accurate, it is not as stealthy as
passive fingerprinting.

Fingerprinting Services: Knowing what services are running on specific
ports allows the hacker to formulate and launch application-specific
attacks.

Mapping the Network: Mapping the network provides the hacker with a
blueprint of the organization. There are manual and automated ways to
compile this information.

Whois

Whois is a query/response protocol (RFC 3912) and the command-line tool of
the same name. It is widely used to query the official registry and
registrar databases in order to determine the registrant of a domain name,
the holder of an IP address block, or the owner of an autonomous system
number on the Internet.

Whois runs on TCP port 43. It is not a DNS lookup tool: DNS records are
queried with dig or nslookup, whereas Whois returns registration data
(registrar, registrant contacts, name servers, creation and expiry dates)
about the name or address.

Linux systems provide a whois client (usually in the whois package).
Windows does not ship a built-in Whois client; Windows users can use a
third-party tool such as the Sysinternals whois utility or a web lookup to
obtain Whois information.

$ whois vtubooks.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many
different competing registrars. Go to http://www.internic.net for detailed
information.

Domain Name: VTUBOOKS.COM
Registrar: DOMAIN.COM, LLC
Sponsoring Registrar IANA ID: 886
Whois Server: whois.domain.com
Referral URL: http://www.domain.com
Name Server: NS5.INDIALINKS.COM
Name Server: NS6.INDIALINKS.COM
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 23-oct-2013
Creation Date: 18-nov-2000
Expiration Date: 18-nov-2015

>>> Last update of whois database: Sun, 26 Jul 2015 17:11:41 GMT <<<

$ whois google.com
Domain Name: google.com
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-06-12T10:38:52-0700
Creation Date: 1997-09-15T00:00:00-0700
Registrar Registration Expiration Date: 2020-09-13T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Dns Admin
Registrant Organization: Google Inc.
Registrant Street: Please contact [email protected], 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6502530000
Registrant Phone Ext:
Registrant Fax: +1.6506188571
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: DNS Admin
Admin Organization: Google Inc.
Admin Street: 1600 Amphitheatre Parkway
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6506234000

>>> Last update of WHOIS database: 2015-07-26T09:56:49-0700
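The two records above are easier to use in a footprinting report once they are parsed. The following Python script is an added example and not part of the original notes: whois_query() speaks the raw Whois protocol on TCP port 43 and needs network access, while parse_whois() and the helpers after it work on a constructed, trimmed copy of the vtubooks.com record so that they run offline. The default registry server name and the two date formats are assumptions taken from the records shown above.

```python
import re
import socket
from datetime import datetime
from typing import Dict, List, Optional, Union

# Whois keys are capitalised phrases ("Name Server", "Registrar URL"); the lazy
# quantifier stops at the first colon so URL values keep their "http:" intact.
_KV = re.compile(r"^([A-Z][A-Za-z0-9 /._-]{0,40}?):\s*(.*)$")

# Date styles seen in the two records above: registry "18-nov-2015" and
# registrar ISO-8601 "2020-09-13T21:00:00-0700" (assumed to be the only ones).
_DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample: a trimmed copy of the vtubooks.com record printed above.
SAMPLE_RECORD = """\
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many
different competing registrars. Go to http://www.internic.net for details.

Domain Name: VTUBOOKS.COM
Registrar: DOMAIN.COM, LLC
Whois Server: whois.domain.com
Referral URL: http://www.domain.com
Name Server: NS5.INDIALINKS.COM
Name Server: NS6.INDIALINKS.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Creation Date: 18-nov-2000
Expiration Date: 18-nov-2015

>>> Last update of whois database: Sun, 26 Jul 2015 17:11:41 GMT <<<
"""

Record = Dict[str, Union[str, List[str]]]


def whois_query(name: str, server: str = "whois.verisign-grs.com", timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange: one CRLF-terminated line on TCP port 43, after which
    the server streams free-form text and closes. Needs network access, so the
    offline checks use SAMPLE_RECORD instead. The .com/.net registry server is
    the assumed default; other TLDs have their own."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((name + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Record:
    """Turn 'Key: value' lines into a dict. Keys that repeat (Name Server, Status)
    collect into a list; blank values and banner/footer text are dropped."""
    record: Record = {}
    for raw in text.splitlines():
        m = _KV.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if not value:
            continue
        existing = record.get(key)
        if existing is None:
            record[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            record[key] = [existing, value]
    return record


def as_list(record: Record, key: str) -> List[str]:
    value = record.get(key)
    return [] if value is None else (value if isinstance(value, list) else [value])


def name_servers(record: Record) -> List[str]:
    """Normalised name servers: the next footprinting target (DNS enumeration)."""
    return sorted(ns.lower() for ns in as_list(record, "Name Server"))


def parse_date(value: str) -> Optional[datetime]:
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=None)
        except ValueError:
            continue
    return None


def days_to_expiry(record: Record, today: Optional[datetime] = None) -> Optional[int]:
    """Days until the registration lapses. A negative or small number is a domain
    takeover risk worth flagging; None means no parsable expiry field."""
    for key in ("Expiration Date", "Registrar Registration Expiration Date", "Registry Expiry Date"):
        raw = record.get(key)
        if isinstance(raw, str):
            expiry = parse_date(raw)
            if expiry is not None:
                return (expiry - (today or datetime.now())).days
    return None


def is_transfer_locked(record: Record) -> bool:
    """clientTransferProhibited means the registrar refuses transfer requests,
    a basic defence against domain hijacking."""
    statuses = as_list(record, "Status") + as_list(record, "Domain Status")
    return any(s.split()[0] == "clientTransferProhibited" for s in statuses)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_RECORD)
    print(rec["Domain Name"], name_servers(rec),
          days_to_expiry(rec, parse_date("26-jul-2015")), is_transfer_locked(rec))
```

Run it as is to see the parsed sample; replace SAMPLE_RECORD with whois_query("example.com") on a networked host to parse a live record. Repeated keys are kept as lists on purpose: a domain with several name servers or status locks is the normal case, and collapsing them would hide exactly the fields an assessor wants.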

Network Reconnaissance

A reconnaissance attack is a kind of information gathering on network
systems and services. It enables the attacker to discover vulnerabilities
or weaknesses on the network.

One of the old reconnaissance methods was simply to ping every IP address
on a network sequentially, starting with the local subnet and then
expanding outward. If an IP address responded to a ping, the attacker knew
there was an active device at that address and added it to a local list of
potential attack targets. This ping method required the attacker to guess
what subnets existed on the network.

Reconnaissance attacks can be active or passive. Tools that could be used
for active reconnaissance are:

1. Application Mapper (AMAP): uses the results from Nmap to mine for more
information about the application behind each port.
2. Nessus: a vulnerability scanner.
3. Scanrand: a fast, stateless network scanner.
4. Paratrace: a TCP traceroute that rides on an existing connection, using
selected TTL values to map the path.

Intruders are increasingly making use of compromised hosts to launch
reconnaissance against target networks.

Nmap

Nmap was written by Gordon Lyon, known by the handle Fyodor. The tool is
available for Windows and Linux as a GUI (Zenmap) and a command-line
program. It is the most widely used port scanner. It can perform many
types of scans and OS identification, and also allows the user to control
the speed of the scan.

Network Mapper (Nmap) is a network scanning and host detection tool that
is very useful during several steps of penetration testing. It is an
open-source port and security scanner. The primary function of Nmap is the
discovery and mapping of hosts on a network.

Almost every Linux distribution packages it; on Windows you download the
Nmap installer together with the WinPcap packet-capture driver (Npcap on
current releases).

Nmap can perform ping sweeps. Port scanning tools depend on the rules of
communication between two machines for the TCP and UDP services. The state
of a TCP connection is represented by flags in the TCP header. The classic
TCP header defines six flags (URG, ACK, PSH, RST, SYN, FIN); later RFCs
added ECE, CWR and NS for congestion control. To connect to a TCP port, the
client sends a packet with the SYN flag set, which indicates that the
client wishes to communicate with the service on that port.

Nmap is able to detect the type of a victim's operating system using TCP
fingerprinting. TCP fingerprinting uses advanced analysis of the TCP stack
implementation. A TCP packet is crafted by switching certain flags on or
off and is sent to the remote machine.

The remote operating system, based on its TCP stack implementation, sends
a response with some specific flags turned on or off. From the TCP
responses collected for each crafted packet, Nmap makes an intelligent
guess of the operating system from its database of TCP stack signatures.

Standard TCP communications are controlled by flags in the TCP packet
header. Following is the list of TCP connection flags:

a. Urgent (URG): the urgent pointer field is valid if this bit is set to 1.
b. Acknowledgement (ACK): set to 1 to indicate that the acknowledgement
number is valid.
c. Push (PSH): the receiver should pass this data to the application as
soon as possible.
d. Reset (RST): used to reset the connection. It is also used to reject an
invalid segment.
e. Synchronize (SYN): synchronize sequence numbers to initiate a
connection. The connection request has SYN = 1 and ACK = 0 to indicate
that the piggybacked acknowledgement field is not in use.
f. Finish (FIN): used to release a connection. It specifies that the sender
has finished sending data.

The port number, along with the source and destination IP addresses in the
IP header, uniquely identifies each connection. The combination of an IP
address and a port number is sometimes called a socket. When a new
connection is being established, the SYN flag is turned on. The sequence
number of the first byte of data sent by this host will be the ISN plus
one, because the SYN flag itself consumes a sequence number.

The three-way handshake involves the exchange of three messages between
the client and the server: client SYN, server SYN-ACK and client ACK.

[Figure: three-way handshake for TCP]

The client initiates a connection to the server via a packet with only the
SYN flag set. The server replies with a packet with both the SYN and the
ACK flags set. For the final step, the client responds to the server with
a single ACK packet. If these three steps are completed without
complication, a TCP connection has been established between the client and
server.

In a SYN scan the client sends a single SYN packet to the server on the
appropriate port. If the port is open, the server responds with a SYN/ACK
packet; if the server responds with an RST packet, the remote port is
closed. On receiving a SYN/ACK the scanner sends an RST to tear down the
initiation before a connection is ever fully established, which is why
this scan is also known as a "half-open" scan. The application on the
port never sees the connection, so it is not logged at the application
layer, though a firewall or IDS can still see the SYN.

Command Line Syntax

$ nmap [ <Scan Type> ...] [ <Options>] {<target specification>}

Target specification can be hostnames, IP address etc.

The output of Nmap is a list of scanned targets, with additional


information on each depending on the options used. Port table is the main
information of Nmap. Table list the port number and protocol, service name
and state. The state is either open, filtered, closed, or unfiltered.

1. Open state means that an application on the target machine is listening for
connections/packets on that port.
2. Filtered means that a firewall, filter, or other network obstacle is blocking
the port so that Nmap cannot tell whether it is open or closed.
3. Closed means ports have no application listening on them, though they could
open up at any time.
4. Ports are classified as unfiltered. When they are responsive to Nmap's
probes, but Nmap cannot determine whether they are open or closed.

Open port: A service process is listening at the port. The OS receives
packets arriving at this port and passes the messages to the service process.
If the OS receives a SYN at an open port, this is the first packet of the
three-way handshake and it answers with SYN/ACK.

Closed port: No process is listening at the port. If the OS receives a SYN
at a closed port, an RST is sent.

Filtered port: A packet filter (firewall or ACL) in front of the port drops
the probe, so neither a SYN/ACK nor an RST ever comes back.
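As an added example (not from the original notes), the following Python script classifies ports as open, closed or filtered exactly as described above, using a full connect() scan (Nmap's -sT) so it needs no raw sockets or root. The listening socket and the "closed" port are constructed on 127.0.0.1 for the demo; the filtered case is only reached when a real filter drops the SYN.

```python
import errno
import socket
import threading


def scan_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scan (Nmap -sT) does.

    A completed connect() means the full SYN -> SYN/ACK -> ACK handshake
    happened, so the target service sees a real connection; a SYN (half-open)
    scan would send RST after the SYN/ACK instead, but needs raw sockets.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"           # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"         # our SYN was answered with RST
        except socket.timeout:
            return "filtered"       # no SYN/ACK and no RST: a filter dropped the SYN
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"   # ICMP unreachable is also treated as filtered
            raise


def vertical_scan(host, ports, timeout=1.0):
    """Vertical scan: several ports on one host. Returns {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: an accepting socket on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))             # port 0: let the OS pick an unused port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:         # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


def find_closed_port(host="127.0.0.1"):
    """Find a port nobody listens on by binding it and releasing it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed port on localhost; returns their states."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_closed_port()
    states = vertical_scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return {"listening": states[open_port], "unused": states[closed_port]}


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label} port reported as {state}")
```

Because connect() completes the handshake, the scanned service logs a connection; that is the trade-off against the SYN scan, which the text calls half-open precisely because it sends RST before the third packet.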


Nmap Options:

Sr. No.   Option            Remarks
1.        -sS               TCP SYN scan (half-open; the default when run as root)
2.        -sF, -sX, -sN     Stealth FIN, Xmas Tree, or Null scan modes
3.        -sP               Ping scanning (host discovery only; -sn in current Nmap)
4.        -sW               Window scan
5.        -sA               ACK scan (maps firewall rules; ports come back unfiltered or filtered)
6.        -sL               List scan (lists and resolves targets, sends no probes)
7.        -P0               Do not try to ping hosts at all before scanning them (-Pn in current Nmap)
8.        -sT               TCP connect scan (full handshake; works without root)
9.        -sU               UDP scanning: sends a UDP packet to target ports to determine if a UDP service is listening
10.       -b                FTP bounce scan: bounces a TCP scan off an FTP server, hiding the originator of the scan
11.       -sR               RPC scanning: scans RPC services using all discovered open TCP/UDP ports on the target to send RPC NULL commands
Nmap timing options (-T <template>; current Nmap also accepts -T0 to -T5):

Sr. No.   Template           Remarks
1.        Paranoid (-T0)     Send one packet every 5 minutes
2.        Sneaky (-T1)       Send one packet every 15 seconds
3.        Polite (-T2)       Send one packet every 0.4 seconds
4.        Normal (-T3)       Send packets as fast as possible without missing target ports (the default)
5.        Aggressive (-T4)   Wait no more than 1.25 seconds for any response
6.        Insane (-T5)       Wait no more than 0.3 seconds for any response

Nmap can be used for the following compliance testing:

1. Testing for open ports on the interfaces of a firewall.
2. Performing scans across workstation IP address ranges to determine if
any unauthorized networking applications are installed.
3. Determining if the correct version of web server software is installed in
the De-Militarized Zone (DMZ).
4. Locating systems with open file sharing ports.
5. Locating unauthorized FTP servers, printers or operating systems.

Nmap with help:

C:\nmap>nmap -h

Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>

Some Common Scan Types ('*' options require root privileges)

* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service and app names/versions
  -sR/-I RPC/Identd scan (use with other scan types)

Some Common Options (none are required, most can be combined):

* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -D decoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
  --win_help Windows-specific features
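Added example, not part of the original notes: a parser for Nmap's grepable (-oG) output that rebuilds the port table described earlier and answers two of the compliance questions listed above (unauthorized FTP servers, open file-sharing ports). The SAMPLE_GREPABLE text is constructed for the demo and is not a real scan.

```python
import re

# Constructed sample of Nmap's grepable (-oG) output; not a real scan.
# Each "Ports:" entry is port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG - 192.168.56.0/24\n"
    "Host: 192.168.56.10 (web01.lab)\tStatus: Up\n"
    "Host: 192.168.56.10 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, "
    "3306/closed/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.168.56.11 ()\tStatus: Up\n"
    "Host: 192.168.56.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "# Nmap done: 256 IP addresses (2 hosts up)\n"
)

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_grepable(text):
    """Turn -oG output into {ip: {"hostname": str, "ports": [port dicts]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines start with '#'
        fields = line.split("\t")         # Host / Ports / Ignored State are tab separated
        ip, name = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                item = item.strip()
                if not item:
                    continue
                port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                entry["ports"].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service, "version": version,
                })
    return hosts


def find_service(hosts, services):
    """Compliance check: which hosts expose one of the named services on an
    open port (e.g. unauthorized FTP servers or file sharing)."""
    hits = []
    for ip, entry in sorted(hosts.items()):
        for p in entry["ports"]:
            if p["state"] == "open" and p["service"] in services:
                hits.append((ip, p["port"], p["service"]))
    return hits


def state_summary(hosts):
    """Count ports per state across all hosts, like Nmap's closing summary."""
    counts = {}
    for entry in hosts.values():
        for p in entry["ports"]:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print(state_summary(scan))
    print(find_service(scan, {"ftp", "microsoft-ds"}))
```

Feed it `nmap -sV -oG - <targets>` output piped from a real scan; the version field is only populated when -sV was used, which is why the file-sharing check keys on the service name rather than on the version string.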


Nmap is considered a required tool for all ethical hackers.

THC-Amap

Amap is a tool for determining what application is listening on a given port.
THC stands for The Hacker's Choice, the group that wrote it.

Most port scanners assume that if a particular port is open, the default
application for that port must be the one present. Amap instead sends
protocol-specific triggers to the port and matches the responses against a
signature list, so it finds out what is really running there, even when a
service has been moved to a non-standard port.

You can download it from http://thc.segfault.net/thc-amap/

THC-Amap runs in the following modes:

Sr. No.   Mode   Remarks
1.        -A     Map applications: identifies the service associated with the port (default).
2.        -B     Banner grab only: does not perform identification.
3.        -P     Conducts a plain (full connect) port scan.

Scanning Networks

Scanning is the next essential step after footprinting. It refers to the
package of techniques and procedures used to identify hosts, ports, and the
services running within a network; in other words, the process of locating
systems that are alive and responding on the network.

The types of scanning are port scanning, network scanning and vulnerability
scanning.
Vulnerability Scanning

A vulnerability is a weakness in a security system. For example, a system may
be vulnerable to unauthorized data manipulation because it does not verify a
user's identity before allowing data access. Bugs in a system that enable
users to violate the site security policy are vulnerabilities.

Vulnerability: A design flaw, defect, or mis-configuration which can be
exploited by an attacker.

A vulnerability scanner scans a specified set of ports on a remote host and
tries to test the service offered at each port for its known vulnerabilities.

A threat is a set of circumstances that has the potential to cause loss or
harm.

Hardware is more visible than software, largely because it is composed of
physical objects, so its weaknesses are easier to see.

Software is vulnerable to modification that either causes it to fail or causes
it to perform an unintended task. Data is especially vulnerable to
modification.

A vulnerability scanner is a software application that assesses security
vulnerabilities in networks or host systems and produces a set of scan results.
Because administrators and attackers can use the same tool, one for fixing and
the other for exploiting a system, administrators need to scan and fix problems
before an attacker runs the same scan and exploits whatever it finds.

Vulnerability remediation is the process of fixing vulnerabilities. There are
different types of vulnerability scanners that operate at different levels of
invasiveness. Some simple scanners just check the Windows Registry and software
version information to determine whether the latest patches and updates have
been applied.

Scanners use predefined tests to identify vulnerabilities. A poorly written
test produces a false positive: the scanner reports the host as vulnerable
although the vulnerability is not actually present (the reverse, a false
negative, is the more dangerous failure, because the scanner stays silent
about a real flaw).

A vulnerability scanner is made up of four main modules: a scan engine, a scan
database, a report module and a user interface.

Vulnerability scanners can be divided broadly into two groups: network-based
and host-based scanners.

A network-based scanner is usually installed on a single machine that scans a
number of other hosts on the network. It helps detect critical vulnerabilities
such as mis-configured firewalls, vulnerable web servers, risks associated with
vendor-supplied software, and risks associated with network and systems
administration.

A host-based scanner is installed on the host to be scanned, and has direct
access to low-level data, such as specific services and configuration details
of the host's operating system. A database scanner is an example of a
host-based vulnerability scanner.

Working of Vulnerability Scanning

Steps for scanning:

1. Checking if the remote host is alive


2. Detect firewall if any
3. TCP / UDP port scanning
4. Detection of operating system
5. TCP / UDP service discovery
6. Vulnerability assessment based on the services detected

Limitations of Vulnerability Scanners

1. Generate overwhelming amount of data


2. No indication of how vulnerabilities can be combined
3. Vulnerability scanners can only report vulnerabilities according to the
plug-ins installed in the scan database.

The key difference between vulnerability assessment and penetration testing
is that a vulnerability assessment stops at identifying weaknesses, whereas a
penetration test goes on to actually exploit them.
Port Scanning

Services do not always run on their default ports, and an open port is not in
itself a vulnerability. Port scanning is the process of identifying open and
available TCP/IP ports on a system.

The main goal of port scanning is to find out which ports are open, which are
closed, and which are filtered. When we say a port is filtered, we mean that
packets sent to that port are subject to the filtering rules of a firewall,
which drops them silently.

In TCP and UDP networks, a port is an endpoint of a logical connection and
the way a client program specifies a particular server program on a computer
in a network. Some ports have numbers that are pre-assigned to them by the
IANA, and these are called the "well-known ports".

A port number is a 16-bit unsigned integer that ranges from 0 to 65535.

A specific network port is identified by its port number, the IP address the
port is associated with, and the transport protocol (TCP or UDP) used for the
communication; TCP port 53 and UDP port 53 are different ports.

The standard port number ranges are listed below:

1. Port numbers 0 to 1023 are known as Well Known Ports.
2. Port numbers 1024 to 49151 are Registered Ports.
3. Port numbers 49152 to 65535 are Dynamic and/or Private Ports.

Port Number   Protocol Name              Port Number   Protocol Name
21            FTP                        110           POP3
22            SSH                        123           NTP
23            Telnet                     135           MS-RPC endpoint mapper
25            SMTP (mail)                143           IMAP4
53            DNS                        161           SNMP
67            DHCP (server)              179           BGP
80            HTTP                       443           HTTPS (HTTP over TLS/SSL)

Port scanning may involve all 65,535 ports or only the ports that are
well known to carry services vulnerable to security-related exploits.

Open port: A service process is listening at the port. The operating system
receives packets arriving at this port and gives the messages to the service
process. If the operating system receives a SYN at an open port, this is the
first packet of the three-way handshake.

Closed port: No process is listening at the port. If the OS receives a SYN at
a closed port, an RST is sent.

Filtered port: A packet filter in front of the port drops the probe, so the
scanner gets no answer at all.

A port scanner is used to identify the services running on a server. It can
use raw IP packets to find out which ports are open on a server, which
operating system is running, or whether the server has a firewall enabled.

A port scanner is an essential security tool for finding open ports
corresponding to the TCP or UDP services running on a target device. Scanners
typically offer several scanning patterns (TCP connect, SYN, UDP, and so on)
for TCP or UDP ports.

A port scanning technique consists of sending a message to a port and
listening for an answer. The received response indicates the port status and
can be helpful in determining a host's operating system and other information
relevant to launching a future attack.

A vertical scan is a port scan that targets several destination ports on a
single host. A horizontal scan is a port scan that targets the same port on
several hosts.
Network Scanning

Network scanning refers to the process of obtaining additional information
and performing a more detailed reconnaissance based on the information
collected in the footprinting phase.

In this phase, a number of different procedures are used with the objective of
identifying hosts, ports, and services in the target network. The purpose is
to identify weaknesses in the exposed services and communication channels and
then create an attack plan.

Enumeration

Enumeration is the process of extracting user names, machine names,
network resources, shares, and services from a system. Enumeration techniques
are conducted from inside the network (an intranet environment) once an
initial foothold exists. During enumeration, information is systematically
collected and individual systems are identified.

Examples:

1. NetBIOS name enumeration with NBTscan.
2. Establishing null sessions and connections. Null session tools such as
DumpSec, Winfo and Sid2User can be used to perform this attack.

Enumeration can be used to gain information on:

a) Network shares
b) SNMP data, if it is not secured properly
c) IP routing tables
d) Usernames of different systems
e) Password policies

Enumeration depends on the services that the systems offer: DNS enumeration,
NTP enumeration, SNMP enumeration, Linux/Windows enumeration and Server
Message Block (SMB) enumeration.
NetBIOS Null Sessions

The null session is often referred to as the Holy Grail of Windows hacking.
Null sessions take advantage of flaws in the Common Internet File System/Server
Message Block (CIFS/SMB) implementation.

A user can establish a null session with a Windows (NT/2000/XP) host by
connecting to the IPC$ share with an empty user name and password. Using such
a null connection, you can gather the following information from the host:

a) List of users and groups

b) List of machines

c) List of shares

d) Users and host SIDs (Security Identifiers)

Techniques for Enumeration

a. Extracting user names using email ID's

b. Extract information using the default password

c. Brute force active directory

d. Extract user names using SNMP

e. Extract user groups from Windows

f. Extract information using DNS zone transfer

g. SNMP enumeration

Server Message Block Enumeration: SMB is mainly used for providing shared
access to files, printers and miscellaneous communications between nodes on a
network. It also provides an authenticated inter-process communication
mechanism, and enumerating it reveals shares, users and groups.

DNS Enumeration: DNS enumeration retrieves information regarding all the
DNS servers and their corresponding records related to an organization. DNS
enumeration (for example via a zone transfer) can yield usernames, computer
names, and IP addresses of potential target systems.

SNMP Enumeration: SNMP is an application-layer protocol that runs over UDP
(port 161) and is used to maintain and manage routers, hubs, switches and
other network devices. It uses a manager/agent architecture: an SNMP agent is
located on every managed device and communicates with the SNMP management
station via requests and responses. The values carried in requests and
responses are management variables (MIB objects) maintained by the agent.
SNMP versions 1 and 2c authenticate with two community strings, a read
community for querying the variables and a read/write community for changing
them; these strings travel in clear text and default to "public" and "private"
on many devices.

Default SNMP community strings allow attackers to view or modify the SNMP
configuration settings. Attackers can enumerate SNMP on remote network devices
for the following:

a. Information about network resources such as routers, shares, devices, etc.
b. ARP and routing tables
c. Device-specific information
d. Traffic statistics etc.

NetBIOS Enumeration and Null Session: A NetBIOS null session occurs when you
connect to a remote system without a user name and password. It is found on
systems that expose CIFS/SMB, depending on the operating system. Once an
attacker is in with a null session, he or she can explore information about
groups, shares, permissions and policies, and on old systems even password
hashes.

A null session attack uses the way SMB establishes trust between devices on
the network: the IPC$ share can be connected to anonymously so that a client
can look up names before authenticating.

To check whether a system accepts a null session, connect to the IPC$ share
with an empty user name and password:

C:\>net use \\IP_Address\IPC$ "" /u:""

For example:

C:\>net use \\192.168.56.1\IPC$ "" /u:""

Here "" /u:"" means connect with an empty password and an empty user name.
If the command succeeds, explore further, for example by listing the shares
the host advertises:

C:\>net view \\192.168.56.1

Windows XP SP2 and later restrict what an anonymous session may enumerate
(the RestrictAnonymous settings), so these commands succeed mainly on older
or misconfigured hosts.

The Steps Involved in Performing Enumeration:

The following steps are an example of those a hacker might perform in
preparation for hacking a target system:

1. Extract usernames using enumeration.

2. Gather information about the host using null sessions.

3. Perform Windows enumeration using the Superscan tool.

4. Acquire the user accounts using the tool GetAcct.

5. Perform SNMP port scanning

System Hacking

Password Cracking

When you log in to a computer and enter a password, the computer checks that
the password belongs to you and then grants access. The password is a secret
known only to the user and the server. But it would be quite dangerous to
store the passwords in clear text in a file on the computer.

If an internal attacker obtains access to that file, all passwords stored on
that computer are compromised at once.

Password cracking is one of the oldest hacking arts. Every system must store
passwords somewhere in order to authenticate users. To protect them from being
stolen, they are stored as one-way hashes rather than in the clear. Password
cracking is the art of recovering passwords from those hashes: the hash cannot
be reversed, so the cracker guesses candidate passwords, hashes each one and
compares the result with the stored value.

A password cracking program, if used ethically, can be used by the system
administrator to detect weak passwords on the system so they can be changed.
A password cracking program is most likely used to check the security of your
own system.

Crack is a password cracking utility that runs through combinations of
passwords until it finds one that matches. It also scans the contents of a
password file looking for weak login passwords.

Passwords are not stored in clear text format. As a rule, passwords are stored
as hashes. A hash is a one-way function whose output is fixed for a given
input but cannot be turned back into that input. In the Windows operating
system, passwords on the local system are stored in the SAM file, while Linux
stores them in the /etc/shadow file.

Reasons behind password cracking:

1. To gain unauthorized access to a computer/server.
2. To recover a password that has been forgotten.
3. To check the security of your own system.
4. To commit a crime under someone else's identity.

Manual password cracking is straightforward but slow. An attacker uses the
following method:

1. Select the administrator account or the guest account.
2. Make a list of possible passwords. Date of birth, pet name, company
name, or a particular event in that person's life are typical candidates.
3. Order the password list from higher to lower priority.
4. Try the passwords one by one until the correct one is found.

Passwords are stored in the database in hashed form, so manual cracking is a
time-consuming process. Hashing the stored password is what preserves its
confidentiality.

UNIX operating systems store the hashed value of passwords instead of the
actual passwords. When a user inputs a password, the system simply takes the
hash of the input and compares it to the stored hash value. Historically the
hashes lived in the world-readable /etc/passwd; modern Unix-based systems keep
them in /etc/shadow, which only root can read, and leave a placeholder in
/etc/passwd.

The password file for Windows, known as the Security Accounts Manager (SAM)
file, is located at C:\Windows\system32\config\SAM.

Online services typically store passwords for their systems in a
non-standardized way, and these systems are not always designed by engineers
with backgrounds in privacy or security.

The default Android pattern lock requires the user to draw a pattern that
connects at least four dots in any order.

Password Cracker Tools

Dictionary Attack is the simplest and fastest password cracking attack. It
just runs through a dictionary of words, trying each one to see if it works.

Rainbow Table: Most modern systems store passwords as hashes. The naive way
to crack a hash is to take a dictionary file, hash each word and compare it to
the stored hash. A rainbow table does that work in advance: it is a
precomputed table of hash chains covering a whole keyspace, so a captured hash
can be looked up in seconds instead of being recomputed. Rainbow tables only
work against unsalted hashes such as LM and NTLM; a per-user salt makes the
precomputation useless.

Brute Force: Brute force password cracking attempts all possible combinations
of letters, numbers and special characters that might make up a password and
tries each of them. It is the most time-consuming approach to password
cracking.

Hybrid: A hybrid password attack uses a combination of dictionary words with
special characters, numbers, etc. Often these hybrid attacks take dictionary
words, append and prepend numbers, and replace letters with numbers and
special characters.
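Added example (not part of the original notes) showing the three guessing strategies, dictionary, hybrid and brute force, against a salted SHA-256 hash that stands in for a real system hash. The wordlist, the mangling rules and the target passwords are all constructed for the demo.

```python
import hashlib
import itertools
import string

# Constructed mini wordlist; a real run would load rockyou.txt or similar.
WORDLIST = ["123456", "password", "letmein", "welcome", "dragon", "summer"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_password(password, salt):
    """Stand-in for the system's hash (crypt, NTLM, ...): salted SHA-256."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def check(candidate, salt, target):
    """The core of every cracker: hash the guess, compare with the stored hash."""
    return hash_password(candidate, salt) == target


def dictionary_attack(salt, target, words=WORDLIST):
    """Try each dictionary word as-is."""
    return next((w for w in words if check(w, salt, target)), None)


def hybrid_candidates(word):
    """Mangle one dictionary word the way wordlist rules do: case changes,
    leet substitutions, appended digits, years and symbols."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    for base in dict.fromkeys(bases):            # keep order, drop duplicates
        yield base
        for n in range(100):
            yield f"{base}{n}"
            yield f"{base}{n:02d}"
        for year in range(1990, 2030):
            yield f"{base}{year}"
        for sym in "!@#$":
            yield base + sym
            yield base + sym + "1"


def hybrid_attack(salt, target, words=WORDLIST):
    for word in words:
        for candidate in hybrid_candidates(word):
            if check(candidate, salt, target):
                return candidate
    return None


def keyspace_size(charset_size, max_len):
    """Number of candidates brute force must cover for lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force(salt, target, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search, shortest passwords first; cost grows as charset**length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if check(candidate, salt, target):
                return candidate
    return None


def demo():
    """Three constructed targets, one per attack; returns what each recovered."""
    salt = "x9"
    targets = {
        "dictionary": (dictionary_attack, hash_password("letmein", salt)),
        "hybrid": (hybrid_attack, hash_password("Summer2021", salt)),
        "brute force": (brute_force, hash_password("ab7", salt)),
    }
    return {name: attack(salt, h) for name, (attack, h) in targets.items()}


if __name__ == "__main__":
    print(demo())
    print("brute-force keyspace for 8 chars of 95 symbols:", keyspace_size(95, 8))
```

The same three loops are what John the Ripper's wordlist, wordlist-with-rules and incremental modes run, only against real hash formats and with far larger rule sets; the salt in hash_password is what stops a rainbow table from replacing the loops with a lookup.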

JOHN THE RIPPER: John the Ripper is a fast password cracker, currently
available for many flavors of UNIX, Windows and OpenVMS. Its primary purpose
is to detect weak UNIX passwords. It can use specialized wordlists or password
rules based on character type and placement.

L0phtCrack: Windows passwords are cracked using L0phtCrack. L0phtCrack
obtains password hashes from the operating system, and then begins hashing
possible password values. The password is discovered when there is a match
between a target hash and a computed hash. L0phtCrack must first obtain
password hashes from the target system, and then uses various cracking methods
to retrieve the passwords.

Aircrack-ng: Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program
that can recover keys once enough data packets have been captured. It
implements the standard FMS attack along with some optimizations like the
KoreK attacks, as well as the PTW attack, making it much faster than other WEP
cracking tools.

THC-Hydra: When you need to brute force a remote authentication service,
Hydra is often the tool of choice. It can perform rapid dictionary attacks
against dozens of protocols, including Telnet, FTP, HTTP, SMB etc.

Cain and Abel: Written strictly for Wind

ows, it can crack numerous hash types,
including NTLM, MD5, wireless, Oracle, MySQL, SQL Server etc. It can crack
passwords using a dictionary attack, rainbow tables, and brute force; for a
brute force attack you select the password length and character set.

Brutus: A Windows tool for online password cracking that many consider the
fastest of its kind. It is free and supports password cracking against HTTP
(basic and form authentication), FTP, POP3, Telnet and other services.

Password Cracking Attacks

Password attacks, such as password guessing or password cracking, are
time-consuming attacks. Tools that make use of pre-computed hashes greatly
reduce the time needed to obtain passwords.

Password cracking attacks are classified as follows:

1. Online attacks
2. Offline attacks

Online Password Attacks

An online attack is also known as password guessing. It is the process of
attempting to find passwords by trying to log in. Online attacks are of two
types: passive and active.

In a passive online attack the attacker does not interact with the
authenticating party to steal the password, so the attack is not detectable by
the end user. Types of passive online attacks include wire sniffing,
man-in-the-middle attacks and replay attacks.

An active online attack is password guessing proper: the attacker tries a
number of passwords one by one against the victim's login to find the user's
password.

Online password attacks are relatively slow, and account lockout and rate
limiting can stop them.

Offline Password Attacks

An offline password attack is also known as password cracking. Its main
advantage is speed.

An offline attack requires a copy of the password hashes, obtained for
example by physical access to the system, by dumping the password database
with administrative rights, or by sniffing a challenge-response exchange.

The attacker then cracks the password by hashing each guess (or computing the
challenge-response for it) and comparing the result with the hash or response
that was captured.

If a match is found, the attempt to crack the hash is considered successful.

Offline attacks cannot be prevented by login policies such as account lockout,
because no login attempt is ever made against the system; only the strength of
the hash and of the password limits them.

Offline attacks are in general much faster than online attacks.

Offline attacks include dictionary attacks, hybrid attacks, brute force
attacks, pre-computed hash attacks, syllable attacks, rule-based attacks and
rainbow table attacks.

LAN Manager Hash

Windows does not store your actual password with your account; when you
select a new password, Windows computes a hash of the password and stores that
with your account in the local SAM or in Active Directory, depending on the
type of account. In fact, by default, older Windows versions compute two
hashes: one is called the NT or Unicode hash (MD4 over the UTF-16LE password)
and the other is called the LANMAN (LAN Manager) hash.

The LAN Manager hash is the password hashing mechanism Microsoft used before
the NT hash and kept for backward compatibility through Windows 2000 and XP;
current Windows versions no longer store it by default. The LANMAN hash was
advertised as a one-way hash that would allow end users to enter their
credentials at a workstation, which would in turn transform those credentials
via the LANMAN hash.

A LANMAN password can't exceed 14 characters. The password is converted to
upper case, padded with null bytes to exactly 14 characters, and split into
two independent 7-character halves; each half is used as a DES key to encrypt
the constant string "KGS!@#$%", and the two 8-byte results are concatenated
into the 16-byte hash. Because the halves are hashed independently, an
attacker cracks two 7-character passwords rather than one 14-character
password, and case information is lost entirely.

For example, the hash for the password "QBMzftvX" is computed from two
parts, QBMZFTV and X (padded with six null bytes). Note that all of the
cleartext characters of these LM hashes are uppercased.

C88062822433f468 bcbb464a6f1414b9

Characters 1 to 7 cleartext: QBMZFTV     Characters 8 to 14 cleartext: X

If a password is 7 characters or shorter, the second half is the hash of
seven null bytes, the well-known constant AAD3B435B51404EE, which tells an
attacker at a glance that the password is short.
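Added example (not from the original notes) of the LM preprocessing described above, carried as far as the two DES keys. The final DES step needs a DES library and is left out, so the code shows the structure that makes the scheme weak rather than the hash itself; using cp437 as the OEM code page is an assumption.

```python
from math import log2

LM_MAGIC = b"KGS!@#$%"                 # constant each half encrypts with DES
EMPTY_HALF_HASH = "aad3b435b51404ee"   # DES(key from seven zero bytes, LM_MAGIC)


def lm_halves(password):
    """Uppercase, encode as OEM bytes, cut/pad to 14 bytes, split into 7+7."""
    data = password.upper().encode("cp437", errors="replace")[:14]
    data = data.ljust(14, b"\x00")
    return data[:7], data[7:]


def des_key_from_7_bytes(k7):
    """Spread 56 key bits over 8 bytes, 7 bits each plus an odd-parity bit."""
    bits = int.from_bytes(k7, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:   # make the byte odd parity
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password):
    """The two independent DES keys an attacker recovers separately."""
    return tuple(des_key_from_7_bytes(half) for half in lm_halves(password))


def second_half_is_empty(password):
    """A password of 7 characters or fewer leaves the second half all zero,
    so its hash is the telltale constant EMPTY_HALF_HASH."""
    return lm_halves(password)[1] == b"\x00" * 7


def keyspace_bits(lm_charset=69, full_charset=95):
    """Work to crack LM (two independent 7-char halves, uppercase only)
    versus a case-sensitive 14-character password, in bits.
    69 = 26 letters + 10 digits + 33 printable symbols after upcasing."""
    lm = log2(2 * lm_charset ** 7)        # crack each half, add the costs
    full = log2(full_charset ** 14)
    return round(lm, 1), round(full, 1)


if __name__ == "__main__":
    print(lm_halves("QBMzftvX"))
    print([k.hex() for k in lm_des_keys("QBMzftvX")])
    print(keyspace_bits())
```

With the keys in hand, each half's hash is DES-ECB of LM_MAGIC under that key; the point of the example is that the attacker's work is about 2^44 rather than the roughly 2^92 a 14-character case-sensitive password would cost.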

Cracking Windows 2000 Passwords

The Security Account Manager (SAM) file in Windows contains the usernames and
hashed passwords. It is located in the Windows\system32\config directory. The
file is locked while the operating system is running, so a hacker can't copy
it while the machine is booted into Windows.

The same data is also exposed through the registry hive
HKEY_LOCAL_MACHINE\SAM, which cannot be read by ordinary users at run time.
Finally, backup copies can often be found in Windows\Repair on older systems.

The SAM file is further encrypted with the SysKey (Windows 2000 and above),
which is stored in the %SystemRoot%\system32\config\system hive.

During boot, Windows decrypts the hashes from the SAM file using the SysKey
and loads them into the registry, from where they are used for
authentication. Both the system and SAM hives are unavailable to standard
programs during Windows' runtime; attackers get at them by booting another
operating system or by dumping them with administrative rights.

Password Cracking and Brute-Force Tools

A brute-force attack is a method of breaking a cipher by trying every
possible key. The feasibility of a brute-force attack depends on the key
length of the cipher and on the amount of computational power available to
the attacker.

Brute-force attacks are often used for attacking authentication and for
discovering hidden content/pages within a web application. These attacks are
usually sent via GET and POST requests to the server.

In a brute-force attack we specify a character set and a password length
range.

Hackers launch brute-force attacks using widely available tools that utilize
wordlists and smart rulesets to intelligently and automatically guess user
passwords. Such attacks are easy to detect, but not so easy to prevent.

A brute-force attack is an automated process of trial and error used to guess
a person's user name, password, credit-card number or cryptographic key.
Insufficient authentication occurs when a web site permits an attacker to
access sensitive content or functionality without having to properly
authenticate. Weak password recovery validation is when a web site permits an
attacker to illegally obtain, change or recover another user's password.

A password is the front-line protection against unauthorized access to a
system. A password authenticates the identifier (ID) and provides security to
the system. Therefore, almost all systems are password protected.

A linearization attack is a shortcut that does not need brute force at all: it
targets a password check that compares the guess character by character and
stops at the first mismatch. The time (or work) the check takes then reveals
how many leading characters were right, so the attacker recovers the password
one position at a time, in a number of attempts proportional to the length
times the alphabet size rather than the alphabet size raised to the length.
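Added example (not part of the original notes) of a linearization attack against a constructed early-exit password check, with a constant-time version beside it. Work is counted instead of timed so the result is deterministic; a real attacker measures response time over many samples.

```python
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits


class VulnerableChecker:
    """Early-exit comparison: the number of characters examined (and so the
    time taken) leaks how long a prefix of the guess is correct."""

    def __init__(self, secret):
        self._secret = secret
        self.work = 0               # stands in for elapsed time

    def check(self, guess):
        if len(guess) != len(self._secret):
            return False
        for a, b in zip(guess, self._secret):
            self.work += 1
            if a != b:
                return False        # stops at the first wrong character
        return True


class HardenedChecker(VulnerableChecker):
    """Constant-time comparison: work does not depend on where guess and
    secret first differ, so nothing is leaked."""

    def check(self, guess):
        self.work += max(len(guess), len(self._secret))
        return hmac.compare_digest(guess.encode(), self._secret.encode())


def linearization_attack(checker, length, alphabet=ALPHABET):
    """Recover the secret one position at a time: at each position the
    candidate that makes the checker do the most work is the right one.
    Returns (recovered_guess, number_of_attempts)."""
    known, attempts = "", 0
    for _ in range(length):
        best_char, best_work = None, -1
        for ch in alphabet:
            guess = (known + ch).ljust(length, alphabet[0])
            before = checker.work
            attempts += 1
            if checker.check(guess):
                return guess, attempts      # full match found early
            spent = checker.work - before
            if spent > best_work:
                best_char, best_work = ch, spent
        known += best_char
    return known, attempts


if __name__ == "__main__":
    secret = "h4x0r"
    print(linearization_attack(VulnerableChecker(secret), len(secret)))
    print(linearization_attack(HardenedChecker(secret), len(secret)))
    print("brute force would need up to", len(ALPHABET) ** len(secret), "attempts")
```

Against the hardened checker every candidate costs the same, so the attack has nothing to rank by and simply returns the first letter of the alphabet at every position; that is the behaviour a constant-time comparison such as hmac.compare_digest is meant to produce.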

John the Ripper

John the Ripper is a fast password cracker, currently available for many
flavors of UNIX, Windows and OpenVMS. Its primary purpose is to detect weak
UNIX passwords. It can use specialized wordlists or password rules based on
character type and placement.

John the Ripper is a command line tool. A dictionary attack uses a word
database and tries every entry in turn; John the Ripper has this capability.

John accepts several password file formats and auto-detects the hash type. It
cracks any hash in one of the formats listed by the "--test" benchmark option.

John the Ripper supports the following cracking modes:

1. wordlist, with or without rules;
2. "single crack", which makes use of the login information (user name, GECOS
field, home directory) as candidate passwords;
3. incremental, which tries all character combinations;
4. external, which allows you to define your own cracking mode.

John the Ripper comes with a small dictionary of typical passwords, located in
the file /usr/share/john/password.lst on most Linux packages.

John automatically selects the correct hash algorithm for the hashes and
begins cracking. All the cracked passwords are saved in the john.pot text
file, so a hash that was cracked once is never recomputed. The mode John uses
for brute force is called "incremental": in incremental mode John does not use
a word list but tries all possible passwords, shortest and most likely
character combinations first.

While cracking, you can press the Enter key for status, or Ctrl+C to abort the
session, saving restore-point information to a file. If you press Ctrl+C twice
John will abort immediately without saving.

Cracking Modes

Wordlist mode: The user must specify a wordlist and some password files.

Single crack mode: It tries the login information as passwords. This mode is
much faster than the wordlist mode, which allows using a lot of rules in a
reasonable time.

Incremental mode: This is the most powerful cracking mode; it can try all
possible character combinations as passwords.

External mode: You can define an external cracking mode for use with John.
This is done in the configuration file (~/john.ini in old releases, john.conf
in current ones) in sections called [List.External:<mode>], where <mode> is
any identifier that you assign to the mode. The section should contain some
functions that John will use to generate the words it tries. These functions
are coded in a subset of the C language and are compiled by John at startup.

John the Ripper configuration options (the [Options] section of john.ini):

Sr. No.   Option     Remark
1.        Wordfile   Set to your wordlist file name.
2.        Timeout    Set to the value in minutes.
3.        Beep       Set to something starting with 'Y' or 'N' to specify whether to beep when a password is found or not.

L0PHTCRACK

This tool is used to crack Windows NT/2000 passwords through an easy-to-use
GUI. It runs on MS Windows 9x, NT, and 2000 systems.

Windows stores passwords in the Security Accounts Manager (SAM), a binary file
that is difficult to read without special tools. Not only will L0phtCrack
guess passwords, it will extract LANMAN hashes from any SAM file, from the
local system, or from a remote system, and it will even sniff hashes as they
cross a network. The SAM file is stored in the \WINNT\system32\config\
directory.

L0phtCrack will extract passwords from the local or remote computers with the
Dump Passwords from Registry option.

The attacker must get a copy of the encrypted/hashed password representations
stored in the SAM database of the target machine. L0phtCrack includes the
"pwdump" tool for dumping Windows NT password representations from a local or
remote machine across the network; this requires administrator privileges on
the target machine.

(Figure: configuration options for L0phtCrack.)

Pwdump

Pwdump is able to extract NTLM and LanMan hashes from a Windows target,
regardless of whether Syskey is enabled. It is also capable of displaying
password histories if they are available. It outputs the data in
L0phtCrack-compatible form, and can write to an output file.

The original pwdump was written by Jeremy Allison in 1997.

It targets Windows 2000/XP computers and is used to dump the user names and
password hash tables of local or remote Windows 2000/XP machines. These hash
tables allow brute-force and dictionary password cracking in order to recover
the original passwords associated with the user names.

Log in as an administrator on the Windows machine and then run the following
command at the command prompt:

C:\> pwdump7 > c:\hash.txt

pwdump7 dumps the SAM hashes to the screen and the > character redirects the
output to a file called hash.txt.

Syntax:

pwdump [-h][-o][-u][-p] machineName

where

-h   Prints the usage message and exits
-o   Specifies a file to which to write the output
-u   Specifies the user name used to connect to the target
-p   Specifies the password used to connect to the target
-s   Specifies the share to be used on the target, rather than searching for one

Keyloggers and Spyware

A keylogger is a type of surveillance software that records every keystroke you make to a log file. It can capture instant messages, e-mail, and anything else you type at any time using your keyboard. The log file created by the keylogger can then be sent to a specified receiver.

A keylogger is a program that runs in the background, or a piece of hardware, recording all keystrokes. Once logged, the keystrokes are either hidden on the machine for later retrieval or shipped raw to the attacker.

Used for monitoring, a keylogger captures e-mail, web browsing, chats, or anything else that requires a keystroke, and stores the captured information as text and/or screen images. Used maliciously, keyloggers are malware that track the user's keystrokes, capture the characters pressed, and write them to a file. There are two types of keylogger: hardware keyloggers and software keyloggers.

Hardware Keyloggers

Hardware keyloggers are small electronic devices that capture the data passing between the keyboard and the computer's I/O port. They have built-in memory in which they store the keystrokes, and the person who installed the device must physically retrieve it to obtain the information.

Hardware keyloggers are not detected by anti-virus software or scanners.

Hardware keyloggers are of three types:

1. Inline devices that are attached to the keyboard cable
2. Devices which can be installed inside standard keyboards
3. Replacement keyboards that contain the keylogger already built in

List of hardware keyloggers:

1. Hardware KeyLogger Stand-alone Edition: A tiny hardware device that can be attached in between a keyboard and a computer.
2. Hardware KeyLogger Keyboard Edition: Looks and behaves exactly like a normal keyboard, but it keeps a record of all keystrokes typed on it.
3. KeyGhost Hardware Keylogger: A tiny hardware device that can be attached in between a keyboard and a computer.
4. KeyKatcher Keystroke Logger: A tiny hardware device that can be attached in between a keyboard and a computer.

Advantages:

1. Antivirus techniques cannot catch these
2. Work on all computing platforms

Disadvantage:

1. It can be spotted by a suspicious user, since the device is physically present and can be found by inspection

Software Keyloggers

Software keyloggers run on the target system, collect keystroke data within the target operating system, store it on disk or in a remote location, and send it to the attacker who installed the keylogger.

They are implemented either as ordinary applications or as kernel-based components. In almost all malicious instances of this type of keylogger, the user participated in some way in the software's installation.

Anti-malware, personal firewall, and host-based intrusion prevention (HIPS) solutions can detect and remove application keyloggers.

Software keylogger detection methods include:

1. Scan local drives for log.txt or other log file names associated with known keyloggers;
2. Implement solutions that detect unauthorized file transfers via FTP or other protocols;
3. Scan content sent via email or other authorized means looking for sensitive information;
4. Detect encrypted files transmitted to questionable destinations.

Because software keyloggers can be detected with software tools, users of keyloggers often prefer hardware solutions.

Advantages:

1. Are hard to detect
2. Can be deployed remotely via a software-vulnerability attack
3. Are fairly easy to write

Disadvantage:

1. A good antivirus product can sniff these out.

Even so, software keyloggers have far fewer drawbacks than hardware ones, so they are much more common than hardware keyloggers.
Examples of Windows Keyloggers

1. Badtrans: A keylogger worm that exploited vulnerabilities in Outlook Express and Internet Explorer. It collected keystrokes and sent them to various e-mail addresses.
2. Magic Lantern/Carnivore: The FBI's own software; Magic Lantern is a keystroke logger, and Carnivore was used to wiretap/log e-mail passing through ISPs.

Spyware

Spyware is software that is installed on a computer without the user's knowledge and that monitors user activity and transmits it to another computer. Many spyware programs monitor which web sites you visit and how long you stay there, generally for advertising or marketing purposes.

Spyware originated in the 1990s with programs that secretly observed and logged users' web-surfing habits. It can do more than steal your personal information: it also robs the PC of speed, stability and Internet access efficiency.

Adware: Software that gathers information about your web-surfing habits in order to target you with pop-up advertisements for products and services that might interest you. Adware is generally not malicious or illegal. Adware becomes spyware when it tracks browser activity and reports that activity back to some unknown recipient.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, spyware is designed to exploit infected computers for commercial gain. Spyware may have the same effects as viruses.

Prevention of Spyware

1. Do not install free software from untrusted Internet sites.
2. Do not click on e-mail attachments or links if you do not know the sender, or even if you know the sender but the content is unexpected.
3. Do not install unknown software.
4. Do not click on links or buttons in pop-up windows.
5. Do not install non-work-related software on your work computers.
6. Save your data and back it up often.

Buffer Overflow

The main cause of buffer overflow vulnerabilities is that many languages, such as C, do not check bounds when arrays are accessed.

A buffer is a contiguous block of computer memory that holds multiple instances of the same type. To overflow means to fill more than full. A buffer overflow happens when a program attempts to write data outside the memory allocated for that data.

In a buffer overflow attack, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

The stack is a section of memory used for temporary storage of information. In a stack-based buffer overflow attack, the attacker supplies more data than the program expects, overwriting data on the stack. For example, suppose a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a web-based form that customers filled out.

The longest postal code is fewer than twelve characters, but on the web form the attacker typed the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands spill onto the stack. When a function is called, the address of the instruction following the call is pushed onto the stack so that the function knows where to return control when it is finished; it is this saved return address that the overflow reaches.

Buffer overflow attack

A buffer overflow allows the attacker to change the return address of a function to a point in memory where they have already inserted executable code. Control is then transferred to the malicious attack code contained in the buffer, called the payload.

The payload is normally a command that allows remote access, or some other command that gets the attacker closer to having control of the system.

C language example:

#include <string.h>

#define BUFSIZE 128

int main(int argc, char **argv)
{
    char buf[BUFSIZE];          /* fixed-size buffer on the stack */

    if (argc < 2)
        return 1;               /* nothing to copy */
    strcpy(buf, argv[1]);       /* no length check: the overflow is here */
    return 0;
}

The buffer size is fixed, but there is no guarantee that the string in argv[1] will not exceed this size and cause an overflow.
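The fix for the pattern above is a bounded copy: the callee must know the destination size and refuse input that does not fit. The following C program is added here and is not from the original notes; the function names, the 12-byte buffer size and the 256 x "A" attack string are constructed for illustration. It places the unsafe strcpy() call from the listing beside a hardened replacement and runs the notes' postal-code attack against the hardened one.

```c
#include <stdio.h>
#include <string.h>

/* The longest postal code accepted by the form in the text is fewer than
 * 12 characters, so a 12-byte buffer (11 characters plus NUL) is enough. */
#define ZIP_BUF 12

/* Unsafe: the pattern from the listing. strcpy() copies until it finds a NUL
 * in src, so a source longer than dst overwrites whatever follows the buffer;
 * for a stack array that is the saved frame pointer and the return address.
 * Kept only for contrast; never call it with attacker-controlled input. */
void store_zip_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened: the destination size is passed in and checked.
 * Returns 0 on success, -1 if src does not fit (dst becomes an empty string).
 * The length scan is itself bounded, so an unterminated src cannot cause a
 * read past dstlen either. */
int store_zip_safe(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;

    if (dstlen == 0)
        return -1;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen) {          /* no room for the data plus its NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n data bytes plus the terminating NUL */
    return 0;
}

/* Feed one input through the safe copy into a ZIP_BUF-byte stack buffer. */
int try_zip(const char *src)
{
    char zip[ZIP_BUF];
    return store_zip_safe(zip, sizeof zip, src);
}

/* Build the attacker's input from the text: `count` copies of 'A' followed by
 * a few trailing bytes standing in for the payload, and try to store it. */
int try_a_run(size_t count)
{
    char attack[300];

    if (count > sizeof attack - 8)
        count = sizeof attack - 8;
    memset(attack, 'A', count);
    memcpy(attack + count, "\xcc\xcc\xcc", 4);   /* constructed payload stub + NUL */
    return try_zip(attack);
}

int main(void)
{
    printf("560001       -> %d (0 = stored)\n", try_zip("560001"));
    printf("12345678901  -> %d\n", try_zip("12345678901"));
    printf("123456789012 -> %d (-1 = rejected)\n", try_zip("123456789012"));
    printf("256 x 'A'    -> %d\n", try_a_run(256));
    return 0;
}
```

The important design point is that the size travels with the pointer: store_zip_safe() cannot be called without stating how big the destination is, which is exactly the information strcpy() lacks.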

Stack Based Buffer Overflows

A stack is a contiguous block of memory used by functions. Two instructions put data on and remove data from the stack: PUSH pushes data onto the stack and POP removes it. The stack works on a last in, first out (LIFO) basis.

Stack-based buffer overflows affect any function that copies input into memory without bounds checking, for example strcpy(), memcpy(), gets() and so on.

A buffer overflow occurs when a function copies data into a buffer without doing bounds checking. If the source data is larger than the destination buffer, the data overflows the buffer towards higher memory addresses and overwrites what lies beyond it on the stack, such as the saved frame pointer and the return address.

Heap-based Buffer Overflows

A heap overflow is a form of buffer overflow; it happens when a chunk of memory is allocated on the heap and data is written to this memory without any bounds checking being done on the data. This can lead to overwriting critical data structures in the heap, such as the heap headers, or any heap-based data such as dynamic object pointers, which in turn can lead to overwriting a virtual function table.

The function longjmp() in C allows the programmer to jump back to an earlier point explicitly, without going through the chain of return addresses. setjmp() saves the environment (the point to which longjmp() should return) in a jmp_buf. If an attacker can overwrite that saved environment to point at attack code, longjmp() jumps to it.

Tools Used to Protect Against Buffer Overflow

1. Libsafe: It provides a combination of static and dynamic intrusion prevention. Statically, it patches the unsafe C library functions; dynamically, a range check is made before the actual function call. Libsafe uses the old base (frame) pointer, which is pushed onto the stack just below the return address: no local buffer is allowed to extend beyond the saved base pointer, so a write into it can never reach the return address. The boundary is imposed by overloading the unsafe functions with wrapper functions.

Memory layout for Libsafe

2. StackGuard: StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow attacks from succeeding. If we place a dummy value between the return address and the stack data above it, and then check whether this value has been overwritten before we allow the return address to be used, we can detect this kind of attack and possibly prevent it. The inventors chose to call this dummy value the canary. StackGuard is a small set of patches to gcc and is available as a patch to gcc 2.7.2.2.

StackGuard stack frame
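To make the canary concrete, the following C program (added here; it is not part of the original notes or of StackGuard itself) models one stack frame as a struct, lets an unchecked copy overflow the local buffer, and runs the check that StackGuard inserts in the function epilogue. The frame layout, the fixed canary value and the placeholder return address are assumptions made for the model; a real frame is laid out by the compiler and a real canary is random.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame laid out the way StackGuard instruments it:
 * the local buffer, then the canary word, then the saved return address.
 * Writes into buf run towards higher addresses, so an overflow reaches the
 * canary before it reaches ret. (Assumed layout for this example.) */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t ret;
};

#define CANARY   0xDEADBEEFCAFEBABEULL  /* constructed; real canaries are random per run */
#define GOOD_RET 0x401000ULL            /* constructed stand-in for a code address */

/* The vulnerable callee: copies `len` bytes into buf with no bounds check,
 * as an unchecked strcpy()/memcpy() would. The copy is clamped to the frame
 * size only so the model stays within defined C; the spill into canary and
 * ret is exactly what happens in the real attack. */
static void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, input, len);   /* bytes 0-15 buf, 16-23 canary, 24-31 ret */
}

/* StackGuard's epilogue check: 1 if the canary is intact, 0 if it was
 * overwritten. A real StackGuard build aborts the process in the latter case
 * instead of returning through the corrupted address. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY;
}

/* Run one attack of `len` bytes of 'A' against a fresh frame and report:
 *   bit 0 set -> canary smashed (StackGuard detects the attack)
 *   bit 1 set -> saved return address overwritten (control-flow hijack)
 * A return value of 0 means the input fit in the buffer. */
int simulate_overflow(size_t len)
{
    struct frame f;
    unsigned char input[sizeof(struct frame)];
    int result = 0;

    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.ret = GOOD_RET;
    memset(input, 'A', sizeof input);

    vulnerable_copy(&f, input, len);

    if (!canary_intact(&f))
        result |= 1;
    if (f.ret != GOOD_RET)
        result |= 2;
    return result;
}

int main(void)
{
    size_t lens[] = { 15, 16, 17, 24, 32 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes -> %d\n", lens[i], simulate_overflow(lens[i]));
    return 0;
}
```

Seventeen bytes already corrupt the canary while the return address is still intact, which is the whole point of the layout: the check fires on the first byte past the buffer, before the attacker's data can reach the return address.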

Steganography

Steganography is the science of hiding information. The purpose of steganography is covert communication: to hide the very existence of a message from a third party.

Information hiding covers both watermarking and steganography. A watermarking system's primary goal is robustness: it should be impossible to remove a watermark without degrading the quality of the data object.

Steganography, by contrast, aims for high security and capacity, which usually means that the hidden information is fragile: even small modifications to the stego-medium can destroy it.

Taxonomy of steganographic techniques

Technical steganography uses scientific methods to hide a message.

Linguistic steganography hides the message in the carrier in some non-obvious way and is further categorized into semagrams and open codes.

Semagrams use symbols or signs to hide information. A visual semagram uses ordinary physical objects to convey a message. A text semagram hides a message by modifying the appearance of the carrier text.

Open codes hide a message in a legitimate carrier message in ways that are not obvious to an unsuspecting observer. A jargon code uses language that is understood by a group of people but is meaningless to others.

The goal of steganography is to avoid detection, or even raising the suspicion, that a secret message is being passed. Steganalysis is the art of detecting these covert messages; it involves detecting the presence of embedded messages. The types of steganalysis attacks are similar to those of cryptanalysis attacks.
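The most common technical steganography on digital media is least-significant-bit (LSB) embedding. The following C program is added here and is not part of the original notes or of any of the tools the notes list; it embeds a message one bit per sample into a constructed 8-bit gradient, extracts it again, and measures how little each sample changed, which is the small statistical footprint that steganalysis has to detect. The one-byte length header, the gradient cover and the sample message are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One message bit per cover sample, so 8 samples carry one byte. */
size_t lsb_capacity(size_t cover_len)
{
    return cover_len / 8;
}

/* Write one byte into the LSBs of 8 consecutive samples, MSB of the byte first. */
static void put_byte(uint8_t *samples, uint8_t byte)
{
    for (int b = 7; b >= 0; b--, samples++)
        *samples = (uint8_t)((*samples & 0xFEu) | ((byte >> b) & 1u));
}

/* Read one byte back from the LSBs of 8 consecutive samples. */
static uint8_t get_byte(const uint8_t *samples)
{
    uint8_t byte = 0;
    for (int b = 0; b < 8; b++)
        byte = (uint8_t)((byte << 1) | (samples[b] & 1u));
    return byte;
}

/* Embed msg into cover in place. Layout: a one-byte length, then the message.
 * Returns the number of samples modified, or 0 if the message does not fit. */
size_t lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, size_t msg_len)
{
    if (msg_len == 0 || msg_len > 255 || msg_len + 1 > lsb_capacity(cover_len))
        return 0;
    put_byte(cover, (uint8_t)msg_len);
    for (size_t i = 0; i < msg_len; i++)
        put_byte(cover + 8 * (i + 1), msg[i]);
    return 8 * (msg_len + 1);
}

/* Recover the message. Returns its length, or 0 if the header is inconsistent
 * with the stego size or the output buffer. */
size_t lsb_extract(const uint8_t *stego, size_t stego_len, uint8_t *out, size_t out_cap)
{
    if (lsb_capacity(stego_len) < 1)
        return 0;
    size_t len = get_byte(stego);
    if (len == 0 || len + 1 > lsb_capacity(stego_len) || len > out_cap)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = get_byte(stego + 8 * (i + 1));
    return len;
}

/* Largest absolute change any sample suffered. LSB embedding never moves a
 * sample by more than 1, which is why it is invisible to the eye yet still
 * measurable by a statistical steganalysis test. */
int max_sample_delta(const uint8_t *a, const uint8_t *b, size_t n)
{
    int worst = 0;
    for (size_t i = 0; i < n; i++) {
        int d = (int)a[i] - (int)b[i];
        if (d < 0) d = -d;
        if (d > worst) worst = d;
    }
    return worst;
}

/* Round trip on a constructed 8-bit "image": a 256-sample gradient.
 * Returns 1 if the message survives and no sample moved by more than 1. */
int lsb_roundtrip_demo(void)
{
    uint8_t cover[256], stego[256], out[64];
    const char *secret = "meet at noon";   /* constructed sample message */
    size_t n = strlen(secret);

    for (size_t i = 0; i < sizeof cover; i++)
        cover[i] = (uint8_t)i;
    memcpy(stego, cover, sizeof cover);

    if (lsb_embed(stego, sizeof stego, (const uint8_t *)secret, n) == 0)
        return 0;
    size_t got = lsb_extract(stego, sizeof stego, out, sizeof out);
    if (got != n || memcmp(out, secret, n) != 0)
        return 0;
    return max_sample_delta(cover, stego, sizeof cover) <= 1;
}

int main(void)
{
    printf("LSB round trip %s\n", lsb_roundtrip_demo() ? "ok" : "FAILED");
    return 0;
}
```

The fragility mentioned above follows directly from the layout: any lossy recompression or even a +1 brightness adjustment rewrites the low bits and destroys the message, whereas a watermark would be designed to survive it.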
Steganography Tools

1. MP3Stego: Hides files within MP3 files. MP3Stego hides information in MP3 files during the compression process; the data is first compressed, then encrypted, and then hidden in the MP3 bit stream.
2. TextHide: Simple text steganography.
3. wbStego: Steganography for bitmaps, text files, HTML files and PDF files.
4. Hide4PGP: A freeware program distributed as source code in ANSI C and as precompiled executables for DOS and the Win32 console.

Difference between Steganography and Cryptography

Steganography                                            | Cryptography
---------------------------------------------------------|---------------------------------------------------------
The output of information hiding is the stego-medium.    | The output of cryptography is a ciphertext.
It hides the existence of the information.               | It does not hide the existence of the information.
An additional carrier is needed.                         | No additional carrier is needed.
The secret message is not altered; it is hidden inside   | The structure of the secret message is scrambled to
the cover image.                                         | make it meaningless.
The secret message is embedded in a harmless-looking     | Cryptography is the science of using mathematics to
cover such as a digital image file, and the image file   | encrypt and decrypt data.
is then transmitted.                                     |
Malware Threats

"Malware" is short for malicious software and is used as a single term to refer to viruses, spyware, worms and so on. Malware is designed to cause damage to a stand-alone computer or a networked PC.

Malware is any software intentionally designed to cause damage to a computer, server or computer network.

Malware does its damage after it is implanted or introduced in some way into a target's computer, and it can take the form of executable code, scripts, active content, and other software.

A common step to protect computers and mobile devices from malware is to install anti-virus software from trusted vendors. Anti-virus, sometimes called anti-malware, is security software designed to detect and stop malicious software.

Trojan Horse

The city of Troy was protected by a high wall built around it. After an unsuccessful attack on the city, the Greeks devised a plan to win.

Their plan was to build a beautiful and huge wooden horse and leave it outside the gate. The entire Greek army would then pretend to leave, as if they had finally admitted defeat. But the horse was hollow, and thirty men were hiding inside. The horse was left in front of Troy's gate.

The Trojans thought it was a gift and brought the horse into the city. That night, while the Trojans were sleeping, the men hiding inside the wooden horse climbed out and opened the gates. The Greek army destroyed the whole city.

Trojan horse programs work like this story, and they are one of the most common tools used for attacking computers. A Trojan horse is not a virus, and it does not replicate.

A Trojan horse is malicious code hidden in an apparently useful host program. When the host program is executed, the Trojan does something harmful or unwanted. Trojan horses are programs that enter a system or network under the guise of another program. A Trojan horse may arrive as an attachment or as part of an installation program, and it could create a backdoor or replace a valid program during installation.

How can your computer be infected by a Trojan horse?

1. Websites: You can be infected by visiting a bogus website. Internet Explorer is most often targeted by makers of Trojans. Even with a more secure web browser such as Mozilla's Firefox, if Java is enabled your computer can still receive a Trojan horse.
2. Instant messaging: Many users get infected through files sent via various messengers.
3. E-mail: Attachments on e-mail messages may contain Trojans.

Objectives of Trojan Horse Programs

1. Create a backdoor that allows remote access to control your computer.
2. Record keystrokes to steal passwords and bank account information.
3. Destroy or delete data.
4. Upload or download files.
5. Monitor your activity through the camera and send it to a remote location.

How to avoid getting infected with a Trojan horse?

a) Install the latest security patches for the operating system.
b) NEVER download software from a web site you cannot vouch for.
c) Install a secure firewall.
d) Even if a file comes from a friend, make sure what the file is before opening it.
e) NEVER use features in your programs that automatically fetch or preview files.
f) Never blindly type commands that others tell you to type.
g) Back up your system regularly.

Types of Trojan Horses

1. Remote Access Trojans
2. Data Sending Trojans
3. Destructive Trojans
4. Proxy Trojans
5. FTP Trojans
6. Security software disabler Trojans
7. Denial-of-service attack Trojans

Examples of Trojan horses

1. A simple example of a Trojan horse would be a program named "waterfalls.scr" whose author claims it is a free waterfall screensaver. When run, it instead unloads hidden programs, commands, scripts, or any number of commands, with or without the user's knowledge or consent.
2. AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a Trojan horse that replaces the AUTOEXEC.BAT file, which it then uses to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on the drive.
3. Dmsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing users' confidential information.

Backdoors

A backdoor is any hidden method for obtaining remote access to a computer. A backdoor is a remote administration utility that allows a user to access and control a computer, usually remotely over a network or the Internet.

A backdoor is also called a trapdoor: an undocumented entry point to a module. A backdoor's goal is to remove the evidence of the initial entry from the system's log files. Backdoors can be installed for accessing a variety of services; of particular interest for network security are those that provide interactive access. They frequently run over protocols such as Telnet, Rlogin or SSH.

Backdoors are difficult to detect. A common method for masking their presence is to run a server for a standard service such as Telnet, but on an undistinguished port rather than the well-known port associated with the service.

Network administrators sometimes use backdoors to control their clients and supervise their actions in a business network.

Backdoors are usually based on client-server network communication, where the server is the attacked machine and the client is the attacker. This is the standard arrangement, called a direct connection, in which the client connects directly to the server.

Remote Administration Trojans (RATs) are a class of backdoors used to enable remote control over a compromised machine.

RATs are used by the attacker with malicious intent to surveil the infected victim by recording audio, video and keystrokes; in addition, RATs let the attacker run services from the victim's computer, exfiltrate files, and more.

Virus

The term computer virus was originally used by Dr. Fred Cohen in his PhD thesis in 1986. The term malware is used to describe all forms of malicious software, and the term virus writer to describe the person responsible for creating any type of malicious software.

A computer virus is a small program that can copy itself to infect computers: a self-replicating program that spreads by infecting other programs or data files. A virus is a malicious program that spreads using a propagation technique that generally requires user intervention, and it always carries malicious intent.

A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when that program is run.

A computer virus requires some sort of user action to abet its propagation. A virus infects other programs by modifying them.

The major components of a virus are its infection code, payload and trigger.

1. Infection code: The part that locates an infectable object.
2. Payload: Any operation that any other program could do, but usually something meant to be destructive.
3. Trigger: Whatever sets it off: time of day, program execution by the user, and so on.

Viruses usually have two phases:

1. Infection phase: The virus reproduces as widely as possible without being detected.
2. Attack phase: The virus attempts to carry out whatever damage it was designed to inflict.

A virus depends on a host file or boot sector, and on the transfer of files between machines, to spread. A virus can be either transient or resident.

1. Transient virus: Runs when its attached program executes and terminates when its attached program ends.
2. Resident virus: Locates itself in memory so that it can remain active even after its attached program ends.

A virus cannot be completely invisible, but it can be very hard to detect, especially if it has self-modifying code. The code it executes can be identified, and a program can scan for the entire code. Usually it is at the start of a program, or it may be a test and a jump to code at the bottom of the file.

If the virus writer wants to keep the program size the same to prevent detection, then the virus has to replace some of the program code, or compress the program and prepend the virus to it. But a good scanner with a checksum can detect the changes in the code.

A virus program can be small, so it hides very easily in a large program. It might hide in a compiler, a database manager or a file manager. A macro virus is so named because it is a macro in Microsoft Word, Excel and similar applications. The number one hiding spot is an attachment to e-mail or some public download file.

Virus code can be prepended or appended to the host file. It can also be split into several segments and interspersed throughout the infected file, using a JUMP statement at the end of each virus segment.

Prepended virus infected host file

In a prepended virus, the virus code is placed before the host code. The host file is not damaged, and the file is easy to clean.

Appended virus infected host file

In an appended virus, the virus code is placed after the host code. The virus does not damage the host file, but it is difficult to remove the virus from the file.

Viruses that surround a program: The virus code runs the original program but has control before and after its execution.

Characteristics of a Virus

1. Propagates when the host program is executed.
2. The virus code need not all be located at the start of the infected file.
3. A virus makes a set of system calls.

Preventing Virus Infection

Ways to prevent virus infections:

1. Test all new software on an isolated computer.
2. Use only commercial software acquired from reliable, well-established vendors.
3. Do not put a floppy disk in the machine unless it has been scanned first.
4. Do not open attachments to e-mail unless they have been scanned, and turn off the automatic opening of attachments in mail readers.
5. Scan any downloaded files before they are run.
6. Update the virus signature data files at least once a week.

Make a bootable disk/CD with a virus scan program on it, and write-protect it.

Make and retain backup copies of executable system files in case the virus detection program cannot remove the virus.
Phases of Viruses

During its lifecycle, a virus goes through the following phases:

1. Dormant phase
2. Propagation phase
3. Triggering phase
4. Execution phase

Dormant phase: The virus is idle. It is activated by some event.

Propagation phase: During this phase the virus replicates itself, infecting new files on new systems. A virus will typically not propagate to an already infected program.

Triggering phase: The virus is activated to perform the function for which it was intended. This is caused by a variety of system events.

Execution phase: In this phase the virus performs the malicious action it was designed to perform, called the payload. This action could be something seemingly innocent, like displaying a silly picture on the computer's screen, or something quite malicious, such as deleting all essential files on the hard drive.

Types of Viruses

1. Boot Sector Virus: Infects a master boot record or partition boot record and spreads when a system is booted from the disk containing the virus. The virus gains control very early in the boot process, before most detection tools are active. Operating systems usually make files in the boot area invisible to the user, so the virus code is not readily noticed.
2. File Infector: Infects files that the operating system or shell considers to be executable. Most really successful file infectors are classified as worms.
3. Macro Virus: Infects files with macro code that is interpreted by an application. A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel). When an infected document is opened, the virus copies itself into the global macro file and makes itself auto-executing. Melissa was a really successful macro virus.
4. Appended Virus: Virus code attaches itself to a program and is activated whenever the program is run.
5. Integrated Virus: Replaces some of the target program, or the entire target, and gives the impression that the target program worked.
6. Document Virus: Implemented within a formatted document, for example a database, written document, picture, spreadsheet or slide presentation. A document is a structured file that contains data and commands; the commands are part of a programming language, and the virus uses features of that language to perform malicious actions.
7. Metamorphic Virus: Mutates with every infection. The virus rewrites itself completely at each iteration, increasing the difficulty of detection. Some even have the ability to disassemble themselves dynamically, change their code, and reassemble themselves into an executable form. It may change its behaviour as well as its appearance in every incarnation.
8. Memory Resident Virus: Remains in memory after the virus code has been initialized. It takes control of the system and allocates a block of memory for its own code, staying in memory while other programs run and infecting them.
9. E-mail Virus: If the recipient opens the e-mail attachment, the Word macro is activated. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package, and also does local damage. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment.
10. Polymorphic Virus: A virus that can change its appearance.
11. Stealth Virus: A virus explicitly designed to hide itself from detection by antivirus software; the entire virus, not just its payload, is hidden.
12. Multipartite Virus: Uses more than one infection mechanism, for example both file and boot infection.

Virus Countermeasures

Prevention is the best solution for viruses. A countermeasure is an action, process, device, or system that can prevent, or mitigate the effects of, threats to a computer, server or network.

Antivirus software mainly prevents and removes computer viruses, including worms and Trojan horses. Such programs may also detect and remove adware, spyware, and other forms of malware.

1. Prevention: Do not allow a virus to get into the system.
2. Detection: Once infection has occurred, determine that it has occurred and locate the virus.
3. Identification: Once a virus is detected, identify it.
4. Removal: Once the specific virus has been identified, remove all traces of it and restore the infected programs to their original state.

Generations of antivirus software

The four generations of antivirus software are:

1. First generation: simple scanners

These scanners look for certain patterns or sequences of bytes, called string signatures. A signature may contain wildcards, but such signature-specific scanners are limited to the detection of known viruses.

The scanner may also record each program's size and length and compare them before and after, so that a change in length reveals an infection.

Once a virus is detected, it can be analyzed precisely and a unique sequence of bytes extracted from the virus code to serve as its signature.

2. Second generation: heuristic scanners

The scanner uses heuristic rules to search for probable virus infection.

Smart scanning refers to a defence optimized for the newer generation of viruses, which try to conceal their code within sequences of worthless instructions such as no-operation (NOP) instructions.

Heuristic analysis is a useful method for detecting new, unknown malware. It is especially helpful for detecting macro viruses.

3. Third generation: activity traps

Third-generation programs are memory-resident programs that identify a virus by its actions at run time, rather than by its signature or its structure in an infected program. It is necessary to identify the small set of actions that indicate an infection.

4. Fourth generation: full-featured protection

Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction: scanning, activity traps, and access control capability.
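A first-generation scanner, together with the length and checksum comparison described under the first generation above, fits in a few lines. The following C program is added here and is not from the original notes or from any real antivirus product; the signature bytes, the wildcard mask, the host program bytes and the virus body are all constructed. It scans an infected copy of a constructed host for a wildcard signature and shows that both the length comparison and a file hash flag the appended code, while the clean host produces no false positive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A first-generation string signature: a byte pattern with optional wildcards.
 * mask[i] == 'x' means bytes[i] must match; '?' means any byte is accepted. */
struct signature {
    const char    *name;
    const uint8_t *bytes;
    const char    *mask;
    size_t         len;
};

/* Return the offset of the first match of sig in data, or -1 if absent. */
long find_signature(const uint8_t *data, size_t len, const struct signature *sig)
{
    if (sig->len == 0 || len < sig->len)
        return -1;
    for (size_t off = 0; off + sig->len <= len; off++) {
        size_t i;
        for (i = 0; i < sig->len; i++)
            if (sig->mask[i] != '?' && data[off + i] != sig->bytes[i])
                break;
        if (i == sig->len)
            return (long)off;
    }
    return -1;
}

/* Integrity check used alongside the scanner: 32-bit FNV-1a over the file.
 * The notes' "length compared before and after" catches appended code; a hash
 * also catches an integrated virus that keeps the length unchanged. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed "virus" signature: the bytes a scanner would have extracted from
 * a sample. Bytes 3 and 4 are wildcards because the sample varies a 16-bit
 * offset there, a typical reason a signature needs wildcards. */
static const uint8_t demo_sig_bytes[] = { 0xEB, 0x04, 0x00, 0x00, 0xB8, 0x4C, 0xCD, 0x21 };
static const struct signature demo_sig = { "Demo.Appender", demo_sig_bytes, "xx??xxxx", 8 };

/* Place a variant of the virus prefix (with its two variable bytes set to
 * b2, b3) at offset 5 of a zeroed 20-byte buffer and scan for it. */
long find_in_variant(uint8_t b2, uint8_t b3)
{
    uint8_t sample[20] = { 0 };
    const uint8_t body[8] = { 0xEB, 0x04, b2, b3, 0xB8, 0x4C, 0xCD, 0x21 };
    memcpy(sample + 5, body, sizeof body);
    return find_signature(sample, sizeof sample, &demo_sig);
}

/* Build a clean host and an infected copy (virus appended, so the file grows)
 * and report a bitmask: bit0 = signature found in the infected copy,
 * bit1 = length changed, bit2 = hash changed, bit3 = false positive on the
 * clean host (should stay clear). */
int scan_demo(void)
{
    uint8_t clean[64], infected[80];
    uint8_t virus[16] = { 0xEB, 0x04, 0x12, 0x34, 0xB8, 0x4C, 0xCD, 0x21,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    size_t clean_len = sizeof clean;
    size_t infected_len = clean_len + sizeof virus;
    int result = 0;

    for (size_t i = 0; i < clean_len; i++)      /* constructed host bytes */
        clean[i] = (uint8_t)(0x90 + (i % 7));
    memcpy(infected, clean, clean_len);
    memcpy(infected + clean_len, virus, sizeof virus);

    if (find_signature(infected, infected_len, &demo_sig) >= 0) result |= 1;
    if (infected_len != clean_len)                              result |= 2;
    if (fnv1a32(infected, infected_len) != fnv1a32(clean, clean_len)) result |= 4;
    if (find_signature(clean, clean_len, &demo_sig) >= 0)       result |= 8;
    return result;
}

int main(void)
{
    printf("scan_demo() = %d (expect signature, length and hash bits set)\n", scan_demo());
    printf("variant offset = %ld\n", find_in_variant(0xAA, 0xBB));
    return 0;
}
```

The limitation the notes describe is visible here too: find_signature() only finds what demo_sig already describes, so a polymorphic or metamorphic variant that changes bytes outside the wildcard positions passes the scan and is caught only by the length or hash comparison against a known-good copy.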
Worm

A worm is a sophisticated piece of replicating code that uses its own program code to spread, with minimal user intervention. A worm usually exists as a standalone program that executes itself automatically on a remote machine, without any user interaction. Worms are network viruses, primarily replicating across networks.

A worm infects the environment rather than specific objects. Unlike a virus, it does not require a host to propagate.

The Morris worm, or Internet worm, was one of the first computer worms distributed via the Internet. The Morris worm used topological techniques: a topological worm searches information on the infected host (for example, lists of trusted hosts) to find new victims, discovering the local communication topology.

A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behaviour to discover new targets.

Worm Classification

Worms can be classified into the following categories:

1. Stealth worms do not spread rapidly but instead spread slowly, which makes them very hard to detect.
2. Polymorphic worms change themselves during propagation in order to make signature-based detection more complicated.
3. File worms are a modified form of virus, but unlike viruses they do not attach themselves to any executable file. When they multiply, they simply copy their code to some other disk or directory, hoping that these new copies will some day be executed by the user.
4. Multi-vector worms use different propagation methods in order to reach more vulnerable hosts and to propagate effectively behind firewalls.
5. E-mail worms e-mail themselves to other addresses and either make the user execute the attachment containing the malicious code or use bugs in the e-mail programs to get the attachment executed automatically.

Difference between Worm and Virus

Worm                                                      | Virus
----------------------------------------------------------|--------------------------------------------------------
A worm has the ability to self-propagate, and may or may  | A virus is a malicious program that spreads using a
not have malicious intent. A computer worm is a program   | propagation technique that generally requires user
that self-propagates across a network by exploiting       | intervention, and always possesses malicious intent.
security or policy flaws.                                 |
Worms do not need hosts.                                  | A virus needs a host.
A worm can spread more quickly than a virus.              | A virus spreads more slowly than a worm.
Examples: multi-vector worm, e-mail worm                  | Examples: self-modifying virus, stealth virus
UNIT – V
ETHICAL HACKING IN WEB
Social Engineering

Social engineering is the art of manipulating people so they give up


confidential information.

Criminals use social engineering tactics because it is usually easier to


exploit your natural inclination to trust than it is to discover ways to hack
your software. For example, it is much easier to fool someone into giving
you their password than it is for you to try hacking their password.

Social engineering is important to understand because hackers can use


it to attack the human element of a system and circumvent technical security
measures.

It is a way for criminals to gain access to information systems. The


purpose of social engineering is usually to secretly install spyware, other
malicious software or to trick persons into handing over passwords and/or
other sensitive financial or personal information.

Social engineers use various tricks to convince their victims to give
out sensitive information. In a very simple social engineering attack, an
attacker would call his victim, pretend to be a bank official, and then ask the
victim for his credit card number and PIN.

The victim would give away the details, believing the call was really
from an authorized bank official. All the information that is gathered through
various footprinting techniques is very useful in building successful social
engineering attacks.

Phases of social engineering:

1. Research and information gathering: The attacker does comprehensive
research on the target organization through various information sources.
Social networking sites, job boards, and people search engines give out a lot
of valuable information.
2. Choosing the victim/target: Based on the information collected, the
attacker then analyses and chooses the most vulnerable person who could
reveal sensitive information to engage with.
3. Establish trust relationship: Once the victim has been chosen, the attacker
communicates with the victim through various ways, like instant messaging,
email, or a direct call. The attacker claims to be someone the victim can
relate to and trust.
4. Exploit the relationship: The attacker now tries to exploit the established
trust relationship. By engaging the victim in deceptive talk, the attacker tries
to extract as much information as possible.
Social engineering can be broken into two common types:
1. Human-based social engineering refers to person-to-person interaction to
retrieve the desired information. An example is calling the help desk and
trying to find out a password.
2. Computer-based social engineering refers to having computer software
that attempts to retrieve the desired information. An example is sending a
user an e-mail and asking them to re-enter a password in a web page to
confirm it. This social-engineering attack is also known as phishing.
Common social engineering attacks:
Social engineering is a tactic used by cyber criminals that uses lies and
manipulation to trick people into revealing their personal information.
Social engineering attacks frequently involve very convincing fake stories to
lure victims into their trap. Common social engineering attacks include:
1. Sending victims an email that claims there's a problem with their
account and has a link to a fake website. Entering their account
information into the site sends it straight to the cyber-criminal
(phishing).
2. Trying to convince victims to open email attachments that contain
malware by claiming it is something they might enjoy (like a game) or
need (like anti-malware software).
3. Pretending to be a network or account administrator and asking for the
victim's password to perform maintenance.
4. Claiming that the victim has won a prize but must give their credit
card information in order to receive it.
5. Asking for a victim's password for an Internet service and then using
the same password to access other accounts and services since many
people re-use the same password.
6. Promising the victim that they will receive millions of dollars if they
help out the sender by giving them money or their bank account
information.
Denial of Service
The goal of a denial-of-service attack is to deny legitimate users
access to a particular resource. An incident is considered an attack if a
malicious user intentionally disrupts service to a computer or network
resource.
The SYN attack is a denial-of-service attack related to TCP
connection setup. In a SYN attack, a remote attacker floods the user's machine
with SYN packets, causing it to spend all its cycles setting up bogus TCP
connections.
A virtual connection that a protocol such as Telnet establishes with a
server is called a session. A session is established with the three-way TCP
handshake. Each TCP packet has flag bits, two of which are denoted SYN and
ACK. To establish a TCP connection, the originator sends a packet with the
SYN bit on.
If the recipient is ready to establish a connection, it replies with a
packet with both the SYN and ACK bits on. The first party then sends a
packet with the ACK bit on. Sometimes packets get lost or damaged in
transmission. The destination maintains a queue of half-open connections in
the SYN_RECV state.
If the ACK or SYN-ACK packet is lost, the destination host will time out
the incomplete connection and discard it from its waiting queue. The
attacker can deny service to the target by sending many SYN requests and
never responding with the final ACKs, thereby filling the victim's SYN_RECV
queue, which is never processed. This queue is small, containing up to 20
entries. Therefore the target system keeps on waiting. The result may be a
hard disk crash or reboot.
If a few SYN packets are sent by the attacker every 10 seconds, the
victim will never clear the queue and stops responding.
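A defender-side check for the half-open backlog described above, added here as an example (not part of the original notes): it parses an `ss -tan`-style connection table, counts SYN-RECV entries per local port, and flags ports whose backlog has reached the 20-entry queue size the notes quote. The sample table and the threshold are assumptions.

```python
"""Half-open connection monitor for SYN flood detection (added example, not
from the original notes).  It parses an `ss -tan`-style connection table and
flags local ports whose SYN-RECV backlog has reached the ~20-entry queue limit
the notes describe.  The sample table below is constructed."""
from collections import Counter, defaultdict


def build_sample_table():
    """Constructed `ss -tan`-style output: a few normal sessions plus a burst of
    half-open connections to port 80 from many different (spoofed) peers."""
    rows = [
        "State      Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "ESTAB      0      0      10.0.0.5:22        192.0.2.10:50122",
        "ESTAB      0      0      10.0.0.5:80        192.0.2.11:50200",
        "SYN-RECV   0      0      10.0.0.5:443       192.0.2.12:50300",
    ]
    for i in range(25):
        rows.append(f"SYN-RECV   0      0      10.0.0.5:80        "
                    f"203.0.113.{i + 1}:{41000 + i}")
    return "\n".join(rows) + "\n"


def parse_ss(text):
    """Yield (state, local_ip, local_port, peer_ip, peer_port) for each data row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / short lines
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        local_ip, local_port = local.rsplit(":", 1)  # rsplit keeps IPv6 intact
        peer_ip, peer_port = peer.rsplit(":", 1)
        yield state, local_ip, int(local_port), peer_ip, int(peer_port)


def half_open_summary(text):
    """Return {local_port: (half_open_count, distinct_peer_count)} for SYN-RECV rows."""
    counts = Counter()
    peers = defaultdict(set)
    for state, _lip, lport, pip, _pport in parse_ss(text):
        if state == "SYN-RECV":
            counts[lport] += 1
            peers[lport].add(pip)
    return {port: (counts[port], len(peers[port])) for port in counts}


def detect_syn_flood(text, max_half_open=20):
    """Return the local ports whose half-open backlog is at or above the limit.
    The default of 20 is the queue size quoted in the notes (an assumption for
    real systems, where the backlog is configurable)."""
    return sorted(port for port, (count, _) in half_open_summary(text).items()
                  if count >= max_half_open)


if __name__ == "__main__":
    table = build_sample_table()
    for port, (count, distinct) in sorted(half_open_summary(table).items()):
        print(f"port {port}: {count} half-open from {distinct} peers")
    print("flooded ports:", detect_syn_flood(table))
```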
Another DoS attack is to send a stream of packets to a router in which
all option bits are turned on. The router spends so much time processing these
options that it fails to process BGP updates.
The denial-of-service attack does not result in information theft or any
kind of information loss. DoS attacks affect the destination rather than a data
packet or router.
A DoS attack affects a specific network service, such as e-mail or the
domain name system. One way of initiating this attack is by causing a buffer
overflow; executable code can potentially be inserted into memory by causing
a buffer overflow.
(Figure: DoS Attack)

DoS attacks are easy to generate but difficult to detect.

Protection against DoS attacks is as follows:

1. Make a list of all resources consumed by every user.
2. Detect when the resources consumed by a given user exceed those
allowed by some system policy.
3. After detecting an attack, reclaim the consumed resources using as few
additional resources as possible, or remove the offending user.

Classification of DoS Attacks

1. Logic attacks: This attack takes place in network software such as the
TCP/IP protocol stack or a web server.
2. Protocol attacks: A protocol is a set of rules. This attack targets a
specific feature or implementation bug.
3. Bandwidth attacks: The attacker opens many web pages and keeps
refreshing them to consume more bandwidth. After some time, the web site
becomes out of service.
Types of DoS Attacks

1. Ping of death: A ping of death attack sends oversized ICMP packets.
The maximum legal size of an IP packet is 65535 bytes. Because of limitations
in the physical layer, packets may have to be fragmented and then
reassembled at the destination, so this packet is fragmented for
transport. The receiver then starts to reassemble the fragments as the ping
fragments arrive. The total packet length becomes too large, and the
system may crash.
2. Smurf: This is a variation of the ping attack. The attacker selects a
network of unwitting victims. The attacker spoofs the source address in the
ping packet so that it appears to come from the victim. Then the attacker
sends this request to the network in broadcast mode by setting the last byte
of the address to all 1s.
3. Teardrop attack: This attack misuses a feature designed to improve
network communication. The attacker sends a series of datagrams that cannot
fit together properly. One datagram might say it is position 0 for length
60 bytes, another position 30 for 90 bytes, and so on. These fragment pieces
overlap, so they cannot be reassembled properly.
4. Malicious misrouting of packets: An attacker may attack a router and
change its routing table, resulting in misrouting of data packets and causing
a denial of service.
5. UDP flood: The attacker sends a large number of UDP packets to
non-listening ports on the victim. This causes the victim to respond with an
ICMP Host Unreachable message for each packet that it receives.
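The reassembly checks a hardened IP stack applies against the ping of death and teardrop cases above, added here as an example (not part of the original notes): overlapping fragments and reassembled sizes over 65535 bytes are rejected before any bytes are copied. The fragment sets are constructed; the teardrop set uses the notes' own offsets and lengths.

```python
"""Fragment reassembly guard (added example, not from the original notes).
It checks an IP fragment set the way a hardened reassembler should before
copying bytes: overlapping fragments (teardrop) and reassembled sizes above
the 65535-byte IP maximum (ping of death) are rejected instead of processed.
The sample fragment sets are constructed."""

MAX_IP_PACKET = 65535  # maximum legal IP packet size, including header


def check_fragments(fragments):
    """fragments: iterable of (offset_bytes, payload_bytes, more_fragments_flag).
    Returns a list of problem strings; an empty list means reassembly is safe."""
    problems = []
    frags = sorted(fragments, key=lambda f: f[0])
    end_seen = 0  # highest byte offset covered so far
    for offset, payload, _more in frags:
        if offset < end_seen:
            problems.append(f"overlap: fragment at {offset} overlaps bytes up to {end_seen}")
        end_seen = max(end_seen, offset + len(payload))
    if end_seen > MAX_IP_PACKET:
        problems.append(f"oversize: reassembled length {end_seen} exceeds {MAX_IP_PACKET}")
    if frags and frags[-1][2]:
        problems.append("incomplete: last fragment still has the more-fragments flag set")
    return problems


def reassemble(fragments):
    """Return the reassembled payload, or raise ValueError if the set is unsafe
    or has a gap (the caller should then drop the whole datagram)."""
    problems = check_fragments(fragments)
    if problems:
        raise ValueError("; ".join(problems))
    buffer = bytearray()
    for offset, payload, _more in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buffer):
            raise ValueError(f"gap: expected offset {len(buffer)}, got {offset}")
        buffer += payload
    return bytes(buffer)


# Constructed samples
TEARDROP = [(0, b"A" * 60, True), (30, b"B" * 90, False)]          # the notes' example
PING_OF_DEATH = [(0, b"\x00" * 65528, True), (65528, b"\x00" * 8, False)]
NORMAL = [(0, b"x" * 20, True), (20, b"y" * 10, False)]

if __name__ == "__main__":
    for name, frags in [("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH),
                        ("normal", NORMAL)]:
        print(name, "->", check_fragments(frags) or "ok")
```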

DoS Shortfalls

1. These attacks are unable to bring down large-bandwidth websites.
2. New distributed server architectures make it harder for one denial-of-service
attack to take down an entire site.
3. New software protections deactivate existing DoS attacks quickly.
4. Service providers know how to prevent these attacks from affecting
their networks.
Distributed Denial of Service (DDoS) Attack

In DDoS attack, a large number of hosts are used to flood unwanted traffic
to a single target. The target cannot then be accessible to other users in the
network, as it is processing the flood of traffic.

Highly visible sites like CNN, eBay and Yahoo were brought down by
DDoS attacks in Feb 2000.

In a DDoS attack, the attacker scans the Internet to find multiple vulnerable
hosts called handlers and compromises them. Each handler, in turn, recruits many
agents to launch the attack.

IP spoofing is a common technique used in almost all forms of attack.

Botnets consist of a large number of “zombie” machines controlled by a
single user which can be used to carry out all sorts of attacks. Network and
protocol implementation loopholes can also be used for launching such attacks.

Attackers can use different kinds of scanning techniques in order to find
vulnerable machines.

1. Hit-list scanning: Long before attackers start scanning, they collect a list of
a large number of potentially vulnerable machines.
2. Random scanning: The machine that is infected by the malicious code
probes IP addresses randomly from the IP address space and checks their
vulnerability.

How do you know if an attack is happening?

The following symptoms could indicate a DoS or DDoS attack:

a) Inability to access any website.
b) Sudden increase in the amount of spam you receive in your account.
c) Slowdown of the network/Internet speed.
d) A particular website is unavailable.

A DDoS attack consumes system resources, thereby reducing the speed of the computer.
Resource attacks can be classified as

1. Internal resource attack

2. Attacking data transmission resources

(Figure: DDoS Attack)

Widely Used DDoS Programs/Tools

1. Trinoo: This is the first DDoS Tool widely available. A trinoo network
consists of a master host and many broadcast hosts. When an attacker
wishes to launch a denial-of-service attack, he/ she issues commands to
the master host using a TCP connection. The master then communicates
with all of the broadcast hosts via UDP, telling them to send a flood of
UDP packets to random ports on the specified target host. The flood of
UDP packets coming from the broadcast hosts causes denial of service to
the target host. An attacker must have prior access to a host in order to
install a trinoo master or broadcast, either by breaking in or by some
other means.
2. TFN (Tribe Flood Network): TFN is a distributed denial of service tool
that allows an attacker to use several hosts at once to flood a target. It has
four different kinds of floods: ICMP Echo flood, UDP Flood, SYN
Flood, and Smurf attack. The TFN client and server use ICMP echo reply
packets to communicate with each other. The attacker uses the TFN client
to control the remote servers and initiate the denial-of-service attack.
3. Stacheldraht is also based on the TFN and trinoo client/server model
where a master program communicates with potentially many thousands
of agent programs. The perpetrator connects to the master program to
initiate the attack. Stacheldraht adds the new features: encrypted
communication between the attacker and the master program, as well as
automated updates of the agent programs using RCP.

In a DoS attack, one computer and one Internet connection are used to
flood a server with packets, with the aim of overloading the targeted server’s
bandwidth and resources.

A DDoS attack uses many devices and multiple Internet connections,
often distributed globally into what is referred to as a botnet. A DDoS attack
is much harder to deflect, simply because there is no single attacker to
defend against, as the targeted resource will be flooded with requests from
many hundreds or thousands of sources.

Session Hijacking

Session hijacking refers to the exploitation of a valid computer session
where an attacker takes over a session between two computers. The attacker
steals a valid session ID, which is used to get into the system and sniff the
data.

To perform session hijacking, an attacker needs to know the victim’s
session ID (session key). This can be obtained by stealing the session cookie
or persuading the user to click a malicious link containing a prepared session
ID.
In both cases, after the user is authenticated on the server, the attacker
can take over (hijack) the session by using the same session ID for their own
browser session. The server is then fooled into treating the attacker’s
connection as the original user’s valid session.

Session Hijacking can be done at two levels: Network Level and
Application Level. Network level hijacking involves TCP and UDP sessions,
whereas Application-level session hijack occurs with HTTP sessions.

Session hijacking involves the following three steps to perform an attack:

1. Tracking the session: The hacker identifies an open session and
predicts the sequence number of the next packet.
2. Desynchronizing the connection: The hacker sends the valid user’s
system a TCP reset (RST) or finish (FIN) packet to cause them to
close their session.
3. Injecting the attacker’s packet: The hacker sends the server a TCP
packet with the predicted sequence number, and the server accepts
it as the valid user’s next packet.

Types of Session hijacking

1. Active: In an active attack, the culprit takes over your session and
stops your device from communicating with the web server,
kicking you off. Posing as you, the criminal can perform actions
only you would be able to. Depending on what website the session
is taking place on, the hacker can then make online purchases,
change passwords, or recover accounts as if they were you.
2. Passive: In a passive attack, you don’t get kicked out of the
session. Instead, the criminal quietly observes the data traffic
between your device and the server, collecting your sensitive
information. This way they can find out your passwords, credit
card details, and other information without raising suspicions.
Hacking Web Server

A web server is defined as an application that responds to web page
requests submitted by various users over the Internet using HTTP. The
web server basically constitutes the interface between users and web-based
applications and databases.

The applications/databases that users connect to through these Web
servers are called websites. Any vulnerability occurring in the front-end
applications, database or OS can translate to Web Server vulnerabilities.

Types of Web Server Vulnerabilities:

1. Web server software misconfiguration
2. Lack of proper security policies and procedures
3. Application bugs, or flaws in programming code
4. Vulnerable default installation of operating system and web server
software

Attacks against Web Servers

A website defacement is an attack on a website that changes the visual
appearance of the site.

A message is often left on the webpage. Most times the defacement is
harmless; however, it can sometimes be used as a distraction to cover up
more sinister actions such as uploading malware.

Defacing a website means the hacker exploits a vulnerability in the
operating system or web server software and then alters the website files to
show that the site has been hacked.

Often the hacker displays their hacker’s name on the website’s home
page.
A web site defacement consists of following key elements:

1) A system with a vulnerability is identified and exploited, allowing
unauthorized access by a malicious third party
2) Existing web pages are modified or replaced with new text or
graphics
3) Something that an attacker might hope to accomplish as a result of
a web site defacement

Common website attacks that enable a hacker to deface a website include the
following:

1. Using a man-in-the-middle attack to capture administrator credentials
2. Compromising an FTP or e-mail server
3. Misconfiguring web shares
4. Using SQL injection attacks
5. Using Telnet or Secure Shell intrusion
6. Carrying out URL poisoning, which redirects the user to a different
URL

Patch Management Techniques

Patch management is the process that helps acquire, test and install
multiple patches (code changes) on existing applications and software tools
on a computer, enabling systems to stay updated on existing patches and
determining which patches are the appropriate ones.

Managing patches thus becomes easy and simple.

Generally, software patches can be categorized into three different
categories: feature updates, bug fixes, and security updates.

1. Feature patches: they improve software functionality and provide
additional capabilities.
2. Bug fix patches: they address certain errors found in software,
helping it run smoothly and prevent crashes.
3. Security patches: through security patch management they correct
known software vulnerabilities and cover holes in your systems,
thus preventing malicious actors from exploiting the flaws and
compromising your organization.

Countermeasures for Web server-based attacks are:

a) Keep web software patched and updated.
b) Disable client-side scripting.
c) Block unsigned applets.
d) Disable cookies.
e) Use a proxy server with content filtering.
f) Don’t install scripting languages on Web servers.
g) Inspect all scripts before deploying them.
h) Audit and log activity.
i) Deny access from known malicious domains.
j) Disable harmful or exploited URL constructions such as directory
traversals (..), backslashes, or multiple CGI processes in a single
URL.
k) Restrict non-Web file types from being referenced in a URL.
l) Disable unused script extension mappings.

Hacking Web Applications

Web applications are programs that reside on a web server to give the
user functionality. Database queries, webmail, discussion groups, and blogs
are all examples of web applications.

A web application uses a client/server architecture, with a web browser
as the client and the web server acting as the application server.

Prominent examples of web application vulnerabilities are the following:

1. Code injection vulnerabilities: Code injection vulnerabilities or injection
flaws are prevalent and extremely popular types of flaws which may quite
profoundly undermine a web application's security. The key point here is the
connection between the application interface and a back-end database,
provided that an RDBMS and SQL are used to access the database. For
example, this could happen if parts of a random user's input were integrated
into an SQL query without first securing this input against malicious
content.
2. Cross-Site Scripting (XSS): Cross-Site Scripting is another vulnerability of
paramount importance, also stemming from the lack of web application
development provisions to validate input. The application is not the ultimate
target but, rather the means to it.

(Figure: Stages of a web application attack)

Web Application Threats

The following are the most common threats:

1. SQL Injection: SQL injection is a type of web application
security vulnerability in which an attacker is able to submit a
database SQL command, which is executed by a web
application, exposing the back-end database.
2. Command injection: The hacker inserts programming
commands into a web form.
3. Cookie poisoning and snooping: The hacker corrupts or steals
cookies.
4. Cross-site scripting: A parameter entered into a web form is
processed by the web application.

SQL Injection

SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry
field for execution. SQL injection attacks are also known as SQL insertion attacks.
SQL Injection is one of the most common application layer attack techniques used
today.

SQL injection refers to a class of code-injection attacks in which
data provided by the user is included in an SQL query in such a way that part of the
user’s input is treated as SQL code. An attacker can submit SQL commands
directly to the database.

SQL injection attacks can lead to privilege bypass and/or
escalation, disclosure of confidential information and corruption of database
information, among other effects.

SQL Injection Example: An example SQL injection attack starts
with code utilizing an SQL statement, such as:

$db_statement = "SELECT COUNT(1) FROM `users` WHERE `username` = '$username' AND `password` = '$password'";

In an SQL injection attack against code such as this, the attacker
supplies input such as the following to the application:

$username = "badUser";
$password = "' OR '1'='1";

Using this example, the SQL statement executed becomes the
following:

SELECT COUNT(1) FROM `users` WHERE `username`='badUser' AND `password`='' OR '1'='1';

In the above example, this results in returning a count of all rows in
the "users" table, regardless of the user’s name or password supplied, since the
condition '1'='1' always evaluates to true. If the query shown in this example is used
for authentication purposes, the example SQL injection attack has just bypassed the
authentication process for the application in question.

This form of SQL injection occurs when user input is not filtered
for escape characters and is then passed into an SQL statement. This results in the
potential manipulation of the statements performed on the database by the end user
of the application.

In a web application, the values received from a Web form, cookie,
input parameter, etc., are typically not validated before being passed to SQL
queries sent to a database server; the SQL statements are built dynamically from
them. An attacker can control the input that is sent to an SQL query and manipulate
that input.

An attacker may be able to execute code on the back-end database.
The figure shows a three-tier application with SQL commands.

Using SQL injections, attackers can add new data to the database,
modify data currently in the database and sometimes gain access to other users’
system capabilities by obtaining their passwords.
Prevention from SQL Injection Attack

1. Check the syntax of input for validity
2. Specify length limits for input strings
3. Scan the query string for undesirable word combinations that
indicate SQL statements
4. Limit database permissions
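The notes' login query in vulnerable and hardened form, added here as an example (not code from the original notes): string interpolation lets the `' OR '1'='1` input bypass authentication, bound parameters do not, and an allow-list check applies prevention steps 1 and 2 before any query. The in-memory SQLite table and its rows are constructed.

```python
"""The notes' login query, vulnerable and hardened (added example, not from the
original notes).  An in-memory SQLite table stands in for the `users` table; the
rows in it are constructed.  Passwords are stored in clear text only to keep the
notes' query shape; real systems store password hashes."""
import re
import sqlite3


def make_db():
    """Constructed sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String interpolation, as in the notes: user input becomes part of the SQL."""
    sql = (f"SELECT COUNT(1) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Bound parameters: the database receives the values separately from the
    statement, so input can never change the query's syntax."""
    sql = "SELECT COUNT(1) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def validate_input(value, max_len=32):
    """Prevention steps 1 and 2 from the notes: syntax (allow-list) and length
    check, applied before the value reaches any query.  The allow-list is an
    assumption suited to usernames, not a general rule."""
    return len(value) <= max_len and re.fullmatch(r"[A-Za-z0-9_]+", value) is not None


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "badUser", injected))      # True
    print("parameterized:", login_parameterized(db, "badUser", injected))  # False
    print("input valid  :", validate_input(injected))                      # False
```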

Blind SQL Injection

Blind SQL Injection is used when a web application is vulnerable
to an SQL injection but the results of the injection are not visible to the attacker.
Time delays are a type of blind SQL injection that cause the SQL engine to
execute a long running query or a time delay statement depending on the logic
injected.

Blind SQL Injection is used when there is no output and no error
from the web application. This attack is often used when the web application is
configured to show generic error messages, but has not mitigated the code that is
vulnerable to SQL injection.

Blind SQL injection is identical to normal SQL Injection except
that when an attacker attempts to exploit an application, rather than getting a useful
error message, they get a generic page specified by the developer instead.

Web applications commonly use SQL queries with client-supplied
input in the WHERE clause to retrieve data from a database. By adding additional
conditions to the SQL statement and evaluating the web application’s output, you
can determine whether or not the application is vulnerable to SQL injection.

To secure an application against SQL injection, developers must
never allow client-supplied data to modify the syntax of SQL statements. All SQL
statements required by the application should be in stored procedures and kept on
the database server.
SQL server penetration Tools

1. Sqlpoke is an NT-based tool that locates MSSQL servers and
tries to connect with the default account. It scans IP addresses
looking for SQL Servers with the default sa password.
2. NGSSQLCrack: This is a password auditing tool. It identifies
user accounts with weak passwords that could be vulnerable to
brute force attacks.
3. SQLScan: Scans IP addresses looking for SQL Servers, with an IP
list to scan, an optional dictionary file and optional installation of a
backdoor on vulnerable hosts.

Hacking Wireless Networks

The following are the key factors contributing to the higher security risk of wireless
networks.

1. Communication Channel: Wireless networking typically
involves broadcast communications, which is far more
susceptible to eavesdropping and jamming than wired networks.
Wireless networks are also more vulnerable to active attacks
that exploit vulnerabilities in communications protocols.
2. Mobility: Wireless devices are far more portable and mobile,
thus resulting in a number of risks.
3. Accessibility: Some wireless devices, such as sensors and
robots, may be left unattended in remote and/or hostile
locations, thus greatly increasing their vulnerability to physical
attacks

Type of Wireless Attack

The main categories of attack on wireless computer networks are as follows:

1. Interruption of service: A resource becomes unavailable because
it is destroyed.
2. Modification: The attacker gains access to the resources and modifies
database values, alters programs, etc.
3. Fabrication: The attacker sends fake messages to the
neighbouring nodes without receiving any related message.
4. Jamming: Jamming is a special class of DoS attack which is
initiated by a malicious node after determining the frequency of
communication. In this type of attack, the jammer transmits
signals along with security threats. Jamming attacks also
prevent the reception of legitimate packets.
5. Attacks against encryption: The Wired Equivalent Privacy encryption
method is used in 802.11b wireless LANs, but there are
weaknesses in this algorithm. A sophisticated attacker can break the
WEP method.
6. Brute force attacks against passwords of access points: A ‘brute
force’ login attack is a type of attack against an access point to
gain access by guessing the username and password over and
over again.
7. Mis-configuration: Because of the heavy load on the network
admin, most of the access points are not configured properly.
These access points remain at high risk of being accessed by
unauthorized parties or hackers.
8. Interception: Because the communication takes place over a wireless
medium, it can easily be intercepted with a receiver tuned to the
proper frequency. The main aim of such attacks is to obtain the
confidential information that should be kept secret during the
communication. The information may include private keys,
public keys, locations or passwords of the nodes.

Wireless Equivalent Privacy Protocol (WEP)

Wired Equivalent Privacy (WEP) is a security protocol, specified in
the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b, that is designed to provide
security for a wireless local area network (WLAN). WEP is designed to provide the
same level of security as that of a wired LAN.

The WEP algorithm was designed to be used to protect wireless
communication from unauthorized eavesdropping and to restrict access to a
wireless network.
A wired local area network (LAN) is generally protected by
physical security mechanisms that are effective for a controlled physical
environment. Because a wireless network broadcasts messages using radio, it is
particularly susceptible to eavesdropping.

WEP aims to provide security by encrypting data over radio waves
so that it is protected as it is transmitted from one end point to another. However,
WEP is not as secure as believed.

WEP is used at the two lowest layers of the OSI model - the data
link and physical layers; it therefore does not offer end-to-end security.

WEP is part of the IEEE 802.11 standard. It uses the stream cipher
RC4 for confidentiality and the CRC-32 checksum for integrity. Fig. 5.7.1 shows
basic WEP Encryption where RC4 Keystream XORed with Plaintext.

(Fig. 5.7.1: Basic WEP Encryption where RC4 Keystream XORed with Plaintext)

Standard 64-bit WEP uses a 40-bit key, which is concatenated to a
24-bit initialization vector (IV) to form the RC4 traffic key. Restrictions on
cryptographic technology limited the key size. Once the restrictions were lifted, all of
the major manufacturers eventually implemented an extended 128-bit WEP
protocol using a 104-bit key size.

Key size is not the only major security limitation in WEP. Cracking
a longer key requires interception of more packets, but there are active attacks that
stimulate the necessary traffic.

There are other weaknesses in WEP, including the possibility of IV
collisions and altered packets, that are not helped at all by a longer key.
Because RC4 is a stream cipher, the same traffic key must never be
used twice. The purpose of an IV, which is transmitted as plain text, is to prevent
any repetition, but a 24-bit IV is not long enough to ensure this on a busy network.
The way the IV was used also opened WEP to a related-key attack. For a 24-bit IV,
there is a 50% probability that the same IV will repeat after 5000 packets.
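The Fig. 5.7.1 construction and the IV collision figure above, worked through as an added example (not code from the original notes): RC4 keyed with IV || key, its keystream XORed with plaintext || CRC-32 ICV, a birthday-bound calculation that reproduces the "50% after 5000 packets" claim, and a monitor-side check that reports a repeated IV. Keys, IVs and payloads are constructed.

```python
"""WEP frame protection and IV-reuse analysis (added example, not from the
original notes).  It implements the Fig. 5.7.1 construction (RC4 keyed with
IV || key, keystream XORed with plaintext || CRC-32 ICV) and the birthday
bound behind the notes' "50% after 5000 packets" figure.  Keys, IVs and
payloads below are constructed; nothing here talks to a real network."""
import struct
import zlib
from math import exp

IV_BITS = 24


def rc4_keystream(key, length):
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, plaintext):
    """Return iv || RC4_{iv||key}(plaintext || ICV) for a 40- or 104-bit key."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 24 bits and key 40 or 104 bits")
    data = plaintext + _icv(plaintext)
    keystream = rc4_keystream(iv + wep_key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, keystream))


def wep_decrypt(wep_key, frame):
    """Strip the clear-text IV, regenerate the keystream and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + wep_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, keystream))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch: frame corrupted or tampered")
    return plaintext


def iv_collision_probability(packets, iv_bits=IV_BITS):
    """Birthday-bound probability that at least one IV repeats among `packets`
    frames sent under the same key (IVs drawn uniformly at random)."""
    space = 2 ** iv_bits
    return 1.0 - exp(-packets * (packets - 1) / (2.0 * space))


def detect_iv_reuse(frames):
    """Monitor-side check: return IVs seen more than once in a capture of
    frames protected by the same key, in first-repeat order."""
    seen, reused = set(), []
    for frame in frames:
        iv = frame[:3]
        if iv in seen and iv not in reused:
            reused.append(iv)
        seen.add(iv)
    return reused


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"           # constructed 40-bit key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"hello wep")
    print(wep_decrypt(key, frame))           # b'hello wep'
    print(f"P(IV collision, 5000 frames) = {iv_collision_probability(5000):.3f}")
    print(detect_iv_reuse([frame, frame]))   # [b'\x00\x00\x01']
```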

WEP security involves two parts: authentication and encryption.

When a device initially joins the LAN, authentication starts. It
prevents a device or station from joining the network unless it knows the WEP key.

WEP authentication

The wireless device sends an authentication request to the wireless access
point, then the wireless access point sends a 128-bit random challenge in clear
text to the requesting client. The wireless device uses the shared secret key
to sign the challenge and sends it to the wireless access point.

Wireless access point decrypts the signed message using the shared
secret key and verifies the challenge that it has sent before. If the challenge
matches, then authentication succeeds otherwise not.

In WEP, the same key is used for authentication and encryption. So it is
difficult to tell whether subsequent messages come from the trusted
device or from an impostor. There is a possibility of a man-in-the-middle attack.
Strengthening WEP

The following are solutions to overcome the weaknesses of WEP:

1. The initialization vector size should be increased.
2. The hashed value of the IV can be pre-pended or appended to the cipher-text
instead of the clear-text.
3. For data integrity verification, use a different method instead of the CRC
checksum.
4. Change the secret key regularly.
5. Better key management using security handshake protocols.
6. New authentication mechanisms using the Extensible Authentication
Protocol (EAP).

Wireless Sniffers and Locating SSIDs

Sniffing is eavesdropping on the network. A packet sniffer is a program that
intercepts and decodes network traffic broadcast through a medium.

Sniffing is the act by a machine S of making copies of a network packet sent
by machine A intended to be received by machine B. Such sniffing, strictly
speaking, is not a TCP/IP problem, but it is enabled by the choice of broadcast
media, Ethernet and 802.11, as the physical and data link layers.

Sniffing has long been a reconnaissance technique used in wired networks.
Attackers sniff the frames necessary to enable the exploits described in later
sections.

Sniffing is the underlying technique used in tools that monitor the health of a
network. Sniffing can also help find the easy kill as in scanning for open access
points that allow anyone to connect, or capturing the passwords used in a
connection session that does not even use WEP, or in telnet, rlogin and ftp
connections.

It is easier to sniff wireless networks than wired ones. It is easy to sniff the
wireless traffic of a building by setting up shop in a car parked in a lot as far away
as a mile, or while driving around the block.
In a wired network, the attacker must find a way to install a sniffer on one or
more of the hosts in the targeted subnet. Depending on the equipment used in a
LAN, a sniffer needs to be run either on the victim machine whose traffic is of
interest or on some other host in the same subnet as the victim.

An attacker at large on the Internet has other techniques that make it possible
to install a sniffer remotely on the victim machine.

Scanning is the act of sniffing by tuning to various radio channels of the
devices. A passive network scanner instructs the wireless card to listen to each
channel for a few messages. This does not reveal the presence of the scanner.

The Service Set Identifier (SSID) is the name of the WLAN and can be
located in a beacon. Wireless computers need to configure the SSID before
connecting to a wireless network.

If two wireless network shares physically close, the SSIDs are used to
identify and differentiate the respective networks.

The attacker can discover the SSID of a network usually by passive scanning
because the SSID occurs in the following frame types: Beacon, Probe Requests,
Probe Responses, Association Requests, and Reassociation Requests.

The SSID is usually sent in the clear in a beacon packet. Most APs allow the
WLAN administrator to hide the SSID.

If the Beacons are not turned off, and the SSID in them is not set to null, an
attacker obtains the SSID included in the Beacon frame by passive scanning.

If Beacon transmission is disabled, the attacker has two choices. The
attacker can keep sniffing, waiting for a voluntary Association Request to appear
from a legitimate station that already has the correct SSID, and sniff the SSID as
described above. The attacker can also choose to actively probe by injecting frames
that he constructs, and then sniff the response. When the above methods fail, SSID
discovery is done by active scanning.
Collecting the MAC Addresses:

The attacker gathers legitimate MAC addresses for use later in constructing
spoofed frames. The source and destination MAC addresses are always in the clear
in all the frames.

There are two reasons why an attacker would collect MAC addresses of
stations and APs participating in a wireless network.

1. The attacker wishes to use these values in spoofed frames so that
his station or AP is not identified.
2. The targeted AP may be controlling access by filtering out frames
with MAC addresses that were not registered.
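The two points above (the SSID travels in the clear in Beacon, Probe and Association frames, and the MAC addresses are in the clear in every frame) can be checked from the defender's side by decoding the management frame header and its tagged elements. The following is an added example, not code from the notes: a small 802.11 management-frame parser in Python and an audit routine that reports, per BSSID, whether the beacon hides the SSID and which other frame types still disclosed the name. The frames it runs on are constructed in the block (not real captures); the frame layout and element ids follow the 802.11 standard, everything else (function names, the report format) is this example's own choice.

```python
import struct

# 802.11 management subtypes whose body carries an SSID element (the frame
# types listed in the notes), with the length of the fixed fields that sit
# between the 24-byte header and the tagged elements in each of them.
SSID_SUBTYPES = {
    0: ("Association Request", 4),     # Capability(2) + Listen Interval(2)
    2: ("Reassociation Request", 10),  # ... + Current AP address(6)
    4: ("Probe Request", 0),
    5: ("Probe Response", 12),         # Timestamp(8) + Interval(2) + Cap(2)
    8: ("Beacon", 12),
}
SSID_ELEMENT_ID = 0
HEADER_LEN = 24  # Frame Control(2) Duration(2) Addr1-3(18) Sequence Ctl(2)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Decode the addresses and SSID element of one management frame.
    Returns None for frames that are too short or of no interest."""
    if len(frame) < HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:            # frame type 0 = management
        return None
    subtype = fc0 >> 4
    if subtype not in SSID_SUBTYPES:
        return None
    name, fixed_len = SSID_SUBTYPES[subtype]
    info = {
        "subtype": name,
        "addr1": mac_str(frame[4:10]),    # receiver address
        "addr2": mac_str(frame[10:16]),   # transmitter address
        "bssid": mac_str(frame[16:22]),   # Addr3 is the BSSID in these frames
        "ssid": None,
        "hidden": False,
    }
    body = frame[HEADER_LEN + fixed_len:]
    i = 0
    while i + 2 <= len(body):             # walk tagged elements: id, len, value
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) < elen:
            break                         # truncated element: stop, don't guess
        if eid == SSID_ELEMENT_ID:
            # A zero-length or all-NUL SSID is how an AP "hides" the name.
            if elen == 0 or value == b"\x00" * elen:
                info["hidden"] = True
                info["ssid"] = ""
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
            break
        i += 2 + elen
    return info


def audit_ssid_exposure(frames):
    """Per BSSID: is the beacon SSID hidden, and which other frame types
    disclosed the network name anyway (the weakness the notes describe)."""
    report = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None or info["ssid"] is None:
            continue
        entry = report.setdefault(
            info["bssid"], {"beacon_hidden": None, "disclosed_by": {}})
        if info["subtype"] == "Beacon":
            entry["beacon_hidden"] = info["hidden"]
        elif not info["hidden"]:
            entry["disclosed_by"][info["subtype"]] = info["ssid"]
    return report


# --- constructed sample frames (test data, not captures) ------------------
def build_mgmt(subtype, addr1, addr2, bssid, fixed, ssid_bytes):
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # Supported Rates element
    return header + fixed + ssid_ie + rates_ie


AP = bytes.fromhex("02aabbccddee")          # locally administered, made up
STA = bytes.fromhex("021122334455")
BCAST = b"\xff" * 6
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, cap
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)        # capability, listen int.

SAMPLE_FRAMES = [
    build_mgmt(8, BCAST, AP, AP, BEACON_FIXED, b""),          # hidden-SSID beacon
    build_mgmt(0, AP, STA, AP, ASSOC_FIXED, b"CorpWLAN"),     # client joins anyway
    build_mgmt(8, BCAST, bytes.fromhex("02000000000a"),
               bytes.fromhex("02000000000a"), BEACON_FIXED, b"GuestNet"),
]

if __name__ == "__main__":
    for bssid, entry in audit_ssid_exposure(SAMPLE_FRAMES).items():
        print(bssid, entry)
```

Running the block shows the first AP hiding its SSID in the beacon while the Association Request from a legitimate client carries "CorpWLAN" in the clear, which is exactly why hiding the SSID is not a confidentiality control; the addresses in every frame are decoded the same way, with no encryption to strip.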

Wireless Hacking Techniques

Wireless hacking attacks can be categorized as follows:

1. Cracking encryption and authentication mechanisms: It
includes cracking WEP, WPA etc. Hackers can use these to
connect to the WLAN using stolen credentials or can capture
other users' data and decrypt/encrypt it.
2. Eavesdropping or sniffing: This involves capturing
passwords or other confidential information from an
unencrypted WLAN or hotspot.
3. Denial of Service: DoS can be performed at the physical
layer.
4. AP masquerading or spoofing: Rogue APs pretend to be
legitimate APs by using the same configuration SSID
settings or network name.
5. MAC spoofing: The hacker pretends to be a legitimate
WLAN client and bypasses MAC filters by spoofing another
user’s MAC address.
Hacking Mobile Platform

When a mobile phone transmits audio, it applies an oscillating electric
current to the mobile phone antenna. The mobile phone antenna then emits
corresponding electromagnetic waves, which are also known as radio waves.

To receive calls, the mobile phone antenna intercepts an
electromagnetic wave of a particular frequency. Its terminal then receives a
minuscule amount of voltage, which is amplified and converted to sound by
other components.

Mobile phone antennas transmit signals to radio towers and receive
signals back simultaneously.

Modern mobile phones use cellular networks. Cellular networks are
also radio networks. In a cellular network, the towers are distributed over
portions of land called cells. These cells are usually hexagonal in shape, but
they can also be square or circular. Each cell of land contains at least one
radio tower.

Each cell is also assigned a number of frequencies, which correspond
to radio base stations; other cells can use the same frequencies as long as they
are not adjacent.

A cell-phone carrier typically gets 832 radio frequencies to use in a
city.

Each cell phone uses two frequencies per call, a duplex channel. So there are
typically 395 voice channels per carrier. (The other 42 frequencies are used for
control channels.)

Since the frequencies are reused in groups of seven cells, each cell has about 56
voice channels available (395 / 7). In other words, in any cell, 56 people can be
talking on their cell phone at one time.

A cell-phone handset is composed of two components: Radio frequency (RF)
and Baseband.

RF is the mode of communication for wireless technologies of all kinds,
including cordless phones, radar, ham radio, GPS, and radio and television
broadcasts.

RF waves are electromagnetic waves which propagate at the speed of light,
or 186,000 miles per second (300,000 km/s). The frequencies of RF waves,
however, are lower than those of visible light, making RF waves invisible to the
human eye.

Baseband: In signal processing, baseband describes signals and systems
whose range of frequencies is measured from zero to a maximum bandwidth or
highest signal frequency. In telecommunications, it is the frequency range occupied
by a message signal prior to modulation. It can be considered a synonym for
low-pass.

A mobile phone contains SMD components, a microprocessor, flash memory
etc. In addition to the circuit board, a mobile phone also has an antenna, LCD,
keyboard, microphone, speaker and battery.

International mobile equipment identity (IMEI):

IMEI is a unique number given to every single mobile phone, typically
found behind the battery. IMEI numbers of cellular phones connected to a GSM
network are stored in a database containing all valid mobile phone equipment.
When a phone is reported stolen or is not type approved, the number is marked
invalid.

Equipment Identity Register (EIR):

The EIR keeps a black list of stolen phones that should be barred from
access. Stolen phones can be re-flashed with a new IMEI and thus avoid the EIR
check.

EIR can also block phones that are malfunctioning and disturb the network.

The EIR feature is used to reduce the number of GSM mobile handset thefts
by providing a mechanism to assist network operators in preventing stolen or
disallowed handsets from accessing the network.
This control is done by comparing the International Mobile Equipment
Identity (IMEI) that is provided during handset registration to a set of three lists
provided by the network operator:

a) Black list - Mobile Stations (MS) on the Black List will be denied
access to the network
b) White list - MSs on the White List will be allowed access to the
network
c) Gray list - MSs on the Gray List will be allowed on the network,
but may be tracked
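The IMEI/EIR check above can be shown end to end in a few lines. The following is an added example, not code from the notes or from any real operator's EIR: it validates the 15-digit IMEI with the Luhn check digit that the IMEI format carries (so obviously malformed numbers are rejected before any list lookup), then classifies the handset against the black, white and gray lists exactly as the three bullets describe. The IMEI values, the list contents, and the policy for a number that is on no list (`default`) are all constructed for the example; real EIRs also match on TAC ranges and keep the lists in a database, which is left out here.

```python
def imei_check_digit_valid(imei):
    """Validate a 15-digit IMEI with the Luhn algorithm (the check-digit scheme
    used by the IMEI format). Malformed input (wrong length, non-digits)
    returns False rather than raising."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9            # same as summing the two digits of the product
        total += d
    return total % 10 == 0


class EquipmentIdentityRegister:
    """Minimal EIR model holding the three operator lists from the notes.
    Precedence (black before gray before white) and the treatment of an IMEI
    that is on no list are design choices of this example, not a standard."""

    DECISIONS = ("deny", "allow_and_track", "allow")

    def __init__(self, black=(), white=(), gray=(), default="allow"):
        if default not in self.DECISIONS:
            raise ValueError(f"unknown default policy {default!r}")
        self.black, self.white, self.gray = set(black), set(white), set(gray)
        self.default = default

    def check(self, imei):
        """Return the access decision for one handset registration attempt."""
        if not imei_check_digit_valid(imei):
            return "reject_malformed"   # cannot be a genuine IMEI: log and refuse
        if imei in self.black:
            return "deny"               # reported stolen / not type approved
        if imei in self.gray:
            return "allow_and_track"    # service continues, registration is logged
        if imei in self.white:
            return "allow"
        return self.default


# Constructed sample IMEIs with valid Luhn check digits (not real handsets).
SAMPLE_EIR = EquipmentIdentityRegister(
    black={"351234567890124"},
    gray={"860000123456781"},
    white={"490154203237518"},
)

if __name__ == "__main__":
    # Constructed registration attempts: one per list plus a typo'd IMEI.
    for imei in ("351234567890124", "860000123456781",
                 "490154203237518", "490154203237519"):
        print(imei, SAMPLE_EIR.check(imei))
```

The point of running the Luhn check first is that an EIR lookup is only as good as the identifier it is given: a re-flashed or mistyped IMEI that fails the check digit should never reach the list comparison. It is no defence against a phone re-flashed with a well-formed IMEI, which is the gap the notes point out.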

Mishing

Mishing is the combination of the words mobile phone and phishing. It is
just like phishing but instead of using a computer, the scammer targets mobile
devices. This is especially true for users who buy goods and services on their
mobile device or use it for banking.

The typical mishing scam involves the scammer calling or text messaging,
posing as an employee from your bank claiming to need your personal details for
authorization.

Scammers are very good at coming up with different reasons why they need
your information. It could be to authorize a payment or a purchase you have made
on your mobile phone.

For example, the image on the right shows the sort of text message that
could be used to trick you into opening a link that looks genuine, but is a
fraudulent site.

To stay safe, keep in mind your bank or business is never going to call you
and ask you for your account information with them and never select a link in the
text message.

Mobile hacking

Hacking means identifying the weaknesses in a computer system or network, or
cracking the system to gain access. Hacking is not only about cracking passwords
and stealing; using anything without the owner's permission is also hacking.

Mobile phone hacking can also mean: intercepting mobile telephone calls to
listen to the call in progress; taking covert control of the mobile phone to receive
copies of text messages and other activity, and to remotely listen to activity around
the phone.

This is done by installing software on the phone to provide the functionality
that is remotely accessed. The phone user is not aware of the operation of the
software. Information is sent using the phone data capability and is not readily
identifiable from the phone bill.

Designing Mobile Security Policy

The mobile device policy should take into account the risks of working with
mobile devices in unprotected environments.

The mobile device policy should consider:

1. registration of mobile devices;
2. requirements for physical protection;
3. restriction of software installation;
4. requirements for mobile device software versions and for applying
patches;
5. restriction of connection to information services;
6. access controls;
7. cryptographic techniques;
8. malware protection;
9. remote disabling, erasure or lockout;
10. backups;
11. usage of web services and web apps.

Security Challenges Posed by Mobile Device

Physical threats: Gaining physical access to a device would allow an attacker
to perform malicious actions such as flashing it with a malicious system image,
connecting it to a computer to install malicious software, or conducting data
extraction.

Network-based threats: Mobile devices use common wireless network
interfaces such as Wi-Fi and Bluetooth for connectivity.

System-based threats: Manufacturers can sometimes introduce
vulnerabilities into their devices unintentionally.

Application-based threats: Similar to system vulnerabilities, third-party
applications on mobile devices may also be out-of-date. Some application
developers do not release software updates in a timely manner or may have
dropped support for older OS versions.
