
Module 3

Computer Forensics
Part 1
1. Introduction to Computer Forensics
• Computer Forensics is a scientific method of investigation and analysis used to
gather evidence from digital devices, computer networks and their components in a
form suitable for presentation in a court of law or other legal body.

• It is the process of methodically examining computer media (hard disks, diskettes,
tapes etc.) for evidence. In other words, computer forensics is the collection,
preservation, analysis and presentation of computer-related evidence.

• It involves performing a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a computer
and who was responsible for it.

2. Importance of Computer Forensics

• Computer forensics is also referred to as computer forensic analysis, electronic
discovery, electronic evidence discovery, digital discovery, data recovery, data
discovery, computer analysis and computer examination.

• Computer evidence can be useful in criminal cases, civil disputes and human resources
or employment proceedings.

• Computer forensics is not just about “detective work”, searching for and trying
to find out information.

• Computer forensics is also concerned with:
i. Responsibility and confidentiality in handling sensitive data.

ii. Taking precautions not to invalidate findings by corrupting data.

iii. Taking precautions to ensure the integrity of the information.

iv. Staying within the rules and guidelines of evidence.

3. Use of Computer Forensics in Law Enforcement :-

Uses of Computer Forensics in Law Enforcement include:

• Recovering deleted files such as documents, graphics and photos.

• Searching unallocated space on the hard drive, where an abundance of
data often resides.
• Tracing artifacts, the fragments of data left behind by the operating system.
Specialists know how to assess the value of the evidence they find.
• Processing hidden files, which are not visible or accessible to the user and which
contain past usage information. Often this requires reconstructing and examining
the date codes for each file to determine when each file was created, last
modified and deleted.
• Running a string search for email, when no email client is evident.

4. Benefits of Professional Computer Forensic Methods:-

A qualified computer forensics professional should ensure that a subject computer
system is carefully handled so that:

i. No possible evidence is damaged, destroyed or otherwise compromised by the
procedures used to investigate the computer.
ii. No computer virus is introduced to the subject computer during the analysis
process.
iii. Extracted and possibly relevant evidence is correctly handled and protected
from later mechanical or electromagnetic damage.
iv. A continuing chain of custody is established and maintained.
v. Business operations are affected for a limited amount of time, if at all.
vi. Any client-attorney information that is inadvertently learned during a forensic
examination is ethically and legally respected and not disclosed or revealed.

5. Steps taken by Computer Forensic Specialists:-


The computer forensics professional should take several cautious steps to identify and
attempt to retrieve evidence that may exist on a computer system. Those steps are
discussed below:

1. Protect: Protect the subject computer system during the forensic examination from
any possible alteration, damage, data corruption, or virus introduction.

2. Discover: Discover all files on the subject system. This includes existing normal files,
deleted yet remaining files, hidden files, password-protected files and encrypted files.

3. Recover: Recover all (or as much as possible) of discovered deleted files.

4. Reveal: Reveal (to the greatest extent possible) the contents of hidden files as well
as temporary or swap files used by both the application programs and the operating
system.

5. Access: Access (if possible and legally appropriate) the contents of protected or
encrypted files.

6. Analyze: Analyze all possibly relevant data found in special (and typically
inaccessible) areas of a disk. This includes but is not limited to what is called
unallocated space on a disk as well as slack space in a file (the remnant area at the end
of a file in the last assigned disk cluster, that is unused by current file data, but once
again, may be a possible site for previously created and relevant evidence).

7. Print: Print out an overall analysis of the subject computer system, as well as a listing
of all possibly relevant files and discovered file data.

8. Provide: Provide an opinion of the system layout, the file structures discovered, any
discovered data and authorship information, any attempts to hide, delete, protect and
encrypt information and anything else that has been discovered and appears to be
relevant to the overall computer system examination. Also provide expert consultation
and/or testimony, as required.

6. Evidence Collection (Disk, Memory, Registry, Logs):-


Why collect evidence?

The main reasons for gathering evidence are:

1. Future Prevention: Without knowing what happened, there is no hope of ever being
able to stop someone else from doing it again.

2. Establishing Facts: Evidence helps establish facts related to a particular incident,
event, or situation. It provides a tangible record of what occurred, helping to create an
accurate and reliable account of events.

3. Supporting Investigations: In criminal investigations, evidence is essential for
identifying and apprehending suspects. It assists law enforcement in building a case
against individuals who may have committed crimes.

4. Legal Proceedings: Evidence is the foundation of legal proceedings. It is presented in
court to support arguments, establish the credibility of claims and contribute to the
overall decision-making process in civil and criminal cases.

5. Ensuring Justice: Properly collected and preserved evidence is useful for ensuring
justice. It helps the legal system make fair and informed decisions, preventing wrongful
convictions and ensuring that the guilty are held accountable.

7. Obstacles in Evidence Collection:-

• Computer transactions are fast, can be conducted from anywhere, can be
encrypted or anonymous, and have no inherent identifying features such as
handwriting and signatures to identify those accountable.

• Any paper trail of computer records they may leave can be easily altered or may
be only temporary.

• Auditing programs may automatically destroy the records left behind once the
computer transactions that produced them are finished.

• Investigating electronic crimes will always be difficult because of the
ease of changing the data and the fact that transactions may be done anonymously.

8. Do’s and Don’ts in Evidence Collection:-

a) Minimize handling and corruption of original data: Once a master copy of the
original data is made, it shouldn’t be touched. Any changes made to the
originals will affect the results of any analysis later done on the copies.

b) Account for any changes and keep detailed logs of your actions: Sometimes
evidence alteration is inevitable. In these cases, it is absolutely essential
that the nature, extent and reasons for the changes be documented.

c) Comply with the five rules of evidence: Following these rules is essential for
ensuring successful evidence collection.

d) Do not exceed your knowledge: If someone finds himself out of his depth, he
should learn more before continuing (if time is available) or find someone who
knows the territory.

e) Follow local security policy: If one fails to comply with his company’s security
policy, he may find himself in difficulties.

f) Capture as accurate an image of the system as possible: Taking an accurate image
of the system is part of reducing the corruption of original data.

g) Work fast: The sooner the work is done, the less likely the data is to
change. Volatile evidence may vanish entirely if it is not collected in time. If
multiple systems are involved, they need to be worked on in parallel.

h) Proceed from volatile to persistent evidence: Try to collect the
most volatile evidence first.

i) Don’t shut down before collecting evidence: A system should never be
shut down before the evidence is collected. If it is, not only is any volatile
information lost, but the attacker may also have trojaned the startup and shutdown
scripts, plug-and-play devices may alter the system configuration and temporary
file systems may be wiped out.

9. Types of Collectable Data:-

There are two types of data that can be collected in a computer forensics investigation:

a) Persistent data: This is data stored on a non-volatile storage device such as
a local hard drive or external storage such as SSDs, HDDs, pen drives, CDs, etc.
The data on these devices is preserved even when the computer is turned off.

b) Volatile data: This is data stored in volatile memory such as registers,
cache or RAM, or data in transit, which is lost once the computer is turned off
or loses power. Since volatile data is temporary, it is crucial that an
investigator knows how to reliably capture it.

10. Types of Evidence:-


Collecting the pieces of evidence is really important in any investigation to support the
claims in court.

Below are some major types of evidence:

a) Real Evidence: These pieces of evidence involve physical or tangible evidence
such as flash drives, hard drives, documents, etc. An eyewitness can also be
considered a piece of tangible evidence.

b) Hearsay Evidence: These pieces of evidence are referred to as out-of-court
statements. These are made in courts to prove the truth of the matter.

c) Original Evidence: These are the pieces of evidence of a statement that is made
by a person who is not a testifying witness. It is done in order to prove that the
statement was made rather than to prove its truth.

d) Testimony: Testimony is when a witness takes an oath in a court of law and gives
their statement in court. The pieces of evidence presented should be authentic,
accurate, reliable, and admissible, as they can be challenged in court.
11. Methods of Evidence Collection:-
There are two basic forms of collection:
1. Freezing the scene
2. Honey potting.

1. Freezing the scene:

• It involves taking a snapshot of the system in its compromised state. Collection
of whatever data is significant onto removable non-volatile media in a standard
format should then begin.
• All data collected should have a cryptographic message digest created, and those
digests should be compared to the originals for verification.

2. Honey Potting:

• It is a trap for hackers. It mimics a target for hackers and uses their intrusion
attempts to gain information about cybercriminals and the way they are
operating, or to distract them from other targets.
• Honey potting is the process of making a replica system and luring the attacker
into it for further monitoring.

The placement of misleading information and the attacker’s reaction to it is a good method
for determining the attacker’s motive.

12. Steps of Evidence Collection:-

Following are the steps of evidence collection:

a) Find the Evidence: A checklist is used. Not only does it help to gather
evidence, but it can also be used to double-check that everything that needs to
be looked for is there.

b) Find the relevant data: Once the evidence has been found, it is easy to figure
out what part of it is relevant to the case.

c) Create an order of Volatility: The order of volatility for a system is a good guide
and ensures that one can minimize loss of valuable evidence.

d) Remove external avenues of change: It is essential that one should avoid
changes to the original data.

e) Collect the Evidence: Collect the evidence using the suitable tools for the
job.

f) Document Everything: Collected evidence may be questioned later, so it is
important that everything that has been done is documented. Timestamps,
digital signatures and signed statements are all significant documents.

13. Computer Evidence Processing Steps:-

i. Shut down the computer.
ii. Document the hardware configuration of the system.
iii. Transport the computer system to a secure location.
iv. Make bit stream backups of hard disks and floppy disks.
v. Mathematically authenticate data on all storage devices.
vi. Document the system date and time.
vii. Make a list of key search words.
viii. Evaluate the Windows swap file, which is erased when the computer is turned
off.
ix. Evaluate file slack (it is a source of significant security leakage and consists of raw
memory dumps that occur during the work session as files are closed).
x. Evaluate unallocated space (erased files).
xi. Search files, file slack and unallocated space for keywords.
xii. Document file names, dates and times.
xiii. Identify file programs and storage anomalies.
xiv. Evaluate program functionality.
xv. Document all the findings.
xvi. Retain copies of software used.

14. People involved in Data Collection Technique:-


There are several people involved in evidence collection techniques:

a) First responder (usually an officer or a security person),

b) Investigators (usually a senior investigator),

c) The crime scene technicians (usually a person who is an expert in computer forensics).

1. The role of first responder:


The first responder is the one who arrives at the crime location, usually an officer or a
security person. They are basically the first people on the scene when there is an
incident. They should be concerned with the following tasks:

a) Identifying the crime location: The person who arrives first at the crime scene
should be able to identify the extent of the crime and restrict access to the crime
location.

b) Protecting the crime scene: All the devices, including non-functional computers,
mobile phones, notebooks, PDAs or other portable devices, are considered a
part of the crime scene. The first responder should freeze the condition of all the
devices and wait for the IT incident response team or investigator in charge to
decide if any equipment can be excluded.

c) Preserving temporary and tampered evidence: Any evidence that could
disappear or be destroyed before the arrival of the investigation team should be
preserved and maintained by the first responder. If there is surveillance (CCTV)
available, then it is easier to have a record of the crime. But if there is no
surveillance, then identifying the crime scene is a challenge for the investigation.

2. Role of Investigators:
a) A chain of order: This refers to the flow of the investigation process. All the systems
and other equipment at the crime scene should not be touched, replaced,
accessed or unplugged without the permission of a senior investigator. The role
of the investigator is to control and manage the investigation.

b) Conducting the crime scene search: Officers should search all the systems, written
documents and notes, manuals and log files related to the crime. This includes
mobile phones, printers, scanners and external devices such as flash drives, hard disks
etc.

c) Preserving integrity of the facts or evidence: Criminals always remove all the
evidence. That’s why it is necessary to preserve all the evidence in order to take
action against the offender. The investigator should make exact copies of all the
evidence, if possible, and should be able to analyse the footprints of the criminal.

3. Role of Crime Scene Technicians:


a) Preserving temporary evidence by replicating disks: The disk containing evidence
should be replicated or copied before shutting down the system, as there is
the possibility of evidence disappearing after shutting down or rebooting
the system.

b) Shutting down the computer system for transport: To preserve the integrity of
original evidence, systems should be properly shut down. All the running
applications should be properly closed in order to avoid corruption of files.

c) Marking and recording the evidence: All the evidence should be marked with the
time and date of collection, initials of the investigator, case
identification number and other related information, all of which should be
recorded in evidence log files.

d) Packaging of the evidence: All the digital evidence such as handhelds, computers,
laptops, PDAs and hard disks should be properly packed in antistatic bags for
transport. Written documents such as notes, manuals and books should be
placed in plastic bags in order to protect them from damage.

e) Securely transporting the evidence: All the data should be securely transported to a
secure evidence locker. The evidence should not come directly in contact with
magnetic fields during transport nor be left in direct sunlight etc.

f) Processing the evidence: Finally, special tools will be used to analyse the data.

16. Live Data Collection from Windows System:-

The following steps should be followed to collect the live data from a Windows system.

i. Creating a response toolkit
ii. Saving information collected during initial response
iii. Obtaining volatile data for live response
iv. Documenting and managing the investigation

I. Creating a Response toolkit:

a. Collecting the tools: It is critical to use trusted commands in all incident
responses, irrespective of the type of incident. An investigator should maintain a
CD or a floppy that contains at least the tools described below.

b. Preparing the Response toolkit: There are several stages to prepare the toolkit
for initial response.

a) Tag the response toolkit media: Documenting the collection itself is the
first step in the evidence collection process. CDs or floppies should be
tagged to identify that they are part of the investigation. The tag may
contain information such as the case identification number, time and date of the
investigation, name of the investigator who created the response media
and also the name of whoever used that response media.

b) Check for dependencies with Filemon: It is necessary to identify which
DLLs and files the response tools depend on.

c) Create checksums for the response toolkit.

d) Write protect any toolkit floppies.

II. Saving information obtained during the initial response:

There are four options available for storing the information that has been retrieved.

a) The information obtained can be saved on the hard drive of the target
system.
b) The obtained data can be noted by hand.
c) The obtained data can be saved to floppy disks or other external devices.
d) The obtained data can be sent to the forensic system by using
cryptcat or netcat.

Transferring data using Netcat:

• Netcat is a freely available tool that can be used to establish a
communication channel between hosts.
• This can be used at the time of initial response to establish a TCP
connection between the forensic workstation and the target system.
• To use Netcat, the IP address of the target system and a laptop with sufficient
storage capacity to keep the collected information are needed.
• Netcat helps to transfer all the significant system information and data
that is required to confirm whether an event has occurred or not.
• The connection needs to be closed by pressing CTRL-C on the
forensic workstation after the completion of the data transfer.

• Two advantages:
1. It helps to quickly get on and off the target system.
2. It also provides the facility of reviewing offline the information
that was previously obtained.
III. Obtaining Volatile Data for live response:
The following volatile or temporal data is collected before forensic duplication:
i. The date and time of the system.
ii. List of users that are currently logged on.
iii. Time and date stamps of the entire file system.
iv. List of processes that are currently running.
v. List of sockets that are currently open.
vi. Applications that are listening on the open sockets.
vii. List of systems that have current or had recent connections to the
system.

IV. Documenting and managing the investigation:


There are two main reasons for documenting the actions while responding to
the victim system:
a) To protect an organization
b) To collect the data that may become evidence against the offender or
criminal.

17. Volatile/Temporal Data Collection from Windows System:-
After knowing what data should be collected and how to document the response, the
following steps are followed to retrieve that temporal data.

1. Run a trusted cmd.exe: The cmd.exe on the victim’s system may have been
tampered with; running it might turn out to actually execute del *.* in the
\winnt\system32 directory. This is why the trusted cmd.exe from the response
toolkit should be run instead of the one on the victim’s system.

2. Record system time and date: After executing the trusted command shell, it is a
good idea to capture the local system date and time. This is important to
correlate the system logs as well as to mark the times at which the response has
been performed. The /t switch makes date and time print the current value without
prompting for a new one:
A:\>date /t > record.txt // Saves date in record.txt
A:\>time /t >> record.txt // Updates record.txt with time

3. Determine logged users: Identifying the active connections of the user accounts
is the next step. It is necessary to identify which user accounts have remote
access rights on the target system, in order to respond to a system that offers
remote access via modem. PsLoggedOn is an applet that displays both
the locally logged on users and the users logged on via resource shares for either the
local computer or a remote one.

4. For all files, record modification, creation and access times: To get the list of all
the directory files on the target machine, the “dir” command is used. It includes the
size, access, modification and creation time. The time and date stamps become
evidence if significant information about the time frame when an event
occurred is identified.

5. Determine open ports: There are several networking commands available, of
which Netstat can be used to determine which ports are open. It also lists all
listening ports and current connections to those ports. Volatile data, such as
recently terminated connections and current connections, can be recorded
using Netstat.

6. List the applications that are associated with those ports: Knowing which
services listen on which ports is helpful. The free tool fport is used to list listening
ports for all the processes.

7. List all running processes: It is necessary to record all the processes that are
currently executing on the system before turning off the target system, as that
destroys this information. To manage a process and maintain statistical
information about it, a kernel object is created by the operating
system.

8. List current and recent connections: To know who is connected or who has
connected recently, networking commands like the following are used:

a. netstat: Used to identify the IP addresses of remote systems and the current
connections of the system.
b. arp: Used to map IP addresses to MAC addresses.
c. nbtstat: Used to access the remote NetBIOS name cache, listing the recent
NetBIOS connections for approximately the last ten minutes.

9. Record date and time of target system: Recording the date and time of the target
system ensures that you have a record of when you were logged on to that
system. It can be used as evidence: if anything changed on the system outside
the timeframe you have recorded, you are not responsible for that alteration.

10. Commands accessed at the time of initial response: The doskey /history command can
be used to show the history of the commands that were executed on the
system.

18. Volatile/Temporal Data Collection from a UNIX System:-

For obtaining live data, the following steps should be followed.

1. Run a trusted shell: An attacker may tamper with the UNIX shell to log all the commands
executed on the system or to perform criminal activities hidden from the
investigator. This is the reason to run one’s own trusted shell.

2. Record the time and date of the system: The local date and time can be
recorded using the “date” command. It is necessary for future reference. It will
also show when someone was on the system. The following command can
be used to capture this information:
[root@conan / root]# date
Tue Feb 20 16:12:43 UTC 2024

3. Identify who is currently logged on to the system: The “w” command is
executed to get details such as the user IDs of logged on users, the systems
they logged on from and what they are currently executing.

4. Record creation, alteration and access time of each file: All the available
time/date stamps for each file in Windows and UNIX systems – atime (i.e.
access time), mtime (i.e. modification time) and ctime (i.e. inode change time) –
can be obtained by using the proper command line arguments such as:
ls -alRu / > /floppy/atime
ls -alRc / > /floppy/ctime
ls -alR / > /floppy/mtime

5. Identify open ports: The most widely used command for listing open ports on
a UNIX system is netstat. To view all the open ports, netstat -an is used. The
-n option tells netstat not to resolve host names, which reduces the
impact on the system and speeds up the execution of the command.

6. List applications associated with open ports: The -p option of netstat
is used to map the name of the application and its process identification
number (i.e. PID) to the open ports.

7. Identify the running processes: The “ps” command displays all the running
processes in the system.

8. List the current and recent connections: The netstat and arp commands are used
to get information about the current and recent connections.

9. Record the time of the system: The date command can be used to record the time.
Recording the time of the target system ensures that someone has a record of
when he/she was logged on to that system. It can be evidence: if anything
changed on the system outside the timeframe he/she has recorded, he/she is
not responsible for that alteration.

10. Record the steps taken: The history command can be used to show the history of
the commands that were executed on the system. “vi” can be used if
live response is performed from the editor.

11. Record cryptographic checksums: “md5sum” can be used against all the files
in the data directory to record cryptographic checksums of all the collected
information:
[root@conan / root]# md5sum * > md5sums.txt
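
The UNIX steps above, together with the message-digest check from section 11 (freezing the scene) and the netcat transfer from section 16, worked through as one script. This is an added example, not the module's own code; it assumes a POSIX sh with coreutils and the classic net tools (w, netstat, arp, ps), a response media mount point given as TOOLBIN, and HOST/PORT values that belong to the responder's own workstation.

```shell
#!/bin/sh
# Added example (not the module's own code): a POSIX sh live-response collector that
# walks the UNIX steps above in order of volatility, then seals the output with the
# md5sum manifest the module ends with. Assumptions: sh, coreutils and the classic
# net tools (w, netstat, arp, ps); a missing tool is logged and skipped, not fatal.

# Step 1, a trusted shell: the responder's media (assumed mounted at TOOLBIN) is
# searched first so its own copies of the tools shadow the victim's. On a real
# response set PATH to the media directories only.
PATH="${TOOLBIN:-/mnt/response/bin}:$PATH"; export PATH

# record NAME CMD...: run CMD with stdout and stderr into $OUTDIR/NAME and note the
# invocation (UTC timestamp, name, command line) in $OUTDIR/response.log.
record() {
    name="$1"; shift
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$name" 2>&1 || true     # a failing tool must not abort collection
        echo "$stamp $name: $*" >> "$OUTDIR/response.log"
    else
        echo "$stamp $name: SKIPPED ($1 not available)" >> "$OUTDIR/response.log"
    fi
}

# collect_live_data OUTDIR [SCANROOT]: steps 2 to 10, most volatile first. SCANROOT
# defaults to / as in the module; a subtree can be given for a quicker run.
collect_live_data() {
    OUTDIR="$1"; scanroot="${2:-/}"
    mkdir -p "$OUTDIR"
    record date_start date                    # step 2: system date and time
    record logged_on  w                       # step 3: who is on, from where, doing what
    record open_ports netstat -an             # step 5: all sockets, no name resolution
    record port_apps  netstat -anp            # step 6: PID/program per socket (needs root)
    record processes  ps -ef                  # step 7: running processes
    record arp_cache  arp -an                 # step 8: recent neighbours (IP to MAC)
    record atime      ls -alRu "$scanroot"    # step 4: access times ...
    record ctime      ls -alRc "$scanroot"    #         inode change times ...
    record mtime      ls -alR  "$scanroot"    #         modification times (least volatile)
    record date_end   date                    # step 9: time at the end of the response
    # step 10: every command run is already in response.log, with its timestamp
}

# make_manifest OUTDIR: step 11, one md5sum line per collected file (md5sums.txt
# itself excluded). Use sha256sum instead where MD5 is not accepted.
make_manifest() {
    ( cd "$1" && for f in *; do
          [ "$f" = md5sums.txt ] || md5sum "$f"
      done > md5sums.txt )
}

# verify_manifest OUTDIR: the "freezing the scene" check, returns 0 only while every
# collected file still matches the digest recorded at collection time.
verify_manifest() {
    ( cd "$1" && md5sum -c md5sums.txt >/dev/null 2>&1 )
}

# ship_to_workstation OUTDIR HOST PORT: the netcat transfer the module describes.
# The forensic workstation first runs: nc -l -p PORT > evidence.tar (some netcat
# builds take "nc -l PORT"); HOST and PORT are the responder's own values.
ship_to_workstation() {
    tar -cf - -C "$1" . | nc "$2" "$3"
}

# Stand-alone use: sh live_response.sh /floppy [/subtree]
if [ "$#" -gt 0 ]; then
    collect_live_data "$1" "${2:-/}"
    make_manifest "$1"
    verify_manifest "$1" && echo "evidence in $1, manifest verified"
fi
```

Re-running verify_manifest on the evidence copy at any later point is the module's digest comparison: a single changed byte in any collected file makes it fail.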
