CYBER FORENSICS

VI YEAR A SECTION
VEL TECH MULTI TECH
Forensic Duplication and Investigation
Preparation for IR : Creating Response Tool
Kit and IR Team
• In a large business or organization the delegation of tasks is
essential to maintaining effective operations. In the makeup of an
Incident Response Plan (IRP), the company's contingency planning (CP)
team assumes responsibility for creating it.

The CP team creates three sets of incident-handling procedures :


1. During the incident : The planners develop and document the
procedures that must be performed during the incident.
2. After the incident : Once the procedures for handling an incident
are drafted, the planners develop and document the procedures that
must be performed immediately after the incident has ceased.
3. Before the incident : The planners draft a third set of procedures
which are tasks that must be performed to prepare for the incident.
Contd..
Incident Recovery:
The recovery process includes the following steps :
1. Identify and resolve vulnerabilities that allowed the
incident to occur and spread.
2. Address the safeguards that failed to stop or limit the
incident - install, replace, or upgrade them.
3. Evaluate monitoring capabilities – improve detection
and reporting methods, or install new monitoring
capabilities
4. Restore systems from backups
Contd..
Incident Response Team:
• The Incident response team is established to provide a quick,
effective and orderly response to computer related incidents
such as virus infections, hacker attempts and break-ins,
improper disclosure of confidential information to others,
system service interruptions, breach of personal information,
and other events with serious information security
implications.

• The team provides services and support, to a defined constituency,
for preventing, handling and responding to computer security
incidents.
Contd..
• Every organization should have an incident response team.
This team may consist of one person in an organization or
several persons. In the event of suspected computer crime or
violations of user policies, the team should be activated.

• Each of the following members will have a primary role in
incident response.
1. Information Technology Director
2. Information Technology Assistant Director
3. Vice President Finance and Administration
4. Qualified Member of Information Technology
5. Network Engineer
6. Security Analyst
Contd..
The team provides the following set of services:
Contd..
Types of Incidents:
1. Breach of Personal Information-(protected information to an
unauthorized person)
2. Denial of Service / Distributed Denial of Service
3. Excessive Port Scans-( a trusted site is found with more than 20 open ports)
4. Firewall Breach-( incorrectly configured rules let traffic through)
5. Virus Outbreak-( malware spreading rapidly across many hosts)

Forensic software tools are used for:
1. Data imaging
2. Data recovery
3. Data integrity
4. Data extraction
5. Forensic analysis
6. Monitoring
Understanding Computer Investigation
• Investigation : is a process that develops and tests hypotheses
to answer questions about events that occurred. In general,
computer forensics investigates data that can be retrieved from
a computer’s hard disk or other storage media.

• The computer investigations group manages investigations and
conducts forensic analysis of systems suspected of containing
evidence related to an incident or a crime.

• For complex casework, the computer investigations group
draws on resources from those involved in vulnerability
assessment, risk management, and network intrusion detection
and incident response. This group resolves or terminates all
case investigations.
Contd..
• Digital Forensic Investigation: process that uses science and
technology to examine digital objects and that develops and tests
theories, which can be entered into a court of law, to answer questions
about events that occurred.

• IT forensic techniques are used to capture and analyze electronic data
and develop theories.
The following steps are applied when investigating digital evidence:
1. Preparation and authorization
2. Identification
3. Documentation, collection and preservation
4. Filtering and data reduction
5. Class/Individual characteristics and evaluation of source
6. Evidence recovery
7. Investigative reconstruction
8. Reporting result
Contd..
Digital Evidence on the Internet:
• Internet crime is defined as any illegal activity involving one
or more components of the Internet, such as websites, chat
rooms and e-mail. Internet crime involves the use of the
Internet to communicate false or fraudulent representations to
consumers.
• To track an e-mail message back to its sender, retrace the route
the message travelled by reading the e-mail's Received headers from
the bottom (added first) to the top (added last). Only the headers
added by mail servers you trust can be relied upon; anything below
them could have been written by the sender.
• The Internet plays a very important role in locating offenders and
missing persons.
• Identity theft is one of the fastest growing crimes in the world.
Identity theft occurs when enough information about an
individual is obtained to open a credit card account in their
name and charge items to that account
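Tracing the route from the Received headers, as an added example (this is not code from the slides). The message, hostnames and addresses below are constructed for illustration; a relay prepends its header on top of the existing ones, so the list is walked in reverse to get chronological order, and hops are kept as reliable only when the header was added by a server the investigator controls.

```python
"""Reconstruct an e-mail's delivery route from its Received headers.

Added example, not part of the original slides. The sample message and
the set of 'trusted' servers are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. The topmost Received header was added last
# (closest to the recipient), the bottom one first (closest to the sender).
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <victim@recipient.example>; Mon, 04 Mar 2024 10:02:11 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby relay.example.net (Postfix) with ESMTP id XYZ789;
\tMon, 04 Mar 2024 10:02:09 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
\tby mail.sender.example (Postfix) with ESMTPA id DEF456;
\tMon, 04 Mar 2024 10:02:05 +0000
From: someone@sender.example
To: victim@recipient.example
Subject: constructed sample

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"      # name the sender announced (HELO), forgeable
    r"(?:\s+\((?P<seen>[^)]*)\))?"  # what the receiving server actually saw: rDNS [IP]
    r"\s+by\s+(?P<by>\S+)",         # the server that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Parse one (possibly folded) Received header into a hop dict."""
    flat = re.sub(r"\s+", " ", value).strip()
    hop = {"claimed": None, "ip": None, "by": None, "when": None}
    m = HOP_RE.search(flat)
    if m:
        hop["claimed"] = m.group("claimed")
        hop["by"] = m.group("by")
        ip = IP_RE.search(m.group("seen") or "")
        hop["ip"] = ip.group(1) if ip else None
    if ";" in flat:  # the timestamp follows the last semicolon
        try:
            hop["when"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            hop["when"] = None
    return hop


def trace_route(raw_message):
    """Return the hops in chronological order (sender side first)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    # Each relay prepends its header, so reverse to recover the real order.
    return [parse_received(h) for h in reversed(headers)]


def reliable_hops(hops, trusted_servers):
    """Keep the unbroken run of hops written by servers we control.

    Walk from the recipient side backwards and stop at the first header not
    added by a trusted server: everything below it is the sender's claim.
    The 'ip' field of the last reliable hop is the real address that handed
    the message to our infrastructure.
    """
    kept = []
    for hop in reversed(hops):
        if hop["by"] not in trusted_servers:
            break
        kept.append(hop)
    return list(reversed(kept))


if __name__ == "__main__":
    for hop in trace_route(SAMPLE_MESSAGE):
        print(hop["when"], hop["ip"], "->", hop["by"])
```

With `{"mx.recipient.example"}` as the trusted set, only the top header counts as evidence, and its bracketed address (198.51.100.7) is the relay that actually connected to us; the 192.168.1.50 hop at the bottom is what the sender's own server chose to record.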
Contd..
Digital evidence must follow these rules of evidence:
1. Admissible : it must conform to certain legal rules before it
can be put before a court.
2. Authentic : it must be possible to positively tie the evidentiary
material to the incident.
3. Complete : it must tell the whole story.
4. Reliable : there must be nothing about how the evidence was
collected and subsequently handled that casts doubt on its
authenticity and veracity.
Data Acquisition
• Forensic data acquisition is a process that involves the
identification of a digital source, such as a hard disk, a
memory card or any other form of media and data storage,
and the copying of the identified data to some accessible
destination object, such as an image file, a clone or a bit-
stream duplicate, performed in a complete and accurate
manner.
• Hence, completeness and accuracy are the two most important
features that any data acquisition tool must demonstrate, in
order for the tool to be considered of a forensic standard of
quality.
• During data acquisition an exact (typically bitwise) copy of the
storage media is created.
Contd..
• A dead acquisition copies the data without the assistance of
the suspect's (operating) system. A live acquisition copies the
data using the suspect's (operating) system.

• Live Data Acquisition : real-time forensic acquisition from
computers, servers, databases and e-mail server applications that
cannot be taken offline or leave the site. It is also the only way
to capture volatile data (memory, network connections, running
processes), which is lost when the system is powered down.

Write Blockers:
• Allow acquisition of data from a storage device without
changing the drive's contents. Write commands are blocked;
only read commands are allowed to pass through the write
blocker.
Contd..
• Types of blockers : Hardware Write Blocker and Software
Write Blocker.
• Hardware Write Blockers : The device sits between the
investigator's PC and the storage device. Supported storage
interfaces are ATA, SCSI, USB and SATA. The blocker never
passes write or erase commands to the device's command
register, so no data on the storage device can be written or
erased.
• Software Write Blockers (SWB) : A software layer that sits
between the OS and the device driver for the storage device.
It intercepts all disk requests that use system calls to write
data and prevents them from reaching the device.
• The SWB must not modify a protected disk, and it must not
interfere with reading data from any drive. Only media that is
not otherwise write-protected needs this protection.
Contd..
Data acquisition methods are as follows :
1. Disk-to-image file
2. Disk-to-disk copy
3. Logical disk-to-disk or disk-to-data file
4. Sparse data copy
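The disk-to-image method, as an added example (not code from the slides), showing why completeness and accuracy are the two properties the slides call out. The source bytes and the simulated unreadable sector are constructed; the source is only ever read, and an unreadable block is logged and zero-filled so the image keeps its length and offsets (the behaviour of `dd conv=noerror,sync`), while a SHA-256 over the image as written lets anyone later verify it has not changed.

```python
"""Bit-for-bit imaging with bad-block handling and hash verification.

Added example, not from the original slides. The data and the failing
block are constructed to stand in for a drive with one bad sector.
"""
import hashlib
import io

BLOCK_SIZE = 512  # sector size used for the simulation


class BlockSource:
    """Read-only block access to a file object opened in binary mode.

    On a real case the object would be os.fdopen(os.open('/dev/sdX',
    os.O_RDONLY), 'rb') behind a write blocker; here it is a BytesIO.
    """

    def __init__(self, fobj, size):
        self._f = fobj
        self._size = size

    def size(self):
        return self._size

    def read_block(self, index):
        self._f.seek(index * BLOCK_SIZE)
        return self._f.read(BLOCK_SIZE)


class FlakySource(BlockSource):
    """Constructed source where one block raises OSError like a bad sector."""

    def __init__(self, data, bad_block=None):
        super().__init__(io.BytesIO(data), len(data))
        self._bad = bad_block

    def read_block(self, index):
        if index == self._bad:
            raise OSError("simulated I/O error at block %d" % index)
        return super().read_block(index)


def acquire(source, dest):
    """Copy every block of `source` into `dest` (a writable binary stream).

    Completeness: an unreadable block is recorded and replaced with zeros so
    the image has the same length and offsets as the source. Accuracy: the
    hash is computed over exactly the bytes written, so the image can be
    re-verified at any later time.
    """
    n_blocks = -(-source.size() // BLOCK_SIZE)  # ceiling division
    image_hash = hashlib.sha256()
    bad_blocks = []
    for i in range(n_blocks):
        try:
            chunk = source.read_block(i)
        except OSError:
            bad_blocks.append(i)
            chunk = b""
        chunk = chunk.ljust(BLOCK_SIZE, b"\x00")  # pad short/failed block ('sync')
        dest.write(chunk)
        image_hash.update(chunk)
    return {"blocks": n_blocks, "bad_blocks": bad_blocks,
            "sha256": image_hash.hexdigest()}


def verify_image(image_bytes, expected_sha256):
    """Recompute the hash of an image and compare with the acquisition record."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


if __name__ == "__main__":
    sample = bytes(range(256)) * 5        # 1280 bytes: two full blocks + a partial one
    out = io.BytesIO()
    report = acquire(FlakySource(sample, bad_block=1), out)
    print(report)
    print("verified:", verify_image(out.getvalue(), report["sha256"]))
```

The bad-block list belongs in the acquisition notes alongside the hash: a zero-filled sector is a documented gap, not a silent one, and a later hash mismatch then points to tampering or media decay rather than to the original read error.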
Contd..
• A bootable Linux CD is a complete Linux operating system
that can boot from an optical disc, USB stick or Preboot
execution Environment (PXE).
• It runs in the computer’s memory and allows an operating
system to run without installing or making changes to the
computer’s original configuration and files.
• Live images can be adjusted to run special (start-up) scripts and
contain special drivers and software. The process of adjusting
the contents of a live image is called re-mastering.
• Linux can mount a hard drive read-only and still read it fully.
Windows and newer desktop Linux distributions automatically mount
and access any connected drive.
• Windows will write to the Recycle Bin, and sometimes to the
NTFS journal, just from booting up with a hard drive
connected.
Contd..
• Forensic Linux Live CDs are configured not to mount, or to mount
read-only, any connected storage media, which removes the need for
a separate write blocker as long as the distribution has been
verified to behave that way. Well-designed Linux Live CDs are
used for computer forensics.
• The fdisk command lists, creates, deletes and verifies
partitions in Linux. The mkfs.msdos command formats a FAT
file system from Linux; both are used on the target drive, never
on the evidence drive.
Set up the scene for data acquisition, suspect host (Linux) :
1. Load the Helix CD-ROM into the drive.
2. Ensure that your tools do NOT modify the disk.
3. Use IP addresses instead of hostnames.
4. Use trusted binaries from the CD-ROM only.
5. Send the acquired data over an encrypted network connection.