Computer Forensics Analysis and Validation With Tool Demo

Validation is the confirmation by examination and the provision of objective evidence that a tool, technique or procedure functions correctly and as intended.

Uploaded by Bodhe Abhijit

Sanjivani Rural Education Society’s

Sanjivani College of Engineering, Kopargaon-423 603


(An Autonomous Institute, Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified

Department of Computer Engineering


(NBA Accredited)

Subject- Digital Forensics (DF) [CO 315A]


Unit 3 :- Computer Forensics analysis and validation

Prof. Abhijit S. Bodhe


Assistant Professor
Department of Computer Engineering
E-mail :
[email protected]
Contact No: 7709 340 570
Unit 1:- Introduction to Digital Forensics

• Digital Forensics: Definition, Process,
• Locard’s Principle of Exchange,
• Branches of Digital Forensics,
• Handling Digital Crime Scene,
• Important documents and Electronic Evidence,
• Introduction to Evidence Acquisition: Identification, Acquisition,
Labeling and Packaging, Transportation, Chain-of-Custody.
• Structure of storage media/devices: Windows/Macintosh/Linux registry,
boot process, file systems, file metadata.

DEPARTMENT OF COMPUTER ENGINEERING, Sanjivani COE, Kopargaon 2


Unit 2:-Data recovery and Digital evidence controls
• Data recovery: identifying hidden data,
• Encryption/Decryption, Steganography,
• recovering deleted files.
• Digital evidence controls: uncovering attacks that evade detection
by Event Viewer, Task Manager, and other Windows GUI tools,
• data acquisition, disk imaging, recovering swap files, temporary & cache files.
• Data Privacy, data privacy usages, data privacy usage tools.

Unit 3:- Computer Forensics analysis and validation
• Computer Forensics analysis and validation: Determining what
data to collect and analyse, validating forensic data, addressing data-
hiding techniques.
• Network Forensics: Network forensics overview, performing live
acquisitions, developing standard procedures for network forensics,
using network tools, examining the honeynet project.
• Computer Forensic tools (Case Study): EnCase, Helix, FTK,
Autopsy, Sleuth Kit Forensic Browser, FIRE, Foundstone Forensic
ToolKit, WinHex, Linux dd and other open source tools

Computer Forensics analysis and validation
• Computer Forensics analysis:- Forensic analysis refers to a detailed
investigation for detecting and documenting the course, reasons,
culprits, and consequences of a security incident or of a violation of the rules
of the organization or of state laws. Forensic analysis is often linked with
presenting evidence to the court, particularly in criminal matters.
• Data forensics, also known as forensic data analysis (FDA), refers
to the study of digital data and the investigation of cybercrime.
• Computer Forensic Validation:- Validation is the confirmation by
examination and the provision of objective evidence that a tool,
technique or procedure functions correctly and as intended.
Verification is the confirmation of a validation using the laboratory's own
tools, techniques and procedures.
Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends mostly on:
1. Nature of the case/s
2. Amount of data to process
3. Search warrants and court orders
4. Company policies
5. Tools used
6. Techniques applied
7. Scope creep:- the investigation expands beyond its original description.
• Right of full discovery of digital evidence.

Approaching Computer Forensics Cases
• Some basic principles apply to almost all computer forensics cases, but
the approach you take depends largely on the specific type of case
you’re investigating.
• Basic steps/rules/principles for all computer forensics
investigations:-
1. Remove the original drive from the computer, Check date and time
values in the system’s CMOS.
2. Record how you acquired data from the suspect drive
3. For target drives, use only recently wiped media that have been
reformatted and inspected for computer viruses

Steps/rules/principles for computer forensics investigations

4. Inventory the hardware on the suspect’s computer and note the
condition of the computer when seized.
5. Process the data methodically and logically.
6. List all folders and files on the image or drive and, if possible,
examine the contents of all data files in all folders, starting at the
root directory of the volume partition.
7. For all password-protected files that might be related to the
investigation, make your best effort to recover the file contents.
8. Identify the function of every executable (binary or .exe) file that
doesn’t match known hash values.
9. Maintain control of all evidence and findings, and document
everything as you progress through your examination.
Refining and Modifying the Investigation Plan
• Considerations
1. Determine the scope of the investigation
2. Determine what the case requires
3. Whether you should collect all information
4. What to do in case of scope creep
• The key is to start with a plan but remain flexible in the face of new evidence.
• Using AccessData Forensic Toolkit (FTK) to analyze data. Supported file systems: FAT12/16/32, NTFS,
Ext2fs, and Ext3fs.
• FTK can analyze data from several sources, including image files from other vendors.
• FTK produces a case log file.
• Searching for keywords:- FTK supports indexed search and live search, with options for
advanced searching techniques, such as stemming.

Validating Forensic Data
• One of the most critical aspects of computer forensics.
• Ensuring the integrity of data you collect is essential for presenting evidence in court.
• Validating data connects to reliability, reproducibility as well as robustness properties
for acquired data. When data is not accurate and reliable, it is difficult to be accepted
in court cases because digital forensic data is scrutinized in court to ensure that it is
admissible evidence.
• For example, when ProDiscover (a forensic tool) loads an image file, it computes a hash and
compares that value to the original hash calculated when the image was first
acquired; only if the two match is the image treated as admissible evidence.
• Why is validation important in forensics? There is a strong requirement for correct
processes, and for the systems relied upon to 'do what they are intended to do'.
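The hash-and-compare step described above, written out as an added Python example (not part of the original slides and not ProDiscover's code). The image bytes are constructed in the script, and the names `SAMPLE_IMAGE`, `hash_image`, `hash_image_file` and `validate_image` are chosen here; a real acquisition would record the hashes in the chain-of-custody notes and stream the image from disk.

```python
import hashlib

# Constructed stand-in for a disk image: a few hundred bytes that play the role
# of a multi-gigabyte dd/E01 image. A real image would be streamed from a file.
SAMPLE_IMAGE = (b"\x00" * 446) + b"\x80\x01\x01\x00" + b"\x55\xaa" + (b"NTFS    " * 64)


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Hash the image in fixed-size chunks so a real image never has to fit in memory.
    MD5 and SHA-256 are computed in a single pass, as imaging tools usually do,
    and both values are what gets written into the acquisition record."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_image_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as hash_image, but streams the image from a file on disk."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def validate_image(data: bytes, acquisition_hashes: dict) -> dict:
    """Re-hash the image now and compare against the hashes recorded at acquisition.
    The image counts as validated only when every recorded hash matches; one
    mismatch means the evidence changed or the acquisition record is wrong."""
    current = hash_image(data)
    results = {}
    for algo, recorded in acquisition_hashes.items():
        results[algo] = algo in current and current[algo] == recorded.strip().lower()
    # An empty record proves nothing, so it never validates.
    results["validated"] = bool(acquisition_hashes) and all(
        results[algo] for algo in acquisition_hashes
    )
    return results


if __name__ == "__main__":
    acquired = hash_image(SAMPLE_IMAGE)            # values written into the acquisition log
    print("acquisition hashes:", acquired)
    print("untouched image:", validate_image(SAMPLE_IMAGE, acquired))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[500] ^= 0x01                           # flip a single bit
    print("tampered image:", validate_image(bytes(tampered), acquired))
```

A single flipped bit changes both digests, which is the whole point of the check: the examiner does not need to know what changed, only that the image no longer matches what was acquired.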

Validating Forensic Data
• Different types of validation can be performed depending on destination
constraints or objectives. Data validation is a form of data cleansing
(cleaning).
• Validation is the confirmation by examination and the provision of objective
evidence that a tool, technique or procedure functions correctly and as
intended.
• There are many different ways to approach data validation; the four most
common are writing your own scripts, using Excel’s built-in data validation
tool, using an ETL (Extract, Transform and Load) tool, or using a data
observability tool.
• Let's discuss all four one by one.

1.Coding/Scripting data validation
• Depending on your ability to code, validating data by writing a script
may be an option for you. You can write Python scripts, dbt tests,
or Great Expectations suites to compare data values and metadata
against your defined rules and schemas to verify that all the necessary
information meets your required data quality parameters.
• The most popular of these kinds of data validation is using SQL. SQL
can easily validate data records in a database based on a specific
condition.
• This type of data validation is pretty popular among database
administrators and programmers.
• This method of data validation can be quite time-consuming.
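As an added example (not from the slides), a small rule-based validator of the kind this slide describes, applied to acquisition-log records of the sort a forensic lab keeps. The records, the `CASE-NNNN-ENN` naming rule and the function names are constructed for the example; the same rules could equally be expressed as SQL `CHECK` constraints over a table of records.

```python
import re
from datetime import datetime, timezone

# Constructed acquisition-log records. The first is clean; each of the others
# breaks at least one rule so the validator has something to report.
SAMPLE_RECORDS = [
    {"evidence_id": "CASE-0042-E01", "examiner": "examiner-01",
     "acquired_at": "2024-03-01T10:15:00+00:00",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"evidence_id": "CASE-0042-E02", "examiner": "examiner-01",
     "acquired_at": "2024-03-01T11:00:00+00:00",
     "sha256": "DEADBEEF"},                        # truncated hash
    {"evidence_id": "disk 2", "examiner": "",      # bad id, missing examiner
     "acquired_at": "2031-01-01T00:00:00+00:00",  # timestamp in the future
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

# Fixed "now" so the future-timestamp rule gives the same answer every run.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

REQUIRED_FIELDS = ("evidence_id", "examiner", "acquired_at", "sha256")
EVIDENCE_ID_RE = re.compile(r"^CASE-\d{4}-E\d{2}$")   # assumed lab naming convention
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")          # 64 hex characters


def validate_record(record: dict, now: datetime) -> list:
    """Return the list of rule violations for one record (empty list = clean)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing or empty field: {field}")
    evidence_id = record.get("evidence_id", "")
    if evidence_id and not EVIDENCE_ID_RE.match(evidence_id):
        problems.append(f"evidence_id does not follow CASE-NNNN-ENN: {evidence_id!r}")
    digest = record.get("sha256", "")
    if digest and not SHA256_RE.match(digest):
        problems.append("sha256 is not a 64-character hex digest")
    stamp = record.get("acquired_at", "")
    if stamp:
        try:
            acquired = datetime.fromisoformat(stamp)
        except ValueError:
            problems.append(f"acquired_at is not ISO-8601: {stamp!r}")
        else:
            if acquired.tzinfo is None:
                problems.append("acquired_at has no timezone")
            elif acquired > now:
                problems.append("acquired_at is in the future")
    return problems


def validate_records(records: list, now: datetime = None) -> list:
    """Validate every record; result[i] holds the violations of records[i]."""
    now = now or datetime.now(timezone.utc)
    return [validate_record(r, now) for r in records]


def validate_sample() -> list:
    return validate_records(SAMPLE_RECORDS, REFERENCE_NOW)


if __name__ == "__main__":
    for record, problems in zip(SAMPLE_RECORDS, validate_sample()):
        print(record["evidence_id"] or "<no id>", "->", problems or "OK")
```

Each rule is independent, so a record with several defects reports all of them at once rather than stopping at the first, which is what an examiner reviewing a batch of acquisition records wants.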

2.Using Excel sheets
• Among the most basic ways of data validation is using Microsoft
Excel or Google Sheets.
• This method of data validation requires you to export your data into
Excel or Sheets before you can start, which granted is neither scalable
nor easily maintainable.
• Excel and Sheets both have a menu item listed as Data > Data
Validation. By selecting the Data Validation menu, a user can choose
the specific data type or constraint validation required for a given file
or data range.
• You can only fit a limited number of records into either of these tools
before your data validation process becomes unwieldy.

3.ETL/ ELT- data integration and validation
• ETL (Extract, Transform and Load), ELT (Extract, Load, Transform), and data
integration tools typically integrate data & Apply validation policies as part of
their workflow.
• These validation rules are executed as data is extracted from one source and
loaded into another.
• In the case of ELT, validation runs after extract and load are completed, when the
transformation happens in the database. Popular tools include dbt and Fivetran.
• These tools are popular for integrating data from multiple sources together,
often into a data warehouse, but they can’t handle incoming real-
time data streams.
• These validations have higher data infrastructure costs and more engineering
time effort to build and maintain data validation rules.
4.Leveraging Data Observability tools
• Data observability tools like Telmai enable you to customize data
validation workflows precisely for your needs.
• You can automatically run any data validation workflow on a schedule
(or on-demand) and get alerted if your data falls outside historical
ranges or your predefined conditions.
• Plus Telmai’s ML-based learning enables you to detect data quality
issues you couldn’t have even predicted would be a problem!
• Unlike traditional monitoring tools, observability tools provide 24/7,
end-to-end visibility into your systems and proactively spot potential
issues so that you can mitigate them before they become too serious.
• https://atlan.com/know/data-observability-tools/
Addressing Data-hiding Techniques
• Why Data hiding:-
• Ensures confidentiality of sensitive data in cyberspace.
• Prevents unauthorized access to private information.
• Mitigates risk of data breaches and cyberattacks.
• Facilitates secure communication channels.
• Protects digital assets and intellectual property.
• Support authentication and verification processes.
• Enhances the organization’s overall cyber security posture.

Data hiding techniques
• Encryption. It utilizes cryptographic algorithms to convert data into ciphertext,
making it unreadable to parties without the correct decryption key. Encryption
ensures that only authorized users with the correct key can access the original
version of the data.
• Steganography. It refers to hiding information within other data or media, such
as images, audio files, or videos. Because an attacker cannot assume the specific
embedding method, they cannot readily detect the hidden data.
• Obfuscation. This method alters the data structure, format, or logic to make
data more difficult to understand, therefore protecting sensitive information
from unauthorized access or tampering.
• Data masking. It refers to replacing sensitive information with fictional or
scrambled data that maintains the same structure and format.
Data hiding :Summary
• Data hiding is the practice of concealing information within other data,
structures, or media to prevent unauthorized users from detecting or
accessing the information.
• Users can apply data hiding across various domains and contexts,
including information hiding in programming, invisible ink, digital art
and design, and cybersecurity.
• For instance, data hiding can protect sensitive information from
unauthorized access, tampering, or theft, ensure privacy, or even
maintain intellectual property rights.

Network forensics: An overview
• Network forensics is a subset of digital forensics. Most attacks move through the
network before hitting the target, and they leave some trace: according to
Locard’s principle, “every contact leaves a trace,” in cyberspace too.
• Network forensics can be generally defined as the science of discovering and
retrieving evidential information in a networked environment about a crime in
such a way as to make it admissible in court.
• The major steps in network forensics are:
obtain information, strategize, collect evidence, analyze and finally report.
• Network forensics can be particularly useful in cases of network leakage, data
theft or suspicious network traffic. It focuses on the investigation and analysis
of traffic in a network that is suspected to be compromised (e.g., DDoS attacks).

Network forensics: An overview
• Two methods of network forensics are:
1.“Catch it as you can” method: All network traffic is captured. It
guarantees that there is no omission of important network events. This
process is time-consuming and reduces storage efficiency as storage
volume grows
2.“Stop, look and listen” method: Administrators watch each data packet
that flows across the network but they capture only what is considered
suspicious and deserving of an in-depth analysis. While this method does
not consume much space, it may require significant processing power.

Performing live acquisitions
• Investigators focus on two primary sources for performing live
acquisitions of network data in network forensics:
1. Full-packet data capture: This is the direct result of the “Catch it as
you can” method. Large enterprises usually have large networks, and it
can be counterproductive for them to keep full-packet captures for
prolonged periods of time.
2. Log files: These files reside on web servers, proxy servers, Active
Directory servers, firewalls, Intrusion Detection Systems (IDS), DNS
servers and Dynamic Host Configuration Protocol (DHCP) servers. Unlike full-packet
capture, logs do not take up so much space.

Performing live acquisitions
• Log files provide useful information about activities that occur on the network, like
IP addresses, TCP ports and Domain Name System (DNS) lookups. Log files also show site
names, which can help forensic experts spot suspicious source and destination pairs.
• Example:- the server is sending data to and receiving data from an unauthorized
server/client. Along with the data, suspicious application activities (like a browser
using ports other than port 80, 443 or 8080 for communication) are also found in
the log files. Log analysis sometimes requires both scientific and creative processes
to tell the story of the incident.
• Network forensics is also dependent on event logs, which show time-sequencing.
Investigators determine timelines using information and communications recorded
by network control systems. Analysis of network events often reveals the source of
the attack.
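The two checks this slide gives (a browser using a non-web port, and a host talking to a server it is not authorized to talk to) as an added Python example that is not part of the original slides. The log lines, their `src=/dst=/app=` layout, the browser list and the authorized file-server list are all constructed for the example; it also orders findings into a timeline and totals bytes per source/destination pair, which is how the "suspicious pairs" of the first bullet are usually spotted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall/proxy log, one connection per line.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z src=10.0.0.5:51234 dst=203.0.113.7:443 proto=tcp app=chrome.exe bytes=1200
2024-03-01T10:15:09Z src=10.0.0.5:51240 dst=198.51.100.9:4444 proto=tcp app=chrome.exe bytes=800
2024-03-01T10:15:11Z src=10.0.0.5:51241 dst=203.0.113.7:80 proto=tcp app=chrome.exe bytes=300
2024-03-01T10:16:40Z src=10.0.0.22:40000 dst=192.0.2.50:445 proto=tcp app=system bytes=90000
2024-03-01T10:16:41Z src=10.0.0.22:40001 dst=10.0.0.10:445 proto=tcp app=system bytes=3000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) proto=(?P<proto>\w+) "
    r"app=(?P<app>\S+) bytes=(?P<bytes>\d+)$"
)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}   # assumed process names
BROWSER_PORTS = {80, 443, 8080}                          # ports the slide names as normal
AUTHORIZED_FILE_SERVERS = {"10.0.0.10"}                  # assumed: only host SMB should go to


def parse_line(line: str):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def check(rec: dict):
    """Return why a connection is suspicious, or None if it looks normal."""
    if rec["app"] in BROWSERS and rec["dst_port"] not in BROWSER_PORTS:
        return f"browser {rec['app']} using non-web port {rec['dst_port']}"
    if rec["dst_port"] == 445 and rec["dst_ip"] not in AUTHORIZED_FILE_SERVERS:
        return f"SMB to unauthorized server {rec['dst_ip']}"
    return None


def analyze_logs(lines) -> list:
    """Parse, sort into a timeline, and list every connection that fails a check."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):     # time-sequenced
        reason = check(rec)
        if reason:
            findings.append({"time": rec["ts"].isoformat(), "src_ip": rec["src_ip"],
                             "dst_ip": rec["dst_ip"], "dst_port": rec["dst_port"],
                             "reason": reason})
    return findings


def pair_volumes(lines) -> Counter:
    """Bytes per (source, destination) pair: the table an analyst scans for odd pairs."""
    totals = Counter()
    for rec in filter(None, (parse_line(l) for l in lines)):
        totals[(rec["src_ip"], rec["dst_ip"])] += rec["bytes"]
    return totals


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in analyze_logs(lines):
        print(f["time"], f["src_ip"], "->", f"{f['dst_ip']}:{f['dst_port']}", f["reason"])
    for pair, total in pair_volumes(lines).most_common():
        print(pair, total, "bytes")
```

Both rules are allow-lists (known browsers on known ports, SMB only to known servers), so the script reports what falls outside normal rather than trying to enumerate attacks; new findings are then confirmed against full-packet capture where one exists.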

Developing standard procedures for network forensics

• Network forensics aims at finding out the causes and impacts of cyber
attacks by capturing, recording, and analyzing network traffic and
audit files. Identification of attack patterns requires investigators to
understand application and network protocols.
• Applications and protocols include:
1.Web protocols (e.g., http and https)
2.File transfer protocols (e.g., Server Message Block/SMB and Network
File System/NFS)
3.Email protocols, (e.g., Simple Mail Transfer Protocol/SMTP)
4.Network protocols (e.g., Ethernet, Wi-Fi and TCP/IP)

Network forensics tools
1. eMailTrackerPro shows the location of the device from which an email was sent.
2. Web Historian provides information about the upload/download of files on
visited websites.
3. Wireshark can capture and analyze network traffic between devices.
4. NetworkMiner performs advanced Network Traffic Analysis (NTA) by
presenting extracted artifacts in an intuitive user interface.
5. Splunk captures, indexes, and correlates real-time data in a
searchable container and produces graphs, alerts, dashboards and
visualizations.
https://resources.infosecinstitute.com/topics/digital-forensics/network-forensics-tools/
The Honeynet
• A honeynet is a network set up to catch a hacker's attention. It's designed
to look, feel, and act just like a network packed tight with valuable
resources. It contains plenty of monitoring tools.
• A honeynet can be a standalone network, or you can create a so-called
virtual honeynet. Here, you create something that appears to be an
entire network; in reality it resides on a single server, so the illusion
of a full network is created.
• Building a realistic trap for a hacker isn't easy. Honeynets rely on a
series of elements, all working together seamlessly.
Honeynets Working & Elements
• As discussed, building a realistic trap for a hacker isn't easy. Honeynets rely
on a series of elements, all working together seamlessly. Honeynets contain:
1. Honeypots. These computer systems are set up to trap hackers. Sometimes they're
used for research purposes, and sometimes they're decoys that lure (trick somebody
into going somewhere or doing something, attract) hackers away from valuable resources.
When plenty of pots come together, a net is formed.
2. Applications and services. Hackers must be convinced that they've entered a valid,
worthwhile environment.
3. No authorized activity or users. A true honeynet has no use aside from trapping
hackers.
4. Honeywalls. You must be able to study and learn from the honeynet attack. The
system should keep accurate records of traffic moving into and out of the honeypot.
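An added Python example (not from the slides and not the Honeynet Project's honeywall software) of the two honeywall duties listed above: record every connection into and out of the honeypots, and raise alerts. It relies on element 3, "no authorized activity or users": because nothing legitimate ever touches a honeypot, every inbound connection is attacker activity, and any connection a honeypot initiates means it has been compromised. The connection records, the honeypot addresses and the outbound budget of five connections (an assumed limit that stops a captured honeypot from being used to attack others) are constructed here.

```python
from collections import Counter

HONEYPOT_IPS = {"192.0.2.10", "192.0.2.11"}   # constructed honeypot addresses
OUTBOUND_LIMIT = 5                             # assumed per-honeypot outbound budget

# Constructed connection records as the honeywall sees them:
# (timestamp, source ip, destination ip, destination port)
SAMPLE_CONNS = [
    ("10:00:01", "198.51.100.77", "192.0.2.10", 22),
    ("10:00:05", "198.51.100.77", "192.0.2.10", 22),
    ("10:00:09", "198.51.100.77", "192.0.2.11", 80),
    ("10:02:00", "192.0.2.10", "192.0.2.11", 445),          # honeypot to honeypot
] + [("10:03:%02d" % s, "192.0.2.10", "203.0.113.5", 25) for s in range(7)]


def honeywall(conns, honeypot_ips=HONEYPOT_IPS, outbound_limit=OUTBOUND_LIMIT):
    """Data capture: every record is logged with its classification and action.
    Data control: outbound connections from a honeypot are allowed up to
    outbound_limit per honeypot (so the attacker keeps interacting and the
    capture stays realistic), then blocked. Returns (capture_log, alerts)."""
    capture = []
    alerts = []
    outbound = Counter()
    for ts, src, dst, dport in conns:
        entry = {"ts": ts, "src": src, "dst": dst, "dport": dport,
                 "class": "other", "action": "allowed"}
        if dst in honeypot_ips and src not in honeypot_ips:
            entry["class"] = "inbound"      # no legitimate users: every inbound is a probe
            alerts.append((ts, "info", f"inbound {src} -> {dst}:{dport}"))
        elif src in honeypot_ips and dst in honeypot_ips:
            entry["class"] = "lateral"      # attacker moving between honeypots
            alerts.append((ts, "high", f"lateral {src} -> {dst}:{dport}"))
        elif src in honeypot_ips:
            entry["class"] = "outbound"     # honeypot initiating traffic = compromised
            outbound[src] += 1
            if outbound[src] > outbound_limit:
                entry["action"] = "blocked"
            alerts.append((ts, "high",
                           f"outbound from honeypot {src} -> {dst}:{dport} ({entry['action']})"))
        capture.append(entry)
    return capture, alerts


def attacker_sources(capture) -> Counter:
    """Inbound connection counts per external source, for the post-attack study."""
    return Counter(e["src"] for e in capture if e["class"] == "inbound")


if __name__ == "__main__":
    log, alerts = honeywall(SAMPLE_CONNS)
    for ts, severity, message in alerts:
        print(ts, severity.upper(), message)
    print("attacker sources:", dict(attacker_sources(log)))
```

Keeping the full capture separate from the alert stream matters: the alerts are what an operator watches, but the capture log, including the connections that were blocked, is the record the study of the attack is built from.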
Benefits/Advantages & Risk of Honeypots
• Benefits/Advantages:-
1. Honeypots can provide early warning of attacks.
2. Honeypots can help organizations understand attacker tactics.
3. Honeypots can help identify security vulnerabilities.
4. Honeypots can be used for training and education.
• Risk:-
1. Honeypots can be costly and time-consuming to implement.
2. Honeypots can create additional attack surfaces.
3. Honeypots can be ineffective against sophisticated attackers.
4. Honeypots can generate false positives.
Types of Honeypots(6)
1. High-Interaction Honeypots:- They provide attackers with a high degree
of interaction and can capture important information about the attacker’s
tactics and techniques. They can be expensive and time-consuming to maintain,
but they provide insight into attacker behaviour.
2. Low-Interaction Honeypots:- Designed to be lightweight and easy to set up
and maintain, they can still effectively detect and alert the security team
to the presence of attackers. They are used as an early warning system,
providing security personnel with alerts that indicate potential attacks.
3. Virtual Honeypots:- These honeypots are virtual machines that are
isolated from other systems and resources. They can simulate various systems
and services and are often used for research and training.

Types of Honeypots(6)
4. Sticky Honeypots:- Designed to be difficult for attackers to detect and remove.
They are typically integrated into systems and services and can provide insight into
attacker behaviour, but they can also be risky, as they are connected to real systems and
resources.
5. Watering Hole Honeypots:- These honeypots target specific types of attackers. They are
typically set up on websites or other online resources known to be frequented by
a particular group of attackers. They can effectively detect and prevent attacks from targeted
groups, but they can also be time-consuming and expensive to set up and
maintain.
6. Pure Honeypots:- A honeypot that is completely passive and does not generate any
network traffic on its own. It is designed to be as unobtrusive and undetectable as
possible. It waits for an attacker to interact with it and logs all of the
attacker’s actions.
The honeynet project
• The Honeynet Project is a leading international 501(c)(3) non-profit
security research organization, dedicated to investigating the latest
attacks and developing open source security tools to improve Internet
security.
• With chapters around the world, volunteers have contributed to the fight
against malware (such as Conficker), discovering new attacks and
creating security tools used by businesses and government agencies all
over the world.

https://www.honeynet.org/

Computer Forensic tools
1. EnCase 1-16
2. Helix 17-30
3. FTK 31-54
4. Autopsy 56-81
5. Sleuth Kit Forensic Browser 85-114
6. FIRE 116-135
7. WinHex 138-149

Computer Forensic tools-Case Study
Minimum 5 pages of description on each tool, by allocated roll numbers.
1. Tool support & details: which OS, hardware, software, and anything else
2. Description of the tool
3. Use of the tool
4. Application of the tool (Th)
5. Real-time application of the tool (possibly a demo)
6. Advantages/limitations/risks of the tool
7. Comparison with any other one tool (compulsory)
8. Summary of the tool in brief (min 1 page)
9. Reference links/websites
Unit 4:-Network Forensic
• Network Forensic: Collecting and analyzing network-based evidence,
• reconstructing web browsing,
• e-mail activity, and windows registry changes,
• intrusion detection, tracking offenders.
• Mobile Network Forensic: Introduction,
• Mobile Network Technology,
• Investigations, Collecting Evidence,
• Where to seek Digital Data for further Investigations,
• Interpretation of Digital Evidence on Mobile Network.

Unit 5:- Software Reverse Engineering
• Software Reverse Engineering: Defend against software targets for
viruses,
• worms and other malware,
• improving third party software library,
• identifying hostile codes-buffer overflow,
• provision of unexpected inputs.

Unit 6:- Computer crime and Legal issues
• Computer crime and Legal issues: Intellectual property.
• privacy issues.
• Criminal Justice system for forensic.
• audit/investigative.
• situations and digital crime procedure/standards for extraction,
preservation, and deposition of legal evidence in a court of law.
