CS Unit 2

The document discusses computer forensics and digital forensics. It covers topics like analyzing data from devices to find evidence, digital evidence collection and analysis techniques, and tools used in forensic investigations like email headers, logs, and forensic software.

Uploaded by SRH

INTRODUCTION TO CYBER FORENSICS

• Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a computing device in a form that is admissible in a court of law.
• Forensic examiners typically analyze data from personal computers, laptops, personal digital assistants, cell phones, servers, tapes, and any other type of media.
• The process can involve anything from breaking encryption, to executing search warrants with a law enforcement team, to recovering and analyzing files from hard drives that will be critical evidence in the most serious civil and criminal cases.
• The results of a forensic examination are documented in a report.
DIGITAL FORENSICS
• Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used by a court of law.
• Evidence might be required for a wide range of computer crimes and misuses.

• Multiple methods are used:
• Discovering data on a computer system
• Recovering deleted, encrypted, or damaged file information
Computer Forensics Examples
• Recovering thousands of deleted emails
• Recovering evidence after a hard drive has been formatted
• Performing an investigation after multiple users have taken over a system
• Digital forensics helps the forensic team analyze, inspect, identify and preserve the digital evidence residing on various types of electronic devices.
THE NEED FOR COMPUTER FORENSICS
• Computer forensics is also important because it can save your organization money.
• From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected, so that it can be used effectively in a legal case.
CYBER FORENSICS AND DIGITAL EVIDENCE

• Digital evidence is information stored or transmitted in binary form that may be relied on in court.
• It can be found on a computer hard drive, a mobile phone, or in many other places.
• Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud.
• In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their work.
• Law enforcement agencies need to train officers to collect digital evidence.
Various techniques that are used for e-mail forensics:
• Header Analysis
• Bait Tactics
• Server Investigation
• Network Device Investigation
• Software Embedded Identifiers
• Sender Mailer Fingerprints
Header Analysis

• To investigate cases related to cyber-crimes where emails are being used, digital forensic experts scan the relevant emails for evidence.
• Since criminals often forge messages to avoid detection, email forensics experts need to perform email header analysis to extract and collect crucial evidence.
• Email headers contain vital information about the path that the message has traversed before reaching its final destination: each mail server that handles the message prepends its own Received: line, so the headers are read from the bottom up to follow the message from its origin.
• This information includes recipients' and senders' names, the time of sending/receiving the email message, the email client, the internet service provider (ISP), the IP address of the sender, etc.
• Only the Received: lines added by servers the investigator trusts can be relied on; everything below them, including the originating hop and the From: address, was under the sender's control and may be forged.
• SPF (Sender Policy Framework) is an email authentication technology used in email delivery and email security: the domain owner publishes in DNS the list of servers allowed to send mail for the domain, and the receiving server checks the connecting server's IP address against that list.
• DKIM (DomainKeys Identified Mail) is an email authentication method used to detect spoofed or fake sender email addresses: the sending domain signs selected headers and the body with a private key, and the receiver verifies the signature with the public key published in the domain's DNS.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain from unauthorized use, also known as email spoofing. It builds on SPF and DKIM by requiring that the domain which passed be aligned with the From: header, lets the domain owner publish a policy (none, quarantine or reject) for messages that fail, and provides reports back to the domain owner.
• DKIM, SPF, and DMARC are all email authentication technologies that are free to use for your organization.
• These technologies can be very useful for your organization and for domains out in the cyber world. For the investigator, the receiving server's Authentication-Results: header records the outcome of these checks for a given message.
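As an added example (not from the slides), the following Python script performs the header analysis described above on a constructed phishing message: it unfolds each Received: line, extracts the sending host, its reverse-DNS name, its IP and the receiving server, reverses the list so the originating hop comes first, reads the receiver's Authentication-Results: header for the SPF/DKIM/DMARC outcomes, and picks up the X-Mailer fingerprint. The message, hosts, addresses and IPs are invented (RFC 5737 documentation ranges), and analyze_headers and triage are names chosen here.

```python
"""Worked e-mail header analysis on a constructed message (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed sample message: all hosts, addresses and IPs are invented for
# illustration. Received: headers are listed newest first, as in a real message,
# because each relay prepends its own line.
RAW_MESSAGE = b"""Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTPS id 4A1B2C3D
\tfor <alice@victim.example>; Mon, 04 Mar 2024 10:15:42 +0000
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.20])
\tby mx.example-isp.net with ESMTP id 9F8E7D6C;
\tMon, 04 Mar 2024 10:15:40 +0000
Received: from WIN-DESKTOP (unknown [198.51.100.77])
\tby relay.example-isp.net with ESMTPSA id 1234ABCD;
\tMon, 04 Mar 2024 10:15:38 +0000
Authentication-Results: mail.victim.example;
\tspf=fail smtp.mailfrom=bank.example;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: alice@victim.example
Subject: Urgent: verify your account
Message-ID: <20240304101538.1234ABCD@relay.example-isp.net>
Date: Mon, 04 Mar 2024 10:15:38 +0000
X-Mailer: Microsoft Outlook 16.0

Please click the link below.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract the 'from' host, its reverse-DNS name, its IP and the 'by' host from one Received: line."""
    v = re.sub(r"\s+", " ", value)  # unfold continuation lines
    from_host = re.search(r"\bfrom\s+(\S+)", v)
    rdns = re.search(r"\bfrom\s+\S+\s+\(([\w.-]+)\s+\[", v)
    ip = IPV4.search(v)
    by_host = re.search(r"\bby\s+(\S+)", v)
    return {
        "from_host": from_host.group(1) if from_host else None,
        "rdns": rdns.group(1) if rdns else None,
        "from_ip": ip.group(1) if ip else None,
        "by": by_host.group(1) if by_host else None,
    }


def analyze_headers(raw):
    """Parse the raw message and return the hop chain (origin first) plus the fields an examiner records."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    hops.reverse()  # chronological order: the originating hop comes first
    auth_line = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_line))
    return {
        "from_addr": parseaddr(str(msg.get("From", "")))[1],
        "message_id": str(msg.get("Message-ID", "")),
        "x_mailer": str(msg["X-Mailer"]) if msg["X-Mailer"] else None,
        "hops": hops,
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "auth": auth,
    }


def triage(report):
    """Turn the parsed headers into findings an examiner would note in the report."""
    findings = []
    if report["auth"].get("spf") in ("fail", "softfail"):
        findings.append("SPF failed: sending server not authorised for the envelope-sender domain")
    if report["auth"].get("dkim") != "pass":
        findings.append("no valid DKIM signature on the message")
    if report["auth"].get("dmarc") == "fail":
        findings.append("DMARC failed for the From: domain (sender likely spoofed)")
    if report["hops"] and report["hops"][0]["rdns"] == "unknown":
        findings.append(f"origin host {report['hops'][0]['from_host']} has no reverse DNS; "
                        f"IP {report['origin_ip']} is the lead to pursue with the ISP")
    return findings


if __name__ == "__main__":
    rep = analyze_headers(RAW_MESSAGE)
    for hop in rep["hops"]:
        print(f"{hop['from_host']} [{hop['from_ip']}] -> {hop['by']}")
    print("origin:", rep["origin_ip"], "mailer:", rep["x_mailer"], "auth:", rep["auth"])
    for finding in triage(rep):
        print("-", finding)
```

The triage deliberately treats the bottom-most Received: line as a lead rather than proof: it was written by the ISP's relay, so it is trustworthy only to the extent that relay is, and the IP it names still has to be resolved to a subscriber through the ISP.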
• Bait Tactics
• The bait tactic is an email investigation technique used when the location of a suspect or cybercriminal is unknown. The investigators send the suspect an email containing an HTML "<img src>" tag whose image is hosted on a computer monitored by the investigators. When the suspect opens the email and the mail client fetches the image, the suspect's IP address is recorded in a log entry on the HTTP server that hosts the image. The investigators can use that IP address to track the suspect.
• Sometimes suspects take precautionary measures such as using a proxy server to protect their identity. In that case the IP address of the proxy server is recorded; however, the proxy server's own log can be analyzed to track the suspect. If that log is not available either, the investigators can send an email that contains either of the following:
• an HTML page with an ActiveX object
• an embedded Java applet configured to run on the recipient's computer
• Both of these can record the IP address of the suspect's computer and send it to the email address of the investigators.
• Caveat: modern mail clients block remote images by default or fetch them through the mail provider's own proxy, and ActiveX objects and Java applets are no longer executed by current clients and browsers, so this technique often records the provider's address or nothing at all. Planting such a beacon also requires appropriate legal authorization.
• Server Investigation – In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message.
• Servers store copies of e-mail and server logs only for a limited period, so the request to the provider must be made promptly and, normally, through legal process.
• Further, mail providers which store subscriber data such as credit card numbers and other details pertaining to the owner of a mailbox can be used to identify the person behind an e-mail address.
• Network Device Investigation – In this form of e-mail investigation, logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message.
• Host-based firewalls also keep connection logs that can be consulted; examples of such products are:
• ZoneAlarm Free Firewall 2017
• Private Eye [Mac]
• TinyWall
• Anti NetCut3
• Comodo Free Firewall
• Software Embedded Identifiers – Some information about the creator of the e-mail, attached files or documents may be included with the message by the e-mail software used by the sender for composing the e-mail.
• The investigation can reveal the Windows logon username, MAC address, etc.
• Sender Mailer Fingerprints – X-headers are non-standard email headers (their names begin with "X-") that are added to messages alongside standard headers like Subject and To.
• They can be used to identify the software handling the email at the client, such as Outlook or Opera Mail (for example the X-Mailer: header); the order and format of the other headers a client emits serve as a fingerprint of it as well.
Forensic analysis of E-Mail
• An E-Mail system is a combination of
hardware and software that controls the flow
of E-Mail. Two most important components of
an email system are:
• E-Mail server
• E-Mail gateway
• E-Mail servers are computers that forward,
collect, store, and deliver email to their
clients.
• E-Mail gateways are the connections between
email servers.
• Mail server software is a software which
controls the flow of email. Mail client is the
software which is used to send and receive
(read) emails.
• An email contains two parts:
• Header
• Body
• The email header is very important from a forensics point of view. The full header view of an email shows the entire path of the email's journey from its source to its destination. The header also includes IP addresses and other useful information. A header is a sequence of fields (key-value pairs).
• The body of the email contains the actual message. Headers can be easily spoofed by spammers, so header analysis is important for establishing which parts of the evidence can be trusted. After getting the source IP address we find the ISP's details (for instance from the regional internet registry's WHOIS data). By contacting the ISP, under the appropriate legal process, we can get further information such as:
• Name
• Address
• Contact number
• Internet facility
• Type of IP address
• Any other relevant information
EMAIL FORENSICS TOOLS
• MiTec Mail Viewer
• OST and PST Viewer (Offline Storage Table / Personal Storage Table)
• eMailTrackerPro
• EmailTracer
DIGITAL FORENSICS LIFECYCLE:
Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparation and identification
Sources of evidence identified in this phase include:
• Files and file systems
• Running processes and open files
• Log files
2. Collection and recording
• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices
Non-obvious sources can be:
• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags
3. Storing and transporting
• Image the computer media using a write-blocking tool so that nothing is written to the suspect device during acquisition, and record a cryptographic hash (e.g. SHA-256) of the image so that the copy can be verified against it later and any alteration in storage or transport is detectable.
Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries
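As an added example (not from the slides), this Python script models acquisition behind a write blocker: the source can only be read, an unreadable sector is zero-filled and logged so that later offsets stay correct (the conv=noerror,sync behaviour of dd-style imagers), and the MD5 and SHA-256 of the resulting image go into the acquisition record that travels with the image, so a copy can be re-verified on arrival or before analysis. The WriteBlockedDevice class and the eight-sector sample are constructed stand-ins, and acquire and verify are names chosen here.

```python
"""Forensic acquisition with bad-sector handling and hash verification (added example)."""
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512


class WriteBlockedDevice:
    """Constructed stand-in for a source drive behind a write blocker: it exposes
    reads only, and the sectors listed in `bad` raise an I/O error like failing media."""

    def __init__(self, data, bad=()):
        assert len(data) % SECTOR == 0, "sample data is built as whole sectors"
        self._data = data
        self._bad = set(bad)

    @property
    def sectors(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def acquire(device):
    """Read every sector in order; an unreadable sector is zero-filled and logged
    (conv=noerror,sync behaviour) so that every later offset in the image still
    matches the source. Returns the image and its acquisition record."""
    image = bytearray()
    bad_sectors = []
    for n in range(device.sectors):
        try:
            block = device.read_sector(n)
        except OSError:
            block = b"\x00" * SECTOR
            bad_sectors.append(n)
        image += block
    image = bytes(image)
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sectors": device.sectors,
        "bytes": len(image),
        "bad_sectors": bad_sectors,
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return image, record


def verify(image, record):
    """Re-hash an image (after transport, or before analysis) and compare it with the
    acquisition record; any mismatch means this copy cannot be relied on as evidence."""
    return (
        len(image) == record["bytes"]
        and hashlib.md5(image).hexdigest() == record["md5"]
        and hashlib.sha256(image).hexdigest() == record["sha256"]
    )


def build_sample_device(bad=()):
    """Eight sectors of constructed content standing in for a small USB stick."""
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    return WriteBlockedDevice(data, bad=bad)


if __name__ == "__main__":
    dev = build_sample_device(bad=[3])
    img, rec = acquire(dev)
    print(json.dumps(rec, indent=2))
    print("verified:", verify(img, rec))
    tampered = img[:100] + b"\xff" + img[101:]
    print("verified after tampering:", verify(tampered, rec))
```

The record is what goes into the chain-of-custody documentation: the hashes identify exactly this image, and the bad-sector list explains why a hash of the source medium itself (if it could be taken) would differ from the hash of the image.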
Analysis, interpretation, and attribution
Forensics tools:
• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
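As an added example (not Scalpel's own code), this Python script shows the header/footer carving that tools such as Scalpel perform: it ignores file-system metadata entirely and scans the raw image for known file signatures, so files that were deleted or that sit on a formatted volume are recovered from their bytes alone, and it handles the case where a file's footer has been overwritten. The signature table, the disk image and the embedded JPEG and PNG are constructed (the PNG's CRC is a placeholder), and carve and build_sample_image are names chosen here.

```python
"""Header/footer file carving over a constructed disk image (added example)."""
import hashlib

# Signature table in the spirit of a Scalpel config: type -> (header, footer, max size).
# Constructed here; real configs carry many more types and tuning options.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 5 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 5 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan the raw bytes for every header; carve up to the matching footer, or up to
    the type's maximum size (flagged as truncated) when no footer is found in range."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            foot = image.find(footer, pos + len(header), limit)
            if foot != -1:
                end, truncated = foot + len(footer), False
            else:
                end, truncated = limit, True
            data = image[pos:end]
            found.append({
                "type": kind,
                "offset": pos,
                "size": len(data),
                "truncated": truncated,
                # hash of the carved object so it can be re-verified when reported
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = image.find(header, end)  # resume after the carved region
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image():
    """Assemble a constructed image: deleted or formatted files survive as raw bytes
    between unallocated sectors, which is exactly what carving recovers. Returns the
    image and where each object was placed, for checking the carver's output."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x12\x34" * 40 + b"\xff\xd9")
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00"
           + b"\x90\x91\x68\x36"  # IHDR CRC: placeholder, not validated here
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    orphan = b"\xff\xd8\xff\xe1" + b"\x00" * 64  # JPEG whose tail was overwritten
    layout = [("slack", b"\x00" * 512), ("jpg", jpeg), ("text", b"A" * 300),
              ("png", png), ("slack2", b"\x00" * 256), ("orphan", orphan)]
    image = bytearray()
    placed = {}
    for name, blob in layout:
        placed[name] = (len(image), len(blob))
        image += blob
    return bytes(image), placed


if __name__ == "__main__":
    img, placed = build_sample_image()
    for f in carve(img):
        flag = " (truncated, no footer)" if f["truncated"] else ""
        print(f"{f['type']} @ {f['offset']} {f['size']} bytes{flag} sha256={f['sha256'][:16]}...")
```

Carving by signature alone produces false positives on real media (a header pattern inside another file, or a footer that belongs to an embedded thumbnail), which is why carved results are validated by opening them with a parser for the format before they are reported.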
Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images
Types of digital analysis:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis
Reporting
Some of the general elements in the report are:
• Identity of the report agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
Testifying

• This phase involves the presentation and cross-examination of expert witnesses. An expert witness can testify to the methods used in the examination and to its findings, and must be able to defend both under cross-examination.
FORENSICS INVESTIGATION
• Forensics is the application of scientific methods to solve a crime.
• A forensic investigation is the gathering and analysis of all crime-related physical evidence.
• Investigators will look at blood, fluids, fingerprints, residue, hard drives, computers, or other technology to establish how a crime took place.
TYPES OF FORENSICS INVESTIGATION
1.Forensic Accounting / Auditing
2.Computer or Cyber Forensics
3. Crime Scene Forensics
4. Forensic Archaeology
5.Forensic Dentistry
6. Forensic Entomology
7. Forensic Graphology
8.Forensic Pathology
9.Forensic Psychology
10.Forensic Science
11.Forensic Toxicology
CHALLENGES IN COMPUTER FORENSICS
• Technical challenges
• Legal challenges
• Resource challenges
• As technology develops, crimes and criminals develop with it.
• Digital forensic experts use forensic tools for collecting evidence against criminals, and criminals use tools of their own for hiding, altering or removing the traces of their crime. In digital forensics this is called anti-forensics.
Technical challenges

1. Encryption: It is legitimately used for ensuring the privacy of information by keeping it hidden from an unauthorized user or person. Unfortunately, it can also be used by criminals to hide their crimes.
2. Data hiding in storage space: Criminals hide chunks of data inside the storage medium in places invisible to ordinary users, using system commands and programs (for example in slack space, unallocated space, hidden partitions or alternate data streams).
3. Covert channel: A covert channel is a communication channel that carries data in a way the underlying protocol was not designed for (for instance in unused header fields or in packet timing), which allows an attacker to bypass intrusion detection techniques and hide data in network traffic. Attackers use it to hide the connection between themselves and the compromised system.
LEGAL CHALLENGES
• 1. Absence of guidelines and standards: In India there are no proper guidelines for the collection and acquisition of digital evidence. The investigating agencies and forensic laboratories work to guidelines of their own.
• 2. Limitations of the Indian Evidence Act, 1872 (whose Section 65B governs the admissibility of electronic records and requires a certificate about the computer that produced them)
Other Legal Challenges
• Privacy Issues
• Admissibility in Courts
• Preservation of electronic evidence
• Power for gathering digital evidence
• Analyzing a running computer
Resource Challenges
• As the rate of crime increases, the amount of data increases, and the burden of analyzing such huge volumes of data on the digital forensic expert increases with it; and because digital evidence is more fragile than physical evidence, it can easily disappear.
Types of resource challenges are:
• Change in technology: Due to rapid change in technology such as operating systems, application software and hardware, reading digital evidence is becoming more difficult, because new software versions do not always support the formats of older ones and the older software may no longer be available.
• Volume and replication: The confidentiality, availability, and integrity of electronic documents are easily manipulated, and the combination of wide-area networks and the internet forms a big network that allows data to flow beyond physical boundaries, so the same evidence may be replicated across many systems.
Procedure for a forensic audit investigation

1. Plan the investigation
• Identify what fraud, if any, is being carried out
• Determine the time period during which the fraud has occurred
• Discover how the fraud was concealed
• Identify the perpetrators of the fraud
• Quantify the loss suffered due to the fraud
• Gather relevant evidence that is admissible in court
• Suggest measures that can prevent such frauds in the company in future

2. Collect evidence
• By the conclusion of the audit, the forensic auditor is required to understand the possible type of fraud that has been carried out and how it has been committed. The evidence collected should be adequate to prove the identity of the fraudster(s) in court.
• Substantive techniques – for example, performing a reconciliation, reviewing documents, etc.
• Analytical procedures – used to compare trends over a certain time period or to get comparative data from different segments
• Computer-assisted audit techniques – computer software programs that can be used to identify fraud
• Understanding internal controls and testing them, so as to understand the loopholes which allowed the fraud to be perpetrated
3. Interview the suspect(s)

4. Reporting: The report should include the findings of the investigation, a summary of the evidence, an explanation of how the fraud was perpetrated, and suggestions on how internal controls can be improved to prevent such frauds in the future. The report is presented to the client so that they can proceed to file a legal case if they so desire.
5. Court proceedings: The forensic auditor needs to be present during court proceedings to explain the evidence collected and how the suspect was identified.
