Forensics
Introduction of Computer Forensics: Digital
Forensics Science, Need for Computer Forensics,
Cyberforensics and digital evidence, Digital
Forensic Lifecycle, OSI 7 Layer Models to
computer Forensics
• Forensics: The study or science of solving crimes
by using scientific knowledge or methods.
• Forensic techniques are used in the investigation
of cybercrimes.
• Cyber Forensics is simply application of computer
investigation and analysis techniques in the
interest of determining potential legal evidence.
• Cyberforensics plays a key role in investigation of
cybercrime.
• “Evidence” in the case of “cyberoffenses” is
extremely important from the legal perspective.
• The application of computer for investigating
computer-based crime has led to development of
a new field called computer forensics.
• Computer forensics is primarily concerned with
the systematic “identification”, “acquisition”,
“preservation”, and “analysis” of digital evidence
typically after an unauthorized access to
computer.
• Computer forensics experts need digital evidence
in cases involving data acquisition, preservation,
recovery, analysis and reporting, intellectual
property theft, computer misuse.
Digital Forensics Science
Computer forensics:
It is the lawful and ethical seizure, acquisition,
analysis, reporting and safeguarding of data and
metadata derived from digital devices which may
contain information that is notable and perhaps
of evidentiary value to the trier of fact in
managerial, administrative, civil and criminal
investigations.
In other words, it is the collection of techniques
and tools used to find evidence in a computer.
Digital forensics:
It is the use of scientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis, interpretation,
documentation and presentation of digital evidence
derived from digital sources for the purpose of
facilitation or furthering the reconstruction of events
found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to
planned operations.
The role of digital forensics is to:
– Uncover and document evidence and leads.
– Corroborate evidence discovered in other ways
– Assist in showing a pattern of events (data mining
has an application here).
– Connect attack and victim computers.
– Reveal an end-to-end path of events leading to a
compromise attempt, successful or not.
– Extract data that may be hidden, deleted or
otherwise not directly available.
The typical scenarios involved are:
– Employee Internet abuse
– data leak/data breach — unauthorized disclosure
of corporate information and data.
– industrial espionage (corporate “spying” activities);
– damage assessment
– criminal fraud and deception Cases;
– criminal cases (many criminals simply store
information on computers, intentionally or
unwittingly)
– copyright violation.
The kind of data we “see” using forensics tools
Using digital forensics techniques, one can:
– Corroborate and clarify evidence otherwise
discovered.
– Generate investigative leads for follow-up and
verification in other ways.
– Provide help to verify an intrusion hypothesis.
– Eliminate incorrect assumptions.
The Need for Computer Forensics
• The convergence of Information and Communications Technology
(ICT) advances and the pervasive use of computers worldwide
together have brought about many advantages to mankind.
• Tremendously high technical capacity of modern
computers/computing devices provides avenues for misuse as
well as opportunities for committing crime.
• This has led to new risks for computer users and also increased
opportunities for social harm.
• The users, businesses and organizations worldwide have to live
with a constant threat from hackers who use a variety of
techniques and tools to break into computer systems, steal
information, change data and cause havoc.
• The widespread use of computer forensics is the
result of two factors:
– The increasing dependence of law enforcement on
digital evidence and
– The ubiquity of computers that followed from the
microcomputer revolution.
• The media, on which clues related to cybercrime
reside, would vary from case to case.
• There are many challenges for the forensics
investigator because storage devices are getting
miniaturized due to advances in electronic
technology; for example, external storage devices
such as mini hard disks
• Looking for digital forensics evidence (DFE) is like
looking for a needle in the haystack.
• Here is a way to illustrate why there is always the need
for forensics software on suspect media
– The capacity of a typical regular hard disk is 500 GB
(gigabytes).
– In an A4 size page, there are approximately 4,160 bytes (52
lines x 80 Characters = 4,160 bytes assuming 1 byte per
character).
– This is equivalent to 4 KB (kilobytes).
– An A4 size of paper sheet has thickness of 0.004 inches.
– The printout of 500 GB would be 500,000 inches!
– It would be virtually impossible to “retrieve” relevant
forensics data from this heap!!
Chain of Custody
• The basic idea behind ensuring “chain of
custody" is to ensure that the “evidence" is
NOT tampered with.
• The recovery of a “crime weapon" at the
murder scene would be an example of “chain
of custody."
Chain of custody Case Study
– Officer Amar collects the knife and places it into a container, then gives it
to forensics technician Balan.
– Forensics technician Balan takes the knife to the laboratory and collects
fingerprints and other evidence from the knife.
– He then gives the knife and all evidence gathered from the knife to
evidence clerk Charu.
– Charu then stores the evidence until it is needed, documenting everyone
who has accessed the original evidence (the knife and original copies of
the lifted fingerprints).
– The chain of custody requires that from the moment the evidence is
collected, every transfer of evidence from one person to another person
should be documented as it helps to prove that nobody else could have
accessed that evidence.
– It is advisable to keep the number of evidence transfers as low as
possible.
– In the courtroom, if the defendant challenges the chain of custody of the
evidence, it can be proven that the knife in the evidence room is the
same knife as found at the crime scene. However, if due to some
discrepancies it cannot be proven who had the knife at a particular point
in time, then the chain of custody is broken.
Documentation must include
– Conditions under which the evidence is collected
– The identity of all those who handled the evidence
– Duration of evidence custody
– Security conditions while handling or storing the
evidence
– The manner in which evidence is transferred to
subsequent custodians each time such a transfer
occurs.
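The custody records described above can be kept as a simple ledger and checked mechanically. The following Python is an added illustration, not part of the lecture notes: it models the knife case study as a list of handover records (names, times and places are constructed sample data), verifies that every transfer names the previous documented holder and is fully documented, and derives how long each custodian held the exhibit.

```python
"""Chain-of-custody ledger with a continuity check.

Added illustration, not part of the lecture notes: one exhibit's custody log
as a list of handover records, plus a check that reports where the chain is
broken. Names, times and places are constructed sample data modelled on the
knife case study in the notes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEvent:
    when: datetime              # time of collection or handover (UTC)
    holder: str                 # person receiving custody
    from_holder: Optional[str]  # person handing over; None for the initial collection
    location: str               # where it happened / where the item is kept
    manner: str                 # how the transfer was made (hand-carried, sealed bag, ...)
    condition: str              # state of seals and packaging at handover


REQUIRED = ("holder", "location", "manner", "condition")


def check_chain(events: List[CustodyEvent]) -> List[str]:
    """Return a list of problems; an empty list means the chain is unbroken.

    Every record must be fully documented, the first record must be the
    collection itself, each later record must name the previous holder as
    the person handing over, and times must increase."""
    problems = []
    if not events:
        return ["no custody records"]
    if events[0].from_holder is not None:
        problems.append("record 0: first record should be the collection, not a transfer")
    for i, ev in enumerate(events):
        for field in REQUIRED:
            if not getattr(ev, field):
                problems.append(f"record {i}: missing {field}")
        if i == 0:
            continue
        prev = events[i - 1]
        if ev.from_holder != prev.holder:
            problems.append(
                f"record {i}: received from {ev.from_holder!r}, "
                f"but the documented holder was {prev.holder!r}")
        if ev.when <= prev.when:
            problems.append(f"record {i}: time is not after record {i - 1}")
    return problems


def holding_periods(events):
    """Hours each custodian held the exhibit, derived from the record times;
    the current holder's period is open-ended (None)."""
    periods = []
    for i, ev in enumerate(events):
        end = events[i + 1].when if i + 1 < len(events) else None
        hours = (end - ev.when).total_seconds() / 3600 if end else None
        periods.append((ev.holder, hours))
    return periods


def _utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed sample: the knife case study written as a ledger.
GOOD_CHAIN = [
    CustodyEvent(_utc(2024, 1, 5, 9, 10), "Officer Amar", None, "crime scene",
                 "placed in evidence container", "container sealed, label signed"),
    CustodyEvent(_utc(2024, 1, 5, 11, 0), "Technician Balan", "Officer Amar", "forensics lab",
                 "hand-carried", "seal intact on receipt"),
    CustodyEvent(_utc(2024, 1, 6, 16, 30), "Clerk Charu", "Technician Balan", "evidence room",
                 "hand-carried", "resealed after examination"),
]
# Same exhibit, but the handover from Amar to Balan was never written down,
# so nobody can show who held the knife between collection and storage.
BROKEN_CHAIN = [GOOD_CHAIN[0], GOOD_CHAIN[2]]

if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN) or "intact")
    print("broken chain:", check_chain(BROKEN_CHAIN))
```

The checker deliberately reports a break rather than trying to repair it: a missing handover is exactly the discrepancy that lets a defendant argue the chain is broken, and the remedy is procedural (fewer transfers, every one documented at the time), not computational.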
Cyberforensics and Digital Evidence
• Cyberforensics can be divided into two domains:
1. Computer forensics;
2. Network forensics.
• Network forensics is the study of network traffic
to search for truth in civil, criminal and
administrative matters to protect users and
resources from exploitation, invasion of privacy
and any other crime fostered by the continual
expansion of network connectivity.
As compared to the “physical” evidence, “digital
evidence” is different in nature because it has
some unique characteristics.
– First of all, digital evidence is much easier to
change.
– Second, “perfect” digital copies can be made
without harming original.
– The integrity of digital evidence can be proven.
– It is convenient and possible to create a defensible
“clone” of storage device.
• There are many forms of cybercrimes.
• In case of computer crimes/cybercrimes,
computer forensics helps.
• Computer forensics experts know the techniques
to retrieve the data from files listed in standard
directory search, hidden files, deleted files,
deleted E-Mail and passwords, login IDs,
encrypted files, hidden partitions, etc.
• Typically, the evidence resides on computer
systems, in user created files, user protected files,
computer created files and on computer
networks.
Computer systems have the following:
1. Logical file system that consists of
File system: It includes files, volumes, directories and folders, file
allocation tables (FAT) as in the older version of Windows Operating
System, clusters, partitions, sectors.
Random access memory.
Physical storage media.
2. User created files:
It consists of address books, audio/video files, calendars,
database files, spread sheets, E-Mails, Internet bookmarks,
documents and text files.
3. Computer created files: It consists of backups, cookies,
configuration files, history files, log files, swap files, system
files, temporary files, etc.
4. Computer networks: It consists of the Application Layer, the
Transportation Layer, the Network Layer, the Datalink Layer.
The Rules of Evidence
According to the “Indian Evidence Act 1872,
“Evidence” means and includes:
1. All statements which the court permits or
requires to be made before it by witnesses, in
relation to matters of fact under inquiry, are
called oral evidence.
2. All documents that are produced for the
inspection of the court are called
documentary evidence.
• Legal community believes that “electronic evidence” is a
new breed of evidence.
• The law of evidence as per Indian Evidence Act of 1872
may not hold good for electronic evidence.
• Some lawyers express doubts and apprehensions about
the process of leading electronic evidence in the courts.
• The traditional principles of leading evidence, along with
certain newly added provisions in the Indian Evidence
Act 1872 through the Information Technology Act (ITA)
2000, constitute the body of law applicable to electronic
evidence.
• The challenges, however, need to be understood from
the “rules of evidence” perspective.
• There are number of contexts involved in
actually identifying a piece of digital evidence:
– Physical context: It must be definable in its
physical form, that is, it should reside on a specific
piece of media.
– Logical context: It must be identifiable as to its
logical position, that is, where does it reside
relative to the file system.
– Legal context: We must place the evidence in the
correct context to read its meaning.
The path taken by digital evidence can be
conceptually depicted as
• Digital evidence originates from a number of sources
such as seized computer hard drives and backup media,
real-time E-Mail messages, chat room logs, Internet
service provider records, webpages, digital network
traffic, local and virtual databases, digital directories,
wireless devices, memory cards, digital cameras, etc.
• Once the extraction of the digital evidence has been
accomplished, protecting the digital integrity becomes
paramount concern for investigators.
• It is important to “isolate” the potential evidence.
• Some important tips are — do not turn ON the
computer or review media, restrict physical and remote
access, unplug computer power, network and phone
line, and document times, people and steps taken.
Some guidelines for the (digital) evidence collection phase:
1. Adhere to your site’s security policy and engage the appropriate incident handling and law
enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times. If possible,
4. Note the difference between the system clock and Coordinated Universal Time (UTC).
5. Be prepared to testify (perhaps years later) outlining all actions you took and at what times.
Detailed notes will be vital.
6. Minimize changes to the data as you are collecting it. This is not limited to content changes;
avoid updating file or directory access times.
7. Remove external avenues for change.
8. When confronted with a choice between collection and analysis you should do collection first
and analysis later.
9. Needless to say, your procedures should be implementable. If possible, procedures should be
automated for reasons of speed and accuracy. Being methodical always helps.
10. For each device, a systematic approach should be adopted to follow the guidelines laid down
in your collection procedure. Speed will often be critical; therefore, where there are a number
of devices requiring examination, it may be appropriate to spread the work among your team
to collect the evidence in parallel.
11. Proceed from the volatile to the less volatile; order of volatility is as follows:
a. Registers, cache
b. routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
c. temporary file systems; disk;
d. remote logging and monitoring data that is relevant to the system in question;
e. physical configuration and network topology;
f. archival media
12. You should make a bit-level copy of the system’s media. If you wish to do forensics analysis
you should make a bit-level copy of your evidence copy.
Digital Forensics Life Cycle
• As per FBI’s (Federal Bureau of Investigation) view,
digital evidence is present in nearly every crime scene.
• That is why law enforcement must know how to
recognize, seize, transport and store original digital
evidence to preserve it for forensics examination.
• The cardinal rules to remember are that evidence:
– is admissible;
– is authentic;
– is complete;
– is reliable;
– is understandable and believable.
Digital Forensics Process
Digital forensics evidence consists of exhibits.
The exhibits are introduced as evidence by either side.
Testimony is presented to establish the process.
The party must show the evidence.
Digital forensics evidence can be challenged.
Forensics experts formulate a cost proposal.
Proposed timeline of activities, lists of anticipated
deliverables and a plan for production and turnover of
evidence.
Submission of a preliminary risk analysis for the
forensics service being proposed.
Phases in Computer Forensics/Digital
Forensics
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation and attribution
6. Reporting
7. Testifying
Preparing for the Evidence and Identifying the Evidence
• In order to be processed and applied, evidence must
first be identified as evidence.
• There is an enormous amount of potential evidence
available for a legal matter, and it is also possible that the
vast majority of the potential evidence may never get
identified.
• Every sequence of events within a single computer might
cause interactions with files and the file systems in which
they reside, other processes and the programs they are
executing and the files they produce and manage, and
log files and audit trails of various sorts.
• If the evidence cannot be identified as relevant evidence,
it may never be collected or processed at all.
Collecting and Recording Digital Evidence
• Digital evidence can be collected from many sources.
• Obvious sources include computers, cell phones, digital cameras,
hard drives, CD-ROM, USB memory devices and so on.
• Non-obvious sources include settings of digital thermometers,
black boxes inside automobiles, RFID tags and webpages.
• Special care must be taken when handling computer evidence:
most digital information is easily changed, and once changed it is
usually impossible to detect that a change has taken place unless
other measures have been taken.
• It is common practice to calculate a cryptographic hash of an
evidence file and to record that hash elsewhere, usually in an
investigator’s notebook, so that one can establish at a later
point whether the file has been altered.
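Guideline 12 of the collection phase (a bit-level copy of the media, and a second copy of that copy for analysis) and the hashing practice just described fit together in one procedure. The Python below is an added illustration, not the notes' own code: it copies a "medium" byte for byte, hashes the source as it is read and the image as written, makes the working copy from the evidence copy rather than from the original, and shows that a later re-check of the hash exposes a single changed byte. The medium is an ordinary file built here as sample data; a real acquisition reads a block device behind a write blocker.

```python
"""Bit-level imaging with hash verification.

Added illustration, not the notes' own code. It copies a source medium
byte for byte into an image file, hashing the source as it is read and the
image as written, so the recorded hash can later show whether the image
has changed. The "medium" is an ordinary file built here as sample data;
a real acquisition reads a block device behind a write blocker.
"""
import hashlib
import os
import shutil
import tempfile

BLOCK = 4096  # copy granularity; a tail shorter than BLOCK is copied too


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(src_path, img_path):
    """Copy every byte of src into img; return (hash of bytes read, hash of the image on disk)."""
    src_h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_h.update(chunk)
            img.write(chunk)
    # Hash the image by re-reading the file, not the buffer, so a write error would show.
    return src_h.hexdigest(), hash_file(img_path)


def verify_image(img_path, recorded_hash):
    """The check repeated before any later examination: does the image still
    match the hash written in the notebook?"""
    return hash_file(img_path) == recorded_hash


def demo():
    """Image a constructed medium, make a working copy from the image (not from
    the original), alter one byte of the working copy and re-verify both copies."""
    work = tempfile.mkdtemp()
    try:
        medium = os.path.join(work, "suspect_disk.bin")
        evidence = os.path.join(work, "evidence_copy.raw")
        working = os.path.join(work, "working_copy.raw")
        with open(medium, "wb") as f:  # size is deliberately not a multiple of BLOCK
            f.write((b"constructed-disk-content|" * 3000)[: 10 * BLOCK + 123])
        src_hash, evidence_hash = image_media(medium, evidence)
        _, working_hash = image_media(evidence, working)
        with open(working, "r+b") as f:  # flip one byte in the working copy only
            f.seek(5 * BLOCK)
            b = f.read(1)
            f.seek(5 * BLOCK)
            f.write(bytes([b[0] ^ 0xFF]))
        return {
            "acquisition_matches_source": src_hash == evidence_hash,
            "working_copy_matched_at_creation": working_hash == evidence_hash,
            "working_copy_still_verifies": verify_image(working, evidence_hash),
            "evidence_copy_still_verifies": verify_image(evidence, evidence_hash),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of hashing the source while reading and the image after writing, separately, is that the two digests are independent evidence that the copy is complete; a hash of the image alone only proves the image matches itself. The altered working copy failing verification while the evidence copy still passes is the reason the notes insist on analysing a copy of the copy.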
Storing and Transporting Digital Evidence
1. Image computer media using a write-blocking tool to
ensure that no data is added to the suspect device
2. Establish and maintain the chain of custody
3. Document everything that has been done
4. Only use tools and methods that have been tested
and evaluated to validate their accuracy and reliability.
5. Care must be taken in transportation to prevent
spoliation (in a hot car, digital media tends to lose bits).
6. Care must be taken to preserve chain of custody and
assure that a witness can testify accurately about what
took place.
Examining/Investigating Digital Evidence
Special care must be taken to ensure that the forensics specialist has the legal authority to seize,
copy and examine the data.
Sometimes authority stems from a search warrant.
As a general rule, one should not examine digital information unless one has the legal authority to
do so.
Amateur forensics examiners should keep this in mind before starting any unauthorized
investigation.
Analysis, interpretation and attribution of digital forensics evidence can be reconciled with non-digital evidence.
Digital forensics evidence can be externally stipulated.
Open-source tools are available to conduct analysis of open ports, mapped drives on the live
computer system.
Holding unpowered RAM below −60°C will help preserve the residual data by an order of
magnitude, thus improving the chances of successful recovery. However, it is impractical to do this
during a field examination.
Examples of common digital analysis types
include:
– Media analysis
– Media management analysis
– File system analysis
– Application analysis
– Network analysis
– Image analysis
– Video analysis
Reporting
A report is generated.
The report may be in a written form or an oral testimony (or combination of the two).
Evidence, analysis, interpretation and attribution to be presented in the form of expert reports,
depositions and testimony.
Precautions to be Taken when Collecting Electronic
Evidence
• We have established how important the
digital/computer evidence is for cyberforensics.
• Therefore collection of the evidence must happen
with due care.
• Special measures should be taken while conducting a
forensics investigation if it is desired for the results to
be used in a court of law.
• One of the most important measures is to ensure that
evidence has been accurately collected and there is a
clear chain of custody.
• In general, the following principles are applicable:
Principle 1: No action taken by law enforcement agencies or their agents should change
data held on a computer or storage media, which may subsequently be relied upon in
court.
Principle 4: The person in-charge of the investigation (the case officer) has overall
responsibility for ensuring that the law and these principles are adhered to.
Relevance of the OSI 7 Layer Model to
Computer Forensics
• The OSI 7 Layer Model is useful from the
computer forensics perspective because it
addresses the network protocols and network
communication processes.
• To effectively perform forensics network
analysis, forensics professionals must have a
strong understanding of underlying network
processes and protocols.
The steps taken by attackers who hack networks
are
Step 1: Foot Printing
Step 2: Scanning and Probing
Step 3: Gaining Access
Step 4: Privilege
Step 5: Exploit
Step 6: Retracting
Step 7: Installing Backdoors
Step 1: Foot Printing
• Foot printing includes a combination of tools and techniques used
to create a full profile of the organization’s security posture.
• These include its domain names, IP addresses and network blocks.
• Some of the tools used for foot printing are SamSpade, nslookup,
traceroute and neotrace.
• Once the IP address and domain names are known, a hacker will
typically perform a series of scans or probes to gather more
information about individual machines for the purpose of gaining
unauthorized access to the system at a later date.
• These scans may include ping sweeps, TCP/UDP scans and OS
identification. All of these actions can be performed with a single
tool called Nmap.
• The tool called “Metasploit” was developed as an automated tool
to provide useful information to people who perform penetration
testing.
Step 2: Scanning and Probing
• The hacker will typically send a ping echo request packet
to a series of target IP addresses.
• The machines assigned to one of these IP addresses will send
out an echo response, thereby confirming that there is a live
machine associated with that address.
• Similarly, a TCP scan sends a TCP synchronization request
to a series of ports, and the machines that provide the
associated service respond.
• Finally, using tools such as Nmap, the hackers can
determine device type and OS details by interpreting the
responses.
• System scanning and probing can provide insights about
the easiest path into the targeted system to a hacker.
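For the network forensics investigator the relevant question is what these probes look like in the logs. The Python below is an added illustration, not from the notes: a detector run over constructed firewall log lines that flags a ping sweep (echo requests to many distinct hosts in a short window) and a SYN port scan (SYNs to many distinct ports on one host). The line format is invented for the example and real firewall logs differ, so `parse()` is the part to adapt; the addresses are from the RFC 5737 documentation ranges and refer to nothing real.

```python
"""Detecting ping sweeps and SYN port scans in firewall logs.

Added illustration, not from the notes: a small detector run over
constructed log lines. The line format is invented for this example and
real firewall logs differ, so parse() is the part to adapt. Addresses are
from the RFC 5737 documentation ranges and refer to nothing real.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<flags>\S+))?$"
)


def parse(line):
    """Return a dict for a well-formed line, None otherwise (bad lines are skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def _windows(events, window_s):
    """Yield, for each event, the events from it up to window_s seconds later."""
    for i, start in enumerate(events):
        yield [e for e in events[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]


def detect(lines, window_s=60, sweep_hosts=8, scan_ports=10):
    """Map source address -> sorted list of findings.

    ping-sweep: echo requests to >= sweep_hosts distinct hosts within window_s.
    port-scan:  TCP SYNs to >= scan_ports distinct ports on one host within window_s.
    The thresholds are a starting point; tune them against normal traffic on your network."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        found = set()
        for win in _windows(evs, window_s):
            hosts = {e["dst"] for e in win if e["proto"] == "ICMP" and e["flags"] == "echo-request"}
            if len(hosts) >= sweep_hosts:
                found.add("ping-sweep")
            ports = defaultdict(set)
            for e in win:
                if e["proto"] == "TCP" and e["flags"] == "SYN":
                    ports[e["dst"]].add(e["dport"])
            if any(len(p) >= scan_ports for p in ports.values()):
                found.add("port-scan")
        if found:
            findings[src] = sorted(found)
    return findings


def sample_log():
    """Constructed lines: one source sweeps 12 hosts, then probes 15 ports on one of
    them; a second source shows ordinary traffic; one line is garbage."""
    lines = [f"2024-01-05T10:00:{i:02d}Z DENY ICMP 203.0.113.7 -> 192.0.2.{10 + i} echo-request"
             for i in range(12)]
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    lines += [f"2024-01-05T10:01:{i:02d}Z DENY TCP 203.0.113.7 -> 192.0.2.10:{p} SYN"
              for i, p in enumerate(ports)]
    lines += [
        "2024-01-05T10:00:05Z ALLOW TCP 192.0.2.50 -> 198.51.100.4:443 SYN",
        "2024-01-05T10:00:06Z ALLOW TCP 192.0.2.50 -> 198.51.100.4:443 ACK",
        "2024-01-05T10:02:00Z ALLOW ICMP 192.0.2.50 -> 192.0.2.1 echo-request",
        "this line is not in the expected format",
    ]
    return lines


if __name__ == "__main__":
    for src, what in detect(sample_log()).items():
        print(src, ", ".join(what))
```

Counting distinct hosts and distinct ports, rather than raw packet counts, is what separates a probe from a busy but legitimate client; the ordinary source in the sample sends several packets and is not flagged. Slow scans that spread probes over hours evade a fixed 60-second window, which is why the window and thresholds are parameters rather than constants.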
Step 3: Gaining Access
• The hacker’s ultimate goal is to gain access to the system
so that he can perform some malicious action, such as
stealing credit card information, downloading
confidential files or manipulating critical data.
• As each device and OS in the network has a unique
security posture, the information provided during
system scanning and probing can give the hacker
insight into the easiest path into your system.
• Gaining access takes advantage of specific security
weaknesses in the system to allow access via an
individual machine.
Step 4: Privilege
• When a hacker gains access to the system, he will only have
the privileges granted to the user or account that is running
the process that has been exploited.
• Gaining access to root or administrator will allow the hacker
more access or greater power throughout the network.
• All hackers, therefore, would like to gain root or administrator
privileges on the network.
• An exploited application that is running under a root user will
give the hacker immediate root access.
• However, if the application that is exploited is not running
under root, the hacker must perform additional actions to
earn it.
• This usually entails trying to crack the passwords.
Step 5: Exploit
• Gaining root access gives the hacker full control of the
network.
• Every hacker seems to have his/her own reasons for hacking.
• Some hackers do it for fun or a challenge, some do it for
financial gain and others do it to “get even”.
• Exploiting the system, therefore, will take many forms.
• Hackers who do it for fun or a challenge will generally change
a webpage or leave a “calling card” to let their peers know that
he/she was successful.
• Hackers try to break into systems for financial rewards.
• This will generally help them to download valuable
information that can later be sold to other parties.
Step 6: Retracting
• Hackers do not want to be caught and sent to
jail.
• Therefore, the next step in the hacker
methodology is covering tracks.
• The hacker will usually take the time and
effort to modify system logs to hide his/her
actions and try to mislead forensics
investigators about whether a crime has been
committed.
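The defensive answer to log modification is to make the logs tamper-evident before an intrusion happens, which is also why the collection guidelines rank remote logging data as evidence in its own right. The Python below is an added illustration, not from the notes: each log entry carries an HMAC over the entry and the previous tag, so that editing or deleting an earlier entry breaks every tag after it. The key is a constructed constant here; in practice it would be held off the monitored host, and the latest tag would be forwarded to a remote collector so that truncation of the tail is caught as well.

```python
"""Tamper-evident log chain.

Added illustration, not from the notes: each entry carries an HMAC over the
entry text and the previous tag, so altering or removing an earlier entry
invalidates everything after it. The key is a constructed constant for the
example; in practice it lives off the monitored host.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = b"\x00" * 32  # previous-tag value for the very first entry


def _tag(prev_tag, message):
    return hmac.new(KEY, prev_tag + message.encode(), hashlib.sha256).digest()


def append_entry(chain, message):
    """chain: list of (message, tag). The new tag binds message to the previous tag."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((message, _tag(prev, message)))
    return chain


def verify_chain(chain):
    """Return the index of the first entry whose tag does not verify, or None if intact.
    Deleting an entry shifts its successor onto the wrong previous tag, so the
    break is reported at the position where the gap now is."""
    prev = GENESIS
    for i, (message, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(prev, message), tag):
            return i
        prev = tag
    return None


def build_sample():
    """Constructed entries resembling authentication log lines."""
    chain = []
    for line in [
        "sshd: Accepted password for analyst from 192.0.2.50",
        "sudo: analyst : COMMAND=/usr/bin/journalctl",
        "sshd: session closed for analyst",
    ]:
        append_entry(chain, line)
    return chain


if __name__ == "__main__":
    chain = build_sample()
    print("intact:", verify_chain(chain))
    edited = list(chain)
    edited[1] = ("sudo: analyst : COMMAND=/bin/true", edited[1][1])  # text changed, tag kept
    print("after edit, first bad entry:", verify_chain(edited))
    print("after deletion, first bad entry:", verify_chain([chain[0], chain[2]]))
```

Only the holder of the key can produce a valid tag, so an intruder who can rewrite the file but not reach the key cannot make an altered log verify. What this scheme alone cannot show is removal of the most recent entries, since the chain simply ends earlier; anchoring the latest tag somewhere the host cannot reach closes that gap.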
Step 7: Installing Backdoors
• Most hackers will try creating provisions for
entry into the network/hacked system for later
use.
• This, they will do by installing a backdoor to
allow them access in the future.
• A backdoor is a security hole deliberately left in
place to allow access from an uncommon path.
• These can usually be easily detected by skilled
security professionals.