
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

CS6004- CYBER FORENSICS


UNIT I NETWORK LAYER SECURITY & TRANSPORT LAYER SECURITY
IPSec Protocol - IP Authentication Header - IP ESP - Key Management Protocol for IPSec. Transport
layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.

1. IPSec Protocol

➢ IPSec is designed to protect TCP/IP communication in a secure manner.


➢ The IPSec protocol is a set of security extensions developed by the IETF and it provides privacy and
authentication services at the IP layer by using modern cryptography.
➢ There are two main transformation types that form the basics of IPSec:
✓ The Authentication Header (AH) and
✓ The Encapsulating Security Payload (ESP).
➢ AH and ESP are the two protocols that together provide connectionless integrity, data origin
authentication, confidentiality (ESP only) and an anti-replay service.
➢ These protocols may be applied alone or in combination to provide a desired set of security services
for the IP layer. They are configured in a data structure called a Security Association (SA).
➢ The basic components of the IPSec security architecture are explained in terms of the following
functionalities:

✓ Security Protocols for AH and ESP


✓ Security Associations for policy management and traffic processing
✓ Manual and automatic key management for the Internet Key Exchange (IKE), the Oakley key
determination protocol and ISAKMP.
✓ Algorithms for authentication and encryption

➢ The seven groups of documents describing the set of IPSec protocols are explained in the following:

✓ Architecture: The main architecture document covers the general concepts, security
requirements, definitions and mechanisms defining IPSec technology.
✓ ESP: This document covers the packet format and general issues related to the use of the ESP
for packet encryption and optional authentication. This protocol document also contains
default values if appropriate, and dictates some of the values in the Domain of Interpretation
(DOI).
✓ AH: This document covers the packet format and general issues related to the use of AH for
packet authentication. This document also contains default values such as the default padding
contents, and dictates some of the values in the DOI document.
✓ Encryption algorithm: This is a set of documents that describe how various encryption
algorithms are used for ESP.
Specifically:

– Specification of the key sizes and strengths for each algorithm.


– Any available estimates on performance of each algorithm.
– General information on how this encryption algorithm is to be used in ESP.


Figure: Document overview that defines IPsec.

2. IP Authentication Header (NOV/DEC 2016)


➢ The IP AH is used to provide data integrity and authentication for IP packets.
➢ It also provides protection against replays.
➢ The AH provides authentication for the IP header, as well as for upper-level protocol
(TCP, UDP) data.

2.1 AH Format
The IPSec AH format is shown in Figure.


Figure: IPSec AH format.

The following six fields comprise the AH format:


➢ Next header (8 bits): This field identifies the type of the next payload after the AH. The value of this
field is chosen from the set of IP numbers defined in the Internet Assigned Number Authority
(IANA).

➢ Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The default
length of the authentication data field is 96 bits, or three 32-bit words.
➢ Reserved (16 bits): This field is reserved for future use. It must be set to ‘zero’.
➢ SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination
with the destination IP address and security protocol (AH).

➢ Sequence number (32 bits): This field contains the monotonically increasing counter value which
provides an anti-replay function.
➢ Authentication data (variable): This field is a variable-length field that contains the Integrity Check
Value (ICV) or MAC for this packet. This field must be an integral multiple of 32-bit words. It may
include explicit padding. This padding is included to ensure that the length of AH is an integral
multiple of 32 bits (IPv4) or 64 bits (IPv6).

3. IP ESP

➢ The ESP header is designed to provide security services in IPv4 and IPv6.
➢ ESP can be applied in combination with the IP AH or through the use of tunnel mode. Security
services are provided between a pair of hosts, between a pair of security gateways or between a
security gateway and a host.
➢ The ESP header is inserted after the IP header and before the upper-layer protocol header (transport
mode) or before an encapsulated IP header (tunnel mode).
➢ ESP is used to provide confidentiality (encryption), data authentication, integrity and anti-replay
service, and limited traffic flow confidentiality.

3.1 ESP Packet Format

Figure: IPSec ESP format.

➢ SPI (32 bits): The set of SPI values in the range 1 – 255 is reserved by the IANA for future use.
The SPI field in the ESP packet format is mandatory and always present.
➢ Sequence number (32 bits): This field contains a monotonically increasing counter value. This
provides an anti-replay function. It is mandatory and is always present even if the receiver does
not elect to enable the anti-replay service for a specific SA.
➢ Payload data (variable): This variable-length field contains data described by the next header
field. The field is an integral number of bytes in length. If the algorithm requires an initialization
vector (IV) to encrypt payload, then this data may be carried explicitly in the payload field.
➢ Padding (variable): This field is used with encryption; whether padding is present, and how much,
depends on several factors.
➢ Pad length: This field indicates the number of pad bytes immediately preceding it.
The range of valid values is 0 – 255, where a value of 0 indicates that no padding
bytes are present. This field is mandatory.
➢ Next header (8 bits): This field identifies the type of data contained in the payload
data field, i.e. an extension header in IPv6 or an upper-layer protocol identifier. The
next header field is mandatory.
➢ Authentication data (variable): This is a variable-length field containing an ICV
computed over the ESP packet minus the authentication data. The length of this
field is specified by the authentication function selected. The field is optional and is
included only if the authentication service has been selected for the SA in question.
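The AH and ESP layouts from sections 2 and 3, parsed with the consistency checks a receiver should make before trusting a header, plus the sliding anti-replay window that both protocols rely on. This is an added example, not code from the page or from any IPsec implementation; it assumes NULL encryption for the ESP sample so that the trailer is readable, and all sample packets are constructed.

```python
import struct

AH_FIXED_LEN = 12      # next header, payload length, reserved, SPI, sequence number
ESP_HEADER_LEN = 8     # SPI, sequence number
ESP_TRAILER_LEN = 2    # pad length, next header


def parse_ah(packet: bytes) -> dict:
    """Parse an IPsec AH. Payload length counts 32-bit words minus 2, so the ICV
    length is derived from it (the default 96-bit ICV gives payload length 4).
    Inconsistent or truncated headers raise ValueError rather than being trusted."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fewer than 12 bytes")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    icv_len = total_len - AH_FIXED_LEN
    if icv_len < 0:
        raise ValueError("AH payload length too small for the fixed header")
    if len(packet) < total_len:
        raise ValueError("truncated AH: header claims %d bytes" % total_len)
    if reserved != 0:
        raise ValueError("AH reserved field must be zero")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED_LEN:total_len], "rest": packet[total_len:]}


def parse_esp(packet: bytes, icv_len: int, iv_len: int = 0) -> dict:
    """Split an ESP packet into its fields. Assumption for this example: the payload
    is readable (NULL encryption), so the trailer can be located directly. icv_len
    comes from the SA's authentication algorithm (0 when no ICV is present)."""
    if len(packet) < ESP_HEADER_LEN + iv_len + ESP_TRAILER_LEN + icv_len:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    body_end = len(packet) - icv_len
    pad_len, next_hdr = packet[body_end - 2], packet[body_end - 1]
    iv = packet[ESP_HEADER_LEN:ESP_HEADER_LEN + iv_len]
    payload = packet[ESP_HEADER_LEN + iv_len:body_end - ESP_TRAILER_LEN]
    if pad_len > len(payload):
        raise ValueError("ESP pad length exceeds the payload")
    data, padding = payload[:len(payload) - pad_len], payload[len(payload) - pad_len:]
    # RFC 4303's default padding is the byte sequence 1, 2, 3, ...; checking it
    # catches a corrupted or tampered trailer before the packet is accepted.
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding does not match the default pattern")
    return {"spi": spi, "seq": seq, "iv": iv, "data": data, "pad_len": pad_len,
            "next_header": next_hdr, "icv": packet[body_end:]}


class ReplayWindow:
    """Receiver-side anti-replay check shared by AH and ESP: a sliding bitmap over
    the sequence number (64 wide here; 32 is the minimum). Packets left of the
    window or already marked in it are rejected; the first packet on an SA is 1."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # top = highest accepted seq

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.top:                               # advance the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                                 # too old or duplicate
        self.bitmap |= 1 << offset
        return True


def demo() -> dict:
    """Constructed sample packets (not captured traffic)."""
    # AH: next header 6 (TCP), payload length 4 (96-bit ICV), SPI 0x1000, seq 1
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12) + b"tcp-segment"
    # ESP (NULL encryption): SPI 0x2000, seq 7, 9 data bytes, 2 pad bytes, next header 17 (UDP), 12-byte ICV
    esp = struct.pack("!II", 0x2000, 7) + b"udp-dgram" + bytes([1, 2]) + bytes([2, 17]) + bytes(12)
    window = ReplayWindow()
    verdicts = [window.check(s) for s in (1, 3, 2, 2, 1, 100, 36, 37)]
    return {"ah": parse_ah(ah), "esp": parse_esp(esp, icv_len=12), "replay": verdicts}
```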

4. Key Management Protocol for IPsec


➢ The key management mechanism of IPsec involves the determination and distribution of a secret key.
Key establishment is at the heart of data protection that relies on cryptography. A secure key
distribution for the Internet is an essential part of packet protection.
4.1 OAKLEY Key Determination Protocol

➢ Oakley, a refinement of the Diffie–Hellman key exchange algorithm, is a method to establish an
authenticated key exchange.
➢ The Oakley protocol is used to establish a shared key with an assigned identifier and associated
authenticated identities for the two parties.
➢ Oakley can be used directly over the IP protocol or over the UDP protocol using a well-known port
number assignment.
➢ Oakley uses cookies for two purposes:
✓ anti-clogging (protection against denial of service)
✓ key naming.
➢ The anti-clogging tokens provide a form of source address identification for both parties. The
construction of the cookies prevents an attacker from obtaining a cookie using a real IP address and UDP
port.
➢ Oakley employs nonces to protect against replay attacks. Each nonce is a pseudorandom number
generated by the transmitting entity. The nonce payload carries this random data, which is used to guarantee
liveness during a key exchange and to protect against replay attacks.
4.2 ISAKMP
➢ ISAKMP defines a framework for SA management and cryptographic key establishment for the
Internet.
➢ This framework consists of defined exchange, payloads and processing guidelines that occur within a
given DOI.
➢ ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete SAs.
➢ It also defines payloads for exchanging key generation and authentication data.

4.3 ISAKMP Header

➢ Initiator Cookie (64 bits)


This field is the cookie of the entity that initiated SA establishment, SA notification, or SA deletion.


➢ Responder Cookie (64 bits)


This field is the cookie of the entity responding to an SA establishment request, SA notification,
or SA deletion.
➢ Next Payload (8 bits)
This field indicates the type of the first payload in the message
➢ Major Version (4 bits)
This field indicates the Major version of the ISAKMP protocol in use. Set the Major version to 1
according to ISAKMP Internet-Draft.
➢ Minor Version (4 bits)
This field indicates the Minor version of ISAKMP protocol in use. Set the Minor version to 0
according to implementations based on the ISAKMP Internet-Draft.
➢ Exchange Type (8 bits)
This field indicates the type of exchange being used. This dictates the message and payload orderings
in the ISAKMP exchanges.
➢ Flags (8 bits)
This field indicates specific options that are set for the ISAKMP exchange. The Flags are specified in
the Flags field beginning with the least significant bit: the encryption bit is bit 0 of the Flags field, the
commit bit is bit 1, and authentication only bit is bit 2 of the Flags field. The remaining bits of the
Flags field must be set to 0 prior to transmission.
➢ Message ID (32 bits)
Message ID is used to identify protocol state during Phase 2 negotiations. This value is randomly
generated by the initiator of the phase 2 negotiation. During Phase 1 negotiation, this value must be set
to 0.
➢ Length (32 bits)
This field gives the length of the total message (header || payloads) in octets. Encryption can expand
the size of an ISAKMP message.
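An added example (not from the page) that builds and validates the 28-byte ISAKMP header described above, applying the rules the field descriptions give (major version 1, reserved Flags bits zero, Message ID zero in Phase 1, Length consistent with the data), and derives an anti-clogging cookie of the kind section 4.1 describes. The keyed-hash cookie construction, the payload and exchange type constants and the sample addresses are assumptions of the example.

```python
import hashlib
import struct

# 28 bytes: I-cookie, R-cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HEADER_LEN = ISAKMP_HDR.size
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04   # bits 0, 1, 2 of the Flags field
KNOWN_FLAGS = FLAG_ENCRYPTION | FLAG_COMMIT | FLAG_AUTH_ONLY


def anti_clogging_cookie(local_ip, peer_ip, local_port, peer_port, secret, timestamp) -> bytes:
    """Derive an 8-byte cookie from addresses, ports, a local secret and a timestamp.
    The keyed-hash construction (RFC 2408 style) is an assumption of this example; it
    makes the cookie unpredictable without the secret yet cheap to regenerate and check."""
    material = "%s|%s|%d|%d|%d" % (local_ip, peer_ip, local_port, peer_port, timestamp)
    return hashlib.sha256(secret + material.encode()).digest()[:8]


def build_header(icookie, rcookie, next_payload, exchange_type, flags, message_id,
                 payload_len, major=1, minor=0) -> bytes:
    """Serialise a header; Length covers header || payloads in octets."""
    version = (major << 4) | minor
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, version, exchange_type, flags,
                           message_id, ISAKMP_HEADER_LEN + payload_len)


def parse_header(data: bytes, phase1: bool) -> dict:
    """Parse the header and reject values the field rules above do not allow."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange_type,
     flags, message_id, length) = ISAKMP_HDR.unpack(data[:ISAKMP_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != 1:
        raise ValueError("unsupported ISAKMP major version %d" % major)
    if flags & ~KNOWN_FLAGS & 0xFF:
        raise ValueError("reserved Flags bits must be zero")
    if length < ISAKMP_HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with received data")
    if phase1 and message_id != 0:
        raise ValueError("Message ID must be 0 during Phase 1")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "major": major, "minor": minor, "exchange_type": exchange_type,
            "flags": flags, "message_id": message_id, "length": length,
            "payloads": data[ISAKMP_HEADER_LEN:length]}


def demo() -> dict:
    """Constructed first message of a Phase 1 exchange: the responder cookie is still zero."""
    secret = b"constructed-local-secret"
    icookie = anti_clogging_cookie("192.0.2.1", "192.0.2.2", 500, 500, secret, 1700000000)
    # next payload 1 = Security Association, exchange type 2 = Identity Protection (RFC 2408 values)
    msg = build_header(icookie, bytes(8), 1, 2, 0, 0, payload_len=4) + b"\x00\x00\x00\x04"
    return parse_header(msg, phase1=True)
```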

5. SSL Protocol (NOV/DEC 2017)

➢ SSL is a two-layered protocol.


➢ At the lower level, the SSL Record Protocol is layered on top of some reliable transport protocol such
as TCP. A higher-level protocol can layer on top of the SSL protocol transparently.
➢ The SSL Record Protocol takes the upper-layer application message to be transmitted, fragments the
data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a
header, and transmits the result to TCP. The received data is

5.1 Session and Connection States


There are two defined specifications: SSL session and SSL connection.
5.1.1 SSL session
➢ An SSL session is an association between a client and a server. Sessions are created by the
Handshake Protocol. They define a set of cryptographic security parameters, which can be shared
among multiple connections. Sessions are used to avoid the
➢ The session state is defined by the following elements:

✓ Session identifier: This is a value generated by a server that identifies an active or
resumable session state.
✓ Peer certificate: This is an X.509 v3 certificate of the peer. This element of the state may
be null.
✓ Compression method: This is the algorithm used to compress data prior to encryption.
✓ Cipher spec: This specifies the bulk data encryption algorithm (such as null, DES, etc.)
and a hash algorithm (such as MD5 or SHA-1) used for MAC computation. It also defines
cryptographic attributes such as the hash size.
✓ Master secret: This is a 48-byte secret shared between the client and server. It represents
secure secret data used for generating encryption keys, MAC secrets and IVs.
✓ Is resumable: This designates a flag indicating whether the session can be used to initiate
new connections.
5.1.2 SSL connection
➢ A connection is a transport (in the OSI layering model definition) that provides a suitable type of
service. For SSL, such connections are peer-to-peer relationships. The connections are transient.
Every connection is associated with one session.

➢ The connection state is defined by the following elements:


✓ Server and client random: These are byte sequences that are chosen by the server and
client for each connection.
✓ Server write MAC secret: This indicates the secret key used in MAC operations on data sent by the
server.
Figure: SSL protocol stack: SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol,
HTTP.


✓ Client write MAC secret: This represents the secret key used in MAC operations on data
sent by the client.
✓ Server write key: This is the conventional cipher key for data encrypted by the server and
decrypted by the client.
✓ Client write key: This is the conventional cipher key for data encrypted by the client and
decrypted by the server.
✓ Initialization vectors:This field is first initialized by the SSL Handshake Protocol.
Thereafter the final cipher text block from each record is preserved for use as the IV with
the following record. The IV is XORed with the first plaintext block prior to encryption.
✓ Sequence numbers: Each party maintains separate sequence numbers for transmitted and
received messages for each connection. When a party sends or receives a change cipher
spec message, the appropriate sequence number is set to zero. Sequence numbers may not
exceed 2^64 − 1.
6. Cryptographic Computations

6.1 Computing the Master Secret


➢ For all key exchange methods, the same algorithm is used to convert the premaster secret into the
master secret.
➢ In order to create the master secret, a premaster secret is first exchanged between two parties and then
the master secret is calculated from it.


➢ The master secret is always exactly 48 bytes (384 bits) shared between the client and server. But the
length of the premaster secret is not fixed and will vary depending on the key exchange method.
➢ There are two ways for the exchange of the premaster secret:

✓ RSA: When RSA is used for server authentication and key exchange, a 48-byte pre-master secret
is generated by the client, encrypted with the server’s public key and sent to the server. The
server decrypts the cipher text (of the premaster secret) using its private key to recover the
premaster secret. Both parties then convert the premaster secret into the master secret as specified
below.
✓ Diffie –Hellman: A conventional Diffie – Hellman computation is performed. Both client and
server generate a Diffie-Hellman common key. This negotiated key is used as the premaster
secret and is converted into the master secret, as specified below.

➢ The client and server then compute the master secret as follows:

master_secret = MD5(pre_master_secret || SHA(‘A’ || pre_master_secret || ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA(‘BB’ || pre_master_secret || ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA(‘CCC’ || pre_master_secret || ClientHello.random || ServerHello.random))

➢ where ClientHello.random and ServerHello.random are the two nonce values exchanged in the initial
hello messages.


6.2 Converting the Master Secret into Cryptographic Parameters


➢ Cipher Spec specifies the bulk data encryption algorithm and a hash algorithm used for MAC
computation, and defines cryptographic attributes such as the hash size.
➢ To generate the key material, the following is computed:

key_block = MD5(master_secret || SHA(‘A’ || master_secret || ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA(‘BB’ || master_secret || ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA(‘CCC’ || master_secret || ServerHello.random || ClientHello.random)) || . . .

until enough output has been generated.

Figure: Generation of key block.

➢ Note that the generation of the key block from the master secret uses the same format as the generation
of the master secret from the premaster secret. The above figure illustrates the steps for generation of the
key block from the master secret.
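The two derivations in sections 6.1 and 6.2 (master secret from premaster secret, key block from master secret) share one expansion function with the labels ‘A’, ‘BB’, ‘CCC’, ... This added example, not from the page, implements that expansion with hashlib, keeps the differing seed orders, and partitions the key block into the connection-state parameters; the partition order (client MAC secret, server MAC secret, client key, server key, client IV, server IV) is taken from the SSLv3 specification and the premaster secret and randoms are constructed values.

```python
import hashlib


def ssl3_expand(secret: bytes, seed: bytes, out_len: int) -> bytes:
    """The SSLv3 expansion used by both derivations on this page:
    MD5(secret || SHA(label_i || secret || seed)) for labels 'A', 'BB', 'CCC', ...,
    concatenated until out_len bytes are available."""
    out = b""
    i = 0
    while len(out) < out_len:
        label = chr(ord("A") + i).encode() * (i + 1)      # 'A', 'BB', 'CCC', 'DDDD', ...
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()       # 16 bytes per round
        i += 1
    return out[:out_len]


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: three MD5 outputs, seed = ClientHello.random || ServerHello.random."""
    return ssl3_expand(pre_master_secret, client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key block: same expansion, but the seed order is ServerHello.random || ClientHello.random."""
    return ssl3_expand(master, server_random + client_random, length)


def split_key_block(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Partition the key block into the connection-state parameters listed in section 5.1.2.
    The order (client MAC secret, server MAC secret, client key, server key, client IV,
    server IV) is an assumption taken from the SSLv3 specification."""
    sizes = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    if len(block) < sum(n for _, n in sizes):
        raise ValueError("key block too short for the requested parameters")
    params, pos = {}, 0
    for name, n in sizes:
        params[name] = block[pos:pos + n]
        pos += n
    return params


def demo() -> dict:
    """Constructed inputs: an RSA-style 48-byte premaster secret (version bytes 3, 0 first)
    and 32-byte client/server randoms. Sizes match a SHA-1 MAC, 16-byte key and 8-byte IV."""
    pms = bytes([3, 0]) + bytes(range(46))
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(pms, client_random, server_random)
    mac_len, key_len, iv_len = 20, 16, 8
    kb = key_block(ms, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    params = split_key_block(kb, mac_len, key_len, iv_len)
    params["master_secret"] = ms
    return params
```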

7 TLS Protocol (NOV/DEC 2017)

➢ The TLS v1 protocol itself is based on the SSLv3 protocol specification as published by Netscape.
Many of the algorithm-dependent data structures and rules are very close so that the differences
between TLSv1 and SSLv3 are not dramatic.

7.1 HMAC Algorithm


➢ A Keyed-hashing Message Authentication Code (HMAC) is a secure digest of some data protected
by a secret. Forging the HMAC is infeasible without knowledge of the MAC secret.
➢ HMAC can be used with a variety of different hash algorithms, in TLS MD5 and SHA-1, denoted
HMAC_MD5(secret, data) and HMAC_SHA-1(secret, data).
➢ There are two differences between the SSLv3 and TLS MAC schemes. TLS makes use of the HMAC
algorithm defined in RFC 2104.

HMAC = H [(K ⊕ opad)||H [(K ⊕ ipad)||M]]

where
✓ ipad = 00110110 (0x36) repeated 64 times (512 bits)
✓ opad = 01011100 (0x5c) repeated 64 times (512 bits)
✓ H = one-way hash function for TLS (either MD5 or SHA-1)
✓ M = message input to HMAC
✓ K = secret key padded to the block length of the hash code (512 bits for
MD5 and SHA-1)
➢ The following explains the HMAC equation:

✓ Append zeros to the end of K to create a b-byte string (i.e. if K = 160 bits in length and b = 512
bits, then K will be appended with 352 zero bits or 44 zero bytes 0x00).
✓ XOR (bitwise exclusive-OR) the b-byte string from step 1 with ipad to produce a b-bit block.
✓ Append M to the b-bit block resulting from step 2.
✓ Apply H to the stream generated in step 3.
✓ XOR (bitwise exclusive-OR) the b-byte string from step 1 with opad to produce a b-bit block.
✓ Append the hash result H from step 4 to the b-bit block resulting from step 5.
✓ Apply H to the stream generated in step 6 and output the result.

➢ Below figure illustrates the overall operation of HMAC – MD5 or HMAC – SHA-1.


Figure: Overall operation of HMAC computation using either MD5 or SHA-1 (message length
computation based on (K ⊕ ipad) || M).

Example 8.1 HMAC – SHA-1 computation using RFC method:

Data : 0x 7104f218 a3192e65 1cf7025d 8011bf79 4a19
Key : 0x 31fa7062 c45113e3 2679fd13 53b71264

                                        A        B        C        D        E
IV                                      67452301 efcdab89 98badcfe 10325476 c3d2e1f0
H[(K ⊕ ipad)||M]                        8efeef30 f64b360f 77fd8236 273f0784 613bbd4b
H[(K ⊕ opad)||H[(K ⊕ ipad)||M]]         31db10b8 ed346850 d0f0b7dd 50fd71f4 2dacd24c

HMAC – SHA-1 = 0x 31db10b8 ed346850 d0f0b7dd 50fd71f4 2dacd24c

➢ The alternative operation for computation of either HMAC – MD5 or HMAC – SHA-1 is described in
the following:


Figure: Alternative operation of HMAC computation using MD5 (message length computation is based
on M only).

✓ Append zeros to K to create a b-bit string K+, where b = 512 bits.
✓ XOR K+ (padded with zeros) with ipad to produce the b-bit block.
✓ Apply the compression function f(IV, K+ ⊕ ipad) to produce (IV)i = 128 bits.
✓ Compute the hash code h with (IV)i and Mi.
✓ Raise (pad) the hash value computed from step 4 to a b-bit string.
✓ XOR K+ (padded with zeros) with opad to produce the b-bit block.
✓ Apply the compression function f(IV, K+ ⊕ opad) to produce (IV)o = 128 bits.
✓ Compute the HMAC with (IV)o and the raised hash value resulting from step 5.

Example 8.2 HMAC-MD5 computation using alternative method:

Data : 0x 2143f501 f014a713 c1059e23 7123fd68
Key : 0x 31fa7062 c45113e3 2679fd13 53b71264

                                A        B        C        D
IV                              67452301 efcdab89 98badcfe 10325476
f[(K ⊕ ipad), IV] = (IV)i       13fbaf34 034879ab 35e73505 526a8d28
H[M, (IV)i]                     90c6d9b0 0f281bc8 94d04b33 7f0f4265
f[(K ⊕ opad), IV] = (IV)o       5f8647d7 fa8e9afa bffa4989 3cd471d1
H[H[M, (IV)i], (IV)o]           2c47cd5b 68830268 7d255059 45c7bef0

HMAC – MD5 = 0x 2c47cd5b 68830268 7d255059 45c7bef0

➢ For TLS, the MAC computation encompasses the fields indicated in the following expression:

HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version ||
          TLSCompressed.length || TLSCompressed.fragment)

➢ Note that the MAC calculation includes all of the fields covered by the SSLv3 computation, plus the
field TLSCompressed.version, which is the version of the protocol being employed.
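An added example (not the page's code) that implements HMAC exactly as the seven steps in section 7.1 describe, cross-checks it against Python's hmac module on the Example 8.1 key and data, and applies it to the TLS record MAC input just shown, including a constant-time verification that rejects a replayed record. The MAC_write_secret and the record contents are constructed.

```python
import hashlib
import hmac
import struct

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC = H((K ⊕ opad) || H((K ⊕ ipad) || M)), following the seven steps above."""
    b = hashlib.new(hash_name).block_size             # 64 bytes (512 bits) for MD5 and SHA-1
    if len(key) > b:                                  # RFC 2104: longer keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k = key + bytes(b - len(key))                     # step 1: append zeros to make a b-byte string
    s_i = bytes(x ^ IPAD_BYTE for x in k)             # step 2: K ⊕ ipad
    inner = hashlib.new(hash_name, s_i + message).digest()   # steps 3-4: H((K ⊕ ipad) || M)
    s_o = bytes(x ^ OPAD_BYTE for x in k)             # step 5: K ⊕ opad
    return hashlib.new(hash_name, s_o + inner).digest()      # steps 6-7: outer hash


def reference_hmac(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Library HMAC, used only to cross-check the hand-built version."""
    return hmac.new(key, message, hash_name).digest()


def tls_record_mac(mac_write_secret, seq_num, content_type, version, fragment, hash_name="sha1") -> bytes:
    """TLS record MAC: HMAC_hash(MAC_write_secret, seq_num || type || version || length || fragment).
    seq_num is a 64-bit counter, type 8 bits, version two bytes (major, minor), length 16 bits."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac_rfc2104(mac_write_secret, header + fragment, hash_name)


def verify_record_mac(mac_write_secret, seq_num, content_type, version, fragment,
                      received_mac, hash_name="sha1") -> bool:
    """Recompute and compare in constant time. Because the receiver's own sequence
    number is part of the input, a replayed or reordered record fails the check."""
    expected = tls_record_mac(mac_write_secret, seq_num, content_type, version, fragment, hash_name)
    return hmac.compare_digest(expected, received_mac)


def demo() -> dict:
    """Example 8.1's key and data from the page, plus a constructed TLS 1.0 application-data record."""
    key = bytes.fromhex("31fa7062c45113e32679fd1353b71264")
    data = bytes.fromhex("7104f218a3192e651cf7025d8011bf794a19")
    tag = hmac_rfc2104(key, data, "sha1")
    mac_secret = b"constructed-mac-write-secret"
    fragment = b"GET / HTTP/1.0\r\n"
    record_mac = tls_record_mac(mac_secret, 0, 23, (3, 1), fragment)   # 23 = application_data
    return {"hmac_sha1": tag,
            "matches_library": tag == reference_hmac(key, data, "sha1"),
            "record_mac": record_mac,
            # the same record presented again is seen under sequence number 1 and rejected
            "replay_rejected": not verify_record_mac(mac_secret, 1, 23, (3, 1), fragment, record_mac)}
```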

UNIT II- E-MAIL SECURITY & FIREWALLS


PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall related
terminology- Types of Firewalls - Firewall designs - SET for E-Commerce Transactions.

1. PGP
➢ Pretty Good Privacy (PGP) was invented by Philip Zimmermann who released version 1.0 in
1991.
➢ PGP is widely used in the individual and commercial versions that run on a variety of
platforms throughout the computer community.
➢ PGP uses a combination of symmetric secret-key and asymmetric public-key encryption to
provide security services for electronic mail and data files.
➢ It also provides data integrity services for messages and data files by using digital signature,
encryption, compression (zip) and radix-64 conversion (ASCII Armor).


1.1 Confidentiality via Encryption


➢ In PGP, each symmetric key, known as a session key, is used only once. A new session key
is generated as a random 128-bit number for each message.
➢ Figure illustrates the sequence, which is described as follows:

Figure: PGP confidentiality computation scheme with compression/decompression Algorithms.


➢ The sender creates a message.
➢ The sending PGP generates a random 128-bit number to be used as a session key for this
message only.
➢ The session key is encrypted with RSA, using the recipient’s public key.
➢ The sending PGP encrypts the message, using CAST-128 or IDEA or 3DES, with the session
key. Note that the message is also usually compressed.
➢ The receiving PGP uses RSA with its private key to decrypt and recover the session key.
➢ The receiving PGP decrypts the message using the session key. If the message was
compressed, it will be decompressed.

1.2 Authentication via Digital Signature


➢ The digital signature uses a hash code produced by a message digest algorithm and a public-key
signature algorithm.
➢ The figure below illustrates the digital signature service provided by PGP. The sequence is as
follows:


Figure: PGP authentication computation scheme using compression algorithm


➢ The sender creates a message.
➢ SHA-1 is used to generate a 160-bit hash code of the message.
➢ The hash code is encrypted with RSA using the sender’s private key and a digital signature is
produced.
➢ The binary signature is attached to the message.
➢ The receiver uses RSA with the sender’s public key to decrypt and recover the hash code.
➢ The receiver generates a new hash code for the received message and compares it with the
decrypted hash code. If the two match, the message is accepted as authentic.

1.3 PGP Packet Headers

Figure: PGP packet tag octet (bit 7 = MSB, bit 0 = LSB); bit 7 is always 1.
1 Old format packets: content tag (bits 5, 4, 3, 2), 4 bits; length type (bits 1, 0).
2 New format packets: content tag (bits 5, 4, 3, 2, 1, 0), 6 bits.

Content tag values:
0 – Reserved
1 – Session key packet encrypted by public key
2 – Signature packet
3 – Session key packet encrypted by symmetric key
4 – One-pass signature packet
5 – Secret-key packet
6 – Public-key packet
7 – Secret-subkey packet
8 – Compressed data packet
9 – Symmetrically encrypted data packet
10 – Marker packet
11 – Literal data packet
12 – Trust packet
13 – User ID packet
14 – Public subkey packet
60 ∼ 63 – Private or experimental values


➢ A PGP message is constructed from a number of packets. A packet is a chunk of data which has a
tag specifying its meaning. Each packet consists of a packet header of variable length, followed by
the packet body.
➢ The first octet of the packet header is called the packet tag as shown in Figure 9.4.
The MSB is ‘bit 7’ (the leftmost bit) whose mask is 0x80 (10000000) in hexadecimal. PGP 2.6.x
only uses old format packets.
➢ Hence, software that interoperates with PGP 2.6.x must only use old format
packets. These packets have 4 bits of content tags, but new format packets have 6 bits of content
tags.
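An added example, not from the page, that decodes the packet tag octet and the length field for both old and new format packets and then walks a message packet by packet, rejecting a tag octet without bit 7 set and a body shorter than its declared length. The length encodings (1-, 2- or 4-octet and indeterminate lengths for the old format; one-, two- and five-octet lengths for the new format; bit 6 as the new-format flag) are taken from RFC 4880, which the figure above does not spell out, and the sample packets are constructed.

```python
TAG_NAMES = {
    0: "Reserved", 1: "Session key packet encrypted by public key", 2: "Signature packet",
    3: "Session key packet encrypted by symmetric key", 4: "One-pass signature packet",
    5: "Secret-key packet", 6: "Public-key packet", 7: "Secret-subkey packet",
    8: "Compressed data packet", 9: "Symmetrically encrypted data packet", 10: "Marker packet",
    11: "Literal data packet", 12: "Trust packet", 13: "User ID packet", 14: "Public subkey packet",
}


def need(data: bytes, n: int) -> None:
    """Refuse to read past the end of the input."""
    if len(data) < n:
        raise ValueError("truncated packet header: need %d bytes" % n)


def parse_packet_header(data: bytes) -> dict:
    """Decode the packet tag octet and the length field that follows it.
    Old format: content tag in bits 5-2, length type in bits 1-0 (0/1/2 give 1/2/4
    length octets, 3 is indeterminate). New format: content tag in bits 5-0, then
    the RFC 4880 one-, two- or five-octet length (an assumption of this example)."""
    need(data, 1)
    tag_octet = data[0]
    if not tag_octet & 0x80:                      # bit 7 (mask 0x80) is always 1
        raise ValueError("bit 7 of the packet tag must be set")
    new_format = bool(tag_octet & 0x40)           # bit 6 (mask 0x40) selects the new format
    if new_format:
        content_tag = tag_octet & 0x3F
        need(data, 2)
        first = data[1]
        if first < 192:
            body_len, header_len = first, 2
        elif first < 224:
            need(data, 3)
            body_len, header_len = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            need(data, 6)
            body_len, header_len = int.from_bytes(data[2:6], "big"), 6
        else:                                     # 224..254: partial body lengths (streaming)
            raise ValueError("partial body lengths are not handled in this example")
    else:
        content_tag = (tag_octet >> 2) & 0x0F
        length_type = tag_octet & 0x03
        if length_type == 3:
            body_len, header_len = None, 1        # indeterminate: body runs to end of input
        else:
            n = 1 << length_type                  # 1, 2 or 4 length octets
            need(data, 1 + n)
            body_len, header_len = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[header_len:] if body_len is None else data[header_len:header_len + body_len]
    if body_len is not None and len(body) < body_len:
        raise ValueError("truncated packet body: tag %d claims %d bytes" % (content_tag, body_len))
    name = TAG_NAMES.get(content_tag, "Private or experimental" if 60 <= content_tag <= 63 else "Unknown")
    return {"format": "new" if new_format else "old", "tag": content_tag, "name": name,
            "header_len": header_len, "body_len": body_len, "body": body}


def split_packets(data: bytes) -> list:
    """Walk a PGP message (a sequence of packets) and return each packet's decoded header."""
    packets = []
    while data:
        pkt = parse_packet_header(data)
        packets.append(pkt)
        if pkt["body_len"] is None:
            break                                 # an indeterminate length consumes the rest
        data = data[pkt["header_len"] + pkt["body_len"]:]
    return packets
```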

1.4 PGP Packet Structure


➢ A PGP file consists of a
✓ Message packet,
✓ Signature packet and
✓ Session key packet.
➢ Message Packet
This packet includes the actual data to be transmitted or stored as well as a header that includes
control information generated by PGP such as a filename and a timestamp. A timestamp specifies
the time of creation. The message component consists of a single literal data packet.

➢ Signature Packet
This packet describes a binding between some public key and some data. The most common
signatures are a signature of a file or a block of text, and a signature that is a certification of a user
ID.
➢ The signature includes the following components:
Timestamp: This is the time at which the signature was created.
Message digest (or hash code): A hash code represents the 160-bit SHA-1 digest, encrypted with
sender A’s private key. The hash code is calculated over the signature timestamp concatenated with
the data portion of the message component.

➢ Session Key Packets


This component includes the session key and the identifier of the receiver’s public key that was
used by the sender to encrypt the session key. A public-key-encrypted session key packet, EKPb
(Ks), holds the session key used to encrypt a message.

Figure: PGP message format.
Content:
✓ Message packet: M (data), T (timestamp), FN (filename)
✓ Signature packet: T (timestamp), leading two octets of H(M), key ID of KPa, E_KSa(H(M))
✓ Session key packet: key ID of KPb, E_KPb(KS)
Operation: ZIP compression, E_KS (encryption with the session key), radix-64 conversion function.
Legend:
M : Data          T : Timestamp
FN : Filename     H(M) : Message digest
KS : Session key  E_KSa : Encryption with user A’s private key
E_KPb : Encryption with user B’s public key

2. S/MIME
➢ S/MIME provides a way to send and receive 7-bit MIME data. S/MIME can be used with any
system that transports MIME data.
➢ It can also be used by traditional mail user agents (MUAs) to add cryptographic security services to
mail that is sent, and to interpret cryptographic security services in mail that is received.
2.1 Definitions
➢ ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.680 – 689.
➢ BER: Basic Encoding Rules for ASN.1, as defined in ITU-T X.690.
➢ DER: Distinguished Encoding Rules for ASN.1, as defined in ITU-T X.690.
➢ Certificate: A type that binds an entity’s distinguished name to a public key with a digital signature.
This type is defined in the PKIX certificate and CRL profile. The certificate also contains the
distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the
issuer’s signature algorithm identifier, a validity period and extensions also defined in that
certificate.
➢ CRL: The Certificate Revocation List that contains information about certificates whose validity the
issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the
next scheduled time of issue, a list of certificate serial numbers and their associated revocation
times, and extensions as defined in Chapter 6. The CRL is signed by the issuer.
➢ Attribute certificate: An X.509 AC is a separate structure from a subject’s PKIX certificate. A
subject may have multiple X.509 ACs associated with each of its PKIX certificates. Each X.509 AC
binds one or more attributes with one of the subject’s PKIX certificates.
➢ Sending agent: Software that creates S/MIME CMS objects, MIME body parts that contain CMS
objects, or both.
➢ Receiving agent: Software that interprets and processes S/MIME CMS objects, MIME parts that
contain CMS objects, or both.
➢ S/MIME agent: User software that is a receiving agent, a sending agent, or both.

2.2 Enhanced Security Services for S/MIME


✓ Triple Wrapped Message


✓ Security Services with Triple Wrapping
✓ Signed Receipts
✓ Receipt Request Creation

2.3 Triple Wrapped Message

➢ A triple wrapped message is one that has been signed, then encrypted and then signed again.
The signers of the inner and outer signatures may be different entities or the same entity.
➢ The S/MIME specification does not limit the number of nested encapsulations, so there may be
more than three wrappings.
➢ The inside signature is used for content integrity, non-repudiation with proof of origin, and
binding attributes to the original content.
➢ The outside signature provides authentication and integrity for information that is processed hop
by hop, where each hop is an intermediate entity such as a mail list agent.
➢ The steps to create a triple wrapped message are as follows:
1. Start with the original content (a message body).
2. Encapsulate the original content with the appropriate MIME content-type headers.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The resulting
message is called the inside signature.
✓ If it is signed using multipart/signed, the MIME construct added consists of a
content type of multipart/signed with parameters, the boundary, the step 2 result,
a content type of application/pkcs7-signature, optional MIME headers, and a
body part that is the result of step 3.
✓ If it is instead signed using application/pkcs7-mime, the MIME construct added
consists of a content type of application/pkcs7-mime with parameters, optional
MIME headers and the result of step 3.
5. Encrypt the step 4 result as a single block, turning it into an application/pkcs7-mime
object.
6. Add the appropriate MIME headers: a content type of application/pkcs7-mime with
parameters, and optional MIME headers such as Content-Transfer-Encoding and Content-
Disposition.
7. Sign the step 6 result (the MIME headers and the encrypted body) as a single block.
8. Using the same logic as in step 4, add an appropriate MIME construct to the signed
message from step 7. The resulting message is called the outside signature, and is also the
triple wrapped message.
➢ A triple wrapped message has many layers of encapsulation. The structure differs depending on the
choice of format for the signed portions of the message. Because of the way that MIME
encapsulates data, the layers do not appear in order


2.4 Security Services with Triple Wrapping


➢ If a signed receipt is requested for a triple wrapped message, the receipt request must be in the
inside signature, not in the outside signature.
➢ A security label may be included in the signed attributes of any SignedData object. A security label
attribute may be included in either the inner signature or the outer signature, or both.
➢ The inner security label is used for access control decisions related to the original plaintext
content. The inner signature provides authentication and cryptographically protects the integrity of
the original signer’s security label that is in the inside body.
➢ The outer security label is used for access control and routing decisions related to the encrypted
message.

2.5 Signed Receipts


➢ Returning a signed receipt provides the originator with proof of delivery of a message, and allows the
originator to demonstrate to a third party that the recipient was able to verify the signature of the
original message.
➢ This receipt is bound to the original message through the signature. Consequently, this service may
be requested only if a message is signed. The receipt sender may optionally also encrypt a receipt to
provide confidentiality between the sender and recipient of the receipt.
➢ The interaction steps in a typical transaction are:
✓ Sender creates a signed message including a receipt request attribute.
✓ Sender transmits the resulting message to the recipient(s).
✓ Recipient receives message and determines if there are a valid signature and receipt request
in the message.
✓ Recipient creates a signed receipt.
✓ Recipient transmits the resulting signed receipt message to the sender.
✓ Sender receives the message and validates that it contains a signed receipt for the original
message

2.6 Receipt Request Creation


➢ Multilayer S/MIME messages may contain multiple Signed Data layers. Receipts are requested
only for the innermost Signed Data layer in a multilayer S/MIME message such as a triple wrapped
message.

3. Internet Firewalls for Trusted Systems

3.1 FIREWALL DESIGN PRINCIPLES


➢ Definition: A firewall is a software- or hardware-based network security system that controls the
incoming and outgoing network traffic based on an applied rule set.
➢ A firewall establishes a barrier between a trusted secure internal network and another network.
➢ Firewalls can be an effective means of protecting a local system or network of systems from
network-based security threats while at the same time affording access to the outside world via wide
area networks and the Internet.


3.2 Roles of Firewalls

Firewalls became necessary as enterprise information systems evolved through the following stages,
the last of which exposes the premises networks directly to the Internet:
✓ Centralized data processing system, with a central mainframe supporting a number of directly
connected terminals
✓ Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
✓ Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a
mainframe or two
✓ Enterprise-wide network, consisting of multiple, geographically distributed premises networks
interconnected by a private wide area network (WAN)
✓ Internet connectivity, in which the various premises networks all hook into the Internet and may
or may not also be connected by a private WAN

3.3 FIREWALL CHARACTERISTICS


The design goals for a firewall are:
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved
by physically blocking all access to the local network except via the firewall. Various
configurations are possible, as explained later in this chapter.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various
types of firewalls are used, which implement various types of security policies, as explained later
in this chapter.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a
secured operating system. Trusted computer systems are suitable for hosting a firewall and are often
required in government applications.
3.4 Firewall controls:
Firewalls are used to control access and to enforce the site's security policy. Originally, firewalls
focused primarily on service control, but they have since evolved to provide all four of the following:
1. Service control: Determines the types of Internet services that can be accessed, inbound or
outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number;
may provide proxy software that receives and interprets each service request before passing it on;
or may host the server software itself, such as a Web or mail service.
2. Direction control: Determines the direction in which particular service requests may be initiated
and allowed to flow through the firewall.
3. User control: Controls access to a service according to which user is attempting to access it.
This feature is typically applied to users inside the firewall perimeter (local users). It may also be


applied to incoming traffic from external users; the latter requires some form of secure
authentication technology, such as is provided in IPsec.
4. Behavior control: Controls how particular services are used. For example, the firewall may
filter e-mail to eliminate spam, or it may enable external access to only a portion of the
information on a local Web server.
3.5 Capabilities of firewall:
The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks. The use of a single
choke point simplifies security management because security capabilities are consolidated on a
single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be
implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related.
These include a network address translator, which maps local addresses to Internet addresses,
and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec.
3.6 Limitations of Firewalls:
Firewalls have the following limitations:
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have
dial-out capability to connect to an ISP. An internal LAN may support a modem pool that
provides dial-in capability for travelling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an
employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An
internal firewall that separates portions of an enterprise network cannot guard against wireless
communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate
network, and then attached and used internally.

3.7 TYPES OF FIREWALLS:


➢ Packet Filtering Firewall
➢ Application Level Gateway
➢ Circuit Level Gateway
3.7.1 Packet Filtering Firewall:
A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then
forwards or discards the packet. The firewall is typically configured to filter packets going in both
directions (from and to the internal network). Filtering rules are based on information contained in a
network packet:
➢ Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)


➢ Destination IP address: The IP address of the system the IP packet is trying to reach (e.g.,
192.168.1.2)
➢ Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port
number, which defines applications such as SNMP or TELNET
➢ IP protocol field: Defines the transport protocol
➢ Interface: For a firewall with three or more ports, which interface of the firewall the packet
came from or which interface of the firewall the packet is destined for.
➢ Possible default policies:
Default = discard: That which is not expressly permitted is prohibited (the more conservative choice).
Default = forward: That which is not expressly prohibited is permitted (easier to use, less secure).

Attacks on Packet Filters


➢ IP address spoofing: the intruder transmits packets from outside with a source IP address of an
internal host, hoping to be trusted. Countermeasure: discard packets with an inside source address
that arrive on an external interface.
➢ Source routing attacks: the source station specifies the route the packet should take, hoping to
bypass security measures that do not analyze the source routing information. Countermeasure: discard
all packets that use this option.
➢ Tiny fragment attacks: the intruder uses IP fragmentation to split the TCP header over several tiny
fragments so that the filter rule sees only the first fragment. Countermeasure: discard (or reassemble
before checking) packets whose first fragment does not hold a complete transport header.
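The rule evaluation and the three countermeasures just listed, as an added example that is not part of the original notes: a stateless packet filter in Python with a first-match rule table and a configurable default policy. The internal address block, the rule set and the sample packets are constructed for the demonstration, and the tiny-fragment check follows RFC 1858, which is the usual basis for that countermeasure.

```python
"""Toy stateless packet filter: rule table, default policy and the three
anti-attack checks. Added example; addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal address block
MIN_TCP_HEADER = 20                                    # bytes needed to hold ports and flags


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: str = "outside"       # interface the packet arrived on
    frag_offset: int = 0         # IP fragment offset in 8-byte units (0 = first/only fragment)
    payload_len: int = 512       # bytes following the IP header
    source_routed: bool = False  # LSRR/SSRR IP option present


@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None = any port
    iface: str = "any"


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in ("any", pkt.iface))


def anti_attack_check(pkt: Packet) -> Optional[str]:
    """Runs before the rule table; returns a discard reason or None."""
    # IP spoofing: an internal source address must never arrive on the outside interface
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "spoofed internal source"
    # Source routing: the sender chose the path, drop regardless of the rule table
    if pkt.source_routed:
        return "source-routed packet"
    # Tiny fragments (RFC 1858): a first fragment too small to carry the TCP header,
    # or an offset-1 fragment that would overwrite the ports/flags of the first one
    if pkt.proto == "tcp":
        if pkt.frag_offset == 0 and pkt.payload_len < MIN_TCP_HEADER:
            return "tiny first fragment"
        if pkt.frag_offset == 1:
            return "overlapping second fragment"
    return None


def filter_packet(pkt: Packet, rules: List[Rule], default: str) -> Tuple[str, str]:
    """First-match evaluation; `default` is "discard" or "forward", the two policies above."""
    reason = anti_attack_check(pkt)
    if reason:
        return "discard", reason
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {i}"
    return default, "default policy"


# Constructed rule set: inbound SMTP to the mail host only; anything outbound from inside
RULES = [
    Rule("forward", dst="192.168.1.2/32", proto="tcp", dport=25, iface="outside"),
    Rule("forward", src="192.168.1.0/24", iface="inside"),
]

# Constructed sample traffic
SAMPLES = {
    "inbound smtp":   Packet("203.0.113.9", "192.168.1.2", "tcp", 40000, 25),
    "inbound telnet": Packet("203.0.113.9", "192.168.1.2", "tcp", 40001, 23),
    "outbound https": Packet("192.168.1.10", "198.51.100.7", "tcp", 50000, 443, iface="inside"),
    "spoofed":        Packet("192.168.1.10", "192.168.1.2", "tcp", 40002, 25),
    "source routed":  Packet("203.0.113.9", "192.168.1.2", "tcp", 40003, 25, source_routed=True),
    "tiny fragment":  Packet("203.0.113.9", "192.168.1.2", "tcp", payload_len=8),
}


def run(default: str) -> Dict[str, str]:
    """Decision for every sample packet under the given default policy."""
    return {name: filter_packet(p, RULES, default)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for policy in ("discard", "forward"):
        print(f"default = {policy}:", run(policy))
```

Only the inbound Telnet packet changes outcome between the two default policies; the spoofed, source-routed and tiny-fragment packets are discarded before the rule table is consulted, whatever the default is.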


3.7.2 Application Level Gateway (or Proxy)

➢ An application-level gateway is an application-specific gateway or proxy with full access to the
application protocol:
✓ The user requests a service from the proxy
✓ The proxy validates the request as legal
✓ The proxy then actions the request and returns the result to the user
✓ Traffic can be logged and audited at the application level
➢ A separate proxy is needed for each service:
✓ Some services naturally support proxying
✓ Others are more problematic

3.7.3 Circuit Level Gateway:

➢ It can be a stand-alone system or a specialized function performed by an application-level
gateway for certain applications.
➢ It does not permit an end-to-end TCP connection; rather, it relays two TCP connections, one between
itself and a TCP user on an inner host, and one between itself and a TCP user on an outside host.
➢ Once the two connections are established, the gateway typically relays TCP segments from one
connection to the other without examining the contents. The security function consists of
determining which connections will be allowed.

Example: An example implementation of a circuit-level gateway is the SOCKS package.

SOCKS:
➢ This protocol is designed to provide a framework for client-server applications in both the TCP and
UDP domains to conveniently and securely use the services of a network firewall.


➢ SOCKS server, which runs on a UNIX-based firewall.
➢ SOCKS client library, which runs on internal hosts protected by the firewall.
➢ The implementation of the SOCKS protocol typically involves the recompilation or re-linking of
TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library.
➢ The SOCKS service is located on TCP port 1080.
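The control exchange a SOCKS5 circuit-level gateway performs before it relays a circuit, as an added example that is not from the notes or from the SOCKS package itself. It follows the RFC 1928 message formats (method negotiation, CONNECT request, reply), applies a constructed destination-port policy in the way a circuit-level gateway decides which connections to allow, and returns the reply bytes the gateway would send. No sockets are opened; the client messages are constructed inline.

```python
"""SOCKS5 (RFC 1928) control exchange as a circuit-level gateway sees it:
method negotiation, CONNECT request parsing, policy decision, reply.
Added example; the policy table and client byte strings are constructed."""
import ipaddress
import struct
from typing import Optional, Tuple

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# Constructed site policy: inner hosts may only open circuits to these destination ports
ALLOWED_PORTS = {25, 80, 443}


def negotiate_method(greeting: bytes) -> bytes:
    """Client: VER NMETHODS METHODS...  Gateway: VER METHOD (only 'no auth' offered here)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        return bytes([SOCKS_VERSION, NO_ACCEPTABLE])
    methods = greeting[2:2 + greeting[1]]
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(req: bytes) -> Tuple[int, int, Optional[str], int]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; host is None for an unknown ATYP."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        return cmd, atyp, None, 0
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, atyp, host, port


def build_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; a real gateway fills in the address it bound outside."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


def decide(req: bytes) -> Tuple[int, Optional[Tuple[str, int]]]:
    """Circuit policy: the gateway decides on (command, destination, port) only.
    Nothing that later flows through the relayed circuit is examined."""
    cmd, atyp, host, port = parse_request(req)
    if host is None:
        return REP_ATYP_UNSUPPORTED, None
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED, None
    if port not in ALLOWED_PORTS:
        return REP_RULESET, None
    return REP_OK, (host, port)


def handle(greeting: bytes, request: bytes) -> Tuple[bytes, bytes, Optional[Tuple[str, int]]]:
    """Whole control exchange for one inner-host client: (method reply, request reply, relay target)."""
    method_reply = negotiate_method(greeting)
    if method_reply[1] == NO_ACCEPTABLE:
        return method_reply, b"", None               # client must close; no request is read
    rep, target = decide(request)
    return method_reply, build_reply(rep), target    # on REP_OK the two TCP legs get relayed


def _connect(atyp_addr: bytes, port: int, cmd: int = CMD_CONNECT) -> bytes:
    return bytes([SOCKS_VERSION, cmd, 0x00]) + atyp_addr + struct.pack("!H", port)


# Constructed client messages
GREETING = bytes([SOCKS_VERSION, 0x01, NO_AUTH])
CONNECT_HTTPS = _connect(bytes([ATYP_DOMAIN, 11]) + b"example.com", 443)
CONNECT_TELNET = _connect(bytes([ATYP_IPV4]) + ipaddress.IPv4Address("198.51.100.7").packed, 23)
BIND_REQUEST = _connect(bytes([ATYP_IPV4]) + ipaddress.IPv4Address("198.51.100.7").packed, 80, cmd=0x02)

if __name__ == "__main__":
    for name, req in (("https", CONNECT_HTTPS), ("telnet", CONNECT_TELNET), ("bind", BIND_REQUEST)):
        print(name, handle(GREETING, req))
```

The point to notice is how little the gateway looks at: version, command, destination and port. Once `decide` returns REP_OK the relay copies segments blindly in both directions, which is why a circuit-level gateway cannot do the content filtering an application-level proxy can.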

Firewall Design Configurations


Bastion Host:
A bastion host is a system identified by the firewall administrator as a critical strong point in the
network's security. Typically, the bastion host serves as a platform for an application-level or circuit-
level gateway. Common characteristics of a bastion host include the following:
➢ The bastion host hardware platform executes a secure version of its operating system, making it a
trusted system.
➢ Only the services that the network administrator considers essential are installed on the bastion
host. These include proxy applications such as Telnet, DNS, FTP, SMTP, and user
authentication.
➢ The bastion host may require additional authentication before a user is allowed access to the
proxy services. In addition, each proxy service may require its own authentication before
granting user access.
➢ Each proxy is configured to support only a subset of the standard application's command set.

Screened host firewall:


➢ In the screened host firewall, single-homed bastion configuration (Figure 20.2a), the firewall
consists of two systems: a packet-filtering router and a bastion host. Typically, the router is
configured so that
1. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.


2. For traffic from the internal network, only IP packets from the bastion host are allowed out.
➢ The bastion host performs authentication and proxy functions. This configuration has greater
security than simply a packet-filtering router or an application-level gateway alone, for two reasons.
➢ First, this configuration implements both packet-level and application-level filtering, allowing for
considerable flexibility in defining security policy. Second, an intruder must generally penetrate two
separate systems before the security of the internal network is compromised.

➢ This configuration also affords flexibility in providing direct Internet access. For example, the
internal network may include a public information server, such as a Web server, for which a high
level of security is not required.
➢ In that case, the router can be configured to allow direct traffic between the information server and
the Internet.
SECURE ELECTRONIC TRANSACTION [SET]

➢ SET is an open encryption and security specification designed to protect credit card transactions on
the Internet. SET is not itself a payment system.
➢ Rather it is a set of security protocols and formats that enables users to employ the existing credit
card payment infrastructure on an open network, such as the Internet, in a secure fashion.

SET provides three services:


➢ Provides a secure communications channel among all parties involved in a transaction
➢ Provides trust by the use of X.509v3 digital certificates
➢ Ensures privacy because the information is only available to parties in a transaction when and
where necessary
Key Features of SET
➢ Confidentiality of information
➢ Integrity of data
➢ Cardholder account authentication
➢ Merchant authentication
SET Participants
1. Cardholder: A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa)
that has been issued by an issuer.
2. Merchant: A merchant is a person or organization that has goods or services to sell to the
cardholder.


3. Issuer: This is a financial institution, such as a bank, that provides the cardholder with the
payment card.
4. Acquirer: This is a financial institution that establishes an account with a merchant and processes
payment card authorizations and payments.
5. Payment gateway: This is a function operated by the acquirer or a designated third party that
processes merchant payment messages.
6. Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key
certificates for cardholders, merchants, and payment gateways.

Dual Signature
➢ The purpose of the dual signature is to link two messages that are intended for two different
recipients. In this case, the customer wants to send the order information (OI) to the merchant and
the payment information (PI) to the bank.
➢ The merchant does not need to know the customer's credit card number, and the bank does not need
to know the details of the customer's order. The customer is afforded extra protection in terms of
privacy by keeping these two items separate. However, the two items must be linked in a way that
can be used to resolve disputes if necessary.
➢ The link is needed so that the customer can prove that this payment is intended for this order and not
for some other goods or service.
➢ The customer takes the hash (using SHA-1) of the PI and the hash of the OI. These two hashes are
then concatenated and the hash of the result is taken.
➢ Finally, the customer encrypts the final hash with his or her private signature key, creating the dual
signature. The operation can be summarized as
DS = E(PRc, [H(H(PI) || H(OI))])

➢ Where PRc is the customer's private signature key. Now suppose that the merchant is in possession
of the dual signature (DS), the OI, and the message digest for the PI (PIMD).
➢ The merchant also has the public key of the customer, taken from the customer's certificate. Then
the merchant can compute the quantities
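The dual signature computed and then checked from the merchant's side and from the bank's side, as an added example that is not from the notes. It uses SHA-1 as the text does, and a small textbook-RSA signer with keys generated at run time; PKCS#1 padding is omitted so that D(PUc, DS) recovers the digest directly, which makes it an illustration only. The merchant, holding OI and only the digest PIMD, recomputes H(PIMD || H(OI)); the bank, holding PI and only the digest OIMD, recomputes H(H(PI) || OIMD). Both checks are the standard SET procedure; the PI and OI strings are constructed.

```python
"""SET dual signature: construction, merchant-side and bank-side verification.
Added example; textbook RSA without padding, SHA-1 as in the text, constructed data."""
import hashlib
import random
from typing import Tuple


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def rsa_keypair(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (public (e, n), private (d, n)); n is far larger than the 160-bit digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sign(priv: Tuple[int, int], digest: bytes) -> int:
    """E(PRc, h): textbook RSA on the raw digest, no padding (demo only)."""
    d, n = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def recover(pub: Tuple[int, int], sig: int) -> bytes:
    """D(PUc, DS): recovers the 20-byte SHA-1 digest, or b"" if the value is not one."""
    e, n = pub
    value = pow(sig, e, n)
    return value.to_bytes(20, "big") if value < (1 << 160) else b""


def dual_signature(priv: Tuple[int, int], PI: bytes, OI: bytes) -> int:
    """DS = E(PRc, [H(H(PI) || H(OI))]) exactly as in the text."""
    PIMD, OIMD = H(PI), H(OI)
    POMD = H(PIMD + OIMD)
    return sign(priv, POMD)


def merchant_verifies(pub, DS: int, OI: bytes, PIMD: bytes) -> bool:
    """Merchant has OI in clear and only the digest of PI: checks H(PIMD || H(OI)) == D(PUc, DS)."""
    return H(PIMD + H(OI)) == recover(pub, DS)


def bank_verifies(pub, DS: int, PI: bytes, OIMD: bytes) -> bool:
    """Bank has PI in clear and only the digest of OI: checks H(H(PI) || OIMD) == D(PUc, DS)."""
    return H(H(PI) + OIMD) == recover(pub, DS)


def demo() -> Tuple[bool, bool, bool]:
    random.seed(7)  # reproducible key for the demo only
    pub, priv = rsa_keypair()
    PI = b"card=4111111111111111;exp=12/27;amount=49.99"   # constructed payment information
    OI = b"order=8841;item=textbook;qty=1;amount=49.99"    # constructed order information
    DS = dual_signature(priv, PI, OI)
    ok_merchant = merchant_verifies(pub, DS, OI, H(PI))
    ok_bank = bank_verifies(pub, DS, PI, H(OI))
    # a different order presented with the same DS and PIMD breaks the link: dispute resolved
    swapped = merchant_verifies(pub, DS, b"order=9999;item=laptop;qty=1;amount=1999.00", H(PI))
    return ok_merchant, ok_bank, swapped


if __name__ == "__main__":
    print(demo())
```

The merchant never sees the card number and the bank never sees the order, yet each can tie its half to the same DS; the third value returned by `demo` shows that substituting another OI fails the merchant's check, which is the dispute-resolution property the text describes.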


Payment Processing
Following transactions:
➢ Purchase request
➢ Payment authorization
➢ Payment capture
Purchase Request
➢ Before the Purchase Request exchange begins, the cardholder has completed browsing, selecting,
and ordering. The end of this preliminary phase occurs when the merchant sends a completed order
form to the customer.
➢ The purchase request exchange consists of four messages:
✓ Initiate Request,
✓ Initiate Response,
✓ Purchase Request,
✓ Purchase Response.


Purchase Request – Customer

PURCHASE REQUEST – MERCHANT

➢ Verifies the cardholder certificates using the CA signatures
➢ Verifies the dual signature using the customer's public signature key, to ensure that the order has
not been tampered with in transit and that it was signed using the cardholder's private signature key
➢ Processes the order and forwards the payment information to the payment gateway for authorization
(described later)
➢ Sends a purchase response to the cardholder


PAYMENT GATEWAY AUTHORIZATION

➢ Verifies all certificates
➢ Decrypts the digital envelope of the authorization block to obtain the symmetric key, and then
decrypts the authorization block
➢ Verifies the merchant's signature on the authorization block
➢ Decrypts the digital envelope of the payment block to obtain the symmetric key, and then decrypts
the payment block
➢ Verifies the dual signature on the payment block
➢ Verifies that the transaction ID received from the merchant matches that in the PI received
(indirectly) from the customer
➢ Requests and receives an authorization from the issuer
➢ Sends an authorization response back to the merchant

PAYMENT CAPTURE
➢ The merchant sends the payment gateway a payment capture request
➢ The gateway checks the request
➢ It then causes funds to be transferred to the merchant's account
➢ It notifies the merchant using a capture response


UNIT III INTRODUCTION TO COMPUTER FORENSICS

Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime.
Introduction to Identity Theft & Identity Fraud. Types of CF techniques - Incident and incident response
methodology - Forensic duplication and investigation. Preparation for IR: Creating response tool kit and
IR team. - Forensics Technology and Systems - Understanding Computer Investigation – Data
Acquisition.

Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime.

Computer Crime

➢ Computer crime is any criminal offense, activity or issue that involves computers
➢ Computer misuse tends to fall into two categories:
✓ The computer is used to commit a crime
✓ The computer itself is the target (victim) of a crime; this is a computer security incident

Computer is used to commit a crime

➢ Computer is used in illegal activities: child pornography, threatening letters, e-mail spam or
harassment, extortion, fraud and theft of intellectual property, embezzlement – all these crimes
leave digital tracks
➢ Investigation into these types of crimes include searching computers that are suspected of being
involved in illegal activities
➢ Analysis of gigabytes of data looking for specific keywords, examining log files to see what
happened at certain times

Computer Security Incident

➢ Unauthorized or unlawful intrusions into computing systems


➢ Scanning a system - the systematic probing of ports to see which ones are open
➢ Denial–of–Service (DoS) attack - any attack designed to disrupt the ability of authorized users to
access data
➢ Malicious Code – any program or procedure that makes unauthorized modifications or triggers
unauthorized actions (virus, worm, Trojan horse)

Computer Forensics

➢ Involves the preservation, identification, extraction, documentation, and interpretation of
computer media for evidentiary and/or root cause analysis.


➢ Multiple methods of
✓ Discovering data on computer system
✓ Recovering deleted, encrypted, or damaged file information
✓ Monitoring live activity
✓ Detecting violations of corporate policy

Traditional problems associated with Computer Crime

Hacking

➢ Hacking is a crime, which entails cracking systems and gaining unauthorized access to the data
stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

➢ Cyber Squatting is the act of registering a domain name that matches a well-known name or trademark,
in bad faith, in order to resell it at a large profit.

Phishing

➢ Phishing is just one of the many frauds on the Internet, trying to fool people into parting with their
money.
➢ Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting
them to enter their Username, Password or other personal information to access their Account for
some reason.
➢ The fraudster then has access to the customer's online bank account and to the funds contained in
that account.

Cyber Stalking

➢ Cyber Stalking is use of the Internet or other electronic means to stalk someone.
➢ This term is used interchangeably with online harassment and online abuse.
➢ Stalking generally involves harassing or threatening behavior that an individual engages in
repeatedly, such as following a person, appearing at a person's home or place of business, making
harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

➢ Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access
to private personal and financial information from the public for the purpose of financial reward.
➢ Vishing is typically used to steal credit card numbers or other information used in identity theft
schemes from individuals.

Introduction to Identity Theft & Identity Fraud.


Identity theft:

➢ Someone steals your personal information
➢ Uses it without permission
➢ Can damage your finances, credit history and reputation

How do you know if your identity was stolen?

➢ Mistakes on your account statements or on the explanation of medical benefits from your health plan
➢ Regular bills go missing
➢ Calls from debt collectors for debts that aren't yours
➢ A notice from the IRS
➢ Calls or mail about accounts in your minor child's name

How to reduce identity theft

➢ Keep your important papers secure.
➢ Be careful with your mail.
➢ Shred sensitive documents.
➢ Don't over share on social networking sites.

Things to do

STEP 1: Place an initial fraud alert on your credit report. Contact any one of the three nationwide credit
reporting companies.

Step 2: Order your credit reports. Contact each of the three credit reporting companies. ID theft victims
get a copy of their reports for free. Read your reports carefully and correct any errors.

Step 3: Create an Identity Theft Report, which gives you rights that help you recover more quickly.
This involves filing a police report.

Types of CF techniques


Incident and incident response methodology

➢ Incident response: the actions taken to deal with an incident.
➢ Why a structured methodology is needed:
✓ Structure and organization: incidents create pandemonium
✓ Incidents occur in bursts
✓ Efficiency
✓ Facilitates the process of responding to incidents
✓ Facilitates dealing with the unexpected
✓ Legal considerations

Incident response life cycle

1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-up


Preparation

➢ Setting up a reasonable set of defenses and controls based on the threats.
➢ Creating a set of procedures to deal with incidents efficiently.
➢ Obtaining the resources and personnel to deal with the problem.
➢ Establishing an infrastructure to support incident response activity.

Detection

➢ Intrusion Detection Systems


➢ Detection Software
➢ Reporting

Containment

➢ Strategies
✓ Shutting down a system
✓ Disconnect from the network
✓ Change filtering rules of firewalls
✓ Disabling or deleting compromised accounts
✓ Increasing monitoring levels
✓ Setting traps
✓ Striking back at the attacker’s system
➢ Adhering to containment procedures.
➢ Record all actions
➢ Define acceptable risks in advance

Eradication

➢ Eliminate the cause of the incident; removal software is available for most viruses and worm attacks.

Recovery

➢ Return compromised systems to their normal mission status.
➢ Recovery procedures; the safest is:
✓ Full rebuild of system files.
✓ Restore data from the last backup.
➢ Record every action.
➢ Keep users aware of status.
➢ Advise appropriate people of major developments that might affect them.
➢ Adhere to policy regarding media contact.


➢ Return logging to normal level.


➢ Install patches for any exploited vulnerability.

Follow-Up

➢ Perform a post mortem analysis on each significant incident.


✓ Exact description and timeline.
✓ Adequacy of staff response.
✓ What information was needed at what time?
✓ What would the staff do differently?
✓ How was interaction with management?
✓ What was the damage?

Forensic duplication and investigation

➢ Forensic Duplicate: A file that contains every bit of information from the source in a raw bit
stream format.
➢ Qualified Forensic Duplicate: The same as above, but allows embedded metadata or certain types of
compression.
➢ Tools that create forensic duplicates:
✓ dd
✓ FTK Imager (AccessData)
✓ dcfldd, the US DoD Computer Forensics Lab version of the dd command
➢ Tools that create qualified forensic duplicate output files:
✓ SafeBack
✓ EnCase
✓ FTK Imager
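A dd-style forensic duplicate with the hashing an examiner records on the evidence form, as an added example that is not from the notes or from any of the tools listed. The evidence device is a temporary file of constructed bytes; the copy is made in fixed-size blocks with a short final block, hashed while it is read and again on read-back of the image, and then verified, including detection of a single altered byte in the copy.

```python
"""dd-style forensic duplicate with acquisition-time hashing and read-back
verification. Added example; the evidence device is a temporary file of
constructed bytes."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

BLOCK_SIZE = 4096  # copy granularity, as with dd bs=4096


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str, block_size: int = BLOCK_SIZE) -> Dict[str, str]:
    """Bit-stream copy of `source` into `image`; returns the record for the evidence form."""
    h_src = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(block_size)   # the final block may be short; it is copied as-is
            if not block:
                break
            h_src.update(block)
            dst.write(block)
            copied += len(block)
    return {
        "source": source,
        "image": image,
        "bytes": str(copied),
        "sha256_source": h_src.hexdigest(),     # hashed while reading the device
        "sha256_image": hash_file(image),       # independent read-back of the copy
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_image(record: Dict[str, str]) -> bool:
    """Examiner's check before analysis: the image still hashes to the recorded value."""
    return record["sha256_source"] == record["sha256_image"] == hash_file(record["image"])


def demo() -> Dict[str, bool]:
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    # constructed evidence: deliberately not a multiple of BLOCK_SIZE (11037 bytes)
    payload = b"deleted_report.docx\x00" * 513 + bytes(range(256)) * 3 + b"\xee" * 9
    with open(device, "wb") as f:
        f.write(payload)

    record = acquire_image(device, image)
    intact = verify_image(record)
    same_size = os.path.getsize(image) == int(record["bytes"]) == len(payload)

    # flip one bit in the copy: the recorded hash must no longer match
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0x01]))
    tampered_detected = not verify_image(record)
    return {"intact": intact, "same_size": same_size, "tampered_detected": tampered_detected}


if __name__ == "__main__":
    print(demo())
```

Hashing the source as it is read and the image again afterwards gives two independently obtained values; both go on the evidence form, and any later analysis starts by re-running `verify_image` on the working copy. A qualified duplicate (E01-style metadata or compression) would wrap the same bit stream; that container format is not shown here.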

Restored Image

➢ A restored image is what you get when you restore a forensic duplicate or a qualified forensic
duplicate to another storage medium.
➢ Mismatched drive geometries can cause problems.

HD Development

➢ When hard drives grew beyond 512MB, the PC-BIOS needed to be updated (to recognize larger
drives).
➢ Safeback, EnCase, FTK Imager, and dd will create a restored image from the qualified forensic
duplicate.
➢ EnCase and dd images may not need to be restored.


Mirror Image

➢ Created by hardware that does a bit-for-bit copy from one hard drive to another.

Legal Issues

➢ Tools used for forensic duplication must pass the legal tests for reliability.
➢ Note, when tool is generally accepted by others in the field, it is easier to prove that information
was gathered in a reliable, accurate manner.

Preparation FOR IR

Incident Response Team

IRT members and their roles:

1. Senior Management: Apart from providing the team with the authority for operation, the
management has to make business-related decisions based on input from the other members of the team.
2. Information Security: Assess the extent of the damage incurred and perform containment, basic
forensics, and recovery.
3. IT/MIS: Minimise the impact to system end users, and assist the Information Security team with
technical issues.
4. IT Auditor: Understand the cause of the incident, ensure procedures are complied with, and work
with IT/Security to eradicate the incident.
5. Security: Assess physical damage incurred, investigate physical evidence, and guard evidence during
a forensics investigation to maintain a chain of evidence.
6. Legal: Ensure the usability of any evidence collected during an investigation if the company chooses
to take legal action. The role also includes providing advice regarding liability issues in the event
that an incident affects customers, vendors, and/or the general public.
7. Human Resources: Provide advice in situations involving employees. HR will only be involved in
handling the incident if an employee is found to be responsible for the intrusion.
8. Public Relations: Communicate with team leaders to have an accurate understanding of the issue and
the company's status before communicating with the press and/or informing the stockholders of the
current situation.
9. Financial Auditor: Assess the damage incurred in terms of monetary value, which is frequently
required for insurance companies or if the company intends to press charges against the perpetrator.
FORENSICS TECHNOLOGY AND SYSTEMS

➢ Computer forensics has become a buzz word in today’s world of increased concern for security.
It seems that any product that can remotely be tied to network or computer security is quickly
labeled as a “forensics” system.
➢ This phenomenon makes designing clear incident response plans and corporate security plans
that support computer forensics difficult. Systems commonly grouped under the "forensics" label include:

✓ Intrusion detection systems

✓ Firewall security systems

✓ Storage area network security systems

✓ Network disaster recovery systems

✓ Public key infrastructure security systems

✓ Wireless network security systems

✓ Satellite encryption security systems

✓ Instant messaging (IM) security systems

✓ Net privacy systems

✓ Identity management security systems

✓ Identity theft prevention systems

✓ Biometric security systems

✓ Homeland security systems

Planning Your Investigation


✓ Acquire the floppy disk from George’s manager.

✓ Complete an evidence form and establish a chain of custody.

✓ Transport the evidence to your computer forensics lab.

✓ Secure your evidence in an approved secure container.

✓ Prepare your forensic workstation.

✓ Obtain the evidence from the secure evidence container.

✓ Make a forensic copy of the evidence floppy disk.

✓ Return the evidence floppy disk to the secure evidence container.

✓ Process the copied floppy disk with your computer forensics tools
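The procedure above, carried through in code, as an added example (it is not part of the course notes and not a forensic product's own code). It assumes the floppy is available as a raw image file, models the evidence form as a list of log entries, and uses a constructed 1.44 MB image; the case number and custodian name are placeholders. The same hash comparison is what later detects any change to digital evidence, since a copy whose hashes still match the original's is, to a practical certainty, unchanged.

```python
"""Forensic copy of an evidence image with hash verification and a
chain-of-custody record (added example; standard library only)."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # the copy is made in sector-sized reads, as a floppy is laid out


def hash_stream(f, algorithms=("md5", "sha256")):
    """Hash an open binary stream once, feeding each block to every algorithm.
    Two independent digests are recorded so a collision in one cannot be
    passed off as an unchanged image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: f.read(1 << 20), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


class ChainOfCustody:
    """Append-only record of who did what with which item, and when."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, action, item, custodian, hashes=None, note=""):
        entry = {"case": self.case_id,
                 "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "action": action, "item": item, "custodian": custodian,
                 "hashes": dict(hashes or {}), "note": note}
        self.entries.append(entry)
        return entry


def forensic_copy(src, dst):
    """Bit-for-bit copy; the source is only ever opened read-only (in a real
    lab a hardware write blocker also sits between the drive and the
    workstation). Returns (source hashes, copy hashes), each from its own
    independent read of the respective file."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(SECTOR), b""):
            fout.write(block)
    os.chmod(dst, 0o444)  # the working copy is protected too
    return hash_file(src), hash_file(dst)


def verify_copy(original, copy):
    """True only if every recorded hash of the copy equals the original's."""
    return hash_file(original) == hash_file(copy)


def run_demo():
    """Walk the procedure on a constructed 1.44 MB image; returns the outcome."""
    coc = ChainOfCustody("CASE-0001")  # assumed case number
    with tempfile.TemporaryDirectory() as lab:
        evidence = os.path.join(lab, "floppy.img")
        with open(evidence, "wb") as f:  # constructed evidence: 2880 sectors
            f.write((b"EVIDENCE" * 64) * 2880)
        os.chmod(evidence, 0o444)
        src_hashes = hash_file(evidence)
        coc.record("received", "floppy.img", "examiner", src_hashes,
                   "from manager; sealed in evidence container")

        working = os.path.join(lab, "floppy-copy.img")
        src_again, copy_hashes = forensic_copy(evidence, working)
        verified = verify_copy(evidence, working) and src_again == src_hashes
        coc.record("imaged", "floppy-copy.img", "examiner", copy_hashes,
                   "verified against original" if verified else "HASH MISMATCH")
        coc.record("returned", "floppy.img", "examiner", src_hashes,
                   "original back in evidence container; analysis on copy")

        # one flipped bit in another copy must be caught by the same check
        with open(working, "rb") as f:
            data = bytearray(f.read())
        data[4096] ^= 0x01
        tampered = os.path.join(lab, "tampered.img")
        with open(tampered, "wb") as f:
            f.write(data)
        tampered_detected = not verify_copy(evidence, tampered)

    return {"verified": verified, "tampered_detected": tampered_detected,
            "source_hashes": src_hashes, "copy_hashes": copy_hashes,
            "log": coc.entries}
```

Every entry in the log carries the hashes current at that moment, so a later reviewer can see that the values recorded on receipt, after imaging and on return are identical; analysis work is done only on the verified copy.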

Data Acquisition

➢ In the instrumentation sense used in this passage, data acquisition involves gathering signals
from measurement sources and digitizing them for storage, analysis, and presentation on a PC.
➢ Data acquisition systems come in many PC technology forms, which gives flexibility when choosing
a system: PCI, PXI, PCI Express, PXI Express, PCMCIA, USB, wireless, and Ethernet data acquisition
for test, measurement, and automation applications.
➢ Industrial processing systems, factories, machinery, test facilities, and vehicles consist of
hardware components and computer software whose behaviour follows the laws of physics as we
understand them.
➢ These systems contain thousands of mechanical and electrical phenomena that are continuously
changing; they are not in a steady state.
➢ The measurable quantities that represent the characteristics of such systems are called variables.
The proper functioning of a particular system depends on certain events in time and on the
parameters of these variables.
➢ Often we are interested in the location, magnitude, and speed of the variables, and we use
instruments to measure them.
➢ We assign the variables units of measure such as volts, pounds, and miles per hour, to name a
few.
➢ In computer forensics the same term has a narrower meaning: acquiring a bit-for-bit copy (a
forensic image) of the evidence media, as in the floppy-disk procedure above, so that the original is
never altered and the copy can be verified against it by hash.


UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer
Forensics Tools: Software/ Hardware Tools.

Processing Crime and Incident Scenes

Identifying Digital Evidence

➢ Digital evidence can be any information stored or transmitted in digital form


➢ U.S. courts accept digital evidence as physical evidence – Digital data is a tangible object
➢ Some require that all digital evidence be printed out to be presented in court
➢ General tasks investigators perform when working with digital evidence
✓ Identify digital information or artifacts that can be used as evidence
✓ Collect, preserve, and document evidence
✓ Analyze, identify, and organize evidence
✓ Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably
➢ Collecting computers and processing a criminal or incident scene must be done systematically

Understanding Rules of Evidence

➢ Consistent practices help verify your work and enhance your credibility
➢ Comply with your state’s rules of evidence or with the Federal Rules of Evidence
➢ Evidence admitted in a criminal case can be used in a civil suit, and vice versa
➢ Keep current on the latest rulings and directives on collecting, processing, storing, and admitting
digital evidence
➢ Data you discover from a forensic examination falls under your state's rules of evidence or the
Federal Rules of Evidence


➢ Digital evidence is unlike other physical evidence because it can be changed more easily, and
without leaving a visible trace
✓ The only way to detect these changes is to compare the original data with a duplicate, in
practice by comparing cryptographic hashes taken at acquisition with hashes taken later
➢ Most federal courts have interpreted computer records as hearsay evidence
✓ Hearsay is secondhand or indirect evidence
➢ Computer records must be shown to be authentic and trustworthy
✓ To be admitted into court
➢ Computer-generated records are considered authentic
✓ If the program that created the output is functioning correctly
➢ Collecting evidence according to the proper steps of evidence control helps ensure that the computer
evidence is authentic
➢ When attorneys challenge digital evidence
✓ Often they raise the issue of whether computer-generated records were altered or damaged after
they were created
➢ One test to prove that computer-stored records are authentic is to demonstrate that a specific person
created the records
✓ The author of a Microsoft Word document can be identified by using file metadata
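How the author of a Word document is read from its metadata, as an added example that is not part of the course notes: a .docx is a ZIP package whose core properties (creator, last modifier, revision count, created and modified times) live in docProps/core.xml. The sample document is constructed in memory, so the names and dates are made up, and the consistency checks are this example's own, not an established standard. These fields are plain text that any user can edit, so they support an authorship claim only together with corroborating evidence (file-system timestamps, the account that saved the file, application logs).

```python
"""Read and sanity-check the authorship metadata of a .docx file
(added example; standard library only, sample document constructed here)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def extract_core_properties(docx):
    """docx: a path or the file's bytes. Returns the OOXML core property fields."""
    if isinstance(docx, (bytes, bytearray)):
        data = bytes(docx)
    else:
        with open(docx, "rb") as f:
            data = f.read()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text.strip() if el is not None and el.text else None

    return {"creator": text("dc:creator"),
            "last_modified_by": text("cp:lastModifiedBy"),
            "revision": text("cp:revision"),
            "created": text("dcterms:created"),
            "modified": text("dcterms:modified")}


def _parse_w3cdtf(value):
    # W3CDTF timestamps end in "Z"; fromisoformat wants an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def consistency_warnings(props):
    """Conditions that do not prove tampering but call for corroboration."""
    warnings = []
    created, modified = _parse_w3cdtf(props["created"]), _parse_w3cdtf(props["modified"])
    if created and modified and modified < created:
        warnings.append("modified timestamp precedes created timestamp")
    if props["revision"] and props["revision"].isdigit() and int(props["revision"]) < 1:
        warnings.append("revision count below 1")
    if not props["creator"]:
        warnings.append("creator field empty")
    return warnings


CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>
<cp:revision>{revision}</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""


def build_docx(creator, modifier, revision, created, modified):
    """Constructed minimal .docx containing only the parts this example reads."""
    core = CORE_XML.format(creator=creator, modifier=modifier, revision=revision,
                           created=created, modified=modified, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def demo():
    """Two constructed documents: one plausible, one with a clock that runs backwards."""
    normal = build_docx("George", "George", 3, "2024-01-10T09:15:00Z", "2024-01-12T17:40:00Z")
    suspect = build_docx("George", "Martha", 1, "2024-01-12T17:40:00Z", "2024-01-10T09:15:00Z")
    out = {}
    for name, doc in (("normal", normal), ("suspect", suspect)):
        props = extract_core_properties(doc)
        out[name] = (props, consistency_warnings(props))
    return out
```

Real documents also carry docProps/app.xml (application name, total editing time, company) and, for older .doc files, the same information in OLE summary streams; the principle is the same, and so is the caveat.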

Types of Evidence

✓ Direct evidence
✓ Circumstantial evidence
✓ Class evidence
✓ Individual evidence

Direct evidence

➢ It includes firsthand observations such as eyewitness accounts or police dashboard video cameras.
✓ Example: a witness states that she saw a defendant pointing a gun at a victim during a
robbery. In court, direct evidence involves testimony by a witness about what that
witness personally saw, heard, or did. Confessions are also considered direct evidence.


Circumstantial evidence

➢ It is indirect evidence that can be used to imply a fact but that does not directly prove it. No one,
other than the suspect and victim, actually sees when circumstantial evidence is left at the crime
scene.
➢ But circumstantial evidence found at a crime scene may provide a link between a crime scene and a
suspect.
✓ Example: finding a suspect’s gun at the site of a shooting is circumstantial evidence of
the suspect’s presence there. Circumstantial evidence can be either physical or biological
in nature. Physical evidence includes impressions such as fingerprints, footprints, shoe
prints, tire impressions, and tool marks.

Class evidence

➢ Narrows an identity to a group of persons or things. Knowing the ABO blood type of a sample of
blood from a crime scene tells us that one of many persons with that blood type may have been
there. It also allows us to exclude anyone with a different blood type.

Individual evidence

➢ Narrows an identity to a single person or thing. Individual evidence typically has such a unique
combination of characteristics that it could only belong to one person or thing, such as a fingerprint.

Common examples of trace evidence.

✓ Animal or human hair


✓ Fingerprints
✓ Soil or plant material (pollen)
✓ Body fluids such as mucus, semen, saliva, or blood
✓ Fiber or debris from clothing
✓ Paint chips, broken glass, or chemicals such as drugs or explosives
Evidence classification (diagram in the original): evidence is either direct or circumstantial, and
circumstantial evidence is either physical or biological.
✓ It is relatively easy to recover DNA from cigarette ends found at the scene of a crime (biological
circumstantial evidence).

Working with Windows and DOS Systems.

➢ Three file system families have been used by Windows: FAT (FAT12/FAT16), FAT32 and NTFS

FAT x

➢ File Allocation Table – family of file systems for DOS/Windows operating systems
➢ FAT table – one entry per cluster on the volume recording whether the cluster is free, bad, or part
of a file and, if so, which cluster comes next: the ‘table of contents’ of the disk
➢ x = 12, 16, 32 – number of bits used for cluster numbering, i.e. the size of each FAT entry (FAT32
actually uses 28 of the 32 bits), which sets the maximum number of clusters and hence the maximum
volume size
➢ deleting a file marks its directory entry (first byte set to 0xE5) and zeroes its FAT entries, but
the clusters' contents stay on disk until reused, which is why deleted files are often recoverable
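A FAT12 volume decoded end to end, as an added example that is not part of the course notes: it builds a small constructed image in memory, reads the BIOS Parameter Block to locate the FAT, root directory and data region, follows a file's cluster chain through the 12-bit packed entries, and shows what a deleted entry leaves behind. The layout values (one FAT, 16 root entries, 64 sectors) are chosen for the demo; a real 1.44 MB floppy has two FATs, 224 root entries and 2880 sectors, and the same code reads it.

```python
"""Build a tiny FAT12 image, decode its BPB, follow a cluster chain and
recover a deleted file's data (added example; standard library only)."""
import struct

SECTOR = 512


def parse_bpb(image):
    """Decode the BIOS Parameter Block (offset 11 of the boot sector) and derive
    where the FAT, the root directory and the data region (cluster 2) begin."""
    bps, spc, reserved, nfats, root_entries, total16, media, spf = \
        struct.unpack_from("<HBHBHHBH", image, 11)
    fat_start = reserved * bps
    root_start = fat_start + nfats * spf * bps
    data_start = root_start + root_entries * 32
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": nfats, "root_entries": root_entries, "total_sectors": total16,
            "media": media, "sectors_per_fat": spf, "fat_start": fat_start,
            "root_start": root_start, "data_start": data_start, "cluster_size": bps * spc}


def fat12_get(fat, n):
    """Entry n is 12 bits: two entries share three bytes, so select by parity."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0x0FFF if n % 2 == 0 else word >> 4


def fat12_set(fat, n, val):
    off = n * 3 // 2
    if n % 2 == 0:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((val & 0x0F) << 4)
        fat[off + 1] = (val >> 4) & 0xFF


def cluster_chain(fat, first):
    """Follow links until an end-of-chain mark (0xFF8..0xFFF). Stop on a free (0)
    or bad (0xFF7) entry and on revisits, so a corrupt FAT cannot loop forever."""
    chain, n = [], first
    while 2 <= n < 0xFF7 and n not in chain:
        chain.append(n)
        n = fat12_get(fat, n)
    return chain


def cluster_bytes(image, bpb, n):
    start = bpb["data_start"] + (n - 2) * bpb["cluster_size"]
    return image[start:start + bpb["cluster_size"]]


def root_entries(image, bpb):
    """Root directory entries, including deleted ones (first byte 0xE5)."""
    out = []
    for i in range(bpb["root_entries"]):
        base = bpb["root_start"] + 32 * i
        ent = image[base:base + 32]
        if ent[0] == 0x00:  # no entries in use beyond this point
            break
        name, attr = struct.unpack_from("<11sB", ent, 0)
        first, = struct.unpack_from("<H", ent, 26)
        size, = struct.unpack_from("<I", ent, 28)
        out.append({"name": name.decode("ascii", "replace"), "attr": attr,
                    "deleted": ent[0] == 0xE5, "first_cluster": first, "size": size})
    return out


def read_file(image, bpb, fat, first, size):
    data = b"".join(cluster_bytes(image, bpb, n) for n in cluster_chain(fat, first))
    return data[:size]


def _dirent(name, first, size, deleted=False):
    raw = struct.pack("<11sBBBHHHHHHHI", name, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, first, size)
    return b"\xe5" + raw[1:] if deleted else raw


def build_sample_image():
    """Constructed 64-sector FAT12 volume with one FAT and 16 root entries."""
    img = bytearray(64 * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, 1, 1, 1, 16, 64, 0xF0, 1)
    bpb = parse_bpb(img)
    fat = bytearray(SECTOR)
    fat12_set(fat, 0, 0xFF0)  # media descriptor entry
    fat12_set(fat, 1, 0xFFF)  # end-of-chain marker entry
    for n, nxt in ((2, 3), (3, 5), (5, 0xFFF)):  # SECRET.TXT occupies 2 -> 3 -> 5
        fat12_set(fat, n, nxt)
    fat12_set(fat, 6, 0xFF7)  # a cluster marked bad
    img[bpb["fat_start"]:bpb["fat_start"] + SECTOR] = fat
    secret = b"A" * SECTOR + b"B" * SECTOR + b"C" * 76
    old_text = b"deleted document text still present in cluster 4"
    root = bpb["root_start"]
    img[root:root + 32] = _dirent(b"SECRET  TXT", 2, len(secret))
    img[root + 32:root + 64] = _dirent(b"OLD     DOC", 4, len(old_text), deleted=True)
    for n, chunk in ((2, secret[:SECTOR]), (3, secret[SECTOR:2 * SECTOR]), (5, secret[2 * SECTOR:])):
        start = bpb["data_start"] + (n - 2) * SECTOR
        img[start:start + len(chunk)] = chunk
    # OLD.DOC was "deleted": its FAT entry is 0 and the name is flagged, but cluster 4 still holds the bytes
    old = bpb["data_start"] + 2 * SECTOR
    img[old:old + len(old_text)] = old_text
    return bytes(img)


def demo():
    img = build_sample_image()
    bpb = parse_bpb(img)
    fat = img[bpb["fat_start"]:bpb["fat_start"] + bpb["sectors_per_fat"] * bpb["bytes_per_sector"]]
    entries = root_entries(img, bpb)
    live = next(e for e in entries if not e["deleted"])
    gone = next(e for e in entries if e["deleted"])
    clusters = (bpb["total_sectors"] - bpb["data_start"] // bpb["bytes_per_sector"]) // bpb["sectors_per_cluster"]
    return {"bpb": bpb,
            "chain": cluster_chain(fat, live["first_cluster"]),
            "secret": read_file(img, bpb, fat, live["first_cluster"], live["size"]),
            "deleted_entry": gone,
            "deleted_fat_entry": fat12_get(fat, gone["first_cluster"]),
            "deleted_data": cluster_bytes(img, bpb, gone["first_cluster"])[:gone["size"]],
            "bad_clusters": [n for n in range(2, clusters + 2) if fat12_get(fat, n) == 0xFF7]}
```

The deleted entry still names its first cluster and size, so the first cluster of OLD.DOC can be read directly; only the chain beyond it is lost, which is why recovery of a multi-cluster deleted file on FAT assumes the clusters were contiguous.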


NTFS File System

➢ NTFS – New Technology File System – introduced with Windows NT 3.1 in 1993 and the default file
system of every NT-based Windows since, including Vista
➢ file and folder permissions – access to each folder and file can be controlled individually through
access control lists (ACLs)
➢ file encryption – the Encrypting File System (EFS) encrypts files and folders with per-user keys, so
the data is unreadable without the user's key (or a recovery agent's key)
➢ file compression – NTFS can compress files and folders transparently; the compression is lossless,
so the data read back is always identical to what was written
➢ disk efficiency – NTFS supports smaller cluster sizes than FAT32 on large volumes, so less space is
wasted as slack at the end of each file
➢ greater reliability – NTFS journals changes to its metadata (the $LogFile), which helps the OS
recover a consistent file system after a crash
➢ forensic note – an NTFS file can carry alternate data streams (ADS) that do not appear in a normal
directory listing, so forensic tools check for them explicitly


Windows Registry

➢ critical part of any Windows OS – a hierarchical database containing configuration information about:
✓ system hardware;
✓ installed software (programs);
✓ property settings;
✓ a profile for each user, etc.
➢ the OS uses the values stored in the registry to determine how installed hardware and software should
function
➢ e.g. typical software comes with a Windows installer that writes to the registry during installation
➢ some changes are picked up immediately; others only take effect when the affected service restarts,
the user logs on again, or the system is restarted
➢ on disk the registry lives in hive files (SYSTEM, SOFTWARE, SAM and SECURITY under
%SystemRoot%\System32\config, and NTUSER.DAT in each user profile); registry analysis tools parse
these hives from a forensic image rather than the live registry

Current Computer Forensics Tools: Software/ Hardware Tools.


➢ Computer forensics tools can be classified into various categories:

✓ Disk and data capture tools


✓ File viewers
✓ File analysis tools
✓ Registry analysis tools
✓ Internet analysis tools
✓ Email analysis tools
✓ Mobile devices analysis tools
✓ Mac OS analysis tools
✓ Network forensics tools
✓ Database forensics tools

➢ Digital Forensics Framework


✓ Digital Forensics Framework (DFF) is an open-source platform dedicated to digital
forensics.
✓ The tool is released under the GPL licence. It can be used by professionals or
non-experts without difficulty.


✓ It can be used for digital chain of custody, to access remote or local devices, for
forensics of Windows or Linux systems, for recovery of hidden or deleted files, for quick
searches of file metadata, and various other things.

➢ Open Computer Forensics Architecture


✓ Open Computer Forensics Architecture (OCFA) is a distributed open-source computer
forensics framework. It was built on the Linux platform and uses a PostgreSQL database
for storing data.
✓ It was built by the Dutch National Police Agency to automate the digital forensics
process. It is available for download under the GPL licence.
➢ CAINE
✓ CAINE (Computer Aided Investigative Environment) is the Linux distro created for
digital forensics. It offers an environment to integrate existing software tools as
software modules in a user friendly manner. This tool is open source.

➢ X-Ways Forensics

✓ X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on
all current versions of Windows, and is not very resource hungry. Its key features
include:

1. Disk imaging and cloning


2. Ability to read file system structures inside various image files
3. It supports most of the file systems including FAT12, FAT16,
FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®,
CDFS/ISO9660/Joliet, UDF
4. Automatic detection of deleted or lost hard disk partition
5. Various data recovery techniques and powerful file carving
6. Bulk hash calculation
7. Viewing and editing binary data structures using templates
8. Easy detection of, and access to, NTFS alternate data streams (ADS)


9. Well-maintained file header signature database


10. Automated activity logging
11. Data authenticity
12. Complete case management
13. Memory and RAM analysis
14. Gallery view for pictures
15. Internal viewer for Windows registry file
➢ SANS Investigative Forensics Toolkit – SIFT
✓ SANS Investigative Forensics Toolkit (SIFT) is a multi-purpose forensic operating
system which comes with the tools needed across the digital forensic process. It is
built on Ubuntu and bundles many open-source digital forensics tools. SIFT 3.0 is
available free of charge.

➢ EnCase

✓ EnCase is a popular commercial multi-purpose forensic platform with tools for
several areas of the digital forensic process. It can rapidly gather data from various
devices and unearth potential evidence. It also produces a report based on the evidence.

➢ Registry Recon

✓ Registry Recon is a popular registry analysis tool. It extracts the registry information from
the evidence and then rebuilds the registry representation. It can rebuild registries from
both current and previous Windows installations.

➢ The Sleuth Kit


✓ The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of
computers. It comes with various tools which helps in digital forensics. These tools
help in analyzing disk images, performing in-depth analysis of file systems, and
various other things.


➢ Libforensics
✓ Libforensics is a library for developing digital forensics applications. It was developed
in Python and comes with various demo tools to extract information from various
types of evidence.
➢ Volatility
✓ Volatility is a memory forensics framework used for incident response and malware
analysis. With this tool, you can extract information from a memory image about running
processes, network sockets and connections, loaded DLLs and registry hives. It also
supports extracting information from Windows crash dump files and hibernation files. This
tool is available for free under the GPL licence.
➢ WindowsSCOPE
✓ WindowsSCOPE is a memory forensics and reverse engineering tool for analysing volatile
memory. It is mainly used for reverse engineering of malware. It provides the capability
of analysing the Windows kernel, drivers, DLLs, and virtual and physical memory.
➢ The Coroner’s Toolkit
✓ The Coroner’s Toolkit or TCT is also a good digital forensic analysis tool. It runs
under several Unix-related operating systems. It can be used to aid analysis of
computer disasters and data recovery.
➢ Oxygen Forensic Suite
✓ Oxygen Forensic Suite is software for gathering evidence from a mobile phone to
support a case. It gathers device information (including manufacturer, OS, IMEI number
and serial number), contacts, messages (emails, SMS, MMS), and recovers deleted messages,
call logs and calendar information.
✓ It also lets you access and analyse mobile device data and documents, and generates
easy-to-understand reports.
➢ Bulk Extractor
✓ Bulk Extractor is also an important and popular digital forensics tool. It scans the disk
images, file or directory of files to extract useful information. In this process, it ignores
the file system structure, so it is faster than other available similar kinds of tools.


✓ It is used mainly by intelligence and law enforcement agencies in solving cyber crimes.
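The idea behind Bulk Extractor, shown in working code as an added example that is not the tool's own source: scan the raw bytes of an image for features such as e-mail addresses and URLs without interpreting the file system at all, so material in deleted files, unallocated space and slack is found just as readily as material in live files. The scanner here handles ASCII and UTF-16LE (the encoding of many Windows artefacts), streams a large image in overlapping chunks so a feature cut by a chunk boundary is not lost, and builds the frequency histogram that makes a real scan useful; the disk image is constructed for the demo, and the real tool has many more scanners, recursive decoding of compressed data, and context around each hit.

```python
"""bulk_extractor-style feature scan over raw image bytes
(added example; standard library only, sample image constructed here)."""
import os
import re
import tempfile
from collections import Counter

ASCII_EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9./?=_%&:-]+")
# UTF-16LE text is each ASCII character followed by a 0x00 byte
UTF16_EMAIL = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}")

PATTERNS = (("email", ASCII_EMAIL, "ascii"), ("url", ASCII_URL, "ascii"),
            ("email", UTF16_EMAIL, "utf-16-le"))


def scan_bytes(blob, base=0):
    """All features in blob as sorted (offset, kind, encoding, value) tuples;
    offsets are absolute when `base` is the blob's position in the image."""
    found = []
    for kind, pat, enc in PATTERNS:
        for m in pat.finditer(blob):
            found.append((base + m.start(), kind, enc, m.group().decode(enc)))
    return sorted(found)


def scan_image(path, chunk=1 << 20, margin=1024):
    """Stream a large image. Each buffer is the previous buffer's last `margin`
    bytes plus a new chunk. A match is taken from the buffer in which it starts
    before the final `margin` bytes (so it is complete, assuming every feature
    is shorter than `margin`); a match inside an already accepted feature (the
    suffix of one taken from the previous buffer) is dropped."""
    found, covered, base, tail = [], 0, 0, b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            buf = tail + data
            start = base - len(tail)
            limit = len(buf) - margin if data else len(buf)  # take everything at EOF
            for off, kind, enc, val in scan_bytes(buf, start):
                if off - start < limit and off >= covered:
                    found.append((off, kind, enc, val))
                    covered = off + len(val.encode(enc))
            if not data:
                return sorted(found)
            tail, base = buf[-margin:], base + len(data)


def histogram(features, kind):
    """How often each value of one kind occurs: repeated addresses stand out."""
    return Counter(val for _, k, _, val in features if k == kind)


def build_sample_image():
    """Constructed image: a mail header fragment, binary filler, a request line
    with a URL, more filler, and a UTF-16LE address as Windows would store it."""
    return (b"\x00" * 64
            + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
            + bytes(range(256)) * 2
            + b"GET http://c2.example.net/stage2?id=7 HTTP/1.1"
            + b"\xff" * 32
            + "alice@example.com".encode("utf-16-le")
            + b"\x00" * 64)


def demo():
    blob = build_sample_image()
    feats = scan_bytes(blob)
    with tempfile.TemporaryDirectory() as d:  # tiny chunks force boundary handling
        path = os.path.join(d, "disk.raw")
        with open(path, "wb") as f:
            f.write(blob)
        streamed = scan_image(path, chunk=128, margin=64)
    return {"features": feats, "streamed": streamed,
            "emails": histogram(feats, "email"), "urls": histogram(feats, "url")}
```

The offset of each hit is what ties it back to the evidence: with the file system parsed separately (for example by The Sleuth Kit), an offset can be mapped to the file, or to the unallocated cluster, that holds it.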
➢ Xplico
✓ Xplico is an open-source network forensic analysis tool. It is used to extract
application data from captured network traffic.
✓ It supports most of the popular protocols, including HTTP, IMAP, POP, SMTP, SIP,
TCP, UDP and others.
✓ The tool stores its output in an SQLite or MySQL database. It supports both IPv4 and
IPv6.
➢ Mandiant RedLine
✓ Mandiant Redline is a popular tool for memory and file analysis. It collects
information about running processes and drivers from memory and gathers other data such
as file metadata, registry data, scheduled tasks, services, network information and
Internet history, and builds a report from it.
➢ Computer Online Forensic Evidence Extractor (COFEE)
✓ Computer Online Forensic Evidence Extractor or COFEE is a tool kit developed for
computer forensic experts. This tool was developed by Microsoft to gather evidence
from Windows systems.
✓ It can be installed on a USB pen drive or external hard disk. Just plug in the USB
device in the target computer and it starts a live analysis. It comes with 150 different
tools with a GUI based interface to command the tools.
✓ It is fast and can perform the whole analysis in as few as 20 minutes. To law
enforcement agencies, Microsoft provides free technical support for the tool.
➢ P2 eXplorer
✓ P2 eXplorer is a forensic image mounting tool which helps investigators with the
examination of a case. With this tool, you can mount forensic images as read-only local
logical or physical disks and then explore the contents of the image with a file explorer.
You can easily view deleted data and the unallocated space of the image.


✓ It can mount several images at a time. It supports most image formats, including
EnCase, SafeBack, PFR, FTK DD, WinImage, raw images from Linux dd, and VMware images. It
supports both logical and physical image types.

➢ Plain Sight

✓ Plain Sight is another useful digital forensics tool. It is a live CD based on Knoppix,
a Linux distribution. Some of its uses include viewing Internet histories, data carving,
checking USB device usage, extracting password hashes from memory dumps, information
gathering, examining the Windows firewall configuration, seeing recent documents, and
other useful tasks. To use the tool, you only need to boot from the CD and follow the
instructions.

➢ XRY

✓ XRY is the mobile forensics tool developed by Micro Systemation. It is used to analyze
and recover crucial information from mobile devices. This tool comes with a hardware
device and software. Hardware connects mobile phones to PC and software performs the
analysis of the device and extracts data. It is designed to recover data for forensic analysis.

✓ The latest version of the tool can recover data from all kinds of smartphones,
including Android, iPhone and BlackBerry. It gathers deleted data such as call records,
images, SMS and text messages.

➢ HELIX3

✓ HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It
comes with many open source digital forensics tools including hex editors, data carving
and password cracking tools. If you want the free version, you can go for Helix3 2009R1.
After this release, this project was overtaken by a commercial vendor. So, you need to pay
for most recent version of the tool.


✓ This tool can collect data from physical memory, network connections, user accounts,
executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen
captures, SAM files, applications, drivers, environment variables and Internet history.
It then analyses and reviews the data to generate compiled results in reports.

➢ Cellebrite UFED
✓ Cellebrite’s UFED solutions present a unified workflow to allow examiners, investigators
and first responders to collect, protect and act decisively on mobile data with the speed
and accuracy a situation demands – without ever compromising one for the other.
✓ The UFED Pro Series is designed for forensic examiners and investigators who require
the most comprehensive, up-to-date mobile data extraction and decoding support
available to handle the influx of new data sources.
✓ Platform agnostic, the UFED Field Series is designed to unify workflows between the
field and lab, making it possible to view access and share mobile data via in-car
workstations, laptops, tablets or a secure, self-service kiosk located at a station.

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 51


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer
Forensics Tools: Software/ Hardware Tools.

Processing Crime and Incident Scenes

Identifying Digital Evidence

➢ Digital evidence Can be any information stored or transmitted in digital form


➢ U.S. courts accept digital evidence as physical evidence – Digital data is a tangible object
➢ Some require that all digital evidence be printed out to be presented in court
➢ General tasks investigators perform when working with digital evidence
✓ Identify digital information or artifacts that can be used as evidence
✓ Collect, preserve, and document evidence
✓ Analyze, identify, and organize evidence
✓ Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably
➢ Collecting computers and processing a criminal or incident scene must be done systematically

Understanding Rules of Evidence

➢ Consistent practices help verify your work and enhance your credibility
➢ Comply with your state’s rules of evidence or with the Federal Rules of Evidence
➢ Evidence admitted in a criminal case can be used in a civil suit, and vice versa
➢ Keep current on the latest rulings and directives on collecting, processing, storing, and admitting
digital evidence
➢ Data you discover from a forensic examination falls under your state’s rules of evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 52
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

✓ Or the Federal Rules of Evidence


➢ Digital evidence is unlike other physical evidence because it can be changed more easily
✓ The only way to detect these changes is to compare the original data with a duplicate
➢ Most federal courts have interpreted computer records as hearsay evidence
✓ Hearsay is secondhand or indirect evidence
➢ Computer records must be shown to be authentic and trustworthy
✓ To be admitted into court
➢ Computer-generated records are considered authentic
✓ If the program that created the output is functioning correctly
➢ Collecting evidence according to the proper steps of evidence control helps ensure that the computer
evidence is authentic
➢ When attorneys challenge digital evidence
✓ Often they raise the issue of whether computer generated records were altered
➢ Or damaged after they were created
➢ One test to prove that computer-stored records are authentic is to demonstrate that a specific person
created the records
✓ The author of a Microsoft Word document can be identified by using file metadata

Types of Evidence

✓ Direct evidence
✓ Circumstantial evidence
✓ Class evidence
✓ Individual evidence

Direct evidence

➢ It includes firsthand observations such as eyewitness accounts or police dashboard video cameras.
✓ Example: a witness states that she saw a defendant pointing a gun at a victim during a
robbery. In court, direct evidence involves testimony by a witness about what that
witness personally saw, heard, or did. Confessions are also considered direct evidence.

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 53


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Circumstantial evidence

➢ It is indirect evidence that can be used to imply a fact but that does not directly prove it. No one,
other than the suspect and victim, actually sees when circumstantial evidence is left at the crime
scene.
➢ But circumstantial evidence found at a crime scene may provide a link between a crime scene and a
suspect.
✓ Example: finding a suspect’s gun at the site of a shooting is circumstantial evidence of
the suspect’s presence there. Circumstantial evidence can be either physical or biological
in nature. Physical evidence includes impressions such as fingerprints, footprints, shoe
prints, tire impressions, and tool marks.

Class evidence

➢ Narrows an identity to a group of persons or things. Knowing the ABO blood type of a sample of
blood from a crime scene tells us that one of many persons with that blood type may have been
there. It also allows us to exclude anyone with a different blood type.

Individual evidence

➢ Narrows an identity to a single person or thing. Individual evidence typically has such a unique
combination of characteristics that it could only belong to one person or thing, such as a fingerprint.

Common examples of trace evidence.

✓ Animal or human hair


✓ Fingerprints
✓ Soil or plant material (pollen)
✓ Body fluids such as mucus, semen, saliva, or blood
✓ Fiber or debris from clothing
✓ Paint chips, broken glass, or chemicals such as drugs or explosives
✓ Evidence

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 54


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

✓ Direct Circumstantial
✓ Physical Biological
✓ It is relatively easy to recover DNA from cigarette ends found at the scene of a crime.

Working with Windows and DOS Systems.

➢ 3 types of file systems have been File Systems used by Windows: FAT, FAT32, NTFS

FAT x

➢ File Allocation Table – family of file systems for DOS/Windows operating systems
➢ FAT table – stores info. on status of all clusters on the disk = ‘table of content’
➢ x = 12, 16, 32 – number of bits used for cluster identification/numbering bit-size of each FAT table
entry

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 55


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 56


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

NTFS File System


➢ NTFS – New Technology File System – introduced for Windows NT and Vista
➢ file and folder permissions – folder and file access can be controlled individually
➢ file encryption – NTFS enables strong encryption of files and folders extremely resistant to
attacks
➢ file compression – NTFS enables lossy compression on both files and folders
➢ disk efficiency – NTFS supports smaller cluster size than FAT32
➢ greater reliability – NTFS writes a log of change being made to files and folders (NTFS
journal), which helps the OS to recover from system failures

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 57


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Windows Registry

➢ critical part of any Windows OSs - hierarchical database containing configuration information about:
➢ system hardware;
✓ installed software (programs);
✓ property settings;
✓ Profile for each user, etc.
➢ OS uses instructions stored in the registry to determine how installed hardware and software should
function
➢ e.g. typical software comes with a Windows installer that writes to the registry during installation
➢ system must be restarted for changes to take place

Current Computer Forensics Tools: Software/ Hardware Tools.


➢ computer forensics tools can also be classified into various categories:

✓ Disk and data capture tools


✓ File viewers
✓ File analysis tools
✓ Registry analysis tools
✓ Internet analysis tools
✓ Email analysis tools
✓ Mobile devices analysis tools
✓ Mac OS analysis tools
✓ Network forensics tools
✓ Database forensics tools

➢ Digital Forensics Framework


✓ Digital Forensics Framework is another popular platform dedicated to digital
forensics.
✓ The tool is open source and comes under GPL License. It can be used either by
professionals or non-experts without any trouble.

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 58


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

✓ It can be used for digital chain of custody, to access the remote or local devices,
forensics of Windows or Linux OS, recovery hidden of deleted files, quick search for
files’ Meta data, and various other things.

➢ Open Computer Forensics Architecture


✓ Open Computer Forensics Architecture (OCFA) is another popular distributed open-
source computer forensics framework. This framework was built on Linux platform
and uses postgreSQL database for storing data.
✓ It was built by the Dutch National Police Agency for automating digital forensics
process. It is available to download under GPL license.
➢ CAINE
✓ CAINE (Computer Aided Investigative Environment) is the Linux distro created for
digital forensics. It offers an environment to integrate existing software tools as
software modules in a user friendly manner. This tool is open source.

➢ X-Ways Forensics

✓ X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on


all available version of Windows. It claims to not be very resource hungry and to
work efficiently. If we talk about the features, find the key features in the list below

16. Disk imaging and cloning


17. Ability to read file system structures inside various image files
18. It supports most of the file systems including FAT12, FAT16,
FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®,
CDFS/ISO9660/Joliet, UDF
19. Automatic detection of deleted or lost hard disk partition
20. Various data recovery techniques and powerful file carving
21. Bulk hash calculation
22. Viewing and editing binary data structures using templates
23. Easy detection of and access NTFS ADS

VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 59


VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

24. Well maintained file header


25. Automated activity logging
26. Data authenticity
27. Complete case management
28. Memory and RAM analysis
29. Gallery view for pictures
30. Internal viewer for Windows registry file
➢ SANS Investigative Forensics Toolkit – SIFT
✓ SANS Investigative Forensics Toolkit (SIFT) is a multi-purpose forensic operating
system that comes with the tools needed in the digital forensic process. It is built on
Ubuntu with many tools related to digital forensics. SIFT 3.0 was the most recent release
at the time of writing. It is free of charge and contains free, open-source forensic tools.

✓ SIFT is covered in more detail in the posts at resource.infosecinstitute.com.

➢ EnCase

✓ EnCase is another popular multi-purpose forensic platform with tools for several areas of
the digital forensic process. It can rapidly gather data from various devices and unearth
potential evidence, and it produces a report based on the evidence.

➢ Registry Recon

✓ Registry Recon is a popular registry analysis tool. It extracts the registry information from
the evidence and then rebuilds the registry representation. It can rebuild registries from
both current and previous Windows installations.

➢ The Sleuth Kit


✓ The Sleuth Kit is a collection of Unix- and Windows-based command-line tools for the
forensic analysis of computers. The tools analyze disk images, perform in-depth analysis
of file systems, and support various other tasks in digital forensics.


➢ Libforensics
✓ Libforensics is a library for developing digital forensics applications. It is written
in Python and comes with various demo tools that extract information from various
types of evidence.
➢ Volatility
✓ Volatility is a memory forensics framework used for incident response and malware
analysis. With it you can extract information about running processes, network sockets,
network connections, DLLs and registry hives from a memory image. It also supports
extracting information from Windows crash dump files and hibernation files. It is
available for free under the GPL license.
➢ WindowsSCOPE
✓ WindowsSCOPE is another memory forensics and reverse engineering tool for analyzing
volatile memory. It is mainly used for reverse engineering malware. It provides the
capability to analyze the Windows kernel, drivers, DLLs, and virtual and physical memory.
➢ The Coroner’s Toolkit
✓ The Coroner's Toolkit (TCT) is a digital forensic analysis tool that runs under several
Unix-related operating systems. It can be used to aid the analysis of computer disasters
and data recovery.
➢ Oxygen Forensic Suite
✓ Oxygen Forensic Suite is software for gathering evidence from a mobile phone to support
a case. It helps gather device information (including manufacturer, OS, IMEI number and
serial number), contacts and messages (emails, SMS, MMS), and it recovers deleted
messages, call logs and calendar information.
✓ It also lets you access and analyze mobile device data and documents, and it generates
easy-to-understand reports.
➢ Bulk Extractor
✓ Bulk Extractor is also an important and popular digital forensics tool. It scans a disk
image, a file or a directory of files and extracts useful information. In doing so it
ignores the file system structure, so it is faster than similar tools.

✓ It is used mainly by intelligence and law enforcement agencies in solving cyber crimes.
➢ Xplico
✓ Xplico is an open source network forensic analysis tool. It is used to extract useful
data from applications that use Internet and network protocols.
✓ It supports most of the popular protocols, including HTTP, IMAP, POP, SMTP, SIP, TCP,
UDP and others.
✓ The tool's output is stored in an SQLite or MySQL database. It supports both IPv4 and
IPv6.
➢ Mandiant RedLine
✓ Mandiant RedLine is a popular tool for memory and file analysis. It collects
information about running processes and drivers from memory and gathers other data such
as metadata, registry data, tasks, services, network information and Internet history to
build a report.
➢ Computer Online Forensic Evidence Extractor (COFEE)
✓ Computer Online Forensic Evidence Extractor or COFEE is a tool kit developed for
computer forensic experts. This tool was developed by Microsoft to gather evidence
from Windows systems.
✓ It can be installed on a USB pen drive or external hard disk. Plug the USB device into
the target computer and it starts a live analysis. It comes with 150 different tools and
a GUI-based interface for running them.
✓ It is fast and can perform the whole analysis in as little as 20 minutes. Microsoft
provides free technical support for the tool to law enforcement agencies.
➢ P2 eXplorer
✓ P2 eXplorer is a forensic image mounting tool that aims to help investigating officers
with the examination of a case. With this tool you can mount forensic images as read-only
logical or physical disks and then explore the contents of the image with a file
explorer. You can easily view deleted data and unallocated space in the image.

✓ It can mount several images at a time. It supports most image formats, including EnCase,
SafeBack, PFR, FTK DD, WinImage, raw images from Linux dd, and VMware images. It supports
both logical and physical image types.

➢ Plain Sight

✓ Plain Sight is another useful digital forensics tool. It is a live CD based on Knoppix, a
Linux distribution. Its uses include viewing Internet histories, data carving, checking
USB device usage, extracting password hashes from memory dumps, information gathering,
examining the Windows firewall configuration, viewing recent documents, and other useful
tasks. To use it, you only need to boot from the CD and follow the instructions.

➢ XRY

✓ XRY is a mobile forensics tool developed by Micro Systemation. It is used to analyze and
recover crucial information from mobile devices. It consists of a hardware device and
software: the hardware connects the mobile phone to a PC and the software analyzes the
device and extracts data. It is designed to recover data for forensic analysis.

✓ The latest version of the tool can recover data from all kinds of smart phones, including
Android, iPhone and BlackBerry. It gathers deleted data such as call records, images, SMS
and text messages.

➢ HELIX3

✓ HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It
comes with many open source digital forensics tools including hex editors, data carving
and password cracking tools. The free version is Helix3 2009R1; after that release the
project was taken over by a commercial vendor, so you need to pay for the most recent
version of the tool.

✓ This tool can collect data from physical memory, network connections, user accounts,
executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen
captures, SAM files, applications, drivers, environment variables and Internet history.
It then analyzes and reviews the data and compiles the results into reports.

➢ Cellebrite UFED
✓ Cellebrite's UFED solutions present a unified workflow that allows examiners, investigators
and first responders to collect, protect and act decisively on mobile data with the speed
and accuracy a situation demands, without compromising one for the other.
✓ The UFED Pro Series is designed for forensic examiners and investigators who require the
most comprehensive, up-to-date mobile data extraction and decoding support available to
handle the influx of new data sources.
✓ The platform-agnostic UFED Field Series is designed to unify workflows between the field
and the lab, making it possible to view, access and share mobile data via in-car
workstations, laptops, tablets or a secure, self-service kiosk located at a station.


UNIT V ANALYSIS AND VALIDATION


Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition – Network
Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics

VALIDATING FORENSICS DATA

➢ Software validation is part of the design validation of a finished device. It is the
confirmation, by examination and the provision of objective evidence, that the software
specifications conform to user needs and intended uses, and that the particular
requirements implemented through software can be consistently fulfilled.

➢ In practice, software validation activities may occur both during and at the end of the
software development lifecycle to ensure that all requirements have been fulfilled.

➢ The validation of software typically includes evidence that all software requirements have
been implemented correctly and completely. The conclusion that software is validated is
highly dependent upon comprehensive software testing, inspections, analyses and other
verification tasks performed at each stage of the software development lifecycle.

➢ Data validation is the process of ensuring that a program operates on clean, correct and
useful data. It uses routines, often called "validation rules", "validation constraints" or
"check routines", that check the correctness, meaningfulness and security of data input to
the system.

➢ The rules may be implemented through the automated facilities of a data dictionary or by
including explicit validation logic in the application program. Data validation (also data
vetting or data cleaning) is the process of checking that data conforms to its
specification. It is usually the first process undertaken on raw data.

➢ The following are among the kinds of checks that may be carried out: number and type of
characters in a data item; range of values of a data item; correctness of check character(s);
consistency between one data item and others in the same record; correctness of check totals for
individual records; correctness of batch controls.

Validation methods


➢ Allowed character checks: only expected characters are present in a field. For example, a
numeric field may only allow the digits 0-9, the decimal point and perhaps a minus sign or
commas.
➢ A text field such as a personal name might disallow characters such as < and >, as they
could be evidence of a markup-based security attack (for example, injected HTML). An e-mail
address might require at least one @ sign and various other structural details. Regular
expressions are an effective way of implementing such checks. (See also data type checks
below.)
➢ Batch totals: checks for missing records. Numerical fields may be added together for all
records in a batch. The batch total is entered and the computer checks that the total is
correct, e.g., add the 'Total Cost' field of a number of transactions together.
➢ Cardinality checks: checks that a record has a valid number of related records. For
example, if a Contact record is classified as a Customer it must have at least one
associated Order (cardinality > 0). If no order exists for a "customer" record then it
must be either changed to "seed" or the order must be created.
➢ This type of rule can be complicated by additional conditions. For example, if a contact
record in a Payroll database is marked as "former employee", then this record must not
have any associated salary payments after the date on which the employee left the
organization (cardinality = 0).
➢ Check digits: used for numerical data. An extra digit is added to a number, calculated from
the other digits. The computer recomputes this value when the data are entered. For
example, the last digit of a 13-digit ISBN is a check digit computed modulo 10 (the older
10-digit ISBN uses a check digit computed modulo 11).
➢ Consistency checks: checks fields to ensure the data in them correspond, e.g., if Title =
"Mr.", then Gender = "M".
➢ Control totals: a total computed over one or more numeric fields that appear in every
record. This is a meaningful total, e.g., the total payment for a number of customers.
➢ Cross-system consistency checks: compares data in different systems to ensure it is
consistent, e.g., the address of the customer with the same id is the same in both systems.
➢ The data may be represented differently in different systems and may need to be
transformed to a common format before it can be compared. For example, one system may store
a customer name in a single Name field as 'Doe, John Q', while another stores it in three
fields: First_Name (John), Last_Name (Doe) and Middle_Name (Quality). To compare the two,
the validation engine would have to transform the data from the second system to match the
first, for example using SQL: Last_Name || ', ' || First_Name || ' ' ||
substr(Middle_Name, 1, 1) would convert the data from the second system to look like the
data from the first, 'Doe, John Q'.
➢ Data type checks: checks the data type of the input and gives an error message if the input
does not match the chosen data type, e.g., in an input box accepting numeric data, if the
letter 'O' is typed instead of the digit zero, an error message appears.
➢ File existence check: checks that a file with a specified name exists. This check is
essential for programs that use file handling.
➢ Format or picture check: checks that the data is in a specified format (template), e.g.,
dates have to be in the format DD/MM/YYYY. Regular expressions should be considered for this
type of validation.
➢ Hash totals: a batch total computed over one or more numeric fields that appear in every
record. This is a meaningless total, e.g., adding the telephone numbers of a number of
customers together.
➢ Limit check: unlike range checks, data are checked against one limit only, upper or lower,
e.g., data should not be greater than 2 (<= 2).
➢ Logic check: checks that an input does not yield a logical error, e.g., an input value
should not be 0 when it will be used as a divisor somewhere in the program.
➢ Presence check: checks that important data is actually present and has not been missed
out, e.g., customers may be required to have their telephone numbers listed.
➢ Range check: checks that the data is within a specified range of values, e.g., the month of
a person's date of birth should lie between 1 and 12.
➢ Referential integrity: in a modern relational database, values in two tables can be linked
through a foreign key and a primary key. If values in the primary key field are not
constrained by the database's internal mechanism,[4] then they should be validated.
Validation of the foreign key field checks that the referencing table always refers to a
valid row in the referenced table.[5]
➢ Spelling and grammar check: looks for spelling and grammatical errors.
➢ Uniqueness check: checks that each value is unique. This can be applied to several fields
(e.g. Address, First Name and Last Name).
➢ Table look-up check: takes the entered data item and compares it to a valid list of entries
stored in a database table.
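The following added example (not code from the original page) implements several of the checks listed above in Python: an allowed-character check via a regular expression, the ISBN check digit in both its 13-digit (modulo 10) and 10-digit (modulo 11) forms, a range check, the Title/Gender consistency check, and a batch total over a set of records. The sample records, the field names and the declared batch total are constructed for the demonstration.

```python
import re
from typing import Callable, Dict, List

# Constructed sample batch (not data from the original page). Each record is one
# order line; DECLARED_BATCH_TOTAL is the figure written on the batch header.
RECORDS: List[Dict] = [
    {"id": 101, "isbn": "9780306406157", "title": "Mr.", "gender": "M",
     "birth_month": 5, "total_cost": 12.50, "email": "john@example.com"},
    {"id": 102, "isbn": "9780306406158", "title": "Ms.", "gender": "F",
     "birth_month": 13, "total_cost": 7.25, "email": "jane@example.com"},
    {"id": 103, "isbn": "0306406152", "title": "Mr.", "gender": "F",
     "birth_month": 11, "total_cost": 3.00, "email": "no-at-sign.example.com"},
]
DECLARED_BATCH_TOTAL = 22.75  # the correct sum of total_cost over RECORDS


def allowed_chars_ok(value: str, pattern: str) -> bool:
    """Allowed-character check: the whole field must match the regular expression."""
    return re.fullmatch(pattern, value) is not None


def isbn13_ok(isbn: str) -> bool:
    """13-digit ISBN: weights 1,3,1,3,... over the first 12 digits;
    check digit = (10 - sum mod 10) mod 10."""
    if not re.fullmatch(r"\d{13}", isbn):
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(isbn[:12]))
    return (10 - total % 10) % 10 == int(isbn[12])


def isbn10_ok(isbn: str) -> bool:
    """10-digit ISBN: sum(i * d_i) for i = 1..10 must be 0 mod 11;
    the last position may be 'X', meaning 10."""
    if not re.fullmatch(r"\d{9}[\dX]", isbn):
        return False
    digits = [10 if c == "X" else int(c) for c in isbn]
    return sum(i * d for i, d in enumerate(digits, start=1)) % 11 == 0


def range_ok(value: int, low: int, high: int) -> bool:
    """Range check: low <= value <= high."""
    return low <= value <= high


def title_gender_consistent(record: Dict) -> bool:
    """Consistency check from the text: Title 'Mr.' implies Gender 'M'."""
    return record["title"] != "Mr." or record["gender"] == "M"


def batch_total_ok(records: List[Dict], field: str, declared: float) -> bool:
    """Batch total check: the recomputed sum must equal the declared total."""
    return abs(sum(r[field] for r in records) - declared) < 1e-9


def validate_record(record: Dict) -> List[str]:
    """Run the per-record rules and return the names of the rules that failed."""
    rules: Dict[str, Callable[[Dict], bool]] = {
        "isbn_check_digit": lambda r: isbn13_ok(r["isbn"]) or isbn10_ok(r["isbn"]),
        "birth_month_range": lambda r: range_ok(r["birth_month"], 1, 12),
        "title_gender_consistency": title_gender_consistent,
        "email_format": lambda r: allowed_chars_ok(
            r["email"], r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+"),
    }
    return [name for name, rule in rules.items() if not rule(record)]


def validate_batch(records: List[Dict], declared_total: float) -> Dict[str, object]:
    """Per-record failures plus the batch-level total check."""
    return {
        "records": {r["id"]: validate_record(r) for r in records},
        "batch_total_ok": batch_total_ok(records, "total_cost", declared_total),
    }


if __name__ == "__main__":
    result = validate_batch(RECORDS, DECLARED_BATCH_TOTAL)
    for rid, failures in result["records"].items():
        print(rid, "OK" if not failures else "FAILED: " + ", ".join(failures))
    print("batch total", "OK" if result["batch_total_ok"] else "MISMATCH")
```

Record 101 passes every rule; 102 fails the check digit and the range check; 103 fails the consistency and e-mail format checks; the batch total matches the declared figure.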


DATA HIDING

➢ Data hiding is the process of making data difficult to find while also keeping it accessible for future
use. "Obfuscation and encryption of data give an adversary the ability to limit identification and
collection of evidence by investigators while allowing access and use to themselves."
➢ Some of the more common forms of data hiding include encryption, steganography and other
various forms of hardware/software based data concealment. Each of the different data hiding
methods makes digital forensic examinations difficult. When the different data hiding methods are
combined, they can make a successful forensic investigation nearly impossible.

Encryption

➢ One of the more commonly used techniques to defeat computer forensics is data encryption. In a
presentation he gave on encryption and anti-forensic methodologies the Vice President of Secure
Computing, Paul Henry, referred to encryption as a "forensic expert's nightmare".
➢ The majority of publicly available encryption programs allow the user to create virtual encrypted
disks which can only be opened with a designated key. Through the use of modern encryption
algorithms and various encryption techniques these programs make the data virtually impossible to
read without the designated key.
➢ File level encryption encrypts only the file contents. This leaves important information such as file
name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed from
other locations, such as temporary files, swap file and deleted, unencrypted copies.
➢ Most encryption programs have the ability to perform a number of additional functions that make
digital forensic efforts increasingly difficult. Some of these functions include the use of a key file,
full-volume encryption, and plausible deniability. The widespread availability of software containing
these functions has put the field of digital forensics at a great disadvantage.

Steganography

➢ Steganography is a technique where information or files are hidden within another file in an attempt
to hide data by leaving it in plain sight. "Steganography produces dark data that is typically buried
within light data (e.g., a non-perceptible digital watermark buried within a digital photograph)."


➢ Some experts have argued that the use of steganography is not very widespread and therefore
should not be given a lot of thought. Most experts will agree, however, that steganography
has the capability to disrupt the forensic process when used correctly.
➢ According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist
publication) outlined the importance of using a steganography program called Secrets of the
Mujahedeen. According to Carr, the program was touted as giving the user the capability to
avoid detection by current steganalysis programs. It did this through the use of
steganography in conjunction with file compression.

Other forms of data hiding

➢ Other forms of data hiding involve the use of tools and techniques to hide data throughout
various locations in a computer system. Some of these places include "memory, slack space,
hidden directories, bad blocks, alternate data streams, (and) hidden partitions."
➢ One of the better-known tools used for data hiding is Slacker (part of the Metasploit
Anti-Forensics Project). Slacker breaks up a file and places each piece into the slack space
of other files, thereby hiding it from forensic examination software that reads files only
up to their logical size.
➢ Another data hiding technique involves the use of bad sectors. The user marks a particular
sector as bad and then places data in that cluster. The expectation is that forensic
examination tools will treat the cluster as bad and move on without examining its
contents.
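As an added illustration of the slack-space technique that Slacker uses, and of why a tool that reads files by their logical size misses it, the following Python example (not code from the page or from Slacker itself) builds a toy cluster-addressed volume, hides a payload across the slack of several files, and then recovers it by walking every allocated file's slack. The 512-byte cluster size, the HID1 chunk marker and the file contents are assumptions made for the demo.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLUSTER = 512      # cluster size of the constructed toy volume (assumption for the demo)
MARKER = b"HID1"   # hypothetical chunk marker written by the hiding tool in this demo


@dataclass
class FileEntry:
    name: str
    first_cluster: int
    size: int  # logical file size in bytes, as recorded in the directory


class ToyVolume:
    """A flat, cluster-addressed volume with contiguous allocation: just enough
    file-system behaviour to show where slack space comes from."""

    def __init__(self, clusters: int) -> None:
        self.data = bytearray(clusters * CLUSTER)
        self.files: Dict[str, FileEntry] = {}
        self.next_free = 0

    def clusters_for(self, size: int) -> int:
        return max(1, math.ceil(size / CLUSTER))

    def write_file(self, name: str, content: bytes) -> FileEntry:
        start = self.next_free * CLUSTER
        self.data[start:start + len(content)] = content
        entry = FileEntry(name, self.next_free, len(content))
        self.files[name] = entry
        self.next_free += self.clusters_for(len(content))
        return entry

    def read_file(self, name: str) -> bytes:
        """What a file-system-aware tool shows: bytes up to the logical size only."""
        e = self.files[name]
        start = e.first_cluster * CLUSTER
        return bytes(self.data[start:start + e.size])

    def slack_region(self, name: str) -> Tuple[int, int]:
        """Byte range from the logical end of the file to the end of its last cluster."""
        e = self.files[name]
        start = e.first_cluster * CLUSTER + e.size
        end = (e.first_cluster + self.clusters_for(e.size)) * CLUSTER
        return start, end


def hide_in_slack(vol: ToyVolume, payload: bytes) -> List[str]:
    """Slacker-style hiding: split the payload across the slack of existing files.
    Each chunk is stored as MARKER + 2-byte big-endian length + data."""
    remaining = payload
    used: List[str] = []
    for name in vol.files:
        if not remaining:
            break
        start, end = vol.slack_region(name)
        room = end - start - len(MARKER) - 2
        if room <= 0:
            continue
        chunk = remaining[:room]
        record = MARKER + len(chunk).to_bytes(2, "big") + chunk
        vol.data[start:start + len(record)] = record
        remaining = remaining[len(chunk):]
        used.append(name)
    if remaining:
        raise ValueError("not enough slack space for the payload")
    return used


def carve_slack(vol: ToyVolume) -> bytes:
    """Examiner side: walk every allocated file's slack in cluster order and
    reassemble marked chunks. Reading files by logical size would never see this."""
    out = bytearray()
    for name in sorted(vol.files, key=lambda n: vol.files[n].first_cluster):
        start, end = vol.slack_region(name)
        region = vol.data[start:end]
        if region[:len(MARKER)] == MARKER:
            length = int.from_bytes(region[len(MARKER):len(MARKER) + 2], "big")
            out += region[len(MARKER) + 2:len(MARKER) + 2 + length]
    return bytes(out)


def demo() -> Dict[str, object]:
    vol = ToyVolume(clusters=16)
    notes = b"quarterly figures " * 20                  # 360 bytes -> 152 bytes of slack
    vol.write_file("notes.txt", notes)
    vol.write_file("logo.bin", bytes(range(256)) * 3)  # 768 bytes -> 256 bytes of slack
    vol.write_file("readme", b"hello")                 # 5 bytes   -> 507 bytes of slack
    secret = b"ledger entry " * 16                     # 208 bytes: spills over two files
    used = hide_in_slack(vol, secret)
    return {"used": used, "visible_notes": vol.read_file("notes.txt"),
            "recovered": carve_slack(vol), "secret": secret}
```

After `demo()` runs, `notes.txt` reads back byte-for-byte as the user wrote it, while `carve_slack` recovers the full 208-byte payload from the tails of the first two files.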

PERFORMING REMOTE ACQUISITION

➢ In addition to static acquisition and live acquisition there is a third type, remote
acquisition. Remote acquisition is done over a network connection and involves a
client-server architecture.
➢ In many cases you install a client (agent) on the machine from which you want to retrieve
the data. Remote acquisition is a form of live acquisition, because it requires that the
host computer still be up and running: the acquisition can only be done while the computer
is on.
➢ The current trend is that live and remote acquisitions are becoming more important and
popular because of encryption. Static acquisitions are becoming more difficult, because the
data is often encrypted once a computing device is turned off; by the time you try to do a
static acquisition, it may be too late to retrieve the data from the storage device.

NETWORK FORENSICS

➢ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of
computer network traffic for the purposes of information gathering, legal evidence, or intrusion
detection. Unlike other areas of digital forensics, network investigations deal with volatile and
dynamic information. Network traffic is transmitted and then lost, so network forensics is often a
pro-active investigation.
➢ Network forensics generally has two uses. The first, relating to security, involves monitoring a
network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log
files on a compromised host; network-based evidence might therefore be the only evidence available
for forensic analysis.
➢ The second form relates to law enforcement. In this case analysis of captured network traffic can
include tasks such as reassembling transferred files, searching for keywords and parsing human
communication such as emails or chat sessions.
➢ Network forensics is the capture, recording and analysis of network events in order to
discover the source of security attacks or other problem incidents. (The term, attributed
to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields, where
forensics pertains to the investigation of crimes.) According to Simson Garfinkel, author
of several books on security, network forensics systems can be one of two kinds:
➢ "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic
point are captured and written to storage, with analysis done subsequently in batch mode.
This approach requires large amounts of storage, usually involving a RAID system.
➢ "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in
memory and only certain information is saved for future analysis. This approach requires
less storage but may require a faster processor to keep up with incoming traffic.
➢ Both approaches require significant storage and the occasional erasing of old data to make
room for new. The open source programs tcpdump and windump, as well as a number of
commercial programs, can be used for data capture and analysis.
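The difference between the two kinds of systems shows up in what is kept per packet. The following added Python example (not from the page, tcpdump or any named tool) constructs a few Ethernet/IPv4/TCP frames, decodes only the headers needed for a flow key ("stop, look and listen"), keeps per-flow counters, and compares the storage needed against keeping every frame ("catch-it-as-you-can"). The frames, the addresses (RFC 5737 test networks) and the 21-byte flow record layout are assumptions for the demo.

```python
import struct
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, int]  # (src_ip, src_port, dst_ip, dst_port, ip_proto)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame. Checksums are left at zero:
    this is constructed test input standing in for a capture file."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\n\r\n" + b"<html>" * 50
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
ARP_FRAME = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x06" + bytes(28)

# Constructed traffic on RFC 5737 test networks, not a real capture.
SAMPLE_FRAMES: List[bytes] = [
    build_tcp_frame("192.0.2.10", "198.51.100.7", 51000, 80, HTTP_REQ),
    build_tcp_frame("198.51.100.7", "192.0.2.10", 80, 51000, HTTP_RESP),
    build_tcp_frame("192.0.2.10", "198.51.100.7", 51000, 80, b""),  # pure ACK, no data
    build_tcp_frame("192.0.2.10", "203.0.113.5", 51001, 22, SSH_BANNER),
    ARP_FRAME,  # not IPv4: skipped by the flow summarizer
]


def parse_frame(frame: bytes) -> Tuple[FlowKey, int]:
    """"Stop, look and listen": decode only the headers needed for the flow key and
    the payload length; raise ValueError for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (vihl & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload_len = total_len - ihl - data_off
    key = (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport, proto)
    return key, payload_len


def summarize_flows(frames: List[bytes]) -> Dict[FlowKey, Dict[str, int]]:
    """Keep only per-flow counters; packet bodies are discarded."""
    flows: Dict[FlowKey, Dict[str, int]] = {}
    for frame in frames:
        try:
            key, payload_len = parse_frame(frame)
        except ValueError:
            continue
        rec = flows.setdefault(key, {"packets": 0, "payload_bytes": 0})
        rec["packets"] += 1
        rec["payload_bytes"] += payload_len
    return flows


def serialize_flow(key: FlowKey, rec: Dict[str, int]) -> bytes:
    """Fixed 21-byte record per flow (assumed layout): 4s H 4s H B I I."""
    src, sport, dst, dport, proto = key
    return struct.pack("!4sH4sHBII", ip_to_bytes(src), sport, ip_to_bytes(dst), dport,
                       proto, rec["packets"],  rec["payload_bytes"])


def storage_comparison(frames: List[bytes]) -> Dict[str, int]:
    """Bytes needed to keep every frame versus the flow summary."""
    flows = summarize_flows(frames)
    return {
        "flows": len(flows),
        "full_capture_bytes": sum(len(f) for f in frames),
        "flow_summary_bytes": sum(len(serialize_flow(k, r)) for k, r in flows.items()),
    }
```

Three flows come out of the five frames; the summary costs 63 bytes where the full capture costs several hundred, which is the storage trade-off the two approaches make, at the price of losing the payloads that a law-enforcement reconstruction (files, keywords, chat) would need.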


➢ One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information
(including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the
Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted
contents except with user permission, for limited operations monitoring, or under a court order. The
U.S. FBI's Carnivore is a controversial example of a network forensics tool.

EMAIL INVESTIGATION

➢ When investigating email, we usually start with the piece of email itself and analyze its
headers. Since each SMTP server that handles a message adds lines to the top of the header,
we start at the top and work our way backward in time.
➢ Inconsistencies between the data that successive SMTP servers supposedly created can prove
that the email in question is faked. A second line of investigation is the content of the
header lines themselves: each server adds its own characteristic lines, and a message that
supposedly passed through that server but lacks them is faked. If possible, one can obtain
another email that followed the same path as the email under investigation and see whether
these idiosyncratic lines have changed. While it is possible that the administrator of an
SMTP node changed its behavior or even the routing, such changes tend to be few and far
between. For example, in the following email that I sent to myself (with altered addresses),
we find a large number of optional lines that the hotmail server added, in particular the
X- fields.
➢ Without these fields, the message did not originate through the Bay Area hotmail server. The
Message-ID field is also highly characteristic. Notice that hotmail also includes the
originating IP address. A simple check of this IP address might also prove that the message
is a fake. (Though in fact, it is not.)

Return-path: <tschwarz@hotmail.com>
Received: from MGW2.scu.edu [129.210.251.18]
by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
(Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066471627@MGW2.scu.edu> for
<tjschwarz@scu.edu>;
Wed, 28 Dec 2005 20:12:44 -0800
X-Modus-Blacklist: 64.4.43.63=OK;tschwarz@hotmail.com=OK
X-Modus-Trusted: 64.4.43.63=NO
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed, 28 Dec 2005 20:12:44 -0800


Message-ID: <BAY17-F13177DD86E6CA033897367C4290@phx.gbl>
Received: from 129.210.18.34 by by17fd.bay17.hotmail.msn.com with HTTP;
Thu, 29 Dec 2005 04:12:43 GMT
X-Originating-IP: [129.210.18.34]
X-Originating-Email: [tschwarz@hotmail.com]
X-Sender: tschwarzsj@hotmail.com
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
To: tschwarz@scu.edu
Bcc:
Subject: Test
Date: Thu, 29 Dec 2005 04:12:43 +0000
Mime-Version: 1.0
Content-Type: text/plain; char set=iso-8859-1; format=flowed
X-OriginalArrivalTime: 29 Dec 2005 04:12:44.0119 (UTC) FILETIME=[1E30EE70:01C60C2E]

Test
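The following added Python example (not part of the original notes) applies the header analysis described above programmatically. It walks the Received: lines from bottom to top to recover the hop order, checks that no hop is timestamped before the hop that preceded it, and compares the IP in the first hop with X-Originating-IP. The genuine input is modelled on the header above with the folding restored; the forged input and the five-minute clock tolerance are constructed for the demo.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Hops whose clocks disagree by less than this are not reported (assumed tolerance).
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)

# Modelled on the hotmail -> scu.edu header shown above, with header folding
# restored; constructed input for this example, body omitted.
GENUINE_HEADERS = """\
Received: from MGW2.scu.edu [129.210.251.18]
 by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
 (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066471627@MGW2.scu.edu> for
 <tjschwarz@scu.edu>; Wed, 28 Dec 2005 20:12:44 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Wed, 28 Dec 2005 20:12:44 -0800
Message-ID: <BAY17-F13177DD86E6CA033897367C4290@phx.gbl>
Received: from 129.210.18.34 by by17fd.bay17.hotmail.msn.com with HTTP;
 Thu, 29 Dec 2005 04:12:43 GMT
X-Originating-IP: [129.210.18.34]
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
Subject: Test
"""

# Constructed forgery: the bottom (origin) hop is stamped later than the server that
# supposedly received the message from it, and its IP contradicts X-Originating-IP.
FORGED_HEADERS = """\
Received: from MGW2.scu.edu [129.210.251.18]
 by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
 with ESMTP id <C0066471627@MGW2.scu.edu>; Wed, 28 Dec 2005 20:12:44 -0800
Received: from 203.0.113.77 by by17fd.bay17.hotmail.msn.com with HTTP;
 Thu, 29 Dec 2005 06:30:00 GMT
X-Originating-IP: [129.210.18.34]
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
Subject: Test
"""


def parse_received(value: str) -> Dict[str, Optional[object]]:
    """Pull the 'from' host, bracketed IP, 'by' host and timestamp out of one
    Received: header. Folded continuation lines are joined first."""
    text = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+([^\s;]+)", text)
    m_ip = re.search(r"\[(" + IP_RE.pattern + r")\]", text)
    m_by = re.search(r"\bby\s+([^\s;]+)", text)
    timestamp = None
    if ";" in text:  # the date is whatever follows the last semicolon
        timestamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        if timestamp.tzinfo is None:  # treat an unqualified time as UTC
            timestamp = timestamp.replace(tzinfo=timezone.utc)
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "time": timestamp}


def hops_in_transit_order(raw: str) -> List[Dict[str, Optional[object]]]:
    """Each SMTP hop prepends its Received: line, so the bottom line is the
    first hop; reverse the header order to get origin -> destination."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def analyze(raw: str) -> Dict[str, object]:
    """Check the Received: chain for clock inconsistencies and compare the origin
    hop against X-Originating-IP; return the hops and a list of findings."""
    msg = message_from_string(raw)
    hops = hops_in_transit_order(raw)
    findings: List[str] = []
    for i, (prev, nxt) in enumerate(zip(hops, hops[1:])):
        if prev["time"] and nxt["time"] and nxt["time"] < prev["time"] - CLOCK_SKEW_TOLERANCE:
            findings.append(f"hop {i + 1} ({nxt['by']}) is stamped before hop {i} ({prev['by']})")
    if hops:
        origin = hops[0]
        origin_ip = origin["ip"] or (origin["from"] if IP_RE.fullmatch(origin["from"] or "") else None)
        claimed = msg.get("X-Originating-IP", "").strip("[] ")
        if claimed and origin_ip and claimed != origin_ip:
            findings.append(f"X-Originating-IP {claimed} disagrees with first hop {origin_ip}")
    return {"hops": hops, "findings": findings}
```

The genuine header yields four hops with strictly non-decreasing timestamps and no findings; the forged one is flagged twice, once for the clock contradiction and once for the originating-IP mismatch. A clean result does not prove authenticity, as the text says; it only fails to disprove it.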

➢ In general, it is impossible to prove that an email is genuine, but one can build a good
case that it is. Usually, spoofers are simply not that good.
➢ In a case where someone maintains that an email appearing to originate from them is faked,
the date and the originating IP address could create a presumption that the email is not
faked.
➢ But even in this case, the only thing one can deduce for sure is that the email originated
from someone who could put a packet with that return address on the network.
➢ As administrators get more concerned about fake mail, they put in access restrictions and
also place warnings in headers, as the following example shows. (For spam protection, I
changed the email addresses used.)

From: <tschwarz@scu.edu>
Sent: Wednesday, December 28, 2005 11:19:47 PM

Received: from CPSJ-EXCHANGE-1.calprov.org ([65.116.151.145]) by bay0-mc10-f12.bay0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.211); Wed, 28 Dec 2005 15:19:15 -0800
Received: from endor.engr.scu.edu ([129.210.16.1]) by CPSJ-EXCHANGE-1.calprov.org with
Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Dec 2005 15:19:14 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by
endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSNA9h7023258 for tschwarzsj@calprov.org;
Wed, 28 Dec 2005 15:19:47 -0800
X-Message-Info: JGTYoYF78jFYzNJ5n6DdPGvy0zsH8v3C7lhJalOirZc=
X-Authentication-Warning: endor.engr.scu.edu: bobadilla.engr.scu.edu [129.210.18.34] didn't use
HELO protocol
Return-Path: tschwarz@scu.edu
X-OriginalArrivalTime: 28 Dec 2005 23:19:14.0587 (UTC) FILETIME=[1E1796B0:01C60C05]

Analysis of source machine

➢ Besides analyzing the email message itself, analyzing the machine from which an email might
have originated may yield some proof. We will see this when we come to discuss hard drive
evidence.

Analysis of Logs

➢ Even more fundamental and important than these methods are the logs that SMTP servers (and
some email programs) maintain. Law enforcement has an advantage here over private
investigators because it can subpoena ISP records.
➢ Unfortunately, ISP servers tend not to store log data for long. It therefore makes sense to
warn an ISP about a coming subpoena so that it can safeguard the log entries. A lucky
investigator might be able to trace a message back through SMTP servers to the first one
that handled it.
➢ If this server belonged to an ISP, then information from RADIUS logs might give the name of
the subscriber. Otherwise, the investigator might connect the IP of the originating machine
to a suspect. In the case of criminal enterprises such as spammers, fraudsters and phishers,
this investigation will be very difficult because the originating message often comes from a
hacked machine that is controlled by another hacked machine.
➢ The investigator needs to spend considerable resources and talent to follow such a trail
through various jurisdictions. It is even possible to set up a website in a way that cannot
be traced to a person, for example using untraceable or stolen credit cards.
➢ Here is an example of a typical SMTP log from endor. Chris Tracy, a truly talented and
helpful systems administrator, sent me fake mail:

Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0,
nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP,
daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message
<200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2
seconds, 525 bytes.
Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 -
MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu,
delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
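As an added example of working with such logs (not code from the page), the following Python snippet correlates the sendmail and spamd lines about one message: the from= line carrying the Message-ID yields the queue ID, envelope sender and relay; the to= lines with that queue ID yield recipients and delivery status; the spamd result line yields the tests that fired. The log lines are constructed in the format of the excerpt above, with one unrelated message added as noise. The envelope sender claims evil.com while the relay is a Comcast dynamic address listed on two dial-up lists (DUL), a mismatch worth recording in the report.

```python
import re
from typing import Dict, List, Optional

# Constructed lines in the format of the endor sendmail/spamd log shown above
# (one message traced end to end plus one unrelated message as noise).
LOG_LINES: List[str] = [
    "Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, "
    "class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, "
    "daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]",
    "Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 - "
    "MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,"
    "user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,"
    "mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no",
    "Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, "
    "delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent",
    "Dec 31 18:30:02 endor sendmail[30801]: k012UA2x030801: from=alice@example.org, size=2048, "
    "class=0, nrcpts=1, msgid=<7b3c@example.org>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.org [192.0.2.25]",
]

SENDMAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
                         r"(?P<qid>\w+): (?P<rest>.*)$")
SPAMD_RESULT_RE = re.compile(r"spamd: result: (?P<verdict>\S) (?P<score>-?\d+) - (?P<tests>\S+) "
                             r".*?mid=<(?P<mid>[^>]+)>")
RELAY_RE = re.compile(r"^(?P<host>\S+)(?: \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?$")


def sendmail_fields(rest: str) -> Dict[str, str]:
    """Split sendmail's 'k=v, k=v, ...' tail into a dict (split on the first '=' only)."""
    return dict(part.split("=", 1) for part in rest.split(", ") if "=" in part)


def trace_message(lines: List[str], msgid: str) -> Optional[Dict[str, object]]:
    """Correlate every log line about one message by Message-ID and queue ID.
    Returns None when no from= line carries that Message-ID."""
    report: Dict[str, object] = {"recipients": [], "spam_tests": []}
    qid: Optional[str] = None
    for line in lines:  # pass 1: find the from= line, which carries the Message-ID
        m = SENDMAIL_RE.match(line)
        if m and m.group("rest").startswith("from="):
            fields = sendmail_fields(m.group("rest"))
            if fields.get("msgid") == f"<{msgid}>":
                qid = m.group("qid")
                relay = RELAY_RE.match(fields.get("relay", ""))
                report.update(queue_id=qid, timestamp=m.group("ts"), sender=fields["from"],
                              relay_host=relay.group("host") if relay else None,
                              relay_ip=relay.group("ip") if relay else None)
    if qid is None:
        return None
    for line in lines:  # pass 2: everything keyed by that queue ID or Message-ID
        m = SENDMAIL_RE.match(line)
        if m and m.group("qid") == qid and m.group("rest").startswith("to="):
            fields = sendmail_fields(m.group("rest"))
            report["recipients"].append(fields["to"])
            report["delivery_status"] = fields.get("stat")
        s = SPAMD_RESULT_RE.search(line)
        if s and s.group("mid") == msgid:
            report["spam_tests"] = s.group("tests").split(",")
            report["spam_score"] = int(s.group("score"))
    # A relay on a dial-up/dynamic list (DUL) is a consumer broadband address, which
    # sits oddly with an envelope sender claiming an organisational domain.
    report["relay_on_dynamic_list"] = any(t.endswith("_DUL") for t in report["spam_tests"])
    return report
```

Run `trace_message(LOG_LINES, "200601010225.k012OV1i030597@endor.engr.scu.edu")` to get queue ID k012OV1i030597, sender evil@evil.com, relay 24.12.227.211, one recipient with status Sent, and the DUL flag set; the unrelated message from alice@example.org has no DUL hit, and an unknown Message-ID returns None.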


Information Technology Email Investigation Guidelines

➢ This document describes the Information Technology policies and procedures for handling
emails that involve transgressions of law or questionable content.
➢ Pursuant to the Computing Access Agreement, Information Technology does not monitor email
content or email accounts. Minimal, short-lived logging is done on the system for performance and
operational use showing messages queued for delivery or system load. Email account contents may
be accessed for technical reasons (assisting users or system troubleshooting) without the knowledge
of the owner.
➢ Information Technology does not officially investigate or trace emails unless directed or requested to
do so by College authority offices such as Campus Police, Human Resources, or Student Life. In
general, all issues with objectionable email of a harassing or illegal nature must be routed through
one of these authorities, typically Campus Police.
➢ Members of the College community who contact Information Technology about this issue are
directed to retain the message in its original form within their account and contact Campus Police.
Campus Police then typically makes an incident report and determines whether the incident warrants
action by Information Technology.
➢ The majority of information used for tracing email is extracted from the message header. The header
format is a documented standard and is constructed as a product of message delivery by all involved
delivery agents (from the initiating client through to the final accepting server). To some degree this
information can be used to verify the legitimacy of a message. To a lesser degree this information
can be used to trace the message origin. However, mail clients are easily reconfigured to obscure the
identity of the sender, semi-anonymous email agents (like Yahoo! and Hotmail) are widely used, and
determined individuals can certainly add enough invalid header information to make determinations
very difficult.
➢ Emails originating from The College of New Jersey systems are typically easier to trace than
messages originating from off-campus sites (this includes Yahoo! and Hotmail as well as emails
from other personal or commercial systems).
➢ Information Technology NTS staff will review the message headers to determine origin, destination,
or ownership of the message as required. College UNIX account contents may be reviewed to
determine what roles investigation-specified users and potential suspects play in the investigation.


➢ In the event that an email must be traced through an off-campus system, Information Technology
must request the assistance of other agencies. For email originating from or destined to other sites,
respective system administrators at those sites may be contacted for assistance. Information
Technology staff often contact system administrators at these sites and may be able to acquire the
necessary information. Certain commercial email systems require legal documents before they will
release account information. For these services (like AOL, Yahoo! or Hotmail) a court order or
subpoena may be required to obtain the user identity and/or message contents of the suspect account.
Campus Police handles acquiring legally binding documents and may acquire those documents and
possibly the related account information before contacting Information Technology.
➢ Information Technology NTS staff maintain close contact with Campus Police (or the appropriate
investigating agency) throughout the division’s action in the investigation. Information retrieved by
Information Technology is provided to the investigators with explanation as required.
➢ In most cases the action taken against an individual determined guilty of a violation of the
Computing Access Agreement is determined by College authorities. The typical action is to lock the
user account for a specified period of time.
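As an added illustration of the header tracing described in the guidelines above (not part of the original document), the following Python walks a constructed Received: chain from the first server to the last, flags hops whose hand-off does not match, and picks the earliest hop that a trusted server recorded; the host names and addresses are made-up documentation values.

```python
import re

# Constructed sample (not from the page): Received: headers as stacked by the receiving
# servers, newest first. The bottom hop's "by" host is not where the next hop says it
# received the message from, the typical sign of a header the sender inserted himself.
SAMPLE_HEADERS = """\
Received: from mail.engr.example.edu (mail.engr.example.edu [192.0.2.10])
\tby mbox.example.edu with ESMTP id 17; Sat, 31 Dec 2005 18:26:15 -0800
Received: from relay.isp.example.net (relay.isp.example.net [198.51.100.5])
\tby mail.engr.example.edu with ESMTP id 16; Sat, 31 Dec 2005 18:26:14 -0800
Received: from mailhost.example.org (unknown [203.0.113.77])
\tby smtp.bogus.example with SMTP id 15; Sat, 31 Dec 2005 18:26:10 -0800
"""

HOP_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\)\s+by (?P<by>\S+)")


def parse_hops(raw_headers):
    """Unfold the headers and return the hops oldest first, in the order the message travelled."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [m.groupdict() for m in map(HOP_RE.match, unfolded.splitlines()) if m][::-1]


def _consistent(older, newer):
    """The newer hop should say it received the message from the host that added the older hop."""
    return older["by"] in (newer["helo"], newer["rdns"])


def audit_chain(hops):
    """Findings a tracer would note. The sender controls HELO and any header it inserts
    itself; only the receiving MTA's own by/rdns/ip annotations can be relied on."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["rdns"] == "unknown" or hop["rdns"] != hop["helo"]:
            findings.append(f"hop {i}: HELO {hop['helo']} not confirmed by reverse DNS "
                            f"({hop['rdns']} [{hop['ip']}])")
        if i + 1 < len(hops) and not _consistent(hop, hops[i + 1]):
            findings.append(f"hop {i}: says received by {hop['by']}, but hop {i + 1} "
                            f"was received from {hops[i + 1]['helo']}")
    return findings


def earliest_trusted_hop(hops):
    """Walk back from the final server; the hop just before the first broken hand-off is
    the earliest one whose IP a trusted MTA recorded, so it is the best origin lead."""
    for i in range(len(hops) - 1, 0, -1):
        if not _consistent(hops[i - 1], hops[i]):
            return hops[i]
    return hops[0] if hops else None
```

On the sample, both findings point at hop 0 and the origin lead is 198.51.100.5, the address the campus server itself recorded, rather than the 203.0.113.77 the bottom header claims.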

CELL PHONE AND MOBILE DEVICE FORENSICS

➢ In the information age, every byte of data matters. Cell phones are capable of storing a wealth of
personal information, often intentionally, and sometimes unintentionally. This holds true for almost
all mobile devices, such as PDAs and iPhones as well.
➢ Cell phone forensic experts specialize in the forensic retrieval of data from cell phones and other
mobile devices in a manner that preserves the evidence under forensically acceptable conditions,
ensuring that it is court-admissible.
➢ A cell phone forensic investigation includes possible full data retrieval dependent upon the cell
phone or PDA model. The cell phone and PDA forensic engineers at Kessler International will
conduct a thorough examination of the data found on the cell phone’s SIM/USIM, the cell phone
body itself, and any optional memory cards. Some of the kinds of data that may be retrieved and
examined during a cell phone forensic investigation, even after being deleted, include:

✓ Call times; dialed and received calls, and call durations
✓ Text messages; recovery of SMS messages
✓ Contact names & phone numbers
✓ Address book entries; residential addresses and email addresses
✓ Photos & graphics
✓ Videos
➢ Law enforcement officials and legal firms realize the importance of evidence contained on cell
phones and other mobile devices, and how it can greatly affect the outcome of a trial.
➢ Whether working to document evidence of “white collar crime” or tasked by law enforcement to
extract data for a criminal trial, the integrity of the firm selected for cell phone forensics is as
important as the integrity of the data recovered.
➢ More and more court cases are being won with the proper submittal of electronic evidence, so it’s
imperative that the cell phone forensic investigator understands the legal issues and imperatives
surrounding electronic evidence gathering.

Why and when to call Kessler International

➢ Parents should contact us if they suspect that their child is misusing the device or being harassed by
someone contacting or photographing them without their consent. Kessler will discreetly investigate
and, if necessary, assist law enforcement by providing court-admissible data to corroborate legal
claims.
➢ Kessler International can perform mobile phone forensics if an individual suspects his or her spouse
of cheating. Data such as placed & received calls and phone call times, text messages, photos and
other incriminating evidence can be retrieved from the spouse’s cell phone or mobile device.
➢ Companies and corporations should contact us to perform cell phone forensics if they suspect
espionage by a competitor or disgruntled employee.
➢ Business owners who distribute cell phones to their executives and sales staff may contact us to
perform cell phone forensics to determine if these devices are being inappropriately used to view
and/or download porn, or defying restricted Internet usage company policies.
➢ Individuals may contact Kessler International if they suspect they have been the victim of e-stalking,
the subject of inappropriate and non-consensual digital photography and other forms of digital
harassment.


➢ Kessler International’s forensic cell/mobile phone, PDA, and computer investigations are discreet,
controlled, thorough and fully documented. Our professional staff is both certified and highly-
experienced in their respective forensic disciplines.
➢ Forensic cell phone audits by Kessler International’s professionals yield superior results as our
techniques and procedures far exceed those used in routine data recovery investigations.
➢ Our forensic examinations will document the evidence that the client needs and the respective
circumstance requires. For all your cell phone forensic investigative needs, Kessler International is
the company to call.

A Leader in the Field of Cell Phone Forensics

➢ For over 25 years, Kessler International has been a leader in the field of digital forensics. The cell
phone forensic engineers at Kessler International are fully trained in proper evidence handling and
litigation support services. Our broad knowledge of these complex electronic systems combined with
extensive legal training demonstrates the high standards Kessler International maintains.
➢ These standards are critical to providing the data that support an accurate presentation of the facts.
Kessler has built its rock-solid reputation on it. Remember, when the bar is set high, Kessler
International is the company to call.
➢ The explosive growth in the availability and use of cell phones and other mobile devices, coupled
with the expanded capabilities of these devices, has made this area of digital forensics
increasingly important. For many years now, cell phones have been a recorder of information, often
related to criminal or other nefarious behaviors, not to mention often being the instrument and,
occasionally, the target of that behavior.
➢ Mobile devices contain a plethora of data, including contact lists, phone and Internet browsing
history, text and multimedia messages, e-mail, photographs and videos, geo location information,
and much more. Indeed, smart phones are mobile Internet terminals and contain more probative
information per byte examined than most computers.
➢ Examination and analysis of cell phones requires a very different forensic process than that applied
to computers.
➢ Every step from seizure to preservation to transport to the exam itself requires processes and tools to
ensure minimal alteration to the original evidence.


➢ The complexity in performing a thorough exam of a mobile device and the analysis of the contents
should not be underestimated; while computers today largely employ only two or three different
operating systems (depending upon how you count), there are at least six major operating systems
used on mobile phones that are still in circulation.
➢ Gary has been conducting mobile phone forensic examinations since 2006. Most of this work has
been on behalf of the local, state, and federal law enforcement community in Vermont and Florida,
including the U.S. Attorney's Office and Internet Crimes Against Children (ICAC) Task Force.
➢ Gary has also examined mobile devices on behalf of clients in civil litigations. Gary has acted as an
expert witness in several federal criminal cases, as well as numerous civil matters.
➢ Gary is also a frequent speaker at conferences about the process of mobile device forensics. He has
also conducted many training courses on mobile phone and Smartphone forensics.
➢ Gary Kessler Associates is capable of performing logical and physical analysis of most types of cell
phones, tablets, GPS devices, and other mobile devices. In conjunction with partners, GKA is able to
provide a broad range of services, including chip-off examinations and analysis of call detail records
and cell tower information.
➢ Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or
data from a mobile device under forensically sound conditions. The phrase mobile device usually
refers to mobile phones; however, it can also relate to any digital device that has both internal
memory and communication ability, including PDA devices, GPS devices and tablet computers.
➢ The use of phones in crime was widely recognized for some years, but the forensic study of mobile
devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly
smart phones) on the consumer market caused a demand for forensic examination of the devices,
which could not be met by existing computer forensics techniques.
➢ Mobile devices can be used to save several types of personal information such as contacts, photos,
calendars and notes, SMS and MMS messages. Smart phones may additionally contain video, email,
web browsing information, location information, and social networking messages and contacts.
➢ There is a growing need for mobile forensics for several reasons, some of the prominent ones
being:

✓ Use of mobile phones to store and transmit personal and corporate information
✓ Use of mobile phones in online transactions
✓ Law enforcement, criminals and mobile phone devices

➢ Mobile device forensics can be particularly challenging on a number of levels:[3]

✓ Evidential and technical challenges exist. For example, cell site analysis following from the
use of a mobile phone's usage coverage is not an exact science. Consequently, whilst it is
possible to determine roughly the cell site zone from which a call was made or received, it is
not yet possible to say with any degree of certainty that a mobile phone call emanated from a
specific location, e.g. a residential address.

✓ To remain competitive, original equipment manufacturers frequently change mobile
phone form factors, operating system file structures, data storage, services, peripherals,
and even pin connectors and cables. As a result, forensic examiners must use a different
forensic process compared to computer forensics.
✓ Storage capacity continues to grow thanks to demand for more powerful "mini
computer" type devices.
✓ Not only the types of data but also the way mobile devices are used constantly evolve.
✓ Hibernation behavior, in which processes are suspended when the device is powered off
or idle but at the same time remain active.
