1. IPSec Protocol
➢ The seven groups of documents describing the set of IPSec protocols are explained in the following:
✓ Architecture: The main architecture document covers the general concepts, security
requirements, definitions and mechanisms defining IPSec technology.
✓ ESP: This document covers the packet format and general issues related to the use of the ESP
for packet encryption and optional authentication. This protocol document also contains
default values where appropriate, and dictates some of the values in the Domain of Interpretation
(DOI).
✓ AH: This document covers the packet format and general issues related to the use of AH for
packet authentication. This document also contains default values such as the default padding
contents, and dictates some of the values in the DOI document.
✓ Encryption algorithm: This is a set of documents that describe how various encryption
algorithms are used for ESP.
2.1 AH Format
The IPSec AH format is shown in the Figure. Its fields are as follows:
➢ Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The default
length of the authentication data field is 96 bits, or three 32-bit words, which gives a payload length value of 4.
➢ Reserved (16 bits): This field is reserved for future use. It must be set to zero.
➢ SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination
➢ Sequence number (32 bits): This field contains a monotonically increasing counter value which
provides an anti-replay function.
➢ Authentication data (variable): This field is a variable-length field that contains the Integrity Check
Value (ICV) or MAC for this packet. This field must be an integral multiple of 32-bit words. It may
include explicit padding. This padding is included to ensure that the length of the AH is an integral
multiple of 32 bits (IPv4) or 64 bits (IPv6).
3. IP ESP
➢ The ESP header is designed to provide security services in IPv4 and IPv6.
➢ ESP can be applied in combination with the IP AH or through the use of tunnel mode. Security
services are provided between a pair of hosts, between a pair of security gateways or between a
security gateway and a host.
➢ The ESP header is inserted after the IP header and before the upper-layer protocol header (transport
mode) or before an encapsulated IP header (tunnel mode).
➢ ESP is used to provide confidentiality (encryption), data origin authentication, integrity and an anti-replay service.
➢ SPI (32 bits): The set of SPI values in the range 1 – 255 is reserved by the IANA for future use.
The SPI field in the ESP packet format is mandatory and always present.
➢ Sequence number (32 bits): This field contains a monotonically increasing counter value, which
provides the anti-replay function. It is mandatory and is always present even if the receiver does
not elect to enable the anti-replay service for a specific SA.
➢ Payload data (variable): This variable-length field contains data described by the next header
field. The field is an integral number of bytes in length. If the algorithm requires an initialization
vector (IV) to encrypt the payload, then this data may be carried explicitly in the payload field.
➢ Padding (0 – 255 bytes): Padding is needed for several reasons: the encryption algorithm may require
the plaintext to be a multiple of some block size; the pad length and next header fields must be
right-aligned within a 4-byte word; and extra padding may be added to conceal the actual length of the payload.
➢ Pad length (8 bits): This field indicates the number of pad bytes immediately preceding it.
The range of valid values is 0 – 255, where a value of 0 indicates that no padding
bytes are present. This field is mandatory.
➢ Next header (8 bits): This field identifies the type of data contained in the payload
data field, i.e. an extension header in IPv6 or an upper-layer protocol identifier. The
next header field is mandatory.
➢ Authentication data (variable): This is a variable-length field containing an ICV
computed over the ESP packet minus the authentication data. The length of this
field is specified by the authentication function selected. The field is optional and is
included only if the authentication service has been selected for the SA in question.
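The two header layouts above, parsed from raw bytes. This is an added example, not code from the original notes; the two sample packets are constructed here (addresses, SPIs and ICV bytes are made up), and the ESP sample uses a NULL cipher so the trailer is readable without a decryption step. Note that the AH parser derives the ICV length from the Payload Length field, while the ESP parser must be told the ICV length by the SA, because ESP carries no such field.

```python
import struct

# Constructed sample packets (not captures from the original page).
# AH: Next Header 50 (ESP), Payload Len 4 -> (4 + 2) * 4 = 24 bytes total,
# so the ICV is 24 - 12 = 12 bytes (the 96-bit default), followed by payload.
SAMPLE_AH = struct.pack("!BBHII", 50, 4, 0, 0x1000, 1) + b"\x11" * 12 + b"rest"

# ESP with a NULL cipher: SPI 0x1234, seq 7, payload "hello", 3 bytes of
# default padding (1, 2, 3), Pad Length 3, Next Header 6 (TCP), 12-byte ICV.
SAMPLE_ESP = (struct.pack("!II", 0x1234, 7) + b"hello" + b"\x01\x02\x03"
              + bytes([3, 6]) + b"\xaa" * 12)


def parse_ah(data: bytes) -> dict:
    """Parse the IPsec Authentication Header (fixed part: Next Header,
    Payload Len, Reserved, SPI, Sequence Number; then the ICV).

    Payload Len counts 32-bit words minus 2, so the ICV length is derived
    from it rather than trusted from anywhere else in the packet.
    """
    if len(data) < 12:
        raise ValueError("AH shorter than its 12-byte fixed part")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    if reserved != 0:
        raise ValueError("AH Reserved field must be zero")
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("truncated AH: header claims %d bytes" % total_len)
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:total_len], "rest": data[total_len:]}


def parse_esp(data: bytes, icv_len: int) -> dict:
    """Parse an ESP packet whose payload is already in the clear (NULL cipher
    or after decryption).  The ICV length must come from the SA, since the
    packet itself does not carry it."""
    if len(data) < 8 + 2 + icv_len:
        raise ValueError("ESP shorter than header + trailer + ICV")
    spi, seq = struct.unpack("!II", data[:8])
    if 1 <= spi <= 255:
        raise ValueError("SPI %d lies in the IANA-reserved range 1-255" % spi)
    body = data[8:len(data) - icv_len]   # payload || padding || pad len || next hdr
    icv = data[len(data) - icv_len:]
    pad_len, next_hdr = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("Pad Length %d exceeds the payload" % pad_len)
    payload_end = len(body) - 2 - pad_len
    padding = body[payload_end:len(body) - 2]
    # The default padding content is the byte sequence 1, 2, 3, ...; a receiver
    # may check it when the SA did not negotiate other padding contents.
    default_padding = padding == bytes(range(1, pad_len + 1))
    return {"spi": spi, "seq": seq, "payload": body[:payload_end],
            "pad_len": pad_len, "default_padding": default_padding,
            "next_header": next_hdr, "icv": icv}
```

A real receiver would verify the ICV before looking at anything else in the trailer; the pad-length bound check above is what stops a corrupted Pad Length from indexing outside the body.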
➢ The key management mechanism of IPsec involves the determination and distribution of a secret key.
Key establishment is at the heart of data protection that relies on cryptography. A secure key
distribution for the Internet is an essential part of packet protection.
4.1 OAKLEY Key Determination Protocol
➢ Oakley is a refinement of the Diffie-Hellman key exchange algorithm; it is a method to establish an
authenticated key exchange.
➢ The Oakley protocol is used to establish a shared key with an assigned identifier and associated
authenticated identities for the two parties.
➢ Oakley can be used directly over the IP protocol or over the UDP protocol using a well-known port
number assignment.
➢ Oakley uses cookies for two purposes:
✓ anti-clogging (denial of service protection)
✓ key naming.
➢ The anti-clogging tokens provide a form of source address identification for both parties. The
construction of the cookies prevents an attacker who spoofs a source IP address and UDP port from
obtaining a valid cookie, since the cookie is returned only to the address it was computed for.
➢ Oakley employs nonces to protect against replay attacks. Each nonce is a pseudorandom number which is
generated by the transmitting entity. The nonce payload contains this random data, used to guarantee
liveness during a key exchange and to protect against replay attacks.
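The cookie and nonce mechanisms just described, as an added example that is not part of the original notes. The cookie construction (an HMAC over the two addresses, the two ports and a rotating time window, keyed with a responder-local secret) is one common stateless realization and is an assumption of this example; the page only says cookies are tied to the IP address and UDP port. The addresses and secret are made up.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time


class CookieIssuer:
    """Stateless anti-clogging cookies in the Oakley/ISAKMP style.

    cookie = HMAC-SHA256(local_secret, src_ip || dst_ip || src_port || dst_port || window)[:8]

    The responder stores nothing per peer: when the 64-bit cookie comes back
    it recomputes the value for the addresses the message actually arrived
    from and compares.  (Assumed construction; see the lead-in.)
    """

    def __init__(self, secret: bytes = None, window_seconds: int = 60):
        self.secret = secret if secret is not None else os.urandom(32)
        self.window_seconds = window_seconds

    def _window(self, now: float) -> int:
        return int(now // self.window_seconds)

    def _compute(self, src_ip, dst_ip, src_port, dst_port, window) -> bytes:
        msg = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HHQ", src_port, dst_port, window))
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def issue(self, src_ip, dst_ip, src_port, dst_port, now=None) -> bytes:
        now = time.time() if now is None else now
        return self._compute(src_ip, dst_ip, src_port, dst_port, self._window(now))

    def verify(self, cookie, src_ip, dst_ip, src_port, dst_port, now=None) -> bool:
        now = time.time() if now is None else now
        w = self._window(now)
        # Accept the current and the previous window so a rotation that happens
        # mid-exchange does not reject an honest peer.
        return any(hmac.compare_digest(cookie,
                                       self._compute(src_ip, dst_ip, src_port, dst_port, x))
                   for x in (w, w - 1))


class NonceCache:
    """Nonces give liveness: a fresh random value per exchange, and a
    responder that refuses to process a nonce it has already seen."""

    def __init__(self):
        self.seen = set()

    @staticmethod
    def fresh() -> bytes:
        return os.urandom(16)

    def accept(self, nonce: bytes) -> bool:
        if nonce in self.seen:
            return False          # replayed
        self.seen.add(nonce)
        return True


def anti_clogging_exchange(issuer, claimed_src, reply_src,
                           dst="198.51.100.1", port=500, now=1000.0) -> bool:
    """First round trip: the responder computes a cookie for the address the
    request claims to come from (it can only send it there), and later checks
    it against the address the follow-up message really comes from."""
    cky_r = issuer.issue(claimed_src, dst, port, port, now)
    return issuer.verify(cky_r, reply_src, dst, port, port, now)
```

An attacker who spoofed `claimed_src` never receives `cky_r` at all; one who captured a cookie meant for another host and replays it from its own address fails the recomputation, which is what the last assertion in the test exercises.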
4.2 ISAKMP
➢ ISAKMP defines a framework for SA management and cryptographic key establishment for the
Internet.
➢ This framework consists of defined exchange, payloads and processing guidelines that occur within a
given DOI.
➢ ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete SAs.
➢ It also defines payloads for exchanging key generation and authentication data.
be null.
✓ Compression method: This is the algorithm used to compress data prior to encryption.
✓ Cipher spec: This specifies the bulk data encryption algorithm (such as null, DES, etc.)
and a hash algorithm (such as MD5 or SHA-1) used for MAC computation. It also defines
cryptographic attributes such as the hash size.
✓ Master secret: This is a 48-byte secret shared between the client and server. It represents
secure secret data used for generating encryption keys, MAC secrets and IVs.
✓ Is resumable: This is a flag indicating whether the session can be used to initiate
new connections.
5.1.2 SSL connection
➢ A connection is a transport (in the OSI layering model definition) that provides a suitable type of
service. For SSL, such connections are peer-to-peer relationships. The connections are transient.
Every connection is associated with one session.
✓ RSA: When RSA is used for server authentication and key exchange, a 48-byte pre-master secret
is generated by the client, encrypted with the server’s public key and sent to the server. The
server decrypts the cipher text (of the premaster secret) using its private key to recover the
premaster secret. Both parties then convert the premaster secret into the master secret as specified
below.
✓ Diffie-Hellman: A conventional Diffie-Hellman computation is performed. Both client and
server compute the same Diffie-Hellman common key. This negotiated key is used as the premaster
secret and is converted into the master secret, as specified below.
➢ The client and server then compute the master secret as follows:
master_secret = MD5(pre_master_secret || SHA('A' || pre_master_secret || ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA('BB' || pre_master_secret || ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA('CCC' || pre_master_secret || ClientHello.random || ServerHello.random))
➢ where ClientHello.random and ServerHello.random are the two nonce values exchanged in the initial
hello messages.
➢ The key block is then expanded from the master secret (note that the two random values appear in the opposite order):
key_block = MD5(master_secret || SHA('A' || master_secret || ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA('BB' || master_secret || ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA('CCC' || master_secret || ServerHello.random || ClientHello.random)) || ...
➢ until enough output has been generated. Note that the generation of the key block from the master
secret uses the same format as the generation of the master secret from the premaster secret. The
Figure above illustrates the steps for generation of the key block from the master secret.
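The two derivations written out above, implemented with the standard library. This is an added example, not code from the original notes; the pre-master secret and the two hello randoms are constructed values, and the MAC/key/IV sizes passed to `split_key_block` are an assumption (they depend on the negotiated cipher spec).

```python
import hashlib


def ssl3_prf(secret: bytes, rand1: bytes, rand2: bytes, nbytes: int) -> bytes:
    """The SSLv3 expansion used above: for i = 1, 2, 3, ... the i-th block is
    MD5(secret || SHA1(label_i || secret || rand1 || rand2)) where label_i is
    'A', 'BB', 'CCC', ...  Each block is 16 bytes; stop once nbytes are out."""
    out = b""
    i = 0
    while len(out) < nbytes:
        i += 1
        label = bytes([ord("A") + i - 1]) * i
        inner = hashlib.sha1(label + secret + rand1 + rand2).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:nbytes]


def ssl3_master_secret(pre_master_secret, client_random, server_random) -> bytes:
    """48 bytes = exactly the three blocks 'A', 'BB', 'CCC' written out above."""
    return ssl3_prf(pre_master_secret, client_random, server_random, 48)


def ssl3_key_block(master_secret, client_random, server_random, nbytes) -> bytes:
    """Same expansion, but note the operand order: ServerHello.random comes
    before ClientHello.random, so the two derivations are not interchangeable."""
    return ssl3_prf(master_secret, server_random, client_random, nbytes)


def split_key_block(key_block, mac_len, key_len, iv_len) -> dict:
    """Partition in the SSLv3 order: client MAC secret, server MAC secret,
    client write key, server write key, client IV, server IV."""
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(key_block) < sum(sizes):
        raise ValueError("key block too short for the requested partition")
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = key_block[pos:pos + size]
        pos += size
    return out


# Constructed inputs (not from any real handshake): a 48-byte pre-master
# secret as RSA key exchange would produce it, and two 32-byte hello randoms.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32
```

For SHA-1 MACs, a 3DES key and an 8-byte IV the key block must be 2 × (20 + 24 + 8) = 104 bytes, i.e. seven blocks of the expansion, of which the last is truncated.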
➢ The TLS v1 protocol itself is based on the SSLv3 protocol specification as published by Netscape.
Many of the algorithm-dependent data structures and rules are very close so that the differences
between TLSv1 and SSLv3 are not dramatic.
➢ A keyed-hash message authentication code (HMAC) is a secure digest of some data protected
by a secret. Forging the HMAC is infeasible without knowledge of the MAC secret.
➢ HMAC can be used with a variety of different hash algorithms, here MD5 and SHA-1, denoted
HMAC_MD5(secret, data) and HMAC_SHA-1(secret, data).
➢ There are two differences between the SSLv3 and TLS MAC schemes. First, TLS makes use of the HMAC
algorithm defined in RFC 2104, with the following notation:
✓ ipad = 00110110 (0x36) repeated 64 times (512 bits)
✓ opad = 01011100 (0x5c) repeated 64 times (512 bits)
✓ H = one-way hash function for TLS (either MD5 or SHA-1)
✓ M = message input to HMAC
✓ K = secret key padded to the block length of the hash function (512 bits for
MD5 and SHA-1)
➢ The HMAC computation proceeds as follows:
✓ Step 1: Append zeros to the end of K to create a b-byte string (i.e. if K is 160 bits long and b is 64 bytes,
512 bits, then K is appended with 352 zero bits, or 44 zero bytes 0x00).
✓ Step 2: XOR (bitwise exclusive-OR) the b-byte string from step 1 with ipad.
✓ Step 3: Append M to the b-byte string resulting from step 2.
✓ Step 4: Apply H to the stream generated in step 3.
✓ Step 5: XOR (bitwise exclusive-OR) the b-byte string from step 1 with opad.
✓ Step 6: Append the hash result from step 4 to the b-byte string resulting from step 5.
✓ Step 7: Apply H to the stream generated in step 6 and output the result.
➢ The figure below illustrates the overall operation of HMAC-MD5 or HMAC-SHA-1.
Figure: Overall operation of HMAC computation using either MD5 or SHA-1 (message length
computation based on K_i || M, where K_i = K XOR ipad).
➢ The alternative operation for computation of either HMAC-MD5 or HMAC-SHA-1 is described in
the following:
Figure: Alternative operation of HMAC computation using MD5 (message length computation is based
on M only).
➢ For TLS, the MAC computation encompasses the fields indicated in the following expression:
HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version ||
TLSCompressed.length || TLSCompressed.fragment)
➢ The second difference is that the MAC calculation includes all of the fields covered by the SSLv3 computation, plus the
field TLSCompressed.version, which is the version of the protocol being employed.
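The seven HMAC steps and the TLS record MAC expression above, implemented and checked. This is an added example rather than code from the original notes. The HMAC function follows RFC 2104 step by step (with the RFC's rule that a key longer than the block is hashed first, which the steps above do not mention); the record fields are encoded as TLS 1.0 does (64-bit sequence number, 8-bit type, two version bytes, 16-bit length). The RFC 2202 vector used in the test is published; the MAC secret and fragment are constructed.

```python
import hashlib
import hmac
import struct


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC exactly as the seven steps above describe it (RFC 2104)."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size          # 64 bytes for MD5 and SHA-1
    if len(key) > b:
        key = h(key)                               # RFC 2104: hash over-long keys first
    k = key + b"\x00" * (b - len(key))             # step 1: zero-pad K to b bytes
    k_ipad = bytes(x ^ 0x36 for x in k)            # step 2: K xor ipad
    inner = h(k_ipad + message)                    # steps 3-4: H((K xor ipad) || M)
    k_opad = bytes(x ^ 0x5C for x in k)            # step 5: K xor opad
    return h(k_opad + inner)                       # steps 6-7: H((K xor opad) || inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against Python's hmac module."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def tls_record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
                   version: tuple, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """The TLS 1.0 record MAC from the expression above:
    HMAC_hash(MAC_write_secret, seq_num || type || version || length || fragment)
    with seq_num as 64 bits, type 8 bits, version two bytes (major, minor) and
    length 16 bits, all big-endian."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac_manual(mac_write_secret, header + fragment, hash_name)


# RFC 2202 test case 1 (a published vector, reproduced here for checking).
RFC2202_KEY_SHA1 = b"\x0b" * 20
RFC2202_KEY_MD5 = b"\x0b" * 16
RFC2202_DATA = b"Hi There"
```

Because the sequence number is inside the MAC input, the same application-data record sent twice produces two different MACs; that is what gives the TLS record layer its replay protection.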
1. PGP
➢ Pretty Good Privacy (PGP) was invented by Philip Zimmermann, who released version 1.0 in
1991.
➢ PGP is widely used in individual and commercial versions that run on a variety of
platforms throughout the computer community.
➢ PGP uses a combination of symmetric secret-key and asymmetric public-key encryption to
provide security services for electronic mail and data files.
➢ It also provides data integrity services for messages and data files by using digital signatures,
encryption, compression (ZIP) and radix-64 conversion (ASCII Armor).
Figure 9.4 Packet tag octet (bit 7 is the MSB, bit 0 the LSB):
✓ Bit 7: always one; bit 6: 0 for an old format packet, 1 for a new format packet
✓ Old format packets: content tag in bits 5, 4, 3, 2; length type in bits 1, 0
✓ New format packets: content tag in bits 5, 4, 3, 2, 1, 0 (6 bits)
➢ A PGP message is constructed from a number of packets. A packet is a chunk of data which has a
tag specifying its meaning. Each packet consists of a packet header of variable length, followed by
the packet body.
➢ The first octet of the packet header is called the packet tag as shown in Figure 9.4.
The MSB is ‘bit 7’ (the leftmost bit) whose mask is 0x80 (10000000) in hexadecimal. PGP 2.6.x
only uses old format packets.
➢ Hence, software that interoperates with PGP 2.6.x must only use old format
packets. These packets have 4 bits of content tags, but new format packets have 6 bits of content
tags.
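The packet tag octet and the length octets that follow it, decoded for both formats. This is an added example, not code from the original notes. The length encodings (old format length types 0 to 3; new format one-, two- and five-octet lengths and partial body lengths) are those of the OpenPGP message format, and the sample message is constructed: an old-format Literal Data packet followed by a new-format Signature packet with made-up bodies.

```python
TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature",
             6: "Public-Key", 8: "Compressed Data",
             9: "Symmetrically Encrypted Data", 11: "Literal Data", 13: "User ID"}


def parse_packet_header(data: bytes) -> dict:
    """Decode the first octet of a PGP packet and the body length after it.

    Bit 7 is always set; bit 6 selects old (0) or new (1) format.  Old format
    carries a 4-bit tag in bits 5-2 and a length type in bits 1-0; new format
    carries a 6-bit tag in bits 5-0 and self-describing length octets."""
    tag_octet = data[0]
    if not tag_octet & 0x80:
        raise ValueError("bit 7 of the packet tag must be set")
    new_format = bool(tag_octet & 0x40)
    partial = False
    if new_format:
        tag = tag_octet & 0x3F
        first = data[1]
        if first < 192:                       # one-octet length
            length, hlen = first, 2
        elif first < 224:                     # two-octet length
            length, hlen = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:                    # five-octet length
            length, hlen = int.from_bytes(data[2:6], "big"), 6
        else:                                 # partial body length (first chunk only)
            length, hlen, partial = 1 << (first & 0x1F), 2, True
    else:
        tag = (tag_octet >> 2) & 0x0F
        length_type = tag_octet & 0x03
        if length_type == 3:                  # indeterminate length
            length, hlen = None, 1
        else:                                 # 1, 2 or 4 length octets
            n = 1 << length_type
            length, hlen = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return {"new_format": new_format, "tag": tag, "name": TAG_NAMES.get(tag, "unknown"),
            "length": length, "header_len": hlen, "partial": partial}


def walk_packets(data: bytes) -> list:
    """Split a concatenation of packets into their headers.  Stops at the
    first indeterminate or partial length, which needs streaming to resolve."""
    out, pos = [], 0
    while pos < len(data):
        hdr = parse_packet_header(data[pos:])
        out.append(hdr)
        if hdr["length"] is None or hdr["partial"]:
            break
        pos += hdr["header_len"] + hdr["length"]
    return out


# Constructed message: an old-format Literal Data packet (tag 11, one-octet
# length, 5-byte body) followed by a new-format Signature packet (tag 2).
SAMPLE_MESSAGE = bytes([0xAC, 0x05]) + b"hello" + bytes([0xC2, 0x03]) + b"sig"
```

The old-format tag space has only 16 values, which is why the new format was introduced; a parser that interoperates with PGP 2.6.x must still accept the old form, as the notes say.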
➢ Signature Packet
This packet describes a binding between some public key and some data. The most common
signatures are a signature of a file or a block of text, and a signature that is a certification of a user
ID.
➢ The signature includes the following components:
Timestamp: This is the time at which the signature was created.
Message digest (or hash code): A hash code represents the 160-bit SHA-1 digest, encrypted with
sender A’s private key. The hash code is calculated over the signature timestamp concatenated with
the data portion of the message component.
Figure: PGP operations (the figure itself is not reproduced). Legend:
M: Data; T: Timestamp; KS: Session key; ZIP: compression;
EKSa: Encryption with user A's private key; EKPb: Encryption with user B's public key.
2. S/MIME
➢ S/MIME provides a way to send and receive 7-bit MIME data. S/MIME can be used with any
system that transports MIME data.
➢ It can also be used by traditional mail user agents (MUAs) to add cryptographic security services to
mail that is sent, and to interpret cryptographic security services in mail that is received.
2.1 Definitions
➢ ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.680 – 689.
➢ BER: Basic Encoding Rules for ASN.1, as defined in ITU-T X.690.
➢ DER: Distinguished Encoding Rules for ASN.1, as defined in ITU-T X.690.
➢ Certificate: A type that binds an entity’s distinguished name to a public key with a digital signature.
This type is defined in the PKIX certificate and CRL profile. The certificate also contains the
distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the
issuer’s signature algorithm identifier, a validity period and extensions also defined in that
certificate.
➢ CRL: The Certificate Revocation List that contains information about certificates whose validity the
issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the
next scheduled time of issue, a list of certificate serial numbers and their associated revocation
times, and extensions as defined in Chapter 6. The CRL is signed by the issuer.
➢ Attribute certificate: An X.509 AC is a separate structure from a subject's PKIX certificate. A
subject may have multiple X.509 ACs associated with each of its PKIX certificates. Each X.509 AC
binds one or more attributes with one of the subject's PKIX certificates.
➢ Sending agent: Software that creates S/MIME CMS objects, MIME body parts that contain CMS
objects, or both.
➢ Receiving agent: Software that interprets and processes S/MIME CMS objects, MIME parts that
contain CMS objects, or both.
➢ S/MIME agent: User software that is a receiving agent, a sending agent, or both.
➢ A triple wrapped message is one that has been signed, then encrypted and then signed again.
The signers of the inner and outer signatures may be different entities or the same entity.
➢ The S/MIME specification does not limit the number of nested encapsulations, so there may be
more than three wrappings.
➢ The inside signature is used for content integrity, non-repudiation with proof of origin, and
binding attributes to the original content.
➢ The outside signature provides authentication and integrity for information that is processed hop
by hop, where each hop is an intermediate entity such as a mail list agent.
➢ The steps to create a triple wrapped message are as follows:
1. Start with the original content (a message body).
2. Encapsulate the original content with the appropriate MIME content-type headers.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The resulting
message is called the inside signature.
✓ If it is signed using multipart/signed, the MIME construct added consists of a
content type of multipart/signed with parameters, the boundary, the step 2 result,
a content type of application/pkcs7-signature, optional MIME headers, and a
body part that is the result of step 3.
✓ If it is instead signed using application/pkcs7-mime, the MIME construct added
consists of a content type of application/pkcs7-mime with parameters, optional
MIME headers and the result of step 3.
5. Encrypt the step 4 result as a single block, turning it into an application/pkcs7-mime
object.
6. Add the appropriate MIME headers: a content type of application/pkcs7-mime with
parameters, and optional MIME headers such as Content-Transfer-Encoding and Content-
Disposition.
7. Sign the step 6 result (the MIME headers and the encrypted body) as a single block.
8. Using the same logic as in step 4, add an appropriate MIME construct to the signed
message from step 7. The resulting message is called the outside signature, and is also the
triple wrapped message.
➢ A triple wrapped message has many layers of encapsulation. The structure differs depending on the
choice of format for the signed portions of the message. Because of the way that MIME
encapsulates data, the layers do not appear in order
applied to incoming traffic from external users; the latter requires some form of secure
authentication technology, such as is provided in IPsec.
4. Behavior control: Controls how particular services are used. For example, the firewall may
filter e-mail to eliminate spam, or it may enable external access to only a portion of the
information on a local Web server.
3.5 Capabilities of firewall:
The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks. The use of a single
choke point simplifies security management because security capabilities are consolidated on a
single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be
implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related.
These include a network address translator, which maps local addresses to Internet addresses,
and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec.
3.6 Limitations of Firewalls:
Firewalls have their limitations
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have
dial-out capability to connect to an ISP. An internal LAN may support a modem pool that
provides dial-in capability for travelling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an
employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An
internal firewall that separates portions of an enterprise network cannot guard against wireless
communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate
network, and then attached and used internally.
➢ Destination IP address: The IP address of the system the IP packet is trying to reach (e.g.,
192.168.1.2)
➢ Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port
number, which defines applications such as SNMP or TELNET
➢ IP protocol field: Defines the transport protocol
➢ Interface: For a firewall with three or more ports, which interface of the firewall the packet
came from or which interface of the firewall the packet is destined for.
➢ Possible default policies:
Default = discard: That which is not expressly permitted is prohibited.
Default = forward: That which is not expressly prohibited is permitted.
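A packet-filter evaluator over the fields listed above (source and destination address, transport protocol and port, arriving interface) with both default policies. This is an added example and not code from the original notes; the rule set, the 192.0.2.0/24 internal network and the 192.0.2.10 mail host are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", ...
    sport: int
    dport: int
    iface: str        # interface the packet arrived on


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: tuple = (0, 65535)      # inclusive destination port range
    iface: str = "any"
    comment: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields matches the packet."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.proto in ("any", pkt.proto)
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and rule.iface in ("any", pkt.iface))


def evaluate(rules: list, pkt: Packet, default: str = "discard") -> str:
    """First matching rule wins; if none matches, the default policy applies.
    default="discard": what is not expressly permitted is prohibited.
    default="forward": what is not expressly prohibited is permitted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return {"discard": "deny", "forward": "permit"}[default]


# Constructed rule set (assumed addresses): internal net 192.0.2.0/24, a mail
# host 192.0.2.10 reachable from outside on TCP 25, and web browsing out.
RULES = [
    Rule("deny", src="192.0.2.0/24", iface="outside",
         comment="anti-spoofing: internal source address on the external interface"),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=(25, 25), iface="outside",
         comment="inbound SMTP to the mail host"),
    Rule("permit", src="192.0.2.0/24", proto="tcp", dport=(80, 80), iface="inside"),
    Rule("permit", src="192.0.2.0/24", proto="tcp", dport=(443, 443), iface="inside"),
    Rule("deny", proto="udp", dport=(161, 162), comment="no SNMP across the firewall"),
]
```

The anti-spoofing rule must come first: under a forward default, a packet with an internal source address arriving on the outside interface would otherwise be let through to the mail host. The test shows the same telnet packet being dropped under `discard` and passed under `forward`, which is the practical difference between the two policies.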
2. For traffic from the internal network, only IP packets from the bastion host are allowed out.
➢ The bastion host performs authentication and proxy functions. This configuration has greater
security than simply a packet-filtering router or an application-level gateway alone, for two reasons.
➢ First, this configuration implements both packet-level and application-level filtering, allowing for
considerable flexibility in defining security policy. Second, an intruder must generally penetrate two
separate systems before the security of the internal network is compromised.
➢ This configuration also affords flexibility in providing direct Internet access. For example, the
internal network may include a public information server, such as a Web server, for which a high
level of security is not required.
➢ In that case, the router can be configured to allow direct traffic between the information server and
the Internet.
SECURE ELECTRONIC TRANSACTION [SET]
➢ SET is an open encryption and security specification designed to protect credit card transactions on
the Internet. SET is not itself a payment system.
➢ Rather it is a set of security protocols and formats that enables users to employ the existing credit
card payment infrastructure on an open network, such as the Internet, in a secure fashion.
3. Issuer:This is a financial institution, such as a bank, that provides the cardholder with the
payment card.
4. Acquirer:This is a financial institution that establishes an account with a merchant and processes
payment card authorizations and payments.
5. Payment gateway:This is a function operated by the acquirer or a designated third party that
processes merchant payment messages.
6. Certification authority (CA):This is an entity that is trusted to issue X.509v3 public-key
certificates for cardholders, merchants, and payment gateways.
Dual Signature
➢ The purpose of the dual signature is to link two messages that are intended for two different
recipients. In this case, the customer wants to send the order information (OI) to the merchant and
the payment information (PI) to the bank.
➢ The merchant does not need to know the customer's credit card number, and the bank does not need
to know the details of the customer's order. The customer is afforded extra protection in terms of
privacy by keeping these two items separate. However, the two items must be linked in a way that
can be used to resolve disputes if necessary.
➢ The link is needed so that the customer can prove that this payment is intended for this order and not
for some other goods or service.
➢ The customer takes the hash (using SHA-1) of the PI and the hash of the OI. These two hashes are
then concatenated and the hash of the result is taken.
➢ Finally, the customer encrypts the final hash with his or her private signature key, creating the dual
signature. The operation can be summarized as
DS = E(PRc, [H(H(PI) || H(OI))])
➢ Where PRc is the customer's private signature key. Now suppose that the merchant is in possession
of the dual signature (DS), the OI, and the message digest for the PI (PIMD).
➢ The merchant also has the public key of the customer, taken from the customer's certificate. Then
the merchant can compute the quantities
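The dual signature construction and the two verifications it enables, as an added example that is not part of the original notes. The RSA key is a toy built from two Mersenne primes so that the example runs without a cryptography library; it is far too small and unpadded for real use, and is only there to stand in for E(PRc, ·). The order and payment strings are constructed and contain no real card data.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so the example runs without a
# crypto library.  Illustration only: far too small and unpadded for real use.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sign_digest(digest: bytes) -> int:
    """E(PRc, digest): textbook RSA with the private exponent."""
    return pow(int.from_bytes(digest, "big"), D, N)


def verify_digest(digest: bytes, signature: int) -> bool:
    """D(PUc, signature) == digest, using the public exponent."""
    return pow(signature, E, N) == int.from_bytes(digest, "big")


def dual_signature(pi: bytes, oi: bytes):
    """DS = E(PRc, H(H(PI) || H(OI))).  Returns DS plus the two digests the
    customer hands to the parties that must not see the other's plaintext."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)
    return sign_digest(pomd), pimd, oimd


def merchant_verifies(oi: bytes, pimd: bytes, ds: int) -> bool:
    """The merchant has OI, PIMD and DS but never the PI (card number)."""
    return verify_digest(H(pimd + H(oi)), ds)


def bank_verifies(pi: bytes, oimd: bytes, ds: int) -> bool:
    """The bank has PI, OIMD and DS but never the OI (order details)."""
    return verify_digest(H(H(pi) + oimd), ds)


# Constructed order and payment information (no real card data).
SAMPLE_OI = b"order-id=1001;item=widget;qty=2;amount=40.00"
SAMPLE_PI = b"pan=4111111111111111;exp=12/29;amount=40.00"
```

Each party recomputes the outer hash from the one plaintext it holds and the digest of the other, so a merchant who later substitutes a different order, or a bank presented with a PI for a different order, fails verification; that is the dispute-resolution link the notes describe.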
Payment Processing
Payment processing consists of the following transactions:
➢ Purchase request
➢ Payment authorization
➢ Payment capture
Purchase Request
➢ Before the Purchase Request exchange begins, the cardholder has completed browsing, selecting,
and ordering. The end of this preliminary phase occurs when the merchant sends a completed order
form to the customer.
➢ The purchase request exchange consists of four messages:
✓ Initiate Request,
✓ Initiate Response,
✓ Purchase Request,
✓ Purchase Response.
Payment Capture
➢ The merchant sends the payment gateway a payment capture request.
➢ The gateway checks the request.
➢ It then causes funds to be transferred to the merchant's account.
➢ It notifies the merchant using a capture response.
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime.
Introduction to Identity Theft & Identity Fraud. Types of CF techniques - Incident and incident response
methodology - Forensic duplication and investigation. Preparation for IR: Creating response tool kit and
IR team. - Forensics Technology and Systems - Understanding Computer Investigation – Data
Acquisition.
Computer Crime
➢ Computer crime is any criminal offense, activity or issue that involves computers
➢ Computer misuse tends to fall into two categories:
✓ The computer is used to commit a crime.
✓ The computer itself is the target of a crime; the computer is the victim.
➢ Computer is used in illegal activities: child pornography, threatening letters, e-mail spam or
harassment, extortion, fraud and theft of intellectual property, embezzlement – all these crimes
leave digital tracks
➢ Investigation into these types of crimes include searching computers that are suspected of being
involved in illegal activities
➢ Analysis of gigabytes of data looking for specific keywords, examining log files to see what
happened at certain times
Computer Forensics
➢ Multiple methods of
✓ Discovering data on computer system
✓ Recovering deleted, encrypted, or damaged file information
✓ Monitoring live activity
✓ Detecting violations of corporate policy
Hacking
➢ Hacking is a crime, which entails cracking systems and gaining unauthorized access to the data
stored in them. Hacking had witnessed a 37 per cent increase this year.
Cyber Squatting
➢ Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune.
Phishing
➢ Phishing is just one of the many frauds on the Internet, trying to fool people into parting with their
money.
➢ Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting
them to enter their Username, Password or other personal information to access their Account for
some reason.
➢ The fraudster then has access to the customer's online bank account and to the funds contained in
that account.
Cyber Stalking
➢ Cyber Stalking is use of the Internet or other electronic means to stalk someone.
➢ This term is used interchangeably with online harassment and online abuse.
➢ Stalking generally involves harassing or threatening behavior that an individual engages in
repeatedly, such as following a person, appearing at a person's home or place of business, making
harassing phone calls, leaving written messages or objects, or vandalizing a person's property.
Vishing
➢ Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access
to private personal and financial information from the public for the purpose of financial reward.
➢ Vishing is typically used to steal credit card numbers or other information used in identity theft
schemes from individuals.
Identity theft: things to do
Step 1: Place an initial fraud alert on your credit report. Contact any one of the three nationwide credit
reporting companies.
Step 2: Order your credit reports. Contact each of the three credit reporting companies. ID theft victims
get a copy of their reports for free. Read your reports carefully and correct any errors.
Step 3: Create an Identity Theft Report and file a police report. The report gives you rights that help you
recover more quickly.
Types of CF techniques (incident response methodology)
1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-up
Preparation
Detection
Containment
➢ Strategies
✓ Shutting down a system
✓ Disconnect from the network
✓ Change filtering rules of firewalls
✓ Disabling or deleting compromised accounts
✓ Increasing monitoring levels
✓ Setting traps
✓ Striking back at the attacker’s system
➢ Adhering to containment procedures.
➢ Record all actions
➢ Define acceptable risks in advance
Eradication
➢ Eliminate the cause of the incident. Software available for most viruses, worm attacks.
Recovery
Follow-Up
➢ Forensic Duplicate: File that contains every bit of information from the source in a raw bit
stream format.
➢ Qualified Duplicate: Same as above, but allows embedded metadata or certain types of
compression.
➢ Tools that create forensic duplicates:
✓ dd
✓ FTK Imager (AccessData)
✓ dcfldd, the US DoD Computer Forensics Lab version of the dd command
➢ Tools that create qualified forensic duplicate output files:
✓ SafeBack
✓ EnCase
✓ FTK Imager
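A bit-stream duplicate in the dd/dcfldd style, with the acceptance check a practitioner wants: the image hashes identically to the source, and any block that could not be read is zero-filled at its original offset (the `conv=noerror,sync` behaviour) and recorded. This is an added example, not code from the original notes or from any of the tools listed; the "drive" is a constructed 4 KiB file in a temporary directory, and the unreadable sector is simulated by a set of offsets that the reader refuses.

```python
import hashlib
import os
import tempfile

BLOCK = 512


def _read_block(fh, offset: int, size: int, bad_offsets) -> bytes:
    """Read one block from the source.  bad_offsets is a constructed stand-in
    for unreadable sectors: any offset in it raises the OSError a failing
    drive would produce."""
    if offset in bad_offsets:
        raise OSError("I/O error at offset %d" % offset)
    fh.seek(offset)
    return fh.read(size)


def forensic_copy(src_path: str, dst_path: str, bad_offsets=frozenset(),
                  block: int = BLOCK) -> dict:
    """Bit-stream copy with the semantics of dd conv=noerror,sync: a block
    that cannot be read is logged and replaced by zeros of the same size, so
    every later byte keeps its original offset in the image.  The hash of
    the image is computed while writing, as dcfldd does."""
    size = os.path.getsize(src_path)
    sha = hashlib.sha256()
    bad, offset = [], 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while offset < size:
            want = min(block, size - offset)
            try:
                chunk = _read_block(src, offset, want, bad_offsets)
            except OSError:
                bad.append(offset)
                chunk = b"\x00" * want
            dst.write(chunk)
            sha.update(chunk)
            offset += block
    return {"image_size": os.path.getsize(dst_path),
            "image_sha256": sha.hexdigest(), "bad_offsets": bad}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src_path: str, dst_path: str) -> bool:
    """The acceptance test for a forensic duplicate: source and image hash
    identically.  Any zero-filled block makes this fail, which is the point;
    the bad-offset log is then the record of what could not be acquired."""
    return sha256_file(src_path) == sha256_file(dst_path)


def demo() -> dict:
    """Run a clean acquisition and one with a simulated unreadable sector
    on a constructed 4 KiB 'drive' in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 16)        # constructed content, 4096 bytes
        clean = forensic_copy(src, img)
        clean["verified"] = verify_image(src, img)
        flaky = forensic_copy(src, img, bad_offsets={1024})
        flaky["verified"] = verify_image(src, img)
        return {"clean": clean, "flaky": flaky}
```

Both hashes and the list of unreadable offsets belong in the acquisition notes: they are what lets the duplicate be shown to be complete, or to be incomplete in a known way, when its reliability is questioned later.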
Restored Image
➢ A restored image is what you get when you restore a forensic duplicate or a qualified forensic
duplicate to another storage medium.
➢ Mismatched drive geometries can cause problems.
HD Development
➢ When hard drives grew beyond 512MB, the PC-BIOS needed to be updated (to recognize larger
drives).
➢ Safeback, EnCase, FTK Imager, and dd will create a restored image from the qualified forensic
duplicate.
➢ EnCase and dd images may not need to be restored.
Mirror Image
➢ Created from hardware that does at bit for bit copy from one hard drive to another.
Legal Issues
➢ Tools used for forensic duplication must pass the legal tests for reliability.
➢ Note, when tool is generally accepted by others in the field, it is easier to prove that information
was gathered in a reliable, accurate manner.
Preparation for IR
8. Public Relations: Communicate with team leaders to have an accurate understanding of the issue and the
company's status before communicating with the press and/or informing the stockholders of the current situation.
9. Financial Auditor: Assess the damage incurred in terms of monetary value, which is frequently required for
insurance companies or if the company intends to press charges against the perpetrator.
FORENSICS TECHNOLOGY AND SYSTEMS
➢ Computer forensics has become a buzz word in today’s world of increased concern for security.
It seems that any product that can remotely be tied to network or computer security is quickly
labeled as a “forensics” system.
➢ This phenomenon makes designing clear incident response plans and corporate security plans
that support computer forensics difficult.
✓ Process the copied floppy disk with your computer forensics tools
Data Acquisition
➢ Data acquisition involves gathering signals from measurement sources and digitizing the signals
for storage, analysis, and presentation on a PC.
➢ Data acquisition systems come in many different PC technology forms to offer flexibility when
choosing your system. You can choose from PCI, PXI, PCI Express, PXI Express, PCMCIA,
USB, wireless, and Ethernet data acquisition for test, measurement, and automation applications.
➢ All industrial processing systems, factories, machinery, test facilities, and vehicles consist of
hardware components and computer software whose behavior follows the laws of physics as we
understand them.
➢ These systems contain thousands of mechanical and electrical phenomena that are continuously
changing; they are not steady state.
➢ The measurable quantities that represent the characteristics of all systems are called variables.
The proper functioning of a particular system depends on certain events in time and the
parameters of these variables.
➢ Often, we are interested in the location, magnitude, and speed of the variables, and we use
instruments to measure them.
➢ We assign the variables units of measure such as volts, pounds, and miles per hour, to name a
few.
Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer
Forensics Tools: Software/ Hardware Tools.
➢ Consistent practices help verify your work and enhance your credibility
➢ Comply with your state’s rules of evidence or with the Federal Rules of Evidence
➢ Evidence admitted in a criminal case can be used in a civil suit, and vice versa
➢ Keep current on the latest rulings and directives on collecting, processing, storing, and admitting
digital evidence
➢ Data you discover from a forensic examination falls under your state’s rules of evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 39
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Types of Evidence
✓ Direct evidence
✓ Circumstantial evidence
✓ Class evidence
✓ Individual evidence
Direct evidence
➢ It includes firsthand observations such as eyewitness accounts or police dashboard video cameras.
✓ Example: a witness states that she saw a defendant pointing a gun at a victim during a
robbery. In court, direct evidence involves testimony by a witness about what that
witness personally saw, heard, or did. Confessions are also considered direct evidence.
Circumstantial evidence
➢ It is indirect evidence that can be used to imply a fact but that does not directly prove it. No one,
other than the suspect and victim, actually sees when circumstantial evidence is left at the crime
scene.
➢ But circumstantial evidence found at a crime scene may provide a link between a crime scene and a
suspect.
✓ Example: finding a suspect’s gun at the site of a shooting is circumstantial evidence of
the suspect’s presence there. Circumstantial evidence can be either physical or biological
in nature. Physical evidence includes impressions such as fingerprints, footprints, shoe
prints, tire impressions, and tool marks.
Class evidence
➢ Narrows an identity to a group of persons or things. Knowing the ABO blood type of a sample of
blood from a crime scene tells us that one of many persons with that blood type may have been
there. It also allows us to exclude anyone with a different blood type.
Individual evidence
➢ Narrows an identity to a single person or thing. Individual evidence typically has such a unique
combination of characteristics that it could only belong to one person or thing, such as a fingerprint.
(Diagram: evidence types, direct or circumstantial; circumstantial evidence physical or biological.)
✓ It is relatively easy to recover DNA from cigarette ends found at the scene of a crime.
File Systems
➢ 3 types of file systems have been used by Windows: FAT, FAT32, NTFS
FAT x
➢ File Allocation Table – family of file systems for DOS/Windows operating systems
➢ FAT table – stores info. on status of all clusters on the disk = ‘table of content’
➢ x = 12, 16, 32 – number of bits used for cluster identification/numbering (the bit-size of each FAT
table entry)
Windows Registry
➢ critical part of any Windows OSs - hierarchical database containing configuration information about:
✓ system hardware;
✓ installed software (programs);
✓ property settings;
✓ Profile for each user, etc.
➢ OS uses instructions stored in the registry to determine how installed hardware and software should
function
➢ e.g. typical software comes with a Windows installer that writes to the registry during installation
➢ system must be restarted for changes to take place
✓ It can be used for digital chain of custody, to access remote or local devices, forensics of
Windows or Linux OS, recovery of hidden or deleted files, quick search for files’ metadata, and
various other things.
➢ X-Ways Forensics
➢ EnCase
✓ EnCase is another popular multi-purpose forensic platform with many nice tools for
several areas of the digital forensic process. This tool can rapidly gather data from various
devices and unearth potential evidence. It also produces a report based on the evidence.
➢ Registry Recon
✓ Registry Recon is a popular registry analysis tool. It extracts the registry information from
the evidence and then rebuilds the registry representation. It can rebuild registries from
both current and previous Windows installations.
➢ Libforensics
✓ Libforensics is a library for developing digital forensics applications. It was developed
in Python and comes with various demo tools to extract information from various
types of evidence.
➢ Volatility
✓ Volatility is a memory forensics framework used for incident response and malware
analysis. With this tool, you can extract information from running processes, network sockets,
network connections, DLLs and registry hives. It also has support for extracting information
from Windows crash dump files and hibernation files. This tool is available for free under the
GPL license.
➢ WindowsSCOPE
✓ WindowsSCOPE is another memory forensics and reverse engineering tool used for
analyzing volatile memory. It is mainly used for reverse engineering of malware. It
provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and
physical memory.
➢ The Coroner’s Toolkit
✓ The Coroner’s Toolkit or TCT is also a good digital forensic analysis tool. It runs
under several Unix-related operating systems. It can be used to aid analysis of
computer disasters and data recovery.
➢ Oxygen Forensic Suite
✓ Oxygen Forensic Suite is software for gathering evidence from a mobile phone to support
your case. This tool helps in gathering device information (including manufacturer, OS, IMEI
number, serial number), contacts and messages (emails, SMS, MMS), and in recovering deleted
messages, call logs and calendar information.
✓ It also lets you access and analyze mobile device data and documents. It generates
easy-to-understand reports.
➢ Bulk Extractor
✓ Bulk Extractor is also an important and popular digital forensics tool. It scans disk images, a
file or a directory of files to extract useful information. In this process, it ignores the file system
structure, so it is faster than other similar tools.
✓ It can mount several images at a time. It supports most image formats, including EnCase,
SafeBack, PFR, FTK DD, WinImage, raw images from Linux dd, and VMware images. It supports
both logical and physical image types.
➢ Plain Sight
✓ Plain Sight is another useful digital forensics tool. It is a CD-based Knoppix, which is a Linux
distribution. Some of its uses include viewing Internet histories, data carving, checking USB
device usage, extracting password hashes from memory dumps, information gathering, examining
Windows firewall configuration, seeing recent documents, and other useful tasks. To use this tool,
you only need to boot from the CD and follow the instructions.
➢ XRY
✓ XRY is a mobile forensics tool developed by Micro Systemation. It is used to analyze and
recover crucial information from mobile devices. This tool comes with a hardware device and
software. The hardware connects mobile phones to a PC and the software performs the analysis
of the device and extracts data. It is designed to recover data for forensic analysis.
✓ The latest version of the tool can recover data from all kinds of smartphones, including Android,
iPhone and BlackBerry. It gathers deleted data like call records, images, SMS and text messages.
➢ HELIX3
✓ HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It
comes with many open source digital forensics tools including hex editors, data carving
and password cracking tools. If you want the free version, you can go for Helix3 2009R1.
After this release, this project was overtaken by a commercial vendor. So, you need to pay
for most recent version of the tool.
✓ This tool can collect data from physical memory, network connections, user accounts,
executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen
captures, SAM files, applications, drivers, environment variables and Internet history. It then
analyzes and reviews the data to generate compiled results in reports.
➢ Cellebrite UFED
✓ Cellebrite’s UFED solutions present a unified workflow to allow examiners, investigators
and first responders to collect, protect and act decisively on mobile data with the speed
and accuracy a situation demands – without ever compromising one for the other.
✓ The UFED Pro Series is designed for forensic examiners and investigators who require
the most comprehensive, up-to-date mobile data extraction and decoding support
available to handle the influx of new data sources.
✓ Platform agnostic, the UFED Field Series is designed to unify workflows between the
field and lab, making it possible to view, access and share mobile data via in-car
workstations, laptops, tablets or a secure, self-service kiosk located at a station.
➢ Software validation is a part of the design validation for a finished device. Consider software
validation to be confirmation by examination and provision of objective evidence that software
specifications conform to user needs and intended uses, and that the particular requirements
implemented through software can be consistently fulfilled.
➢ In practice, software validation activities may occur both during and at the end of the software
development lifecycle to ensure that all requirements have been fulfilled.
➢ The validation of software typically includes evidence that all software requirements have been
implemented correctly and completely. A conclusion that software is validated is highly dependent
upon comprehensive software testing, inspections, analyses, and other verification tasks performed
at each stage of the software development lifecycle.
➢ Data validation is the process of ensuring that a program operates on clean, correct and useful
data. It uses routines, often called "validation rules", "validation constraints" or "check routines",
that check for correctness, meaningfulness, and security of data that are input to the system.
➢ The rules may be implemented through the automated facilities of a data dictionary, or by the
inclusion of explicit application program validation logic. Data validation (data vetting, data
cleaning) is the process of checking that data conforms to specification. It is usually the first
process undertaken on raw data.
➢ The following are among the kinds of checks that may be carried out: number and type of
characters in a data item; range of values of a data item; correctness of check character(s);
consistency between one data item and others in the same record; correctness of check totals for
individual records; correctness of batch controls.
Validation methods
➢ Allowed character checks: only expected characters are present in a field. For example, a numeric
field may only allow the digits 0-9, the decimal point and perhaps a minus sign or commas.
➢ A text field such as a personal name might disallow characters such as < and >, as they could be
evidence of a markup-based security attack. An e-mail address might require at least one @ sign and
various other structural details. Regular expressions are effective ways of implementing such checks.
(See also data type checks below.)
➢ Batch totals: checks for missing records. Numerical fields may be added together for all records in
a batch. The batch total is entered and the computer checks that the total is correct, e.g., add the
'Total Cost' field of a number of transactions together.
➢ Cardinality check: checks that a record has a valid number of related records. For example, if a
Contact record is classified as a Customer it must have at least one associated Order (Cardinality > 0).
If no order exists for a "customer" record, then it must either be changed to "seed" or the order must
be created.
➢ This type of rule can be complicated by additional conditions. For example, if a contact record in a
Payroll database is marked as "former employee", then this record must not have any associated
salary payments after the date on which the employee left the organization (Cardinality = 0).
➢ Check digits: used for numerical data. An extra digit is added to a number which is calculated from
the other digits. The computer checks this calculation when data are entered. For example, the last
digit of an ISBN for a book is a check digit calculated modulo 10.
➢ Consistency checks: checks fields to ensure that the data in these fields corresponds, e.g., if
Title = "Mr.", then Gender = "M".
➢ Control totals: a total done on one or more numeric fields which appear in every record. This is a
meaningful total, e.g., add the total payment for a number of Customers.
➢ Cross-system consistency checks: compares data in different systems to ensure it is consistent, e.g.,
the address for the customer with the same id is the same in both systems.
➢ The data may be represented differently in different systems and may need to be transformed to a
common format to be compared,
➢ e.g., one system may store the customer name in a single Name field as 'Doe, John Q', while another
stores it in three different fields: First_Name (John), Last_Name (Doe) and Middle_Name (Quality); to
compare the two, the validation engine would have to transform the data from the second system to
match the data from the first, for example, using SQL: Last_Name || ', ' || First_Name || ' ' ||
substr(Middle_Name, 1, 1) would convert the data from the second system to look like the data from
the first, 'Doe, John Q'.
➢ Data type checks: checks the data type of the input and gives an error message if the input data does
not match the chosen data type, e.g., in an input box accepting numeric data, if the letter 'O' was
typed instead of the number zero, an error message would appear.
➢ File existence check: checks that a file with a specified name exists. This check is essential for
programs that use file handling.
➢ Format or picture check: checks that the data is in a specified format (template), e.g., dates have to
be in the format DD/MM/YYYY. Regular expressions should be considered for this type of
validation.
➢ Hash totals: just a batch total done on one or more numeric fields which appear in every record.
This is a meaningless total, e.g., add the Telephone Numbers together for a number of Customers.
➢ Limit check: unlike range checks, data are checked against one limit only, upper OR lower, e.g.,
data should not be greater than 2 (<= 2).
➢ Logic check: checks that an input does not yield a logical error, e.g., an input value should not be 0
when it will divide some other number somewhere in a program.
➢ Presence check: checks that important data is actually present and has not been missed out, e.g.,
customers may be required to have their telephone numbers listed.
➢ Range check: checks that the data is within a specified range of values, e.g., the month of a person's
date of birth should lie between 1 and 12.
➢ Referential integrity: in a modern relational database, values in two tables can be linked through a
foreign key and a primary key. If values in the primary key field are not constrained by a
database-internal mechanism,[4] then they should be validated. Validation of the foreign key field
checks that the referencing table always refers to a valid row in the referenced table.[5]
➢ Spelling and grammar check: looks for spelling and grammatical errors.
➢ Uniqueness check: checks that each value is unique. This can be applied to several fields (i.e.
Address, First Name, and Last Name).
➢ Table look-up check: takes the entered data item and compares it to a valid list of entries that are
stored in a database table.
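Several of the checks listed above combined into one rule set, as an added example that is not part of these notes: a small Python validator run over two constructed customer records, one clean and one defective. The field names, record values and ISBN are constructed for illustration; the check digit follows the ISBN-13 weighted-sum rule (modulo 10), and the name transform reproduces the 'Doe, John Q' cross-system case.

```python
import re
from datetime import date

# Constructed sample records (not real customers): one clean, one carrying the
# kinds of defects the checks above are meant to catch.
GOOD = {"type": "Customer", "title": "Mr.", "gender": "M", "first_name": "John",
        "last_name": "Doe", "middle_name": "Quality", "telephone": "5551234",
        "dob": "29/12/1980", "isbn": "978-0-306-40615-7", "orders": ["A1"]}
BAD = {"type": "Customer", "title": "Mr.", "gender": "F", "first_name": "J<script>",
       "last_name": "Doe", "middle_name": "", "telephone": "555O234",
       "dob": "31/13/1980", "isbn": "978-0-306-40615-8", "orders": []}

DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")   # format (picture) check: DD/MM/YYYY
MARKUP_RE = re.compile(r"[<>]")                      # allowed-character check for names


def isbn13_check_digit_ok(isbn):
    """Check digit: weights 1,3,1,3,... over the first 12 digits; (10 - sum % 10) % 10 == last."""
    digits = isbn.replace("-", "")
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def combined_name(first, last, middle):
    """Cross-system transform: three name fields rendered like the single 'Doe, John Q' field."""
    return f"{last}, {first} {middle[:1]}".rstrip()


def validate(rec):
    """Apply the rules from the list above; return the list of violations (empty if clean)."""
    errors = []
    # Presence check: required fields must be non-empty
    for field in ("first_name", "last_name", "telephone", "dob", "title", "gender"):
        if not rec.get(field):
            errors.append(f"presence: {field} missing")
    # Allowed-character check: names must not carry markup characters
    for field in ("first_name", "last_name"):
        if MARKUP_RE.search(rec.get(field, "")):
            errors.append(f"allowed characters: {field} contains < or >")
    # Data type check: a telephone number must be digits only (letter O versus zero)
    if not rec.get("telephone", "").isdigit():
        errors.append("data type: telephone is not numeric")
    # Format check, then range check on the month, then logic check that the date exists
    m = DATE_RE.match(rec.get("dob", ""))
    if not m:
        errors.append("format: dob is not DD/MM/YYYY")
    else:
        day, month, year = (int(g) for g in m.groups())
        if not 1 <= month <= 12:
            errors.append("range: dob month not in 1..12")
        else:
            try:
                date(year, month, day)
            except ValueError:
                errors.append("logic: dob is not a real calendar date")
    # Consistency check between two fields of the same record
    if rec.get("title") == "Mr." and rec.get("gender") != "M":
        errors.append("consistency: title Mr. but gender is not M")
    # Check digit on the ISBN
    if not isbn13_check_digit_ok(rec.get("isbn", "")):
        errors.append("check digit: ISBN check digit does not verify")
    # Cardinality check: a Customer must have at least one Order
    if rec.get("type") == "Customer" and not rec.get("orders"):
        errors.append("cardinality: customer has no orders")
    return errors


def batch_total(records, field):
    """Batch/control total: sum one numeric field across every record in the batch."""
    return sum(r[field] for r in records)


if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(rec) or "clean")
    print(combined_name("John", "Doe", "Quality"))
```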
DATA HIDING
➢ Data hiding is the process of making data difficult to find while also keeping it accessible for future
use. "Obfuscation and encryption of data give an adversary the ability to limit identification and
collection of evidence by investigators while allowing access and use to themselves."
➢ Some of the more common forms of data hiding include encryption, steganography and other
various forms of hardware/software based data concealment. Each of the different data hiding
methods makes digital forensic examinations difficult. When the different data hiding methods are
combined, they can make a successful forensic investigation nearly impossible.
Encryption
➢ One of the more commonly used techniques to defeat computer forensics is data encryption. In a
presentation he gave on encryption and anti-forensic methodologies the Vice President of Secure
Computing, Paul Henry, referred to encryption as a "forensic expert's nightmare".
➢ The majority of publicly available encryption programs allow the user to create virtual encrypted
disks which can only be opened with a designated key. Through the use of modern encryption
algorithms and various encryption techniques these programs make the data virtually impossible to
read without the designated key.
➢ File level encryption encrypts only the file contents. This leaves important information such as file
name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed from
other locations, such as temporary files, swap file and deleted, unencrypted copies.
➢ Most encryption programs have the ability to perform a number of additional functions that make
digital forensic efforts increasingly difficult. Some of these functions include the use of a key file,
full-volume encryption, and plausible deniability. The widespread availability of software containing
these functions has put the field of digital forensics at a great disadvantage.
Steganography
➢ Steganography is a technique where information or files are hidden within another file in an attempt
to hide data by leaving it in plain sight. "Steganography produces dark data that is typically buried
within light data (e.g., a non-perceptible digital watermark buried within a digital photograph)."
➢ Some experts have argued that the use of steganography techniques are not very widespread and
therefore shouldn't be given a lot of thought. Most experts will agree that steganography has the
capability of disrupting the forensic process when used correctly.
➢ According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist publication)
outlined the importance of using a steganography program called Secrets of the Mujahedeen.
According to Carr, the program was touted as giving the user the capability to avoid detection by
current steganalysis programs.
➢ It did this through the use of steganography in conjunction with file compression. Other forms of
data hiding other forms of data hiding involve the use of tools and techniques to hide data
throughout various locations in a computer system. Some of these places can include "memory,
slack space, hidden directories, bad blocks, alternate data streams, (and) hidden partitions."
➢ One of the more well known tools that is often used for data hiding is called Slacker (part of the
Metasploit framework). Slacker breaks up a file and places each piece of that file into the slack space
of other files, thereby hiding it from the forensic examination software.
➢ Another data hiding technique involves the use of bad sectors. To perform this technique, the user
changes a particular sector from good to bad and then data is placed onto that particular cluster. The
belief is that forensic examination tools will see these clusters as bad and continue on without any
examination of their contents.
➢ In addition to static acquisition and live acquisition, there is another type of acquisition, remote
acquisition. Remote acquisition is done through a network connection and involves a client-server
type of architecture.
➢ In many cases, you install a client on the machine from which you want to retrieve the data. Remote
acquisition is a form of live acquisition, because it requires that the computing device (the host
computer) is still up and running.
➢ So the acquisition is only done while the computer is on. The current trend is that live and remote
acquisitions are becoming more important and popular due to the encryption problem. Static
acquisitions are now becoming more difficult, especially because the data is often encrypted when a
computing device is turned off. This means that by the time you try to do a static acquisition, it
may be too late to retrieve the data from the storage device.
NETWORK FORENSICS
➢ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of
computer network traffic for the purposes of information gathering, legal evidence, or intrusion
detection. Unlike other areas of digital forensics, network investigations deal with volatile and
dynamic information. Network traffic is transmitted and then lost, so network forensics is often a
pro-active investigation.
➢ Network forensics generally has two uses. The first, relating to security, involves monitoring a
network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log
files on a compromised host; network-based evidence might therefore be the only evidence available
for forensic analysis.
➢ The second form relates to law enforcement. In this case analysis of captured network traffic can
include tasks such as reassembling transferred files, searching for keywords and parsing human
communication such as emails or chat sessions.
➢ Network forensics is the capture, recording and analysis of network events in order to discover the
source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus
Ranum, is borrowed from the legal and criminology fields where forensics pertains to the
investigation of crimes.) According to Simson Garfinkel, author of several books on security,
network forensics systems can be one of two kinds: "Catch-it-as-you-can" systems, in which all
packets passing through a certain traffic point are captured and written to storage with analysis being
done subsequently in batch mode. This approach requires large amounts of storage, usually
involving a RAID system.
➢ "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory
and only certain information saved for future analysis. This approach requires less storage but may
require a faster processor to keep up with incoming traffic.
➢ Both approaches require significant storage and the need for occasional erasing of old data to make
room for new. The open source programs tcpdump and windump as well as a number of commercial
programs can be used for data capture and analysis.
➢ One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information
(including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the
Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted
contents except with user permission, for limited operations monitoring, or under a court order. The
U.S. FBI's Carnivore is a controversial example of a network forensics tool.
EMAIL INVESTIGATION
➢ When investigating email, we usually start with the piece of email itself and analyze the headers of
the email. Since each SMTP server that handles a message adds lines on top of the header, we start
at the top and work our way backward in time.
➢ Inconsistencies between the data that subsequent SMTP servers supposedly created can prove that
the email in question is faked. Another check is of the header contents themselves: each server on
the path adds its own idiosyncratic lines, and if a message does not have these, then it is faked. If
possible, one can obtain another email following supposedly the same path as the email under
investigation and see whether these idiosyncratic lines have changed. While it is possible that the
administrator of an SMTP node changed the behavior or even the routing, such changes tend to be
few and far between. For example, in the following email that I sent to myself (with altered
addresses), we find a large number of optional lines that the hotmail server added, in particular the
X-fields.
➢ Without these fields, the message did not originate through the Bay Area hotmail server. The
Message-ID field is also highly characteristic. Notice that hotmail also includes the originating IP
address. A simple check for this IP address might also prove that the message is a fake. (Though in
fact, it is not.)
Return-path: <tschwarz@hotmail.com>
Received: from MGW2.scu.edu [129.210.251.18]
by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
(Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066471627@MGW2.scu.edu> for
<tjschwarz@scu.edu>;
Wed, 28 Dec 2005 20:12:44 -0800
X-Modus-Blacklist: 64.4.43.63=OK;tschwarz@hotmail.com=OK
X-Modus-Trusted: 64.4.43.63=NO
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed, 28 Dec 2005 20:12:44 -0800
Message-ID: <BAY17-F13177DD86E6CA033897367C4290@phx.gbl>
Received: from 129.210.18.34 by by17fd.bay17.hotmail.msn.com with HTTP;
Thu, 29 Dec 2005 04:12:43 GMT
X-Originating-IP: [129.210.18.34]
X-Originating-Email: [tschwarz@hotmail.com]
X-Sender: tschwarzsj@hotmail.com
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
To: tschwarz@scu.edu
Bcc:
Subject: Test
Date: Thu, 29 Dec 2005 04:12:43 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
X-OriginalArrivalTime: 29 Dec 2005 04:12:44.0119 (UTC) FILETIME=[1E30EE70:01C60C2E]
Test
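As an added example (not part of the lecture notes), the following Python applies the top-down reading described above to the header just shown: it orders the Received hops chronologically, checks that the clocks do not run backwards and that each relay is named as the source of the next hop, and compares X-Originating-IP with the first hop. Hotmail's internal "mail pickup service" hop shows up as one link gap that the analyst has to recognize as a legitimate internal relay rather than a forgery.

```python
import email
import email.utils
import re

# Constructed sample: the header shown above, with continuation lines
# indented so the RFC 5322 parser unfolds them (addresses as altered by the author).
SAMPLE = """\
Received: from MGW2.scu.edu [129.210.251.18]
 by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
 (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066471627@MGW2.scu.edu> for
 <tjschwarz@scu.edu>;
 Wed, 28 Dec 2005 20:12:44 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Wed, 28 Dec 2005 20:12:44 -0800
Message-ID: <BAY17-F13177DD86E6CA033897367C4290@phx.gbl>
Received: from 129.210.18.34 by by17fd.bay17.hotmail.msn.com with HTTP;
 Thu, 29 Dec 2005 04:12:43 GMT
X-Originating-IP: [129.210.18.34]
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
Subject: Test

Test
"""

HOP_RE = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)")

def received_chain(raw):
    """Received hops oldest-first as (from_clause, by_host, timestamp).
    The top-most Received line is the newest, so header order is reversed."""
    hops = []
    for hdr in reversed(email.message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = " ".join(hdr.split()).rpartition(";")  # date follows ';'
        m = HOP_RE.search(clause)
        hops.append((m.group("frm") if m else clause, m.group("by") if m else "",
                     email.utils.parsedate_to_datetime(stamp.strip())))
    return hops

def analyze(raw):
    """Flag inconsistencies between hops; returns (hops, originating_ip, findings)."""
    hops, findings = received_chain(raw), []
    for prev, cur in zip(hops, hops[1:]):
        if cur[2] < prev[2]:
            findings.append(f"clock runs backwards between {prev[1]} and {cur[1]}")
        if prev[1].lower() not in cur[0].lower():  # next relay should name the previous one
            findings.append(f"{prev[1]} is not named as the source of the hop via {cur[1]}")
    orig = email.message_from_string(raw).get("X-Originating-IP", "").strip("[] ")
    if orig and hops and orig not in hops[0][0]:
        findings.append("X-Originating-IP disagrees with the first Received hop")
    return hops, orig, findings
```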
➢ In general, it is impossible to prove that an email is genuine, but one can build a good case that it is
genuine. Usually, spoofers are simply not that good.
➢ In a case where someone maintains that an email appearing to originate from that someone is faked,
the date and the originating IP address could create a presumption that the email is not faked.
➢ But even in this case, the only thing one can deduce for sure is that the email originated from
someone who could put a packet with that return address on the network.
➢ As administrators get more concerned about fake mail, they put in access restrictions and also place
warnings in headers, as the following example shows. (For Spam protection, I changed the email
addresses used.)
De: <tschwarz@scu.edu>
Enviado el: Wednesday, December 28, 2005 11:19:47 PM
Return-Path: tschwarz@scu.edu
X-OriginalArrivalTime: 28 Dec 2005 23:19:14.0587 (UTC) FILETIME=[1E1796B0:01C60C05]
➢ Besides analyzing the email message itself, analyzing the machine from which an email might have
originated may yield some proof. We will see this when we come to discuss hard drive evidence.
Analysis of Logs
➢ Even more fundamental and important than these methods are the logs that SMTP servers (and some
email programs) maintain. Law enforcement has here an advantage over private investigators
because they can subpoena ISP records.
➢ Unfortunately, ISP servers tend not to store the log data for a long time. It therefore makes sense to
warn an ISP about a coming subpoena so that they can safeguard the log entry. A lucky investigator
might be able to trace back a message through SMTP servers to the first one that handled the
message.
➢ If this server belonged to an ISP, then information from RADIUS logs might give the name of the
subscriber. Otherwise, the investigator might connect the IP of the originating machine to a suspect.
In case of criminal enterprises such as spammers, fraudsters, phishers, etc. this investigation will be
very difficult because the originating message is often from a hacked machine that is controlled by
another hacked machine.
➢ The investigator needs to spend considerable resources and talents to follow such a trail through
various jurisdictions. It is possible to even set up a website in a way that cannot be traced to a
person, for example using untraceable or stolen credit cards.
➢ Here is an example of a typical SMTP log from endor. Chris Tracy - a truly talented and helpful
systems administrator - sent me fake mail:
➢ This document describes the Information Technology policies and procedures related to handling of
emails related to transgressions of law or of questionable content.
➢ Pursuant to the Computing Access Agreement, Information Technology does not monitor email
content or email accounts. Minimal, short-lived logging is done on the system for performance and
operational use showing messages queued for delivery or system load. Email account contents may
be accessed for technical reasons (assisting users or system troubleshooting) without the knowledge
of the owner.
➢ Information Technology does not officially investigate or trace emails unless directed or requested to
do so from College authority offices like Campus Police, Human Resources, or Student Life. In
general all issues with objectionable email of a harassing or illegal nature must be routed through
one of these authorities, typically Campus Police.
➢ Members of the College community who contact Information Technology about this issue are
directed to retain the message in its original form within their account and contact Campus Police.
Campus Police then typically makes an incident report and determines whether the incident warrants
action by Information Technology.
➢ The majority of information used for tracing email is extracted from the message header. The header
format is a documented standard and is constructed as a product of message delivery by all involved
delivery agents (from the initiating client through to the final accepting server). To some degree this
information can be used to verify the legitimacy of a message. To a lesser degree this information
can be used to trace the message origin. However, mail clients are easily reconfigured to obscure the
identity of the sender, semi-anonymous email agents (like Yahoo! and Hotmail) are widely used, and
determined individuals can certainly add enough invalid header information to make determinations
very difficult.
➢ Emails originating from The College of New Jersey systems are typically easier to trace than
messages originating from off-campus sites (this includes Yahoo! and Hotmail as well as emails
from other personal or commercial systems).
➢ Information Technology NTS staff will review the message headers to determine origin, destination,
or ownership of the message as required. College UNIX account contents may be reviewed to
determine what roles investigation-specified users and potential suspects play in the investigation.
➢ In the event that an email must be traced through an off-campus system, Information Technology
must request the assistance of other agencies. For email originating from or destined to other sites,
respective system administrators at those sites may be contacted for assistance. Information
Technology staff often contact system administrators at these sites and may be able to acquire the
necessary information. Certain commercial email systems require legal documents before they will
release account information. For these services (like AOL, Yahoo! or Hotmail) a court order or
subpoena may be required to obtain the user identity and/or message contents of the suspect account.
Campus Police handles acquiring legally binding documents and may acquire those documents and
possibly the related account information before contacting Information Technology.
➢ Information Technology NTS staff maintain close contact with Campus Police (or the appropriate
investigating agency) throughout the division’s action in the investigation. Information retrieved by
Information Technology is provided to the investigators with explanation as required.
➢ In most cases the action taken against an individual determined guilty of a violation of the
Computing Access Agreement is determined by College authorities. The typical action is to lock the
user account for a specified period of time.
➢ In the information age, every byte of data matters. Cell phones are capable of storing a wealth of
personal information, often intentionally, and sometimes unintentionally. This holds true for almost
all mobile devices, such as PDAs and iPhones as well.
➢ Cell phone forensic experts specialize in the forensic retrieval of data from cell phones and other
mobile devices in a manner that preserves the evidence under forensically acceptable conditions,
ensuring that it is court-admissible.
➢ A cell phone forensic investigation includes possible full data retrieval dependent upon the cell
phone or PDA model. The cell phone and PDA forensic engineers at Kessler International will
conduct a thorough examination of the data found on the cell phone’s SIM/USIM, the cell phone
body itself, and any optional memory cards. Some of the kinds of data that may be retrieved and
examined during a cell phone forensic investigation, even after being deleted, include:
➢ Parents should contact us if they suspect that their child is misusing the device or being harassed by
someone contacting or photographing them without their consent. Kessler will discreetly investigate
and, if necessary, assist law enforcement by providing court-admissible data to corroborate legal
claims.
➢ Kessler International can perform mobile phone forensics if an individual suspects his or her spouse
of cheating. Data such as placed & received calls and phone call times, text messages, photos and
other incriminating evidence can be retrieved from the spouse’s cell phone or mobile device.
➢ Companies and corporations should contact us to perform cell phone forensics if they suspect
espionage by a competitor or disgruntled employee.
➢ Business owners who distribute cell phones to their executives and sales staff may contact us to
perform cell phone forensics to determine if these devices are being inappropriately used to view
and/or download porn, or to violate company policies restricting Internet usage.
➢ Individuals may contact Kessler International if they suspect they have been the victim of e-stalking,
the subject of inappropriate and non-consensual digital photography and other forms of digital
harassment.
➢ Kessler International’s forensic cell/mobile phone, PDA, and computer investigations are discreet,
controlled, thorough and fully documented. Our professional staff is both certified and highly
experienced in their respective forensic disciplines.
➢ Forensic cell phone audits by Kessler International’s professionals yield superior results as our
techniques and procedures far exceed those used in routine data recovery investigations.
➢ Our forensic examinations will document the evidence that the client needs and the respective
circumstance requires. For all your cell phone forensic investigative needs, Kessler International is
the company to call.
➢ For over 25 years, Kessler International has been a leader in the field of digital forensics. The cell
phone forensic engineers at Kessler International are fully trained in proper evidence handling and
litigation support services. Our broad knowledge of these complex electronic systems combined with
extensive legal training demonstrates the high standards Kessler International maintains.
➢ These standards are critical to providing the data that support an accurate presentation of the facts.
Kessler has built its rock-solid reputation on it. Remember, when the bar is set high, Kessler
International is the company to call.
➢ The explosive growth in the availability and use of cell phones and other mobile devices, coupled
with the expanded capabilities of these devices, has made this area of digital forensics
increasingly important. For many years now, cell phones have been a recorder of information, often
related to criminal or other nefarious behaviors, not to mention often being the instrument and,
occasionally, the target of that behavior.
➢ Mobile devices contain a plethora of data, including contact lists, phone and Internet browsing
history, text and multimedia messages, e-mail, photographs and videos, geolocation information,
and much more. Indeed, smart phones are mobile Internet terminals and contain more probative
information per byte examined than most computers.
➢ Examination and analysis of cell phones requires a very different forensic process than that applied
to computers.
➢ Every step from seizure to preservation to transport to the exam itself requires processes and tools to
ensure minimal alteration to the original evidence.
➢ The complexity in performing a thorough exam of a mobile device and the analysis of the contents
should not be underestimated; while computers today largely employ only two or three different
operating systems (depending upon how you count), there are at least six major operating systems
used on mobile phones that are still in circulation.
➢ Gary has been conducting mobile phone forensic examinations since 2006. Most of this work has
been on behalf of the local, state, and federal law enforcement community in Vermont and Florida,
including the U.S. Attorney's Office and Internet Crimes Against Children (ICAC) Task Force.
➢ Gary has also examined mobile devices on behalf of clients in civil litigations. Gary has acted as an
expert witness in several federal criminal cases, as well as numerous civil matters.
➢ Gary is also a frequent speaker at conferences about the process of mobile device forensics. He has
also conducted many training courses on mobile phone and Smartphone forensics.
➢ Gary Kessler Associates is capable of performing logical and physical analysis of most types of cell
phones, tablets, GPS devices, and other mobile devices. In conjunction with partners, GKA is able to
provide a broad range of services, including chip-off examinations and analysis of call detail records
and cell tower information.
➢ Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or
data from a mobile device under forensically sound conditions. The phrase mobile device usually
refers to mobile phones; however, it can also relate to any digital device that has both internal
memory and communication ability, including PDA devices, GPS devices and tablet computers.
➢ The use of phones in crime was widely recognized for some years, but the forensic study of mobile
devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly
smart phones) on the consumer market caused a demand for forensic examination of the devices,
which could not be met by existing computer forensics techniques.
➢ Mobile devices can be used to save several types of personal information such as contacts, photos,
calendars and notes, SMS and MMS messages. Smart phones may additionally contain video, email,
web browsing information, location information, and social networking messages and contacts.
➢ There is a growing need for mobile forensics for several reasons; some of the prominent
ones are:
✓ Use of mobile phones to store and transmit personal and corporate information
✓ Use of mobile phones in online transactions