
CS6004 CYBER FORENSICS

UNIT I NETWORK LAYER SECURITY & TRANSPORT LAYER SECURITY

IPSec Protocol - IP Authentication Header - IP ESP - Key Management Protocol for IPSec.
Transport layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.

UNIT II E-MAIL SECURITY & FIREWALLS

PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall related
terminology- Types of Firewalls - Firewall designs - SET for E-Commerce Transactions.

UNIT III INTRODUCTION TO COMPUTER FORENSICS

Introduction to Traditional Computer Crime, Traditional problems associated with Computer
Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques - Incident and
incident response methodology - Forensic duplication and investigation. Preparation for IR:
Creating response tool kit and IR team. - Forensics Technology and Systems -
Understanding Computer Investigation – Data Acquisition.

UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current
Computer Forensics Tools: Software/ Hardware Tools.

UNIT V ANALYSIS AND VALIDATION

Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition –
Network Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics

TEXT BOOKS:

1. Man Young Rhee, “Internet Security: Cryptographic Principles, Algorithms and Protocols”,
Wiley Publications, 2003.
2. Nelson, Phillips, Enfinger, Steuart, “Computer Forensics and Investigations”, Cengage
Learning, India Edition, 2008.

REFERENCES:

1. John R. Vacca, “Computer Forensics”, Cengage Learning, 2005.
2. Richard E. Smith, “Internet Cryptography”, 3rd Edition, Pearson Education, 2008.
3. Marjie T. Britz, “Computer Forensics and Cyber Crime: An Introduction”, 3rd Edition,
Prentice Hall, 2013.

UNIT - 1 CS 6004 - CYBER FORENSICS

UNIT I NETWORK LAYER SECURITY & TRANSPORT LAYER SECURITY

IPSec Protocol - IP Authentication Header - IP ESP - Key Management Protocol for IPSec.
Transport layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.

1.1 IPSEC PROTOCOL

TCP/IP communication can be made secure with the help of cryptography. Cryptographic methods and
protocols have been designed for different purposes in securing communication on the Internet. These
include:
• SSL and TLS for HTTP web traffic,
• S/MIME and PGP for e-mail, and
• IPsec for network layer security.

• IPsec is the IETF (Internet Engineering Task Force) standard for real-time communication
security.
• It works with IPv4 or IPv6. IPsec can provide security between any pair of network layer entities
(e.g. between two hosts, two routers, or a host and a router).
• Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP)
communications that works by authenticating and encrypting each IP packet of a
communication session.
• IPsec includes protocols for establishing mutual authentication between agents at the beginning
of the session and for negotiating the cryptographic keys to be used during the session.
• IPsec can be used to protect data flows between
o a pair of hosts (host-to-host),
o a pair of security gateways (network-to-network), or
o a security gateway and a host (network-to-host).

IPsec is designed to protect communication in a secure manner over TCP/IP, and it provides
privacy and authentication services at the IP layer by using modern cryptography. To protect the
contents of an IP datagram, the data is transformed using cryptographic algorithms. There are two main
transformation types that form the basis of IPsec:
• the Authentication Header (AH) and
• the Encapsulating Security Payload (ESP).

PREPARED BY SANTHIYA.M/AP/CSE DEPT 1



The basic components of the IPsec security architecture are explained in terms of the following
functionalities:
• Security Protocols for AH and ESP
• Security Associations for policy management and traffic processing
• Manual and automatic key management: the Internet Key Exchange (IKE), the
Oakley key determination protocol and ISAKMP.
• Algorithms for authentication and encryption

The suite of IPsec protocols and associated default algorithms is designed to provide high-quality
security for Internet traffic.
An IPsec implementation operates in a host or a security gateway environment, affording protection to
IP traffic.
The protection offered is based on requirements defined by a Security Policy Database (SPD)
established and maintained by a user or system administrator.

Security Associations (SAs)


• A Security Association is simply the bundle of algorithms and parameters (such as keys) that
is being used to encrypt and authenticate a particular flow in one direction.
• Therefore, in normal bi-directional traffic, the flows are secured by a pair of security
associations.
• If both AH and ESP protection are applied to a traffic stream, then two SAs are required for two-
way secure exchange.
• An SA is uniquely identified by three parameters as follows:
1. Security Parameters Index (SPI): A receiver uses the SPI to identify the security
association for a packet. Before a sender uses IPsec to communicate with a receiver, the
sender must know the index value for a particular SA. The sender then places the value in
the SPI field of each outgoing datagram.
2. IP Destination Address: This is the address of the destination endpoint of the SA. The
destination endpoint may be an end-user system or a network system such as a firewall or
router.
3. Security Protocol Identifier: This identifier indicates whether the association is an AH or
ESP security association.
• There are two nominal databases in a general model for processing IP traffic relative to SAs.
1. The Security Policy Database (SPD) and
2. The Security Association Database (SAD).


Security policy database


• The SPD is an essential element of SA processing; it specifies what services are to be offered
to IP datagrams and in what fashion.
• The SPD is used to control the flow of all traffic (inbound and outbound) through an IPsec
system, including security and key management traffic (i.e. ISAKMP).
• The SPD contains an ordered list of policy entries.
• The entry for IPsec processing includes SA specification, limiting the IPsec protocols, modes
and algorithms to be employed.

Security association database


• The SAD contains parameters that are associated with each security association.
• Each SA has an entry in the SAD.
• For outbound processing, entries are pointed to by entries in the SPD. For inbound processing,
each entry in the SAD is indexed by a destination IP address, IPsec protocol type and SPI.

• There are two types of SAs to be defined:


1. A transport mode SA
2. A tunnel mode SA.

Transport mode SA
• A transport mode provides protection primarily for upper-layer protocols, i.e. a TCP packet or
UDP segment or an Internet Control Message Protocol (ICMP) packet, operating directly above
the IP layer. A transport mode SA is a security association between two hosts.
• When a host runs AH or ESP over IPv4, the payload is the data that normally follows the IP
header.
• AH in transport mode authenticates the IP payload and the protection is also extended to
selected portions of the IP header.
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP
header.
• A transport mode SA provides security services only for higher-layer protocols, not for the IP
header or any extension headers preceding the ESP header.

Tunnel mode SA
• Tunnel mode provides protection to the entire IP packet. A tunnel mode SA is essentially an SA
applied to an IP tunnel.


• When the entire inner (original) packet travels through a tunnel from one point of the IP network
to another, routers along the path are unable to examine the inner IP header because the
original inner packet is encapsulated. As a result, the new larger packet will have totally different
source and destination addresses. When the AH and ESP fields are added to the IP packet, the
entire packet plus security field (AH or ESP) is treated as the new outer IP packet with a new
outer IP header.
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including
the inner IP header.
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer
IP header.

1.1.2 Hashed Message Authentication Code (HMAC)


• HMAC is a secret-key authentication algorithm which provides both data integrity and data
origin authentication for packets sent between two parties.
• An HMAC mechanism can be used with any iterative hash functions in combination with a
secret key.
• MACs are used between two parties (e.g. client and server) that share a secret key in order to
validate information transmitted between them.
• Current candidates for secure hash functions include SHA-1, MD5 and RIPEMD-160.
• Hash functions such as MD5 and SHA-1 are generally known to execute faster in software than
symmetric block ciphers such as DES-CBC.
• Its definition requires a cryptographic hash function H and a secret key K.
• H denotes a hash function where the message is hashed by iterating a basic compression
function on data blocks.
• Let b denote the block length of 64 bytes or 512 bits for all hash functions such as MD5 and
SHA-1.
• h denotes the length of hash values, i.e. h = 16 bytes or 128 bits for MD5 and 20 bytes or 160
bits for SHA-1.
• The secret key K can be of any length up to b = 512 bits.
• To compute HMAC over the message, the HMAC equation is expressed as follows:
• HMAC = H[(K ⊕ opad)||H[(K ⊕ ipad)||M]]

• where
ipad = 00110110 (0x36) repeated 64 times (512 bits), the inner padding, and
opad = 01011100 (0x5c) repeated 64 times (512 bits), the outer padding.


• The following explains the HMAC equation:


1. Append zeros to the end of K to create a b-byte string (i.e. if K is 160 bits long and b =
512 bits, then K is appended with 352 zero bits, or 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) the b-byte string from step 1 with ipad to produce a b-bit block.
3. Append M to the b-byte string resulting from step 2.
4. Apply H to the stream generated in step 3.
5. XOR (bitwise exclusive-OR) the b-byte string from step 1 with opad to produce another b-byte string.
6. Append the hash result H from step 4 to the b-byte string resulting from step 5.
7. Apply H to the stream generated in step 6 and output the result.
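A worked implementation of the seven steps above, added here as an example and not part of the original notes. It builds HMAC from the ipad/opad definition with the standard library hashlib, using a constructed 160-bit key so the 44 zero bytes of step 1 are visible, and cross-checks the result against Python's hmac module; it also applies the RFC 2104 rule for keys longer than b bytes, which the notes do not cover.

```python
import hashlib
import hmac as stdlib_hmac  # used only to cross-check the hand-built construction

B = 64                      # block length b in bytes (512 bits) for MD5 and SHA-1
IPAD = bytes([0x36]) * B    # inner padding: 0x36 repeated 64 times
OPAD = bytes([0x5C]) * B    # outer padding: 0x5c repeated 64 times


def pad_key(key: bytes, hash_name: str = "sha1") -> bytes:
    """Step 1: append zero bytes to K until it is exactly b bytes long.

    A key longer than b bytes is first replaced by its own hash (the RFC 2104
    rule, not spelled out in the notes) so that it fits in one block.
    """
    if len(key) > B:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (B - len(key))


def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC = H[(K XOR opad) || H[(K XOR ipad) || M]], following steps 1 to 7."""
    k = pad_key(key, hash_name)                             # step 1
    k_ipad = bytes(a ^ b for a, b in zip(k, IPAD))          # step 2
    inner = hashlib.new(hash_name, k_ipad + msg).digest()   # steps 3 and 4
    k_opad = bytes(a ^ b for a, b in zip(k, OPAD))          # step 5
    return hashlib.new(hash_name, k_opad + inner).digest()  # steps 6 and 7


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    return stdlib_hmac.compare_digest(hmac_from_definition(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    expected = stdlib_hmac.new(key, msg, hash_name).digest()
    return hmac_from_definition(key, msg, hash_name) == expected


if __name__ == "__main__":
    key = bytes(range(20))             # constructed 160-bit key, as in step 1 of the notes
    msg = b"AH/ESP protected payload"  # constructed sample message
    tag = hmac_from_definition(key, msg)
    print("zero bytes appended to K:", B - len(key))
    print("HMAC-SHA1:", tag.hex())
    print("verifies:", verify_tag(key, msg, tag))
    print("matches hmac module:", matches_stdlib(key, msg))
```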

1.2 IP AUTHENTICATION HEADER

• The IP AH is used to provide data integrity and data origin authentication for IP packets.
• It also provides protection against replays.
• The AH provides authentication for the IP header, as well as for upper-level protocol (TCP,
UDP) data.
• The current key management options required for both AH and ESP are manual keying and
automated keying via IKE.
• Authentication is based on a MAC, the Integrity Check Value (ICV) computation, so the two
hosts must share a secret key.

AH Format
• The IPsec AH format is shown in the figure. The following six fields comprise the AH format:

• Next header (8 bits): This field identifies the type of the next payload after the AH. The value of
this field is chosen from the set of IP protocol numbers defined by the Internet Assigned Numbers
Authority (IANA).

• Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The
default length of the authentication data field is 96 bits, or three 32-bit words. With a three-word
fixed header, there are a total of six words in the header, and the payload length field has a
value of 4.
• Reserved (16 bits): This field is reserved for future use. It must be set to ‘zero’.
• SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination with the
destination IP address and security protocol (AH).
• Sequence number (32 bits): This field contains the monotonic strictly increasing sequence
number (incremented by 1 for every packet sent) to prevent replay attacks.
• Authentication data (variable): This field is a variable-length field that contains the Integrity
Check Value (ICV) or MAC for this packet.

AH Location
• AH or ESP is employed in two ways: transport mode or tunnel mode.
• In the transport mode, AH is inserted after the IP header and before an upper layer protocol
(TCP, UDP or ICMP), or before any other IPsec header that may have already been inserted.
• In tunnel mode, the inner IP header carries the ultimate source and destination addresses, while
an outer IP header may contain different IP addresses (i.e. addresses of firewalls or other
security gateways).
• In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header.
• The position of AH in tunnel mode, relative to the outer IP header, is the same as for AH in
transport mode.
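The AH fields, the SAD lookup by (destination address, protocol, SPI) and the sequence-number replay check, brought together in an added example that is not from the notes or any IPsec implementation. The ICV is HMAC-SHA-1 truncated to 96 bits; its scope is simplified to the destination address plus the AH and payload, standing in for the immutable IP header fields that real AH covers, and the replay check is a 64-entry sliding window that is only advanced after the ICV verifies.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

AH_FIXED_LEN = 12  # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12       # 96-bit truncated HMAC-SHA-1: the default ICV size named in the notes


class ReplayWindow:
    """Sliding anti-replay window: accept only new or in-window, not-yet-seen sequence numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set means sequence number (top - i) was already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                     # the first packet on an SA carries seq 1
        if seq > self.top:                   # new highest value: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False                     # older than the window: reject
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                     # already seen: replay
        self.bitmap |= bit
        return True


@dataclass
class SecurityAssociation:
    key: bytes
    window: ReplayWindow = field(default_factory=ReplayWindow)


def compute_icv(key: bytes, dst: str, ah_and_payload: bytes) -> bytes:
    # Simplified scope: real AH also covers the immutable IP header fields; here the
    # destination address stands in for them. The caller passes the AH with its ICV zeroed.
    return hmac.new(key, dst.encode() + ah_and_payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(sa_key: bytes, dst: str, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_field = ah_len // 4 - 2  # length in 32-bit words minus 2: 4 for a 96-bit ICV
    fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    icv = compute_icv(sa_key, dst, fixed + b"\x00" * ICV_LEN + payload)
    return fixed + icv + payload


def parse_ah(buf: bytes):
    """Split an AH-protected payload into (fields, icv, payload)."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len_field, reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    ah_len = (payload_len_field + 2) * 4
    if reserved != 0 or len(buf) < ah_len:
        raise ValueError("malformed AH")
    fields = {"next_header": next_header, "payload_len": payload_len_field, "spi": spi, "seq": seq}
    return fields, buf[AH_FIXED_LEN:ah_len], buf[ah_len:]


def inbound_ah(sad: dict, dst: str, packet: bytes):
    """Receiver processing: SAD lookup by (dst, protocol, SPI), ICV check, then replay check."""
    fields, icv, payload = parse_ah(packet)
    sa = sad.get((dst, "AH", fields["spi"]))
    if sa is None:
        return "no_sa", None
    zeroed = packet[:AH_FIXED_LEN] + b"\x00" * len(icv) + payload
    if not hmac.compare_digest(compute_icv(sa.key, dst, zeroed), icv):
        return "bad_icv", None               # authenticate before trusting the sequence number
    if not sa.window.accept(fields["seq"]):
        return "replay", None
    return "ok", payload
```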

1.3 IP ESP

• The ESP header is designed to provide security services in IPv4 and IPv6.
• ESP can be applied
o alone,
o in combination with the IP AH, or
o through the use of tunnel mode.
• Security services are provided between
o a pair of hosts,
o a pair of security gateways, or
o a security gateway and a host.
• ESP is used to provide confidentiality (encryption), data authentication, integrity and anti-replay
service, and limited traffic flow confidentiality.


• However, use of confidentiality without integrity/authentication may subject traffic to certain
forms of active attacks that undermine the confidentiality service.
• Data authentication and integrity are joint services offered as an option with confidentiality.
• The anti-replay service is chosen only if data origin authentication is selected and the service is
effective only if the receiver checks the sequence number.
• The current key management options required for both AH and ESP are manual keying and
automated keying via IKE.

ESP Packet Format


• Figure shows the format of an ESP packet and the fields in the header format are defined as
follows:

• Security Parameters Index (32 bits): Arbitrary value used (together with the destination IP
address) to identify the security association of the receiving party.
• Sequence Number (32 bits): A monotonically increasing sequence number (incremented by 1
for every packet sent) to protect against replay attacks.
• Payload data (variable): The protected contents of the original IP packet. The type of content
that was protected is indicated by the Next Header field.
• Padding (0-255 octets): Padding for encryption, to extend the payload data to a size that fits
the encryption's cipher block size, and to align the next field.
• Pad Length (8 bits): Size of the padding (in octets).
• Next Header (8 bits): Type of the next header. The value is taken from the list of IP protocol
numbers.


• Authentication data (variable): This is a variable-length field containing an ICV (Integrity
Check Value, a multiple of 32 bits), computed over the ESP packet minus the authentication
data.

ESP Header Location
• Like AH, ESP is employed in either transport mode or tunnel mode.
• In the transport mode, ESP is inserted after the IP header and before an upper-layer protocol
(TCP, UDP or ICMP), or before any other IPsec headers that have already been inserted.
• Tunnel mode ESP can be employed in either hosts or security gateways.
• When ESP is implemented in a security gateway to protect subscriber transit traffic, tunnel
mode must be used.
• In tunnel mode, the inner IP header carries the ultimate source and destination addresses, while
an outer IP header may contain different IP addresses such as addresses of security gateways.

• In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header.
• The position of ESP in tunnel mode, relative to the outer IP header, is the same as for ESP in
transport mode.

Encryption and Authentication Algorithms


• ESP is applied to an outbound packet associated with an SA that calls for ESP processing.
• The encryption algorithm and authentication algorithm employed are specified by the SA.

Encryption
• ESP is designed for use with symmetric algorithms such as triple DES in CBC (Cipher Block
Chaining) mode.
• Other algorithms for encryption are: RC5, IDEA, CAST and Blowfish.
• For encryption to be applied, the sender encrypts the fields (payload data, padding, pad length
and next header) using the key, encryption algorithm, algorithm mode indicated by the SA and
an IV (Initialization Vector).
• The encryption is performed before the authentication and does not encompass the
authentication data field.

Decryption
• The receiver decrypts the ESP payload data, padding, pad length and next header using the
key, encryption algorithm, algorithm mode and IV data.
• If explicit IV data is indicated, it is taken from the payload field and input to the decryption
algorithm.


• If implicit IV data is indicated, a local version of the IV is constructed and input to the decryption
algorithm.
• For transport mode, the receiver reconstructs the original IP datagram from the original IP
header plus the original upper-layer protocol information in the ESP payload field.
• For tunnel mode, the receiver reconstructs the tunnel IP header plus the entire IP datagram in
the ESP payload field.
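An added example, not from the notes, of the ESP framing described above: padding the payload to the cipher block size, the pad length / next header trailer, and the ICV over everything except the authentication data, with the receiver verifying the ICV before it touches the trailer. The cipher itself is left out; the comments mark where the SA's encryption algorithm would act on the body. The padding bytes 1, 2, 3, ... are the default padding content of RFC 4303, and the key and payloads are constructed.

```python
import hashlib
import hmac
import struct

ESP_HEADER_LEN = 8  # SPI (32 bits) + sequence number (32 bits)
ICV_LEN = 12        # 96-bit truncated HMAC-SHA-1 authentication data


def default_padding(pad_len: int) -> bytes:
    # Default padding content is the byte sequence 1, 2, 3, ... (RFC 4303), so the
    # receiver can check it after decryption.
    return bytes(range(1, pad_len + 1))


def esp_encapsulate(auth_key: bytes, spi: int, seq: int, next_header: int,
                    payload: bytes, block_size: int) -> bytes:
    # Pad so that payload || padding || pad length || next header fills whole cipher blocks.
    pad_len = (-(len(payload) + 2)) % block_size
    header = struct.pack("!II", spi, seq)
    body = payload + default_padding(pad_len) + bytes([pad_len, next_header])
    # In a real SA, 'body' is now passed through the cipher (e.g. 3DES-CBC with the IV);
    # the ICV is computed afterwards over header || encrypted body, never over the ICV itself.
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(auth_key: bytes, packet: bytes, block_size: int):
    if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    header = packet[:ESP_HEADER_LEN]
    body, icv = packet[ESP_HEADER_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("bad ICV")  # integrity first: nothing below runs on forged data
    spi, seq = struct.unpack("!II", header)
    if len(body) % block_size:
        raise ValueError("body is not block aligned")
    # (decryption of 'body' with the SA's key, algorithm, mode and IV would happen here)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds body")
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:-2] != default_padding(pad_len):
        raise ValueError("bad padding")
    return spi, seq, next_header, body[:payload_end]


def decapsulate_status(auth_key: bytes, packet: bytes, block_size: int) -> str:
    """'ok' or the reason the packet was rejected (useful for logging and tests)."""
    try:
        esp_decapsulate(auth_key, packet, block_size)
        return "ok"
    except ValueError as err:
        return str(err)
```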

Authentication
• The authentication algorithm employed for the ICV computation is specified by the SA.
• For communication between two points, suitable authentication algorithms include keyed
Message Authentication Codes (MACs) based on symmetric encryption algorithms (e.g. DES) or
on one-way hash functions (e.g. MD5 or SHA-1).
• For multicast communication, one-way hash algorithms combined with asymmetric signature
algorithms are appropriate.

1.4 KEY MANAGEMENT PROTOCOL FOR IPSec

• The key management mechanism of IPsec involves the determination and distribution of a
secret key.
• Key establishment is at the heart of data protection that relies on cryptography.
• A secure key distribution for the Internet is an essential part of packet protection.
• Prior to establishing a secure session, the communicating parties need to negotiate the terms
that are defined in the SA.
• An automated protocol is needed in order to establish the SAs for making the process feasible
on the Internet.
• This automated process is IKE (Internet Key Exchange). IKE combines ISAKMP with the
Oakley key exchange.

OAKLEY Key Determination Protocol


• The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated
parties to exchange keying material across an insecure connection using the Diffie–Hellman key
exchange algorithm.
• The protocol was proposed by Hilarie K. Orman in 1998, and formed the basis for the more
widely used Internet key exchange protocol.
• Oakley is not only a refinement of the Diffie–Hellman key exchange algorithm, but also a method to
establish an authenticated key exchange.


• The Oakley protocol is used to establish a shared key with an assigned identifier and
associated authenticated identities for the two parties.
• Oakley can be used directly over the IP protocol or over UDP protocol using a well-known port
number assignment available.
• Oakley uses the cookies for two purposes:
1. Anti-clogging (denial of service) and
2. Key naming.
• The construction of the cookies prevents an attacker from obtaining a cookie using a real IP
address and UDP port.
• The anti-clogging tokens provide a form of source address identification for both parties.
• Oakley employs nonces to ensure against replay attacks.
• Each nonce is a pseudorandom number which is generated by the transmitting entity.
• The nonce payload contains this random data used to guarantee liveness during a key
exchange and protect against replay attacks.
• All the Oakley message fields correspond to ISAKMP message payloads.
• The relevant payload fields are the SA payload, the authentication payload, the certification
payload, and the exchange payload. Oakley is the actual instantiation of ISAKMP framework for
IPsec key and SA generation.

ISAKMP
• ISAKMP defines a framework for SA management and cryptographic key establishment for the
Internet.
• This framework consists of defined exchanges, payloads and processing guidelines.
• ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete SAs.

• It also defines payloads for exchanging key generation and authentication data.
• These payload formats provide a consistent framework for transferring key and authentication
data which is independent of the key generation technique, encryption algorithm and
authentication mechanism.

Payload Types for ISAKMP


• ISAKMP payloads provide modular building blocks for constructing ISAKMP messages.
• The presence and ordering of payloads in ISAKMP is defined by and dependent upon the
Exchange Type Field located in the ISAKMP Header.


ISAKMP Header
• The ISAKMP header fields are defined as shown in the figure.
• Initiator Cookie (64 bits) - This field is the cookie of the entity that initiated SA establishment, SA
notification, or SA deletion.
• Responder Cookie (64 bits) - This field is the cookie of the entity that is responding to an SA
establishment request, SA notification, or SA deletion.
• Next Payload (8 bits) - This field indicates the type of the first payload in the message.
• Major Version (4 bits)- This field indicates the Major version of the ISAKMP protocol in use.
Set the Major version to 1 according to ISAKMP Internet-Draft.

• Minor Version (4 bits)- This field indicates the Minor version of ISAKMP protocol in use. Set
the Minor version to 0 according to implementations based on the ISAKMP Internet-Draft.

• Exchange Type (8 bits) - This field indicates the type of exchange being used. This dictates
the message and payload orderings in the ISAKMP exchanges.

• Flags (8 bits) - This field indicates specific options that are set for the ISAKMP exchange.

• Message ID (32 bits) - Message ID is used to identify protocol state during Phase 2
negotiations. This value is randomly generated by the initiator of the phase 2 negotiation. During
Phase 1 negotiation, this value must be set to 0.

• Length (32 bits) - This field gives the length of the total message (header || payloads). Encryption can
expand the size of an ISAKMP message.
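A parser for the ISAKMP header fields listed above and for the chain of payloads that the Next Payload field starts, added here as an example and not taken from the notes. The generic payload header (next payload, reserved, payload length) is the RFC 2408 layout; the cookies, exchange type, payload types and payload contents of the sample message are constructed values.

```python
import struct

ISAKMP_HEADER_LEN = 28
# Initiator cookie, responder cookie, next payload, version (major/minor nibbles),
# exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"
GENERIC_PAYLOAD_FMT = "!BBH"  # next payload, reserved, payload length (RFC 2408 generic header)
PAYLOAD_NONE = 0              # next payload value that ends the chain


def build_isakmp_header(i_cookie, r_cookie, next_payload, exchange_type, flags,
                        message_id, total_length, major=1, minor=0):
    version = (major << 4) | minor  # the two 4-bit version fields share one byte
    return struct.pack(HEADER_FMT, i_cookie, r_cookie, next_payload, version,
                       exchange_type, flags, message_id, total_length)


def parse_isakmp_header(buf):
    if len(buf) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (i_cookie, r_cookie, next_payload, version, exchange_type,
     flags, message_id, length) = struct.unpack(HEADER_FMT, buf[:ISAKMP_HEADER_LEN])
    return {
        "initiator_cookie": i_cookie, "responder_cookie": r_cookie,
        "next_payload": next_payload,
        "major_version": version >> 4, "minor_version": version & 0x0F,
        "exchange_type": exchange_type, "flags": flags,
        "message_id": message_id, "length": length,
    }


def header_problems(hdr, datagram_len, phase):
    """Checks a receiver applies before touching any payload; an empty list means OK."""
    problems = []
    if hdr["major_version"] != 1:
        problems.append("unsupported major version")
    if hdr["length"] < ISAKMP_HEADER_LEN or hdr["length"] != datagram_len:
        problems.append("length field does not match the datagram")
    if phase == 1 and hdr["message_id"] != 0:
        problems.append("phase 1 message ID must be 0")
    return problems


def walk_payloads(message):
    """Follow the next-payload chain; every payload is bounds-checked against the message."""
    hdr = parse_isakmp_header(message)
    payloads, offset, ptype = [], ISAKMP_HEADER_LEN, hdr["next_payload"]
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(message):
            raise ValueError("payload header runs past the end of the message")
        nxt, _reserved, plen = struct.unpack(GENERIC_PAYLOAD_FMT, message[offset:offset + 4])
        if plen < 4 or offset + plen > len(message):
            raise ValueError("bad payload length")
        payloads.append((ptype, message[offset + 4:offset + plen]))
        offset, ptype = offset + plen, nxt
    return payloads


def is_well_formed(message, phase):
    try:
        hdr = parse_isakmp_header(message)
        return not header_problems(hdr, len(message), phase) and walk_payloads(message) is not None
    except ValueError:
        return False


def sample_message():
    """Constructed phase 1 message: header, a nonce payload (type 10), then a vendor ID payload (type 13)."""
    nonce = bytes(range(8))
    vendor = b"vend"
    nonce_payload = struct.pack(GENERIC_PAYLOAD_FMT, 13, 0, 4 + len(nonce)) + nonce
    vendor_payload = struct.pack(GENERIC_PAYLOAD_FMT, PAYLOAD_NONE, 0, 4 + len(vendor)) + vendor
    total = ISAKMP_HEADER_LEN + len(nonce_payload) + len(vendor_payload)
    header = build_isakmp_header(b"\xA1" * 8, bytes(8), 10, 2, 0, 0, total)
    return header + nonce_payload + vendor_payload
```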


Payload Types for ISAKMP

1.5 TRANSPORT LAYER SECURITY: SSLv3 and TLSv1

• Secure Sockets Layer version 3 (SSLv3) was introduced by Netscape Communications
Corporation in 1995.
• SSLv3 was designed with public review and input from industry and was published as an
Internet-Draft document.
• After consensus was reached on Internet standardisation, the Transport Layer Security
(TLS) Working Group was formed within the IETF in order to develop an initial version of TLS as an
Internet standard.
• The first version of TLS is very closely compatible with SSLv3.


1.6 SSL PROTOCOL

• SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
• SSL is not a single protocol but rather two layers of protocols.
• SSL is a layered protocol.

SSL Protocol Architecture


• SSL includes two layers of protocols:
– Three higher-layer protocols:
• SSL Handshake Protocol,
• Change Cipher Spec Protocol (CCSP),
• Alert Protocol.
– SSL Record Protocol.
• Handshake Protocol -- exchanges messages between an SSL-enabled server and an SSL-
enabled client.
• Record Protocol -- defines the format used to transmit data.

• At the lower level, the SSL Record Protocol is layered on top of some reliable transport protocol
such as TCP.


• The SSL Record Protocol takes the upper-layer application message to be transmitted,
fragments the data into manageable blocks, optionally compresses the data, applies a MAC,
encrypts, adds a header, and transmits the result to TCP. The received data is decrypted,
verified, decompressed, reassembled, and then delivered to higher-level clients.

Session and Connection States


There are two defined specifications: SSL session and SSL connection.

SSL session
• An SSL session is an association between a client and a server.
• Sessions are created by the Handshake Protocol.
• They define a set of cryptographic security parameters, which can be shared among multiple
connections.
• Sessions are used to avoid the expensive negotiation of new security parameters for each
connection.
• An SSL session coordinates the states of the client and server.
• When the client or server receives a change cipher spec message, it copies the pending
read state into the current read state.
• When the client or server sends a change cipher spec message, it copies the pending write
state into the current write state.
• When the handshake negotiation is completed, the client and server exchange change
cipher spec messages, and they then communicate using the newly agreed-upon cipher spec.

The session state is defined by the following elements:

• Session identifier: This is a value generated by a server that identifies an active or
resumable session state.
• Peer certificate: This is an X.509 v3 certificate of the peer. This element of the state may be
null.
• Compression method: This is the algorithm used to compress data prior to encryption.
• Cipher spec: This specifies the bulk data encryption algorithm (such as null, DES, etc.) and a
hash algorithm (such as MD5 or SHA-1) used for MAC computation.
• Master secret: This is 48 bytes of secret data used for generating encryption keys,
MAC secrets and IVs.
• Is resumable: This is a flag indicating whether the session can be used to initiate
new connections.


SSL connection
• A connection is a transport (in the OSI layering model definition) that provides a suitable type
of service.
• For SSL, such connections are peer-to-peer relationships and are transient.
• Every connection is associated with one session.

The connection state is defined by the following elements:

• Server and client random: These are byte sequences that are chosen by the server and
client for each connection.
• Server write MAC secret: This is the secret key used in MAC operations on data sent
by the server.
• Client write MAC secret: This is the secret key used in MAC operations on data
sent by the client.
• Server write key: This is the conventional cipher key for data encrypted by the server and
decrypted by the client.
• Client write key: This is the conventional cipher key for data encrypted by the client and
decrypted by the server.
• Initialization vectors: When a block cipher in CBC mode is used, an IV is maintained for
each key.
• Sequence numbers: Each party maintains separate sequence numbers for transmitted and
received messages of each connection. Sequence numbers may not exceed 2^64 − 1.

Difference between Connection & Session

CONNECTION                                               SESSION
Established between two peers with the same roles        Established between client and server
Associated with only one session                         Can have many connections
Can be terminated and re-established within a session    When a session terminates, all its connections also terminate
Negotiation can be skipped                               Requires negotiation
Data can be exchanged after connection establishment     Mere session establishment is not enough for data exchange


SSL Record Protocol


• The SSL Record Protocol provides basic security services to various higher-layer protocols.
• Three upper-layer protocols are defined as part of SSL:
o Handshake Protocol,
o Change Cipher Spec Protocol and
o Alert Protocol.
• The SSL Record Protocol takes an application message to be transmitted, fragments the data
into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a
header, and transmits the result in a TCP segment.
• The received data is decrypted, verified, decompressed, reassembled and then delivered to
higher-level clients. The overall operation of the SSL Record Protocol is shown in the figure.
• Fragmentation: A higher-layer message is fragmented into blocks of 2^14 bytes or less.
• Compression and decompression: All records are compressed using the compression
algorithm defined in the current session state. The compression algorithm translates an
SSLPlaintext structure into an SSLCompressed structure. Compression must be lossless and
may not increase the current length by more than 1024 bytes. If the decompression function
encounters an SSLCompressed fragment that would decompress to a length in excess of 2^14 =
16,384 bytes, it should issue a fatal decompression failure alert.


• MAC: The MAC is computed before encryption. Using a shared secret key, the calculation is
defined as follows:

H1 = hash(MAC-write-secret || pad-1 || seq-num || SSLCompressed.type ||
SSLCompressed.length || SSLCompressed.fragment)
H = hash(MAC-write-secret || pad-2 || H1)

The compressed message plus the MAC are encrypted using symmetric encryption.
The block ciphers being used as encryption algorithms are:
DES(56), Triple DES(168), IDEA(128),
RC5(variable) and Fortezza(80)

where the number inside the brackets indicates the key size. Fortezza is a PCMCIA card that
provides both encryption and digital signing.


• Append SSL record header: The final processing of the SSL Record Protocol is to append
an SSL record header. The composed fields consist of:

– Content type (8 bits): This field is the higher-layer protocol used to process the
enclosed fragment.
– Major version (8 bits): This field indicates the major version of SSL in use. For
SSLv3, the value is 3.
– Minor version (8 bits): This field indicates the minor version of SSL in use. For
SSLv3, the value is 0.
– Compressed length (16 bits): This field indicates the length in bytes of the
plaintext fragment or compressed fragment if compression is required. The
maximum value is 2^14 + 2048.
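An added example, not from the notes, that carries the record-layer steps through in code: fragmentation into 2^14-byte blocks, the two-level SSLv3 MAC with pad-1/pad-2, the 5-byte record header, and the receiver's checks. Compression and the bulk cipher are the null algorithms; the pad-1/pad-2 lengths (48 bytes for MD5, 40 for SHA-1) and the 8-byte sequence number come from the SSL 3.0 specification, and the MAC secret and data are constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14               # 16,384 bytes per record fragment
MAX_RECORD_LENGTH = 2 ** 14 + 2048   # upper bound of the record length field
SSL3_VERSION = (3, 0)
PAD_BYTES = {"md5": 48, "sha1": 40}  # length of pad-1 / pad-2 per hash (SSL 3.0 spec)
CONTENT_APPLICATION_DATA = 23


def fragment(data: bytes):
    """Split a higher-layer message into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def ssl3_mac(mac_secret, seq_num, content_type, frag, hash_name="sha1"):
    """H = hash(secret || pad-2 || hash(secret || pad-1 || seq-num || type || length || fragment))."""
    pad1 = b"\x36" * PAD_BYTES[hash_name]
    pad2 = b"\x5c" * PAD_BYTES[hash_name]
    fields = struct.pack("!QBH", seq_num, content_type, len(frag))  # 64-bit seq, type, length
    inner = hashlib.new(hash_name, mac_secret + pad1 + fields + frag).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()


def build_records(mac_secret, content_type, data, first_seq=0, hash_name="sha1"):
    """Sender: fragment, MAC, frame. Compression and the bulk cipher are null here."""
    records = []
    for i, frag in enumerate(fragment(data)):
        body = frag + ssl3_mac(mac_secret, first_seq + i, content_type, frag, hash_name)
        header = struct.pack("!BBBH", content_type, SSL3_VERSION[0], SSL3_VERSION[1], len(body))
        records.append(header + body)
    return records


def parse_record(mac_secret, record, expected_seq, hash_name="sha1"):
    """Receiver: check the header, then verify the MAC with the sequence number it expects."""
    if len(record) < 5:
        raise ValueError("truncated header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if (major, minor) != SSL3_VERSION:
        raise ValueError("unexpected version")
    if length > MAX_RECORD_LENGTH or len(record) != 5 + length:
        raise ValueError("bad length")
    mac_len = hashlib.new(hash_name).digest_size
    frag, mac = record[5:5 + length - mac_len], record[5 + length - mac_len:]
    if not hmac.compare_digest(ssl3_mac(mac_secret, expected_seq, content_type, frag, hash_name), mac):
        raise ValueError("bad_record_mac")  # also what a replayed or reordered record triggers
    return content_type, frag


def record_status(mac_secret, record, expected_seq, hash_name="sha1"):
    try:
        parse_record(mac_secret, record, expected_seq, hash_name)
        return "ok"
    except ValueError as err:
        return str(err)


def reassemble(mac_secret, records, first_seq=0, hash_name="sha1"):
    """Receiver: verify records in order and hand the joined fragments to the higher layer."""
    out = b""
    for i, rec in enumerate(records):
        _ctype, frag = parse_record(mac_secret, rec, first_seq + i, hash_name)
        out += frag
    return out
```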

SSL Change Cipher Spec Protocol


• The Change Cipher Spec Protocol is the simplest of the three SSL-specific protocols.
• This protocol consists of a single message, which is compressed and encrypted under the current
CipherSpec.
• The message consists of a single byte of value 1.
• The change cipher spec message is sent by both the client and server to notify the receiving
party that subsequent records will be protected under the just-negotiated CipherSpec and keys.
• Reception of this message causes the pending state to be copied into the current state, which
updates the cipher suite to be used on this connection.


SSL Alert Protocol
• The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with
other applications that use SSL, alert messages are compressed and encrypted, as
specified by the current state.
• Each message in this protocol consists of two bytes.
• The first byte takes the value warning (1) or fatal (2) to convey the severity of
the message.
• If the level is fatal, SSL immediately terminates the connection. Other connections on the same
session may continue, but no new connections on this session may be established.
• The second byte contains a code that indicates the specific alert.

Fatal alerts are as follows:


 unexpected_message: An inappropriate message was received.

 bad_record_mac: An incorrect MAC was received.

 decompression_failure: The decompression function received improper input (e.g., unable
to decompress or decompress to greater than maximum allowable length).
 handshake_failure: Sender was unable to negotiate an acceptable set of security
parameters given the options available.

 illegal_parameter: A field in a handshake message was out of range or inconsistent with
other fields.

The remainder of the alerts is the following:


 close_notify: Notifies the recipient that the sender will not send any more messages on this
connection. Each party is required to send a close_notify alert before closing the write side of
a connection.

 no_certificate: May be sent in response to a certificate request if no appropriate certificate is
available.
 bad_certificate: A received certificate was corrupt (e.g., contained a signature that did not
verify).
 unsupported_certificate: The type of the received certificate is not supported.

 certificate_revoked: A certificate has been revoked by its signer.

 certificate_expired: A certificate has expired.

 certificate_unknown: Some other unspecified issue arose in processing the certificate,
rendering it unacceptable.


Handshake Protocol
 The most complex part of SSL is the Handshake Protocol. The SSL handshake protocol
involves using the SSL record protocol to exchange a series of messages between an SSL-
enabled server and an SSL-enabled client when they first establish an SSL connection. This
exchange of messages is designed to facilitate the following actions:

 Authenticate the server to the client.

 Allow the client and server to select the cryptographic algorithms, or ciphers, that they
both support.

 Optionally authenticate the client to the server.

 Use public-key encryption techniques to generate shared secrets.

 Establish an encrypted SSL connection.

 The Handshake Protocol consists of a series of messages exchanged by client and server. All
of these have the format shown in Figure below. Each message has three fields:

 Type (1 byte): Indicates one of the 10 handshake message types; the table of message types
below lists them.

 Length (3 bytes): The length of the message body in bytes.

 Content (≥ 1 byte): The parameters associated with this message; these are listed in the table
below.


 SSL Handshake Protocol Message Types

All the messages can be classified as four phases:


 Phase 1. Establish Security Capabilities

 Phase 2. Server Authentication and Key Exchange

 Phase 3. Client Authentication and Key Exchange

 Phase 4. Finish


Phase 1: Hello Messages for Logical Connection

The client sends a client hello message to which the server must respond with a server hello
message, or else a fatal error will occur and the connection will fail. The client hello and server
hello are used to establish security enhancement capabilities between client and server. The
client hello and server hello establish the following attributes: protocol version, random values
(ClientHello.random and ServerHello.random), session ID, cipher suite and compression
method.

Phase 2: Server Authentication and Key Exchange

Following the hello messages, the server begins this phase by sending its certificate if it needs
to be authenticated. Additionally, a server key exchange message may be sent if it is required
(for example, when the selected cipher suite uses ephemeral Diffie-Hellman). If the server is
authenticated, it may request a certificate from the client, if that is appropriate to the cipher
suite selected. Then the server sends the server hello done message, indicating that the hello
message phase of the handshake is complete, and waits for the client response.

Phase 3: Client Authentication and Key Exchange

If the server has sent a certificate request message, the client must send the certificate
message. The client key exchange message is then sent, and the content of that message will
depend on the public key algorithm selected between the client hello and the server hello. If the
client has sent a certificate with signing ability, a digitally signed certificate verify message is
sent to explicitly verify the certificate.

Phase 4: End of Secure Connection

At this point, a change cipher spec message is sent by the client, and the client copies the
pending CipherSpec into the current CipherSpec. The client then immediately sends the
finished message under the new algorithms, keys and secrets. In response, the server will send
its own change cipher spec message, transfer the pending CipherSpec to the current one, and
then send its finished message under the new CipherSpec. At this point, the handshake is
complete and the client and server may begin to exchange application layer data


1.7 CRYPTOGRAPHIC COMPUTATIONS

The key exchange, authentication, encryption and MAC algorithms are determined by the cipher
suite selected by the server and revealed in the server hello message.

Cryptographic computation involves


- the creation of a shared master secret by means of the key exchange and
- the generation of cryptographic parameters from the master secret.

Computing the Master Secret


 For all key exchange methods, the same algorithm is used to convert the premaster secret into the
master secret.
 In order to create the master secret, a premaster secret is first exchanged between two parties and
then the master secret is calculated from it.

 The master secret is always exactly 48 bytes (384 bits) shared between the client and server.

 The length of the premaster secret is not fixed and will vary depending on the key exchange
method.
 There are two ways for the exchange of the premaster secret:
o RSA: When RSA is used for server authentication and key exchange,

 A 48-byte premaster secret is generated by the client, encrypted with the
 server's public key and sent to the server.
 The server decrypts the ciphertext using its private key to recover the
 premaster secret.
 Both parties then convert the premaster secret into the master secret.
o Diffie-Hellman:
 Both client and server compute the Diffie-Hellman common key.
 This negotiated key is used as the premaster secret and is converted into the
 master secret.

master_secret = MD5(pre_master_secret || SHA('A' || pre_master_secret ||
                    ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA('BB' || pre_master_secret ||
                    ClientHello.random || ServerHello.random)) ||
                MD5(pre_master_secret || SHA('CCC' || pre_master_secret ||
                    ClientHello.random || ServerHello.random))

Each MD5 output is 16 bytes, so the three concatenated outputs give the 48-byte master secret.


where ClientHello.random and ServerHello.random are the two nonce values exchanged in the
initial hello messages.
The generation of the master secret from the premaster secret is shown in Figure.

Converting the Master Secret into Cryptographic Parameters


CipherSpec specifies the bulk data encryption algorithm and a hash algorithm used for MAC
computation, and defines cryptographic attributes such as the hash size.

To generate the key material, the following is computed until enough output has been generated:

key_block = MD5(master_secret || SHA('A' || master_secret ||
                ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA('BB' || master_secret ||
                ServerHello.random || ClientHello.random)) ||
            MD5(master_secret || SHA('CCC' || master_secret ||
                ServerHello.random || ClientHello.random)) || ...

Note that the two random values appear in the opposite order to the master_secret computation.


A,BB,CCC – byte strings 0x41, 0x4242, 0x434343


Figure below illustrates the steps for generation of the key block from the master secret.
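As an added worked example (not part of the original notes), the following Python code implements the two SSLv3 formulas above with only hashlib, then partitions the key block into the MAC secrets, encryption keys and IVs in the order SSLv3 uses. The premaster secret and hello randoms are constructed sample values, not data from a real handshake.

```python
"""SSLv3 master_secret and key_block derivation (added worked example).

Implements the two formulas given above, using only hashlib. The randoms and
premaster secret below are constructed sample values, not real handshake data.
"""
import hashlib


def _mix(secret: bytes, salt: bytes, label: bytes) -> bytes:
    # One MD5(secret || SHA1(label || secret || salt)) term of the SSLv3 KDF.
    inner = hashlib.sha1(label + secret + salt).digest()
    return hashlib.md5(secret + inner).digest()


def ssl3_master_secret(pre_master_secret: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    # Labels 'A', 'BB', 'CCC' give three 16-byte MD5 outputs = 48 bytes.
    salt = client_random + server_random
    return b"".join(_mix(pre_master_secret, salt, lab) for lab in (b"A", b"BB", b"CCC"))


def ssl3_key_block(master_secret: bytes, client_random: bytes,
                   server_random: bytes, length: int) -> bytes:
    # Note the reversed salt order (server random first) compared with master_secret.
    salt = server_random + client_random
    out = b""
    i = 1
    while len(out) < length:
        label = bytes([0x40 + i]) * i   # 'A', 'BB', 'CCC', 'DDDD', ...
        out += _mix(master_secret, salt, label)
        i += 1
    return out[:length]


def ssl3_key_material(pre_master_secret, client_random, server_random,
                      mac_len=20, key_len=24, iv_len=8):
    """Return (master_secret, dict of per-direction secrets).

    Sizes default to SHA-1 MACs, 3DES keys and 8-byte IVs. The key block is
    partitioned in the order SSLv3 uses: client MAC, server MAC, client key,
    server key, client IV, server IV."""
    ms = ssl3_master_secret(pre_master_secret, client_random, server_random)
    block = ssl3_key_block(ms, client_random, server_random,
                           2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    parts, pos = {}, 0
    for name, size in zip(names, sizes):
        parts[name] = block[pos:pos + size]
        pos += size
    return ms, parts


# Constructed sample inputs (RSA key exchange: 2-byte version 0x0300 + 46 random bytes)
PMS = bytes([0x03, 0x00]) + bytes(range(46))
CR = bytes(range(32))
SR = bytes(range(32, 64))

if __name__ == "__main__":
    ms, keys = ssl3_key_material(PMS, CR, SR)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name:24s} {value.hex()}")
```

The key block is consumed strictly in sequence, so a client and server that disagree on any cipher parameter size (for example the MAC length) would derive different keys even from the same master secret.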

1.8 TRANSPORT LAYER SECURITY (TLS):

• TLS is an IETF standardization initiative whose goal is to produce an Internet standard version
of SSL. TLS 1.0 is defined as a Proposed Internet Standard in RFC 2246. RFC 2246 is very similar
to SSLv3, but with a number of minor differences in the areas discussed below.

• The TLS protocol allows client/server applications to communicate across a network in a way
designed to prevent eavesdropping and tampering.
• TLS is the successor to the Secure Sockets Layer (SSL).
• TLS is composed of two layers:
o The TLS Record Protocol and
o The TLS Handshake Protocol.
• The TLS Record Protocol provides connection security with some encryption method such as
the Data Encryption Standard (DES).

• The TLS Record Protocol can also be used without encryption.


• The TLS Handshake Protocol allows the server and client to authenticate each other and to
negotiate an encryption algorithm and cryptographic keys before data is exchanged.

The TLS Handshake Protocol

• The TLS Handshake Protocol first negotiates a key exchange using an asymmetric algorithm
such as RSA or Diffie-Hellman. The TLS Record Protocol then opens an encrypted
channel using a symmetric algorithm such as RC4, IDEA, DES, or 3DES.

The TLS Record Protocol

The TLS Record Protocol is also responsible for ensuring that the communications are not altered in
transit. Hashing algorithms such as MD5 and SHA are used for this purpose.

A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this
handshake, the client and server agree on various parameters used to establish the connection's
security.

 The handshake begins when a client connects to a TLS-enabled server requesting a secure
connection and presents a list of supported CipherSuites (ciphers and hash functions).
 From this list, the server picks a cipher suite that it also supports (in practice the strongest
one, or the first in its own preference order) and notifies the client of the decision.

 The server sends back its identification in the form of a digital certificate. The certificate
usually contains the server name, the trusted certificate authority (CA) that issued it and the
server's public encryption key.

 The client validates the certificate before proceeding: it checks the signature chain up to a
CA it trusts, the validity period and the server name, and may check revocation status with
the CA.
 In order to generate the session keys used for the secure connection, the client encrypts a
random number (the premaster secret) with the server's public key and sends the result to the
server. Only the server should be able to decrypt it, with its private key.

 From this random number and the two hello randoms, both parties generate the same key
material for encryption, decryption and MAC computation.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted
with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails and the connection is not created.


TLS record protocol:

This is the general format of all TLS records.

Field                     Size        Contents
Content type              1 byte      record-layer protocol type (see below)
Version (Major, Minor)    2 bytes     protocol version, e.g. 3, 1 for TLS 1.0
Length                    2 bytes     length of the fragment, bits 15..8 then bits 7..0
Protocol message(s)       variable    the (compressed, encrypted) fragment
MAC                       optional    present once a CipherSpec with a MAC is active
Padding                   variable    block ciphers only

Content type: This field identifies the Record Layer Protocol Type contained in this record.
Content types
Hex    Dec    Type
0x14   20     ChangeCipherSpec
0x15   21     Alert
0x16   22     Handshake
0x17   23     Application
Version Number
The TLS record format is the same as the SSL record format, and the fields in the header
have the same meanings. The one difference is in the version values. For TLS 1.0 (RFC 2246),
the Major Version is 3 and the Minor Version is 1.
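The record header above, the 2-byte alert messages and the 4-byte handshake message header are simple enough to parse by hand. As an added example (not code from the original notes or from any TLS implementation), the following Python parser walks a buffer of records, enforces the record_overflow bound of 2^14 + 2048 bytes, and decodes alert and handshake contents. Decryption and MAC checking are out of scope: the fragments are treated as already-plaintext. The sample byte strings are constructed, not captured traffic.

```python
"""Record-layer parser for TLS 1.0 / SSLv3 records (added example).

Parses the 5-byte record header, enforces the record_overflow bound, and
decodes alert bodies (level, description) and handshake message headers
(1-byte type, 3-byte length). Sample bytes are constructed, not captured.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2 ** 14 + 2048

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {   # the SSLv3/TLS 1.0 alert codes discussed in these notes
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}


def parse_record(buf: bytes):
    """Return (content_type, (major, minor), fragment, remaining_bytes).

    Raises ValueError, prefixed with the alert a receiver would send."""
    if len(buf) < 5:
        raise ValueError("short header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unexpected_message: unknown content type %d" % ctype)
    if major != 3:
        raise ValueError("protocol_version: major version %d" % major)
    if length > MAX_CIPHERTEXT:
        raise ValueError("record_overflow: length %d" % length)
    if len(buf) < 5 + length:
        raise ValueError("short record body")
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length], buf[5 + length:]


def record_error(buf: bytes):
    """Return the alert name the receiver would raise for the first record, or None."""
    try:
        parse_record(buf)
        return None
    except ValueError as err:
        return str(err).split(":")[0]


def parse_alert(fragment: bytes):
    if len(fragment) != 2:
        raise ValueError("decode_error: alert must be exactly 2 bytes")
    level, desc = fragment
    return ALERT_LEVELS.get(level, "?"), ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)


def parse_handshake(fragment: bytes):
    """Split a handshake fragment into (type_name, body) messages."""
    msgs, pos = [], 0
    while pos < len(fragment):
        if len(fragment) - pos < 4:
            raise ValueError("decode_error: truncated handshake header")
        htype = fragment[pos]
        hlen = int.from_bytes(fragment[pos + 1:pos + 4], "big")   # 3-byte length
        body = fragment[pos + 4:pos + 4 + hlen]
        if len(body) != hlen:
            raise ValueError("decode_error: truncated handshake body")
        msgs.append((HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype), body))
        pos += 4 + hlen
    return msgs


def describe_records(buf: bytes):
    """Walk consecutive records and summarise each one."""
    out = []
    while buf:
        ctype, ver, frag, buf = parse_record(buf)
        if ctype == "alert":
            out.append((ctype, ver, parse_alert(frag)))
        elif ctype == "handshake":
            out.append((ctype, ver, [name for name, _ in parse_handshake(frag)]))
        else:
            out.append((ctype, ver, len(frag)))
    return out


# Constructed samples: a TLS 1.0 ServerHelloDone record, then a fatal handshake_failure alert
SAMPLE = (bytes([22, 3, 1, 0, 4]) + bytes([14, 0, 0, 0])
          + bytes([21, 3, 1, 0, 2]) + bytes([2, 40]))
# A header claiming one byte more than the record layer allows
OVERSIZED = bytes([23, 3, 1]) + (2 ** 14 + 2049).to_bytes(2, "big")

if __name__ == "__main__":
    for rec in describe_records(SAMPLE):
        print(rec)
    print("oversized record ->", record_error(OVERSIZED))
```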

Message Authentication Code

There are two differences between the SSLv3 and TLS MAC schemes: the actual algorithm and the
scope of the MAC calculation. TLS makes use of the HMAC algorithm defined in RFC 2104. HMAC is
defined as follows:
HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]

where

H = embedded hash function (for TLS, either MD5 or SHA-1)

M = message input to HMAC

K+ = secret key padded with zeros on the left so that the result is equal to the block length of
the hash code (for MD5 and SHA-1, block length = 512 bits)

ipad = 00110110 (36 in hexadecimal) repeated 64 times (512 bits)

opad = 01011100 (5C in hexadecimal) repeated 64 times (512 bits)


SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key
rather than being XORed with the secret key padded to the block length. The level of security should be
about the same in both cases.

For TLS, the MAC calculation encompasses the fields indicated in the following expression:

HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type ||
          TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)

The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field
TLSCompressed.version, which is the version of the protocol being employed.

Pseudorandom Function

TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data
for purposes of key generation or validation. The objective is to make use of a relatively small shared
secret value but to generate longer blocks of data in a way that is secure from the kinds of attacks
made on hash functions and MACs. The PRF is based on the following data expansion function

P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                       HMAC_hash(secret, A(2) || seed) ||
                       HMAC_hash(secret, A(3) || seed) || . . .

where A() is defined as

A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))

The data expansion function makes use of the HMAC algorithm, with either MD5 or SHA-1 as the
underlying hash function. As can be seen, P_hash can be iterated as many times as necessary to
produce the required quantity of data.

For example, if P_SHA-1 was used to generate 64 bytes of data, it would have to be iterated four times,
producing 80 bytes of data, of which the last 16 would be discarded. In this case, P_MD5 would also
have to be iterated four times, producing exactly 64 bytes of data. Note that each iteration involves two
executions of HMAC, each of which in turn involves two executions of the underlying hash algorithm.


To make PRF as secure as possible, it uses two hash algorithms in a way that should guarantee its
security if either algorithm remains secure. PRF is defined as

PRF(secret, label, seed) = P_MD5(S1, label || seed) ⊕ P_SHA-1(S2, label || seed)

PRF takes as input a secret value, an identifying label, and a seed value and produces an output of
arbitrary length. The output is created by splitting the secret value into two halves (S1 and S2) and
performing P_hash on each half, using MD5 on one half and SHA on the other half. The two results are
exclusive-ORed to produce the output; for this purpose, P_MD5 will generally have to be iterated more
times than P_SHA to produce an equal amount of data for input to the exclusive-OR function.


Alert Codes

TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of
additional codes are defined in TLS; of these, the following are always fatal:

 decryption_failed: A ciphertext decrypted in an invalid way; either it was not an even multiple
of the block length or its padding values, when checked, were incorrect.

 record_overflow: A TLS record was received with a payload (ciphertext) whose length
exceeds 2^14 + 2048 bytes, or the ciphertext decrypted to a length of greater than 2^14 + 1024
bytes.

 unknown_ca: A valid certificate chain or partial chain was received, but the certificate was not
accepted because the CA certificate could not be located or could not be matched with a
known, trusted CA.

 access_denied: A valid certificate was received, but when access control was applied, the
sender decided not to proceed with the negotiation.

 decode_error: A message could not be decoded because a field was out of its specified range
or the length of the message was incorrect.

 export_restriction: A negotiation not in compliance with export restrictions on key length was
detected.

 protocol_version: The protocol version the client attempted to negotiate is recognized but not
supported.

 insufficient_security: Returned instead of handshake_failure when a negotiation has failed
specifically because the server requires ciphers more secure than those supported by the client.


 internal_error: An internal error unrelated to the peer or the correctness of the protocol makes
it impossible to continue.

The remainder of the new alerts are the following:

 decrypt_error: A handshake cryptographic operation failed, including being unable to verify a


signature, decrypt a key exchange, or validate a finished message.

 user_canceled: This handshake is being canceled for some reason unrelated to a protocol
failure.

 no_renegotiation: Sent by a client in response to a hello request or by the server in response
to a client hello after initial handshaking. Either of these messages would normally result in
renegotiation, but this alert indicates that the sender is not able to renegotiate. This message is
always a warning.


Cipher Suites

There are several small differences between the cipher suites available under SSLv3 and under TLS:

 Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception
of Fortezza.

 Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms
found in SSLv3, with the exception of Fortezza.

Client Certificate Types

TLS defines the following certificate types to be requested in a certificate_ request message: rsa_sign,
dss_sign, rsa_fixed_dh, and dss_fixed_dh. These are all defined in SSLv3. In addition, SSLv3 includes
rsa_ephemeral_dh, dss_ephemeral_ dh, and fortezza_kea. Ephemeral Diffie-Hellman involves signing
the Diffie-Hellman parameters with either RSA or DSS; for TLS, the rsa_sign and dss_sign types are
used for that function; a separate signing type is not needed to sign Diffie-Hellman parameters. TLS
does not include the Fortezza scheme.

Certificate_Verify and Finished Messages

In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over
handshake_messages. Recall that for SSLv3, the hash calculation also included the master secret and
pads. These extra fields were felt to add no additional security.

As with the finished message in SSLv3, the finished message in TLS is a hash based on the shared
master_secret, the previous handshake messages, and a label that identifies client or server. The
calculation is somewhat different. For TLS, we have

verify_data = PRF(master_secret, finished_label,
                  MD5(handshake_messages) || SHA-1(handshake_messages))

where finished_label is the string "client finished" for the client and "server finished" for the
server, and the PRF output is truncated to 12 bytes.

Cryptographic Computations

The pre_master_secret for TLS is calculated in the same way as in SSLv3. As in SSLv3, the
master_secret in TLS is calculated as a hash function of the pre_master_secret and the two hello
random numbers. The form of the TLS calculation is different from that of SSLv3 and is defined as
follows:

master_secret =
PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)


The algorithm is performed until 48 bytes of pseudorandom output are produced. The calculation of the
key block material (MAC secret keys, session encryption keys, and IVs) is defined as follows:

key_block =PRF(master_secret, "key expansion",


SecurityParameters.server_random || SecurityParameters.client_random)

until enough output has been generated. As with SSLv3, the key_block is a function of the
master_secret and the client and server random numbers, but for TLS the actual algorithm is different.

Padding

In SSL, the padding added prior to encryption of user data is the minimum amount required so that
the total size of the data to be encrypted is a multiple of the cipher's block length. In TLS, the padding
can be any amount that results in a total that is a multiple of the cipher's block length, up to a
maximum of 255 bytes. For example, if the plaintext (or compressed text if compression is used) plus
MAC plus padding.length byte is 79 bytes long, then the padding length, in bytes, can be 1, 9, 17, and
so on, up to 249. A variable padding length may be used to frustrate attacks based on an analysis of
the lengths of exchanged messages.
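As an added worked example (not code from the original notes), the following Python functions generate TLS padding with a chosen or random amount of extra padding, enumerate the valid padding lengths for the 79-byte case above, and perform the receiver-side check whose failure produces the decryption_failed alert: every padding byte, including the final padding_length byte, must equal padding_length. SSLv3, by contrast, uses the minimum padding and checks only the length byte. The data is a constructed sample, and the check is written for clarity rather than constant time.

```python
"""TLS (RFC 2246) block-cipher padding: generation with a variable amount of
padding and the receiver-side consistency check (added worked example)."""
import secrets


def tls_pad(data: bytes, block_size: int, extra_blocks: int = 0) -> bytes:
    """Append padding so that len(result) is a multiple of block_size.

    data is plaintext||MAC. Every padding byte, including the final
    padding_length byte, holds the value padding_length. extra_blocks adds
    whole blocks of padding to mask the true length (255 bytes maximum)."""
    min_pad = (block_size - (len(data) + 1) % block_size) % block_size
    pad_len = min_pad + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("padding length must fit in one byte")
    return data + bytes([pad_len]) * (pad_len + 1)


def tls_pad_random(data: bytes, block_size: int) -> bytes:
    """Pick a random valid padding length, as RFC 2246 permits."""
    min_pad = (block_size - (len(data) + 1) % block_size) % block_size
    max_extra = (255 - min_pad) // block_size
    return tls_pad(data, block_size, secrets.randbelow(max_extra + 1))


def tls_unpad(block: bytes, block_size: int) -> bytes:
    """Strip and verify padding; ValueError marks a fatal decryption_failed alert."""
    if not block or len(block) % block_size:
        raise ValueError("decryption_failed: not a multiple of the block length")
    pad_len = block[-1]
    if pad_len + 1 > len(block):
        raise ValueError("decryption_failed: padding longer than the record")
    if any(b != pad_len for b in block[-(pad_len + 1):]):
        raise ValueError("decryption_failed: inconsistent padding bytes")
    return block[:-(pad_len + 1)]


def unpad_error(block: bytes, block_size: int):
    """Return the alert a receiver would send for this record, or None if valid."""
    try:
        tls_unpad(block, block_size)
        return None
    except ValueError as err:
        return str(err).split(":")[0]


def valid_padding_lengths(length_with_pad_byte: int, block_size: int):
    """All padding_length values allowed when plaintext+MAC+padding_length byte
    already totals length_with_pad_byte bytes (the notes' 79-byte example)."""
    return [p for p in range(256) if (length_with_pad_byte + p) % block_size == 0]


# Constructed sample: 79 bytes of plaintext||MAC for an 8-byte block cipher
SAMPLE = bytes(range(79))

if __name__ == "__main__":
    print(valid_padding_lengths(79, 8)[:4], "...", valid_padding_lengths(79, 8)[-1])
    padded = tls_pad_random(SAMPLE, 8)
    print(len(padded), "bytes after padding; unpad ok:", tls_unpad(padded, 8) == SAMPLE)
```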



CS 6004 CYBER FORENSICS UNIT – 2

UNIT II
E-MAIL SECURITY & FIREWALLS

PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall
related terminology- Types of Firewalls - Firewall designs - SET for E-Commerce
Transactions.

PGP

 Pretty Good Privacy (PGP) was invented by Philip Zimmermann, who released the first
version in 1991.

 PGP uses a combination of symmetric secret-key and asymmetric public-key
encryption to provide security services for electronic mail and data files.

 It provides authentication and data integrity for messages and data files by means of digital
signatures, and in addition applies compression (ZIP) and radix-64 conversion (ASCII
Armor) to its output.

CONFIDENTIALITY VIA ENCRYPTION


 PGP provides confidentiality by encrypting messages to be transmitted or data files
to be stored locally using encryption algorithm such as IDEA, 3DES or CAST-128.



 In PGP, each symmetric key, known as a session key, is used only once. A new
session key is generated as a random 128-bit number for each message.

 The sequence is:

 The sender creates a message.
 The sending PGP generates a random 128-bit number to be used as a session key.
 The session key is encrypted with RSA, using the recipient's public key.
 The sending PGP encrypts the message, using CAST-128, IDEA or 3DES, with the
session key.
 The receiving PGP uses RSA with its private key to decrypt and recover the
session key.
 The receiving PGP decrypts the message using the session key. If the message
was compressed, it is decompressed.

PREPARED BY SANTHIYA.M/AP/CSE DEPT/REC 1



AUTHENTICATION VIA DIGITAL SIGNATURE

 The digital signature uses a hash code of the message digest algorithm, and a
public-key signature algorithm.

 The sequence is as follows:
 The sender creates a message.
 SHA-1 is used to generate a 160-bit hash code of the message.
 The hash code is encrypted with RSA using the sender's private key, producing the
digital signature.
 The binary signature is attached to the message.
 The receiver uses RSA with the sender's public key to decrypt and recover the
hash code.
 The receiver generates a new hash code for the received message and compares it
with the decrypted hash code. If the two match, the message is accepted as
authentic.


COMPRESSION

 PGP compresses the message after applying the signature but before encryption.
In the PGP processing diagrams, Z denotes compression and Z⁻¹ denotes decompression.

 PGP makes use of a compression package called ZIP which is functionally
equivalent to PKZIP developed by PKWARE, Inc.

 The zip algorithm is perhaps the most commonly used cross-platform compression
technique.

 Two main compression schemes, named after Abraham Lempel and Jakob Ziv, were
first proposed by them in 1977 and 1978.

 These two schemes for text compression (referred to as lossless compression) are
broadly used because they are easy to implement and also fast.

 LZSS is based on the work of Lempel and Ziv. In LZSS, the compressor maintains a
window of size N bytes and a look-ahead buffer.

 Sliding-window-based schemes can be simplified by numbering the input text
characters mod N, in effect creating a circular buffer.

 Combining the ideas of LZ77 and LZ78 produces a hybrid compression algorithm called LZFG.


LZFG uses the standard sliding window, but stores the data in a modified tree
data structure and produces as output the position of the text in the tree.

 Huffman compression is a statistical data compression technique which reduces the


average code length used to represent the symbols of an alphabet.

RADIX-64 CONVERSION

 PGP provides the service of converting the raw 8-bit binary octets to a stream of
printable 7-bit ASCII characters, called radix-64 encoding or ASCII Armor.

 Each group of three octets of binary data is mapped into four ASCII characters.

 Example :

Consider the mapping of a 24-bit input (a block of three octets) into a four-
character output, i.e. four 8-bit ASCII characters forming a 32-bit block.

o The 24-bit raw text is:

10110010 01100011 00101001

o The hexadecimal representation of this text sequence is b2 63 29.

o Arranging the input sequence in blocks of 6 bits yields:

101100 100110 001100 101001

o The extracted 6-bit decimal values are 44, 38, 12, 41.

o The radix-64 encoding of these decimal values produces the following


characters:

smMp

o If these characters are stored in 8-bit ASCII format with zero parity, the
hexadecimal representation is as follows:

73 6d 4d 70

o In binary representation, this becomes:

01110011 01101101 01001101 01110000


ASCII Armor Format

 When PGP encodes data into ASCII Armor, it puts specific headers around the data,
so that PGP can reconstruct the data later.

 PGP informs the user about what kind of data is encoded in ASCII Armor through
the use of the headers.

 Concatenating the following data creates ASCII Armor:

An Armor head line

It consists of the appropriate header line text surrounded by five dashes ('-',
0x2D) on either side, for example -----BEGIN PGP MESSAGE-----.

Armor headers

These are key: value pairs of strings that give the user or the receiving PGP
implementation some information about how to decode or use the message.

A blank line

A line of zero length, or one containing only white space, separates the headers from the data.

ASCII-Armored data

An arbitrary file can be converted to ASCII-Armoured data.

Armor checksum

It is a 24-bit CRC converted to four characters of radix-64 encoding by the


same MIME base 64 transformation, preceded by an equals sign (=).

Armor tail

It is composed in the same manner as the Armor header line, except the string
‘BEGIN’ is replaced by the string ‘END’.

Encoding Binary in Radix-64

 The encoding process represents three 8-bit input groups as output strings of four
encoded characters.

 These 24 bits are then treated as four concatenated 6-bit groups, each of which is
translated into a single character in the radix-64 alphabet.

 Each 6-bit group is used as an index. The character referenced by the index is placed
in the output string.
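As an added worked example (not PGP's own code), the following Python implements the radix-64 mapping described above, reproduces the b2 63 29 to smMp example, and frames the result in ASCII Armor with the head line, headers, blank line, data lines, =checksum and tail. The page does not give the CRC parameters; the polynomial 0x1864CFB and initial value 0xB704CE used here are the OpenPGP CRC-24 from RFC 4880, so the checksum line is an assumption beyond the text. The payload is constructed sample data.

```python
"""Radix-64 encoding and ASCII Armor framing (added worked example).

The radix-64 alphabet and the 3-octet -> 4-character mapping follow the text
above; the CRC-24 parameters are the OpenPGP ones (RFC 4880), which the text
does not quote. Sample data is constructed."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def radix64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")     # 24-bit group
        sextets = [(n >> s) & 0x3F for s in (18, 12, 6, 0)]    # four 6-bit indices
        chars = [ALPHABET[x] for x in sextets]
        pad = 3 - len(chunk)                                   # '=' marks a short final group
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    text = text.rstrip("=")
    bits = "".join(format(ALPHABET.index(c), "06b") for c in text)
    usable = len(bits) - len(bits) % 8                        # drop the padding bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def crc24(data: bytes) -> int:
    # OpenPGP CRC-24 (RFC 4880): generator 0x1864CFB, initial value 0xB704CE.
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP MESSAGE", headers=None, width: int = 64) -> str:
    """Armor head line, headers, blank line, data lines, =checksum, armor tail."""
    body = radix64_encode(data)
    lines = ["-----BEGIN %s-----" % block_type]
    lines += ["%s: %s" % item for item in (headers or {}).items()]
    lines.append("")
    lines += [body[i:i + width] for i in range(0, len(body), width)]
    lines.append("=" + radix64_encode(crc24(data).to_bytes(3, "big")))
    lines.append("-----END %s-----" % block_type)
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Parse an armored block, verify the CRC-24 and return the raw octets."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor head line or tail")
    blank = lines.index("")                                   # end of the armor headers
    payload = lines[blank + 1:-1]
    data = radix64_decode("".join(l for l in payload if not l.startswith("=")))
    checksum = [l for l in payload if l.startswith("=")]
    if not checksum:
        raise ValueError("missing armor checksum")
    expected = int.from_bytes(radix64_decode(checksum[0][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch")
    return data


SAMPLE = bytes([0xB2, 0x63, 0x29])     # the 24-bit example from the notes

if __name__ == "__main__":
    print(radix64_encode(SAMPLE))        # smMp
    print(armor(b"constructed sample payload", headers={"Version": "example"}))
```

The checksum only detects transmission damage; it carries no security. Integrity of an armored PGP message comes from the signature packet inside it, not from the =checksum line.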


PACKET HEADERS
 A PGP message is constructed from a number of packets.

 A packet is a chunk of data which has a tag specifying its meaning. Each packet
consists of a packet header of variable length, followed by the packet body. The first
octet of the packet header is called the packet tag.


 The packet tag denotes what type of packet the body holds. The defined tags are:

0–Reserved
1–Session key packet encrypted by public key
2–Signature packet
3–Session key packet encrypted by symmetric key
4–One-pass signature packet
5–Secret-key packet
6–Public-key packet
7–Secret-subkey packet
8–Compressed data packet
9–Symmetrically encrypted data packet
10–Marker packet
11–Literal data packet
12–Trust packet
13–User ID packet
14–Public sub key packet
60 ∼ 63–Private or experimental values

PGP PACKET STRUCTURE

 A PGP message consists of:

o a message packet,
o a signature packet and
o a session key packet.

Message Packet

 This packet includes the actual data to be transmitted or stored as well as a header
that includes control information generated by PGP such as a filename and a
timestamp.

 A timestamp specifies the time of creation. The message component consists of a
single literal data packet.

Signature Packet (Tag 2)

 This packet describes a binding between some public key and some data. The most
common signatures are a signature of a file or a block of text, and a signature that is
a certification of a user ID.

 The signature includes the following components:


Timestamp: represents the time at which the signature was created.

Message digest (or hash code):

The hash code is the 160-bit SHA-1 digest, encrypted (signed) with the sender's
private key. The hash code is calculated over the signature timestamp
concatenated with the data portion of the message component.

Session Key Packets (Tag 1)

 It includes the session key and the identifier of the receiver’s public key that was
used by the sender to encrypt the session key.

 The body of this session key component consists of:

 A one-octet version number, which is 3.
 An eight-octet key ID of the public key that the session key is encrypted to.
 A one-octet number giving the public-key algorithm used.
 A string of octets that is the encrypted session key.
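The packet tag table and the session key packet layout above are enough to write a small parser. The following Python is an added worked example (not PGP's own code): it reads OpenPGP packet headers, maps tags to the names listed above, and decodes the body of a tag-1 session key packet. The header bit layout (bit 7 always set, bit 6 selecting the old or new header format, old-format length-type in bits 1..0) and the new-format length encoding are taken from RFC 4880, which the notes do not quote; the public-key algorithm numbers are likewise assumed from that RFC. The input bytes are constructed, not real PGP output.

```python
"""Parser for OpenPGP packet headers and for the body of a public-key
encrypted session key packet (tag 1), added as a worked example. The header
bit layout and length encodings follow RFC 4880. Inputs are constructed."""

PACKET_TAGS = {
    0: "Reserved", 1: "Public-key encrypted session key", 2: "Signature",
    3: "Symmetric-key encrypted session key", 4: "One-pass signature",
    5: "Secret-key", 6: "Public-key", 7: "Secret-subkey", 8: "Compressed data",
    9: "Symmetrically encrypted data", 10: "Marker", 11: "Literal data",
    12: "Trust", 13: "User ID", 14: "Public-subkey",
}
PUBKEY_ALGOS = {1: "RSA (encrypt or sign)", 2: "RSA encrypt-only", 16: "Elgamal encrypt-only"}


def parse_packet_header(buf: bytes, pos: int = 0):
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                         # new-format header: tag in bits 5..0
        tag = first & 0x3F
        b1 = buf[pos + 1]
        if b1 < 192:                         # one-octet length
            return tag, pos + 2, b1
        if b1 < 224:                         # two-octet length
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:                        # five-octet length
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    tag = (first >> 2) & 0x0F                # old-format header: tag in bits 5..2
    ltype = first & 0x03                     # length-type in bits 1..0
    if ltype == 3:                           # indeterminate length: rest of the input
        return tag, pos + 1, len(buf) - pos - 1
    nbytes = {0: 1, 1: 2, 2: 4}[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def parse_packets(buf: bytes):
    """Yield (tag_name, body) for each packet in buf."""
    pos = 0
    while pos < len(buf):
        tag, off, length = parse_packet_header(buf, pos)
        body = buf[off:off + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        name = PACKET_TAGS.get(tag, "Private/experimental" if 60 <= tag <= 63
                               else "Unknown(%d)" % tag)
        yield name, body
        pos = off + length


def parse_session_key_packet(body: bytes):
    """Tag 1 body: version (1 octet, value 3), key ID (8), algorithm (1), encrypted key."""
    if body[0] != 3:
        raise ValueError("unsupported session key packet version %d" % body[0])
    return {"version": body[0],
            "key_id": body[1:9].hex(),
            "algorithm": PUBKEY_ALGOS.get(body[9], "unknown(%d)" % body[9]),
            "encrypted_session_key": body[10:]}


# Constructed sample: an old-format tag-1 packet (0x85 = 1000 0101: tag 1, 2-byte length)
# followed by a new-format literal data packet (0xCB = 1100 1011: tag 11, 1-byte length).
SESSION_BODY = bytes([3]) + bytes.fromhex("0123456789abcdef") + bytes([1]) + b"E(k_session)"
SAMPLE = (bytes([0x85]) + len(SESSION_BODY).to_bytes(2, "big") + SESSION_BODY
          + bytes([0xCB, 3]) + b"msg")

if __name__ == "__main__":
    packets = list(parse_packets(SAMPLE))
    for name, body in packets:
        print(name, body)
    print(parse_session_key_packet(packets[0][1]))
```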


KEY MATERIAL PACKET


 A key material packet contains all the information about a public or private key.

 There are four variants of this packet type and two versions.

Public-key packet (tag 6): This packet starts a series of packets that forms a
PGP 5.x key.

Public sub key packet (tag 14): This packet has exactly the same format as a
public key packet, but denotes a sub key. One or more sub keys may be
associated with a top-level key. The top-level key provides signature services,
and the sub keys provide encryption services. PGP 2.6.x ignores public-sub
key packets.

Secret-key packet (tag 5): This packet contains all the information that is
found in a public-key packet, including the public-key materials, but also
includes the secret-key material after all the public-key fields.

Secret-sub key packet (tag 7): A secret-sub key packet is the sub key
analogous to the secret-key packet and has exactly the same format.

ALGORITHMS FOR PGP


5.x Public-Key Algorithms

Symmetric-Key Algorithms


Compression Algorithm

Hash Algorithms

S/MIME

 Secure/Multipurpose Internet Mail Extension (S/MIME) provides a consistent


means to send and receive secure MIME data.

 S/MIME, based on the Internet MIME standard, is a security enhancement to
cryptographic electronic messaging.

MIME
 MIME was defined to allow transmission of non-ASCII data through e-mail.

 MIME allows arbitrary data to be encoded in ASCII and then transmitted in a
standard e-mail message. It is a supplementary protocol that allows non-ASCII data
to be sent through SMTP.


 The MIME standard provides a general structure for the content type of Internet
messages and allows extensions for new content-type applications.

MIME Description

 MIME transforms non-ASCII data at the sender’s site to NVT ASCII data and
delivers it to the client SMTP to be sent through the Internet.

 The server SMTP at the receiver’s site receives the NVT ASCII data and delivers it
to MIME to be transformed back to the original non-ASCII data.

MIME Header

 MIME defines five headers:

o MIME-Version
o Content-Type
o Content-Transfer-Encoding
o Content-Id
o Content-Description


MIME Version

This header defines the version of MIME used. The current version is 1.0.

Content Type

This header defines the type of data used in the message body. The content
type and the content subtype are separated by a slash.

MIME allows seven different types of data:

 Text: The original message is in 7-bit ASCII format.

 Multipart: The body contains multiple, independent parts. The
multipart header needs to define the boundary between each part. Each
part has a separate content type and encoding.

o The multipart/signed content type specifies how to support
authentication and integrity services via digital signature.
o The multipart/encrypted content type specifies how to
support confidentiality via encryption.

 Message: It represents the whole mail message, a part of a mail
message or a pointer to the message. Three subtypes are currently used:

o RFC 2822,
o Partial or
o External body.

 Image: It represents a stationary image. The two subtypes used are

o Joint Photographic Experts Group (JPEG) and
o Graphics Interchange Format (GIF).

 Video: It is a time-varying image (animation). The only subtype is
Motion Picture Experts Group (MPEG). If the animated image contains
sound, it must be sent separately using the audio content type.

 Audio: It contains sound. The only subtype is basic, which uses 8 kHz
standard audio data.

 Application: There are only two subtypes used currently:

o Octet-stream and
o PostScript.

Octet-stream is used when the data represents a sequence of binary data
consisting of 8-bit bytes. PostScript is used when the data is in Adobe
PostScript format for printers that support PostScript.

Content Transfer Encoding

This header defines the method to encode the messages into ones and zeros for
transport.

There are five types of encoding:

o 7bit: 7-bit NVT ASCII characters and short lines
o 8bit: Non-ASCII characters and short lines
o Binary: Non-ASCII characters with unlimited-length lines
o Base64: 6-bit blocks of data encoded into 8-bit ASCII characters
o Quoted-printable: Non-ASCII characters encoded as an equals sign followed by an
ASCII code
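The two non-trivial encodings above, worked through by hand as an added example (not code from the course notes): quoted-printable turns each non-ASCII byte into "=" plus its hex code, base64 regroups the input into 6-bit blocks, and a small chooser picks the header value a sending agent would use. The sample bodies are constructed; the hand-rolled encoders are cross-checked against Python's base64 and quopri modules.

```python
"""Content-Transfer-Encoding worked through by hand. Quoted-printable keeps
printable ASCII as-is and turns every other byte (and '=' itself) into '='
plus its two-digit hex code; base64 regroups the input into 6-bit blocks and
emits each block as one printable ASCII character. Added example, not code
from the course notes; sample bodies are constructed."""

import base64
import quopri

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")
MAX_LINE = 998  # longest line SMTP must accept (RFC 5322), excluding CRLF


def is_7bit(data: bytes) -> bool:
    """True when the body is 7-bit ASCII with short lines, i.e. it can be
    sent with Content-Transfer-Encoding: 7bit."""
    return (all(b < 0x80 for b in data)
            and all(len(line) <= MAX_LINE for line in data.split(b"\n")))


def quoted_printable_encode(data: bytes) -> bytes:
    """Minimal quoted-printable: printable ASCII (except '=') and line ends
    pass through, everything else becomes '=XX'. Soft line breaks omitted."""
    out = bytearray()
    for b in data:
        if b in (0x0A, 0x0D) or (0x20 <= b < 0x7F and b != 0x3D):
            out.append(b)
        else:
            out += b"=%02X" % b
    return bytes(out)


def base64_encode(data: bytes) -> bytes:
    """Textbook base64: 3 input bytes (24 bits) -> four 6-bit blocks, each
    mapped to one alphabet character; '=' pads a short final group."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)  # 0, 1 or 2 missing input bytes
        if pad:
            chars[4 - pad:] = ["="] * pad
        out.append("".join(chars))
    return "".join(out).encode("ascii")


def choose_transfer_encoding(body: bytes):
    """Pick the header value a sending agent would use: 7bit when the body
    is already safe, otherwise whichever of quoted-printable and base64
    gives the shorter encoded body. Returns (header value, encoded body)."""
    if is_7bit(body):
        return "7bit", body
    qp = quoted_printable_encode(body)
    b64 = base64_encode(body)
    if len(qp) <= len(b64):
        return "quoted-printable", qp
    return "base64", b64


# Constructed sample bodies: plain ASCII, mostly-ASCII text with one UTF-8
# accented character, and an opaque binary blob.
ASCII_BODY = b"Meeting moved to 10:00, room 204.\n"
TEXT_BODY = b"Hello from Chennai, caf\xc3\xa9 menu attached.\n"
BINARY_BODY = bytes(range(256))


def cross_check(samples=(b"", b"M", b"Ma", b"Man", TEXT_BODY, BINARY_BODY)) -> bool:
    """Agree with the standard library: base64 byte-for-byte, quoted-printable
    via round trip (quopri folds long lines, so its output is not compared)."""
    return all(base64_encode(s) == base64.b64encode(s)
               and quopri.decodestring(quoted_printable_encode(s)) == s
               for s in samples)
```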

Content Id

This header uniquely identifies the whole message in a multiple-message
environment: Content Id: id = <content id>

Content Description

This header defines whether the body is image, audio or video:

Content Description: <description>


S/MIME
 S/MIME provides a way to send and receive 7-bit MIME data. S/MIME can be
used with any system that transports MIME data.

Definitions

 ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.680–689.

 BER: Basic Encoding Rules for ASN.1, as defined in ITU-T X.690.

 DER: Distinguished Encoding Rules for ASN.1, as defined in ITU-T X.690.

 Certificate: A type that binds an entity’s distinguished name to a public key with a
digital signature. This type is defined in the PKIX certificate and CRL profile. The
certificate also contains the distinguished name of the certificate issuer (the
signer), an issuer-specific serial number, the issuer’s signature algorithm identifier, a
validity period and extensions also defined in that certificate.

 CRL: The Certificate Revocation List that contains information about certificates
whose validity the issuer has prematurely revoked. The information consists of an
issuer name, the time of issue, the next scheduled time of issue, a list of certificate
serial numbers and their associated revocation times, and extensions. The CRL is
signed by the issuer.

 Attribute certificate: An X.509 AC is a separate structure from a subject’s PKIX
certificate. A subject may have multiple X.509 ACs associated with each of its
PKIX certificates. Each X.509 AC binds one or more attributes to one of the
subject’s PKIX certificates.

 Sending agent: Software that creates S/MIME CMS objects, MIME body parts that
contain CMS objects, or both.

 Receiving agent: Software that interprets and processes S/MIME CMS objects,
MIME parts that contain CMS objects, or both.

 S/MIME agent: User software that is a receiving agent, a sending agent, or both.

Cryptographic Message Syntax (CMS) Options

 CMS provides additional details regarding the use of the cryptographic algorithms.

DigestAlgorithmIdentifier

o This type identifies a message digest algorithm which maps the message
to the message digest. Sending and receiving agents must support SHA-1.
Receiving agents should support MD5 for the purpose of providing
backward compatibility with MD5-digested S/MIME v2 SignedData
objects.

SignatureAlgorithmIdentifier

o Sending and receiving agents must support id-dsa defined in DSS.
Receiving agents should support rsaEncryption, defined in PKCS #1.

KeyEncryptionAlgorithmIdentifier

o This type identifies a key encryption algorithm under which a content
encryption key can be encrypted.
o Sending and receiving agents must support Diffie–Hellman key
exchange.
o Receiving agents should support rsaEncryption.
o Incoming encrypted messages contain symmetric keys which are to be
decrypted with a user’s private key.

 The six different content types are:

o Data content type: This type consists of arbitrary octet strings, such as
ASCII text files. The strings need not have any internal structure.

o Signed data content type: This type consists of content of any type and
encrypted message digests of the content for zero or more signers. Any
type of content can be signed by any number of signers in parallel.

o Enveloped data content type: This content type is used to apply privacy
protection to a message. The type consists of encrypted content of any type
and encrypted content-encryption keys for one or more recipients. The
combination of encrypted content and encrypted content-encryption key for
a recipient is called a digital envelope for that recipient.

o Signed-and-enveloped data content type

o Digested data content type: This type consists of content of any type and a
message digest of the content. A typical application of the digested-data
content type is to add integrity to content of the data content type, and the
result becomes the content input to the enveloped-data content type.

o Encrypted data content type: This type consists of encrypted content of any
type.

Enhanced Security Services for S/MIME

 The security service of S/MIME uses the concept of triple wrapped message.

 A triple wrapped message is one that has been signed, then encrypted and then
signed again. The signers of the inner and outer signatures may be different entities
or the same entity.

 The steps to create a triple wrapped message :

1. Start with the original content (a message body).
2. Encapsulate the original content with the appropriate MIME content-type
headers.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The
resulting message is called the inside signature.
5. Encrypt the step 4 result as a single block, turning it into an
application/pkcs7-mime object.
6. Add the appropriate MIME headers: a content type of application/pkcs7-mime
with parameters, and optional MIME headers such as Content-Transfer-Encoding
and Content-Disposition.
7. Sign the step 6 result (the MIME headers and the encrypted body) as a single
block.
8. Using the same logic as in step 4, add an appropriate MIME construct to the
signed message from step 7. The resulting message is called the outside
signature, and is also the triple wrapped message.

INTERNET FIREWALLS FOR TRUSTED SYSTEMS

 A firewall is a device or group of devices that controls access between networks.


 A firewall generally consists of filters and gateway(s).



 A firewall is a security gateway that controls access between the public Internet and
an intranet (a private internal network) and is a secure computer system placed
between a trusted network and an untrusted internet.

 A firewall is an agent which screens network traffic in some way, blocking traffic
it believes to be inappropriate, dangerous, or both.

 Firewalls act as an intermediate server in handling SMTP and HTTP connections
in either direction.

 Firewalls can be classified into three main categories:

o Packet filters,
o Circuit-level gateways and
o Application-level gateways.

ROLE OF FIREWALLS
 The firewall imposes restrictions on packets entering or leaving the private
network.

o All traffic from inside to outside, and vice versa, must pass through the
firewall, but only authorized traffic will be allowed to pass.

 Firewalls create checkpoints or choke points between an internal private network
and an untrusted Internet.

o Once the choke points have been clearly established, the device can monitor,
filter and verify all inbound and outbound traffic.

 The firewall may filter on the basis of IP source and destination addresses and TCP
port number.

 The firewall also enforces logging, and provides alarm capabilities. By placing
logging services at firewalls, security administrators can monitor all access to and
from the Internet.

 Firewalls may block TELNET or RLOGIN connections from the Internet to the
intranet.

o They also block SMTP and FTP connections to the Internet from internal
systems not authorised to send e-mail or to move files.


 The firewall provides protection from various kinds of IP spoofing and routing
attacks.

 It can also serve as the platform for IPsec.

 The firewall can be used to implement Virtual Private Networks (VPNs). A VPN
encapsulates all the encrypted data within an IP packet.

 A firewall can limit network exposure by hiding the internal network systems and
information from the public Internet.

 Drawbacks

o It cannot protect against internal threats such as an employee who cooperates
with an external attacker;
o It is also unable to protect against the transfer of virus-infected programs or
files because it is impossible for it to scan all incoming files, e-mail and
messages for viruses.

FIREWALL-RELATED TERMINOLOGY

Bastion Host

 A bastion host is a publicly accessible device for the network’s security, which has
a direct connection to a public network such as the Internet.

 The bastion host serves as a platform for any one of the three types of firewalls:

o Packet filter,
o Circuit-level gateway or
o Application-level gateway.

 The bastion host’s role falls into the following three common types:

Single-homed bastion host


o This is a device with only one network interface, used for an application-
level gateway.
o The external router is configured to send all incoming data to the bastion
host, and all internal clients are configured to send all outgoing data to the
host.

Dual-homed bastion host


o It consists of at least two network interfaces.

o Dual-homed bastion hosts serve as application-level gateways, and as packet
filters and circuit-level gateways as well.

Multi-homed bastion host


o Single-purpose or internal bastion hosts can be classified as either single-
homed or multihomed bastion hosts.
o A tri-homed firewall connects three network segments with different
network addresses.

Proxy Server

 Proxy servers are used to communicate with external servers on behalf of internal
clients.

 Proxy server typically refers to an application-level gateway, although a circuit-
level gateway is also a form of proxy server.

o Application proxies forward packets only when a connection has been
established using some known protocol. When the connection closes, a
firewall using application proxies rejects individual packets, even if they
contain port numbers allowed by a rule set.

o Circuit proxies always forward packets containing a given port number if that
port number is permitted by the rule set. Circuit proxies are static: they are
configured to allow access only to specific host systems.

SOCKS

 The SOCKS protocol version 4 provides for unsecured firewall traversal for TCP-
based client/server applications, including HTTP, TELNET and FTP.

 When a TCP-based client wishes to establish a connection to an object that is
reachable only via a firewall, it must open a TCP connection to the appropriate
SOCKS port on the SOCKS server system.

 The SOCKS service is conventionally located at TCP port 1080.

 If the connection request succeeds, the client enters negotiation for the
authentication method to be used, authenticates with the chosen method, and then
sends a relay request.

 The SOCKS server evaluates the request, and either establishes the appropriate
connection or denies it.


CHOKE POINT

 A choke point is the point at which a public internet can access the internal
network.

 Once these choke points have been clearly established, the firewall devices can
monitor, filter and verify all inbound and outbound traffic.

DE-MILITARISED ZONE (DMZ)

 The DMZ is a network that lies between an internal private network and the external
public network.

 DMZ networks are sometimes called perimeter networks.

 A DMZ is used as an additional buffer to further separate the public network from
the internal network.

LOGGING AND ALARMS

 Logging is usually implemented at every device in the firewall, but these individual
logs combine to become the entire record of user activity.

 The audit log is an essential tool for detecting and terminating intruder attacks.

VPN

 VPNs provide secure external access to internal resources.



 All VPNs are tunneling protocols in the sense that their information packets or
payloads are encapsulated or tunneled into the network packets.

 The VPN encapsulates all the encrypted data within an IP packet. Authentication,
message integrity and encryption are very important fundamentals for implementing
a VPN.

TYPES OF FIREWALLS
 Firewalls are classified into three common types:

1. Packet filters,
2. Circuit-level gateways and
3. Application-level gateways

1. Packet Filters
 Packet filters are firewalls that process network traffic on a packet-by-packet basis.


 A packet filter’s main function is to filter traffic from a remote IP host, so a router is
needed to connect the internal network to the Internet.

 A packet filter is a device which inspects or filters each packet at a screening router
for the content of IP packets.

 The screening router is configured to filter packets from entering or leaving the
internal network.

 The routers can easily compare each IP address to a filter or a series of filters. The
type of router used in a packet-filtering firewall is known as a screening router.

 Packet filters typically set up a list of rules that are sequentially read line by line.

 Packet-filtering rules can be applied based on source and destination IP addresses
or network addresses, and TCP or UDP ports.

 Packet filters are read and then treated on a rule-by-rule basis.

 A packet filter will provide two actions,

o Forward or
o Discard.

 If the action is forward, the packet is routed as normal when all conditions within
the rule are met.

 The discard action will block all packets if the conditions in the rule are not met.

Packet-Filtering Rules

 A packet filter applies a set of rules to each incoming IP packet and then
forwards or discards the packet.

 The packet filter typically sets up a list of rules which may match fields in the IP
or TCP header.

 If there is a match to one of the rules, that rule is able to determine whether to
forward or discard the packet.

 If there is no match to any rule, one of the two default actions (forward or
discard) is taken.

TELNET packet filtering

 TELNET is a simple remote terminal access that allows a user to log onto a
computer across an internet.

 TELNET client software allows the user to specify a remote machine either by
giving its domain name or IP address.

 TELNET can be used to administer a UNIX machine.

 TELNET sends all user names and passwords in plaintext. Experienced hackers
can hijack a TELNET session in progress.

 TELNET runs on TCP port 23.

Example:

 To disable the ability to TELNET into internal devices from the Internet, the
rules listed in the table tell the router to discard any packet going to or coming
from TCP port 23.

o An asterisk (*) in a field indicates any value in that particular field.
o The packet-filtering rule sets are executed sequentially, from top to
bottom.
o If a packet is passed through the filter and has a source port of 23, it will
immediately be discarded. If a packet with a destination port of 23 is
passed through this filter, it is discarded only after rule 2 has been applied.
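The sequential rule evaluation just described, as an added example (not code from the course notes): a rule matches when every non-wildcard field equals the packet's, the first match decides, and a default action applies when nothing matches. The TELNET rule table and the sample packets are constructed to reproduce the text's example (rule 1 on source port 23, rule 2 on destination port 23).

```python
"""Sequential packet-filter evaluation as in the TELNET example: rules are
read top to bottom, an asterisk matches any value in a field, the first
matching rule decides forward/discard, and a default action applies when
no rule matches. Added illustration, not code from the course notes; the
rule table and packets below are constructed."""

from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"  # wildcard: any value in that particular field
FIELDS = ("src_addr", "dst_addr", "protocol", "src_port", "dst_port")


@dataclass(frozen=True)
class Rule:
    action: str           # "forward" or "discard"
    src_addr: str = ANY   # IP address or network, or "*"
    dst_addr: str = ANY
    protocol: str = ANY   # "tcp" or "udp"
    src_port: str = ANY   # ports kept as strings so "*" fits naturally
    dst_port: str = ANY

    def matches(self, pkt: dict) -> bool:
        """A rule matches when every non-wildcard field equals the packet's."""
        return all(getattr(self, f) == ANY or getattr(self, f) == str(pkt[f])
                   for f in FIELDS)


def filter_packet(rules, pkt, default="discard") -> Tuple[str, Optional[int]]:
    """Apply the rules sequentially; return (action, 1-based rule number),
    or (default action, None) when nothing matched."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default, None


def packet(src_addr, dst_addr, protocol, src_port, dst_port) -> dict:
    """Just the header fields a screening router looks at."""
    return {"src_addr": src_addr, "dst_addr": dst_addr, "protocol": protocol,
            "src_port": src_port, "dst_port": dst_port}


# Constructed TELNET filter: discard anything coming from or going to TCP
# port 23, then forward everything else. Address columns are left as "*",
# as in the text's example.
TELNET_RULES = [
    Rule("discard", protocol="tcp", src_port="23"),  # rule 1
    Rule("discard", protocol="tcp", dst_port="23"),  # rule 2
    Rule("forward"),                                 # rule 3: catch-all
]

# Constructed sample packets (documentation address ranges).
TELNET_REPLY = packet("203.0.113.7", "192.0.2.10", "tcp", 23, 40001)
TELNET_LOGIN = packet("203.0.113.7", "192.0.2.10", "tcp", 40002, 23)
WEB_REQUEST = packet("203.0.113.7", "192.0.2.10", "tcp", 40003, 80)


def demo() -> dict:
    """Trace each sample packet through the table; returns the decisions."""
    return {name: filter_packet(TELNET_RULES, pkt)
            for name, pkt in (("telnet reply", TELNET_REPLY),
                              ("telnet login", TELNET_LOGIN),
                              ("web request", WEB_REQUEST))}
```

Note that the two TCP rules say nothing about UDP port 23, and that without the catch-all rule 3 the outcome for unmatched traffic depends entirely on the default action.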

FTP packet filtering

 FTP is the first protocol for transferring or moving files across the Internet.

 The FTP service is typically associated with using TCP ports 20 and 21.

 Each FTP server has a command channel, where the requests for data and
directory listings are issued, and a data channel, over which the requested data is
delivered.

 FTP operates in two different modes:

o Active
o Passive

 In active mode, an FTP server receives commands on TCP/IP port 21 and
exchanges data with the client.

SMTP packet filtering

 On the Internet, e-mail exchanges between mail servers are handled with SMTP.

 It is the protocol that transfers e-mail from one server to another, and it provides
a basic e-mail facility for transferring messages among separate hosts.

 SMTP receivers use TCP port 25; SMTP senders use a randomly selected port
above 1023.

 Most e-mail messages are addressed with hostnames instead of IP addresses, and
the SMTP server uses DNS (Directory and Naming Services) to determine the
matching IP address.

 If the same machines handle internal and external mail delivery, a hacker who
can spoof DNS information may be able to cause mail that was intended for
internal destinations to be delivered to an external host.

2. Circuit-Level Gateways

 The circuit-level gateway represents a proxy server that defines what traffic will
be forwarded.

 Circuit proxies always forward packets containing a given port number if that port
number is permitted by the rule set.

 A circuit-level gateway operates at the network level of the OSI model.

 This gateway acts as an IP address translator between the Internet and the internal
system.

 Advantages:

o Its ability to provide Network Address Translation (NAT). NAT hides the
internal IP address from the Internet.
o NAT is the primary advantage of circuit-level gateways and provides security
administrators with great flexibility when developing an address scheme
internally.

3. Application-Level Gateways

 The application-level gateway represents a proxy server, performing at the TCP/IP
application level.

 Application proxies forward packets only when a connection has been established
using some known protocol.

 When the connection closes, a firewall using application proxies rejects individual
packets, even if the packets contain port numbers allowed by a rule set.

 The application gateway analyses the entire message instead of individual packets
when sending or receiving data.

o When an inside host initiates a TCP/IP connection, the application gateway
receives the request and checks it against a set of rules or filters.

o The application gateway will then initiate a TCP/IP connection with the
remote server.

o The server will generate TCP/IP responses based on the request from the
proxy server.

o The responses will be sent to the proxy server (application gateway) where
the responses are again checked against the proxy server’s filters.

 If the remote server’s response is permitted, the proxy server will then forward the
response to the inside host.


Advantages:

o Its ability to provide NAT for shielding the internal network from the
Internet.

FIREWALL DESIGNS
1. Screened Host Firewall (Single-Homed Bastion Host)

 The first type of firewall is a screened host which uses a single-homed bastion host
plus a packet-filtering router.

 The screened host firewall is designed such that all incoming and outgoing
information is passed through the bastion host.

 The external screening router is configured to route all incoming traffic directly to
the bastion host.

 The screening router is also configured to route outgoing traffic only if it originates
from the bastion host.

 This kind of configuration prevents internal clients from bypassing the bastion host.


 The bastion host is configured to restrict unacceptable traffic and proxy acceptable
traffic.

2. Screened Host Firewall (Dual-Homed Bastion Host)

 A dual-homed bastion host has two network interfaces.



 This firewall implementation is secure because it creates a complete break between
the internal network and the external Internet.


 All external traffic is forwarded directly to the bastion host for processing.

3. Screened Subnet Firewall

 It is also known as a DMZ.



 It is the most secure one among the three implementations.

 All publicly accessible devices, including modem and server, are placed inside the
DMZ. This DMZ then functions as a small isolated network positioned between the
Internet and the internal network.

 The screened subnet firewall contains external and internal screening routers.

 Each is configured such that its traffic flows only to or from the bastion host.

 This arrangement prevents any traffic from directly traversing the DMZ subnetwork.


 Advantages:

o A hacker must subvert three separate tri-homed interfaces when he or she
wants to access the internal network, which is almost infeasible.
o The internal network is effectively invisible to the Internet because all
inbound/outbound packets go directly through the DMZ. This arrangement
makes it impossible for a hacker to gain information about the internal
systems because only the DMZ is advertised in the routing tables and other
Internet information.

o Internal users cannot access the Internet without going through the bastion
host because the routing information is contained within the network.


SET FOR E-COMMERCE TRANSACTIONS

 The Secure Electronic Transaction (SET) is a protocol designed for protecting
credit card transactions over the Internet.

 It is an industry-backed standard that was formed by MasterCard and Visa (acting
as the governing body) in February 1996.

 SET relies on cryptography and X.509 v3 digital certificates to ensure message
confidentiality and security.

 SET is the only Internet transaction protocol to provide security through
authentication.

BUSINESS REQUIREMENTS FOR SET

1. Confidentiality of Information

o The SET protocol uses encryption.
o Confidentiality reduces the risk of fraud by either party to the transaction or
by malicious third parties.
o Cardholder account and payment information should be secured, and it should
also prevent the merchant from learning the cardholder’s credit card number.
o Conventional encryption by DES is used to provide confidentiality.

2. Integrity of data

o SET combats the risk of transaction information being altered in transit by
keeping information securely encrypted at all times.
o Digital signatures are used to ensure integrity of payment information.
o RSA digital signatures, using SHA-1 hash codes, provide message
integrity.

3. Cardholder account authentication

o Digital signatures and certificates are used to ensure authentication of the
cardholder account.

o SET uses X.509 v3 digital certificates with RSA signatures for this
purpose.

4. Merchant authentication

o Cardholders also need to be able to identify merchants with whom they can
securely conduct electronic commerce.

o SET provides for the use of digital signatures and merchant certificates to
ensure authentication of the merchant.

o SET uses X.509 v3 digital certificates with RSA signatures for this
purpose.

5. Security techniques

o SET utilizes two asymmetric key pairs for the encryption/decryption process
and for the creation and verification of digital signatures.

o Confidentiality is ensured by the message encryption.

o Integrity and authentication are ensured by the use of digital signatures.
Authentication is further enhanced by the use of certificates.

6. Creation of brand-new protocol

o SET is an end-to-end protocol whereas SSL provides point-to-point
encryption.

o SET does not interfere with the use of other security mechanisms such as
IPsec and SSL/TLS.

7. Interoperability

o SET uses specific protocols and message formats to provide interoperability.
o The specification must be applicable on a variety of hardware and software
platforms and must not include a preference for one over another.
o Any cardholder with compliant software must be able to communicate with
any merchant software that also meets the defined standard.

SET SYSTEM PARTICIPANTS

Cardholder

o A cardholder is an authorised holder of a payment card that has been issued
by an issuer.

Issuer

o An issuer is a financial institution (a bank) that establishes an account for a
cardholder and issues the payment card.

Merchant

o A merchant is a person or organization that offers goods or services for sale
to the cardholder.

Acquirer

o An acquirer is the financial institution that establishes an account with a
merchant and processes payment card authorization and payments.
o The acquirer provides authentication to the merchant that a given card
account is active and that the proposed purchase does not exceed the credit
limit.

Payment gateway

o A payment gateway acts as the interface between a merchant and the
acquirer.
o A payment gateway is a device operated by the acquirer or a designated third
party that processes merchant payment messages, including payment
instructions from cardholders.
o The payment gateway functions as follows:

 It decrypts the encoded message, authenticates all participants in a
transaction, and reformats the SET message into a format compliant
with the merchant’s point of sale system.

Certification Authority

o A CA is an entity that is trusted to issue X.509 v3 public key certificates for
cardholders, merchants and payment gateways.
o The primary functions of the CA are to receive registration requests, to
process and approve/decline requests, and to issue certificates.

CRYPTOGRAPHIC OPERATION PRINCIPLES


 SET is the Internet transaction protocol providing security by ensuring
confidentiality, data integrity, authentication of each party and validation of the
participant’s identity.


Confidentiality

 SET relies on encryption to ensure message confidentiality.



 In SET, message data is encrypted with a random symmetric key which is further
encrypted using the recipient’s public key.

 The encrypted message along with this digital envelope is sent to the recipient.

 The recipient decrypts the digital envelope with a private key and then uses the
symmetric key in order to recover the original message.

Integrity

 It is ensured by the use of a digital signature.



 Using the public/private key pair, data encrypted with either key can be decrypted
with the other.

 This allows the sender to encrypt a message using the sender’s private key.

 Any recipient can determine that the message came from the sender by decrypting
the message using the sender’s public key.

Authentication

 It is also ensured by means of a digital signature, but it is further strengthened by
the use of a CA.

 When two parties conduct business transactions, each party wants to be sure that the
other is authenticated.

 Before a user B accepts a message with a digital signature from a user A, B wants to
be sure that the public key belongs to A.

 One way to secure delivery of the key is to utilize a CA to authenticate that the
public key belongs to A.

 A CA is a trusted third party that issues digital certificates.

DUAL SIGNATURE AND SIGNATURE VERIFICATION

 SET introduced a new concept of digital signature called dual signatures.



 A dual signature is generated by creating the message digest of two messages:

o Order digest and
o Payment digest.


 The steps are :



o The customer takes the hash codes (message digests) of both the order
message and payment message by using the SHA-1 algorithm.

o These two hashes, ho and hp, are then concatenated and the hash code h of
the result is taken.

o Finally, the customer encrypts (via RSA) the final hash code with his or her
private key, Ksc, creating the dual signature.


o Computation of the dual signature (DS) is shown as follows:
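The dual signature computation and its verification by each party, as an added example in Python (not the notes' figure or code): ho = H(OI), hp = H(PI), h = H(ho || hp), DS = RSA-sign(h) under Ksc, with SHA-1 as H. It assumes a small textbook RSA on a generated demo modulus (no padding) in place of a real SET implementation, and constructed order and payment messages.

```python
"""SET dual signature worked through with the notes' symbols: ho = H(OI),
hp = H(PI), h = H(ho || hp), DS = RSA-sign(h) under the customer's private
key Ksc, with SHA-1 as H. The merchant verifies DS from OI plus hp (it
never sees the payment instructions); the bank verifies it from PI plus ho
(it never sees the order). Added example, not from the course notes: small
textbook RSA (no padding, demo only) stands in for a real SET implementation
and the OI/PI messages are constructed."""

import hashlib
import random


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin test, sufficient for a demonstration modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_keypair(bits: int = 256, seed: int = 2023):
    """Return ((n, e), (n, d)). With a 256-bit n the 160-bit SHA-1 digest is
    always smaller than n, so it can be signed as a single integer block."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m): Python 3.8+


def rsa_sign(digest: bytes, private_key) -> int:
    """'Encrypt' the digest with the private key: DS = digest^d mod n."""
    n, d = private_key
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(digest: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(digest, "big")


def dual_signature(order_info: bytes, payment_info: bytes, ksc):
    """Customer side. Returns (DS, ho, hp): ho travels with PI to the bank,
    hp travels with OI to the merchant."""
    ho = sha1(order_info)    # order digest
    hp = sha1(payment_info)  # payment digest
    h = sha1(ho + hp)        # digest of the concatenation
    return rsa_sign(h, ksc), ho, hp


def merchant_verifies(order_info: bytes, hp: bytes, ds: int, kpc) -> bool:
    """Merchant holds OI and the payment digest hp, not PI itself."""
    return rsa_verify(sha1(sha1(order_info) + hp), ds, kpc)


def bank_verifies(payment_info: bytes, ho: bytes, ds: int, kpc) -> bool:
    """Payment gateway/bank holds PI and the order digest ho, not OI."""
    return rsa_verify(sha1(ho + sha1(payment_info)), ds, kpc)


# Constructed messages (no real card data).
ORDER_INFO = b"OI: 2 x textbook, deliver to campus, total 1200.00"
PAYMENT_INFO = b"PI: card ending 0000, amount 1200.00, merchant M-1"
```

Because DS covers the hash of both digests, neither party can substitute a different OI or PI without the other party's verification failing.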

AUTHENTICATION AND MESSAGE INTEGRITY

 The encryption/decryption processes for message integrity consist of the
following steps.

1. Encryption process

 User A sends the plaintext through a hash function to produce the message digest.

 A then encrypts the message digest with his or her private key to produce the digital
signature.

 Next, A generates a random symmetric key and uses it to encrypt the plaintext, A’s
signature and a copy of A’s certificate, which contains A’s public key.

 To decrypt the plaintext later, user B will require a secure copy of this temporary
symmetric key.

 B’s certificate contains a copy of his or her public key. To ensure secure
transmission of the symmetric key, A encrypts it using B’s public key. The
encrypted key, called the digital envelope, is sent to B along with the encrypted
message itself.

 A sends a message to B consisting of the DES-encrypted plaintext, signature and
A’s public key, and the RSA-encrypted digital envelope.

2. Decryption process

• B receives the encrypted message from A and decrypts the digital envelope with his or her private key to retrieve the symmetric key.

• B uses the symmetric key to decrypt the encrypted message, consisting of the plaintext, A's signature and A's public key retrieved from A's certificate.

• B decrypts A's digital signature with A's public key that is acquired from A's certificate. This recovers the original message digest of the plaintext.


• B runs the plaintext through the same hash function used by A and produces a new message digest of the decrypted plaintext.

• Finally, B compares his or her message digest to the one obtained from A's digital signature. If they are exactly the same, B confirms that the message content has not been altered during transmission and that it was signed using A's private key. If they are not the same, then the message either originated somewhere else or was altered after it was signed. In that case, B discards the message.
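The dual-signature computation above, the two-sided verification that the Purchase Request section describes (merchant with the OM, gateway with the PM), and the sign-then-envelope flow of this section, as one added Python example. This is not code from the SET specification or from the textbook: it assumes an unpadded textbook RSA with toy 512-bit keys, SHA-1 digests as in the notes, and a SHA-256 counter keystream standing in for DES, all of which are teaching simplifications and not safe for real use.

```python
"""SET-style dual signature and digital envelope, built on textbook RSA.

Added illustration for these notes, not SET or textbook code. Assumptions:
unpadded textbook RSA with toy 512-bit keys, SHA-1 digests as in the notes,
and a SHA-256 counter keystream standing in for DES. Not for production use.
"""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (toy key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)); n is far larger than a 160-bit SHA-1 digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def sha1(data):
    return hashlib.sha1(data).digest()

def dual_sign(order_msg, payment_msg, cardholder_priv):
    """DS = E_Ksc[ SHA1( SHA1(OM) || SHA1(PM) ) ], the steps given in the notes."""
    d, n = cardholder_priv
    h = int.from_bytes(sha1(sha1(order_msg) + sha1(payment_msg)), "big")
    return pow(h, d, n)

def verify_dual_sig(own_msg, other_digest, ds, cardholder_pub, holds_order):
    """Verify DS from one message in clear plus only the digest of the other.
    Merchant: (OM, hp, holds_order=True). Gateway: (PM, ho, holds_order=False)."""
    e, n = cardholder_pub
    own = sha1(own_msg)
    combined = own + other_digest if holds_order else other_digest + own
    return pow(ds, e, n) == int.from_bytes(sha1(combined), "big")

def _keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (DES stand-in)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(plaintext, sender_priv, sender_pub, recipient_pub):
    """Sender A: hash and sign, bundle {plaintext, signature, A's public key},
    encrypt the bundle under a fresh symmetric key, wrap that key for B."""
    d, n = sender_priv
    sig = pow(int.from_bytes(sha1(plaintext), "big"), d, n)
    sym_key = secrets.token_bytes(16)  # the temporary symmetric key
    bundle = json.dumps({"msg": plaintext.hex(), "sig": sig, "pub": list(sender_pub)})
    envelope = pow(int.from_bytes(sym_key, "big"), recipient_pub[0], recipient_pub[1])
    return _keystream_xor(sym_key, bundle.encode()), envelope

def open_envelope(ciphertext, envelope, recipient_priv):
    """Receiver B: unwrap the symmetric key, decrypt the bundle, then compare a
    fresh digest with the one recovered from A's signature. Returns (plaintext, ok)."""
    d, n = recipient_priv
    sym_key = pow(envelope, d, n).to_bytes(16, "big")
    bundle = json.loads(_keystream_xor(sym_key, ciphertext))
    plaintext = bytes.fromhex(bundle["msg"])
    e_a, n_a = bundle["pub"]
    digest_ok = pow(bundle["sig"], e_a, n_a) == int.from_bytes(sha1(plaintext), "big")
    return plaintext, digest_ok
```

The point to notice is in verify_dual_sig: the merchant passes the OM together with hp (the digest of the PM it cannot read) and the gateway passes the PM together with ho, yet both recompute the same h and check the same DS. Altering either message, or the signature, breaks the check on both sides, which is what ties the order and the payment together without disclosing one to the other party.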


PAYMENT PROCESSING

1. Cardholder Registration
2. Merchant Registration
3. Purchase Request
4. Payment Authorization
5. Payment Capture

1. Cardholder Registration

• The cardholder must register with a CA before sending SET messages to the merchant. The cardholder needs a public/private-key pair for use with SET.

• The scenario of cardholder registration consists of:

o Registration request/response processes
o Registration form process
o Certificate request/response processes

2. Merchant Registration

• Merchants must register with a CA before they can receive SET payment instructions from cardholders.

• In order to send SET messages to the CA, the merchant must have a copy of the CA's public key, which is provided in the CA certificate.

• The merchant also needs the registration form from the acquirer.

• The merchant must identify the acquirer to the CA.

• The merchant registration process consists of five steps as follows:

(1) The merchant requests the registration form;
(2) The CA processes this request and sends the registration form;
(3) The merchant requests certificates after receiving and completing the registration form;
(4) The CA creates certificates;
(5) The merchant receives certificates.

3. Purchase Request

• The purchase request exchange should take place after the cardholder has completed browsing, selecting and ordering.


1. Initiate request

• The cardholder sends the initiate request to the merchant.

• The merchant receives the initiate request.

• The merchant generates the response and digitally signs it by generating a message digest of the response and encrypting it with the merchant's private key.

• The merchant sends the response along with the merchant and payment gateway certificates to the cardholder.

2. Initiate response

• The cardholder receives the initiate response and verifies the certificates.

• The cardholder verifies the merchant's signature by decrypting it with the merchant's public key and comparing the result with a newly computed message digest of the response.

• The cardholder creates the order message (OM), using information from the shopping phase, and the payment message (PM).

3. Purchase request

• The cardholder generates a dual signature for the OM and PM.

• The cardholder generates a random symmetric key (No. 1) and uses it to encrypt the PM. The symmetric key itself is wrapped in a digital envelope under the payment gateway's public key (from the gateway certificate received in the initiate response), so the merchant cannot read the payment instructions.

• The cardholder transmits the OM, the encrypted PM and the dual signature to the merchant.

• The merchant verifies the cardholder certificate by traversing the trust chain to the root key.

• The merchant verifies the cardholder's dual signature on the OM by decrypting it with the cardholder's public key and comparing the result with a newly computed message digest of the concatenation of the message digests of the OM and PM. For this the merchant needs only the digest of the PM, not the PM itself.

• The merchant processes the request, including forwarding the encrypted PM to the payment gateway for authorisation.

4. Purchase response

• The merchant creates the purchase response, including the merchant signature certificate, and digitally signs it by generating a message digest of the purchase response and encrypting it with the merchant's private key.


• The merchant transmits the purchase response to the cardholder.

• If the transaction was authorised, the merchant fulfils the order to the cardholder.

• The cardholder verifies the merchant signature certificate by traversing the trust chain to the root key.

• The cardholder verifies the merchant's digital signature by decrypting it with the merchant's public key and comparing the result with a newly computed message digest of the purchase response.

• The cardholder stores the purchase response.

4. Payment Authorisation

• During the processing of an order from a cardholder, the merchant authorises the transaction.

• The authorisation request and the cardholder payment instructions are then transmitted to the payment gateway.

• The steps involved are:

o Authorisation request
o Authorisation response

5. Payment Capture

• After completing the processing of an order from a cardholder, the merchant will request payment.

• The merchant generates and signs a capture request, which includes the final amount of the transaction, the transaction identifier from the OM, and other information about the transaction.


Overall picture for payment processing



CS6004 - CYBER FORENSICS UNIT - III

UNIT III INTRODUCTION TO COMPUTER FORENSICS

Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime, Introduction to Identity Theft & Identity Fraud. Types of CF techniques - Incident and incident response methodology - Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team - Forensics Technology and Systems - Understanding Computer Investigation – Data Acquisition.

3.1 INTRODUCTION TO TRADITIONAL COMPUTER CRIME

INTRODUCTION
Computer crime is a general term that has been used to denote any criminal act which has been facilitated by computer use. Such generalization has included both Internet and non-Internet activity.

Examples:
o Theft of components,
o Counterfeiting,
o Digital piracy or copyright infringement,
o Hacking, and
o Child pornography.

Computer-related crime is a broad term used to encompass those criminal activities in which a computer was peripherally involved.

Examples:
o Traditional bookmaking, and
o Theft.

Digital crime is a term used to refer to any criminal activity which involves the unauthorized access, dissemination, manipulation, destruction, or corruption of electronically stored data.

Cybercrime is a specific term used to refer to any criminal activity which has been committed through or facilitated by the Internet.

TRADITIONAL COMPUTER CRIME

o Phreaking,
o Hacking,
o Computers as commodities,
o Theft of intellectual property.


PHREAKING

• Phreaking involves the manipulation of telecommunications carriers to gain knowledge of telecommunications and/or theft of the applicable services.

• It is also identified broadly as telecommunications fraud; phreaking includes any activity that incorporates the illegal use or manipulation of access codes, access tones, PBXs, or switches.

• Shoulder surfing is the theft of a telephone access code by watching an unsuspecting individual while he or she dials it.

• War-dialing involves random number generators which test numerous codes until one is successful. One of these programs running throughout the night may generate several hits, which are then compiled into a large database.

• The programs which enable these computerized code thefts have quickly found their way to the Internet and are readily available for downloading.

• Another method of defeating the telephone company, employed by such notables as Steve Jobs and Steve Wozniak, the founders of Apple Computer, Inc., involved the invention of hardware devices. These blue boxes "tricked" switching systems into granting free access to long-distance lines.

• Innovative ways of utilizing stolen PBX codes are also being employed by individuals involved in organized crime syndicates. Known as "call-sell" operations, prepaid calls are sold on the street using stolen access or PBX codes.

HACKING

• The six primary motivations for computer intrusion or theft of information in contemporary society are:

o Boredom (informational voyeurism),
o Intellectual challenge (mining for knowledge, pure hackers),
o Revenge (insiders, disgruntled employees, etc.),
o Sexual gratification (stalking, harassment, etc.),
o Economic (criminals), and
o Political (hacktivists, terrorists, spies, etc.).


There are five general categories of cybercriminals:

o Script kiddies,
o Cyberpunks,
o Hackers/crackers,
o Cybercriminal organizations, and
o Hacktivists.

Script Kiddies

• Script kiddies, also known as skidiots, skiddies, or Victor Skill Deficiency (VSD), are the lowest life form of cybercriminal.

• These computer users are inexperienced hackers who employ scripts or other programs authored by others to exploit security vulnerabilities or otherwise compromise computer systems.

• Script kiddies are not capable of writing their own programs and do not fully understand the programs which they are executing. Thus, they are not capable of targeting a specific system, but are limited to those targets which possess the identified vulnerabilities.

Cyberpunks

• Cyberpunks is an innocuous term which has been hotly contested by First Amendment advocates but has been used by law enforcement officials to refer to individuals intent on wreaking havoc via the Internet.

• The term was initially used to refer to an emerging genre which marries science fiction, information technology, and radical change in the social order.

Hackers/Crackers


• Sophisticated computer criminals who are capable of programming, writing code, and breaching complex systems are categorized as hackers or crackers.

• Hackers are those individuals who identify and exploit system vulnerabilities but who lack economic motivation.

• Crackers are those sophisticated users who employ their knowledge for personal gain. They were originally known as criminal hackers.

Cyber Criminal Organizations

• Cybercriminal organizations are those groups comprised of criminally minded individuals who have used the Internet to communicate, collaborate, and facilitate cybercrime.

• Their activities include those associated with political extremism or economic gain. The sophistication of the methods employed and the technical expertise of their members range from elementary to highly complex.

Criminal hackers

• Criminal hackers, or crackers, are those who target data which is valuable on its face (e.g., trade secrets and proprietary data) or data (e.g., credit card data) which may be used to further other criminal activity.

COMPUTERS AS COMMODITIES

• Computers, accessible to employees, students, and, sometimes, the public at large, are extremely vulnerable to theft.

• The theft and resale of integrated chips has proven to be the most lucrative form of component theft. Resale of such computer chips may return as much as ten times the thieves' investment.

• Black market dealers are the most organized groups trafficking in stolen computer components. These individuals or groups may be likened to full-service restaurants, carefully soliciting orders and preparing merchandise as requested. Thus, their targets are selected only after they receive an order for particular merchandise. These groups actively participate in the theft itself.


• Gray market dealers are legitimate businesses with questionable, and illegal, practices. These businesses are those which specialize in made-to-order computers (i.e., nonstandard or knock-offs).

• They represent a major customer for thieves, being a ready outlet for their illegal wares. Buying the components at a significant discount, these companies claim ignorance of their origin.

THEFT OF INTELLECTUAL PROPERTY

• The digital revolution has resulted in heretofore unprecedented innovations in content industries such as book publishers, record labels, movie studios, software companies, and all other industries involved in the mass production of intellectual property.

• The top ten industries for software piracy are:

o Manufacturing
o Sales/distribution
o Service
o Financial services
o Software development
o IT consulting
o Medical
o Engineering
o School/education
o Consulting

• Software piracy refers to the reproduction, distribution, and use of software without the permission or authorization of the owner of the copyright, including making multiple copies for personal use or distributing copies to friends or colleagues.

• Most retail programs are licensed for use at just one computer site or by only one user at any time. By buying the software, an individual becomes a licensed user rather than an owner. While this individual user may be allowed to make copies of the program for backup purposes, it is against the law to distribute copies to friends and colleagues.

• Many software companies tried to stop software piracy by copy-protecting their software. A different approach to software piracy prevention was the introduction of a new category of licensed software.

• Shareware acknowledges the futility of trying to stop people from copying software and instead relies on people's honesty.


• Shareware publishers encourage users to give copies of programs to friends and colleagues but ask everyone who uses a program regularly to pay a registration fee to the program's author directly.

• Commercial programs that are made available to the public illegally are often called warez.

• Warez sites enable visitors to download software illegally in violation of copyright protections. Many of these sites are created and maintained by highly sophisticated, well-educated administrators.

Film Piracy

There are eight primary methods of film piracy:

o Optical disc piracy,
o Internet piracy,
o Videocassette piracy,
o Theatrical print theft,
o Signal theft,
o Broadcast piracy,
o Public performances, and
o Parallel imports.

CONTEMPORARY COMPUTER CRIME

1. WEB BASED CRIMINAL ACTIVITY

Interference with Lawful Use of Computer

There are six categories of online crime:

o Interference with lawful use of computers
  DoS attacks, viruses, worms, other malware, cyber vandalism, cyber terrorism, spam, etc.

o Theft of information and copyright infringement
  Industrial espionage, ID theft, ID fraud, etc.

o Dissemination of contraband or offensive materials


  Pornography, child pornography, online gaming, treasonous or racist material, etc.

o Threatening communications
  Extortion, cyber stalking, cyber harassment, cyberbullying, etc.

o Fraud
  Auction fraud, credit card fraud, theft of services, stock manipulation, etc.

o Ancillary crimes
  Money laundering, conspiracy, etc.

2. MALWARE

• Malware, or malicious programming code, refers to code that causes damage to computer systems.

• It includes:

o Back doors,
o Trojan horses,
o Viruses,
o Worms, and
o DoS attacks.

• All of these entities can be, and have been, employed by terrorists, hacktivists, corporate spies, criminals, and pleasure seekers.

Viruses and Worms

• The first recognized computer virus, the rabbit, appeared in the 1960s. These programs diminished the productivity of computer systems by cloning themselves and occupying system resources.

• The first virus attached to an executable file appeared in the 1970s on the Univac 1108 system. Pervading Animal was attached to the end of an executable file and required the computer user to answer a series of questions regarding animals.

• The four distinct eras of computer viruses are:


o Classical era (1960-1970)
o Floppy era (1980-1990)
o Macro era (1990-2000), e.g. the Melissa virus
o Internet era (2000-present), e.g. CodeRed, SirCam, and W32/Nimda.A-mm.

DoS and DDoS Attacks

• The aim of a denial of service (DoS) attack is to disable a large system without necessarily gaining access to it.

• The most common DoS attack involved mail-bombing (e.g., jamming a system's server with voluminous e-mail). Other traditional methods included the time-proven manipulation of phone switches or the more sophisticated method of low-level data transmission.

Botnets and Zombie Armies

• Zombies or bots are compromised computers attached to the Internet which are often used to remotely perform malicious or criminal tasks. They are often used in large batches (i.e., zombie armies or botnets).

• In 1999, the first known DDoS attacks occurred, with tools known as Trinoo and Tribe Flood Network (TFN). Since that time, such attacks have become commonplace and have been employed by a variety of individuals or groups, such as extortionists, business competitors, and terrorists.

• The W32.Waledac botnet had the capability of sending as many as 1.5 billion spam e-mails a day.
Spam


• Spamming may be defined as the abuse of electronic messaging systems to randomly or indiscriminately send unsolicited bulk messages.

• Spam may be found in many electronic communications such as:

o Instant messaging,
o Usenet newsgroups,
o Blogs,
o Mobile phones.

• Electronic spam was most commonly used by advertisers or by businesses themselves.

Ransomware and the Kidnapping of Information

• Ransomware may be defined as a malware program which encrypts or otherwise renders computer or digital resources inoperable or inaccessible in furtherance of the illegal compulsion of an action or exchange.

• Examples:

PC CYBORG/AIDS Information Trojan
This Trojan was distributed through the U.S. Postal Service in a socially engineered package which contained a seemingly innocuous floppy. Once installed, the Trojan operated by replacing the AUTOEXEC.BAT file. Upon the 90th reboot of the machine, directories were hidden and file names encrypted. At the same time, the victim was informed of the action and prompted to pay a $378 "renewal of license" fee to recover the data.

GPCoder
This Trojan originally surfaced in May 2005, and updated versions have consistently appeared. These updated versions of GPCoder, distributed via e-mail, applied RSA encryption to files with predetermined extensions. Upon execution, victims were instructed to visit a particular site to purchase a decoder.

CryZip
Surfacing in March 2006, CryZip attached itself to all running processes in the form of a DLL file. It was similar to GPCoder, except that it collected all affected files into a password-protected zip file and utilized an e-gold account for ransom collection.

3. THEFT OF INFORMATION, DATA MANIPULATION, AND WEB ENCROACHMENT


Traditional Methods of Proprietary Information Theft

• The most popular method for stealing passwords involves social engineering. Employees who fail to follow proper security procedures for disposing of personal correspondence and company paperwork also pose a security risk to an institution's digital technology.

• Unwitting administrators and employees routinely dump sensitive information into the nearest trash receptacle. Information such as old technical manuals, internal phone lists, organizational charts and correspondence provides a wealth of information for the malicious hacker.

• The emergence of cloud computing and removable media is increasingly responsible for theft of information or breaches in digital security.

• More sophisticated approaches to gaining unauthorized access to "secured" data may be employed by computer hackers. One approach exploits systemic vulnerabilities created by vendors who are allowed remote access to their systems to perform routine maintenance, such as updating.

• Some system administrators never change the defaults in their networks once they are installed. By utilizing lists of default passwords, readily available on the Net, unauthorized users are able to gain root access by simply using traditional network defaults.

Trade Secrets and Copyrights

• The increasing commercialization of knowledge has exponentially increased the theft and trafficking of proprietary information.

Political Espionage

• Technology has also escalated the potential for sophisticated attacks on a country's national security and public infrastructure.

• Example: Between 2004 and 2005, NASA networks were compromised six times by a Swedish hacker, causing the agency to suffer $1 million in supercomputing downtime.

4. TERRORISM


Cyber terrorism may be defined as a deliberate, politically or religiously motivated attack against data compilations, computer programs, and/or information systems which is intended to disrupt and/or deny service or acquire information which disrupts the social, physical, or political infrastructure of a target.

5. NEOTRADITIONAL CRIME

Dissemination of Contraband or Offensive Materials
o Child Pornography
o Child Enticement/Exploitation
o Online Pharmacies
o Online Gambling

Threatening and Harassing Communications
o Cyberstalking and Cyberharassment
o Cyberbullying

Online Fraud
o Auctions
o Online Credit Card Fraud: Skimming, RFID
o Web-cramming/ISP Jacking
o Fraud via Data Manipulation
o Securities Fraud and Stock Manipulation: False information, Insider Trading, e-Fencing, Fraudulent Instruments

Dissemination of Contraband or Offensive Materials

• The four primary motivations for child pornography possession are:

o Pedophilia or hebephilia: possession is designed to satisfy sexual fantasies or provide gratification for those individuals who are sexually interested in prepubescent children or adolescents.

o Sexual miscreants: possession is designed to satisfy a desire for new and different sexual stimuli.

o Curiosity seekers: possession is undertaken to satisfy a peculiar curiosity.


o Criminal opportunists: possession, and subsequent distribution, is designed for economic profit.

• Online pharmacies benefit consumers by encouraging competitive pricing with noncyber outlets, but offer little protection against fraud. Virtually all of the available online pharmacies claim legitimacy, arguing that transactions require valid prescriptions.

Threatening and Harassing Communications

• Cyberstalking may be defined as the willful, malicious, and repeated following and/or harassing of another person in an effort to inflict or cause fear of actual harm through words or deeds committed via electronic communications.

• Cyberbullying may be defined as an aggressive, intentional act carried out by a group or individual, using electronic forms of contact, repeatedly and over time against a victim who cannot easily defend him or herself.

• Cyberharassment focuses on actual harm suffered, including defamation of character and the like.

Online Fraud

• Fraud may be defined as an intentional deception, misrepresentation, or falsehood made with the intention of receiving unwarranted compensation or gratification.

• Types of fraud include Medicaid fraud, insurance fraud, telecommunications fraud, stock fraud, corporate fraud, banking fraud, health care fraud, tax fraud, marriage fraud, real estate fraud, bankruptcy fraud, and so on.

• Auction fraud was one of the most common fraudulent activities on the Internet.

• There are four primary types of Internet auction fraud: nondelivery, misrepresentation, fee stacking, and shill bidding.

o Nondelivery occurs when a fraudster accepts a payment for an item and fails to deliver it.


o Misrepresentation occurs when a fraudster deceives the bidder as to the item's condition. For example, items might be counterfeit or in poorer condition than advertised.

o Fee stacking occurs when a fraudster adds hidden charges to the advertised price, perhaps in shipping or handling.

o Shill bidding occurs when a seller drives up the cost of his or her own item by bidding on it.

Online Credit Card Fraud

• Skimming: one way for fraudsters to steal credit card information is to install devices on card readers located in ATMs, gas pumps, restaurants, grocery stores, retail establishments, or any other area where magnetic stripe card readers are employed. The information contained on the card's stripe may include account numbers, passwords, and other information.

• RFID, or Radio Frequency Identification, involves the use of radio waves to facilitate the transfer of information between an electronic tag (or label) and a reader. It was designed for identification and tracking purposes; because a contactless card answers any reader within range, its data can be read without the cardholder's knowledge.

Web-cramming/ISP Jacking

• Web-cramming is most often accomplished when criminals develop new Web pages for small businesses and nonprofit groups for little or no expense. While advertising their service as free, these criminals actually engage in unauthorized phone charges on their victims' accounts.

• ISP-jacking involves disconnecting individual users from their selected Internet service providers and redirecting them to illegitimate servers. The users are lured into downloading software which surreptitiously disconnects their chosen ISP, silences their modem, and reconnects them to a remote server.

Fraud via Data Manipulation

• Data diddling can be committed by anyone having access to an input device. It refers to any method of fraud via computer manipulation, typically the alteration of data before or during its entry into a system.

• IP spoofing involves the manipulation of packets (i.e., messages that are exchanged between computers) so that the forged source address makes the traffic appear to come from a trusted host. These communications are indirectly routed across varying systems.


Securities Fraud and Stock Manipulation

• Day trading is the process of buying and selling highly speculative stocks within one trading day.

• False information is another method by which unwitting investors are parted from their money.

• Insider trading is also increasing due to the proliferation of day trading activity. One such scheme was predicated on the advice of an "insider" who solicited interested individuals in chat rooms, offering them inside advice for a percentage of their profits.

• E-Fencing may be defined as the sale of stolen goods through technological means.

6. ANCILLARY CRIMES

Money laundering refers to the cleansing or cleaning of money. The process of money laundering involves the following steps:

(a) Placement: the initial point of entry for illicit funds;

(b) Layering: the development and maintenance of complex networks of transactions designed to obscure the process and the source of illegal funds. This involves the "layering" of financial and commercial transactions and/or assets. More specifically, "layering of funds" is accomplished by conducting multiple transactions or by developing complex hierarchies of assets aimed toward distancing the origin from the laundered assets;

(c) Integration: the return of funds into the legitimate economy.

TRADITIONAL PROBLEMS ASSOCIATED WITH COMPUTER CRIME

a. Physicality and Jurisdictional Concerns
b. Perceived Insignificance, Stereotypes, and Incompetence
c. Prosecutorial Reluctance
d. Lack of Reporting
e. Lack of Resources
f. Jurisprudential Inconsistency


a. PHYSICALITY AND JURISDICTIONAL CONCERNS

• The physical environment that breeds computer crime is far different from traditional venues. In fact, the intangible nature of computer interaction and subsequent criminality poses significant questions for investigative agents. For example, what forensic tools are available for identifying entry points in data breaking and entering?

• The lack of physical boundaries and the removal of traditional jurisdictional demarcations allow perpetrators to commit multinational crime with little fear (or potential) of judicial sanctions.

• Traditional criminal activity required the physical presence of the perpetrators; cybercrime is facilitated by international connections that enable individuals to commit criminal activity from anywhere.

• Electronic crime does not require an extensive array of equipment or tools. It does not require vehicular transportation, physical storage capability, or labor-intensive practices, all of which increase the potential for discovery and enforcement.

• The physical intangibility of computer crime is compounded by the traditional lack of cooperation inherent in law enforcement investigations.

• Issues of funding, political platforms, and the like have traditionally reduced communication and cooperation among jurisdictions.

b. PERCEIVED INSIGNIFICANCE, STEREOTYPES, AND INCOMPETENCE

• Investigators and administrators have displayed great reluctance to pursue computer criminals.

• A lack of knowledge coupled with general apathy toward cyber criminality has resulted in an atmosphere of indifference.

• Many stereotype computer criminals as nonthreatening, socially challenged individuals (i.e., nerds or geeks) and fail to see the insidious nature of computer crime.

c. PROSECUTORIAL RELUCTANCE

• Prosecutors lack sufficient knowledge and experience to effectively prosecute computer crime.

• Traditionally, federal and local prosecutors alike did not perceive electronic crime as serious and often granted it the lowest priority.


d. LACK OF REPORTING

• One reason companies do not report is the perception that reporting will not result in the capture or identification of a suspect.

• It is difficult to determine the proper authorities, and companies question the capabilities of law enforcement agencies, which are often stereotyped as technologically deficient.

• Overlapping and intersecting jurisdictions pose additional problems, as it is most rare that computer crimes occur within one state, let alone one jurisdiction.

• Even unsophisticated computer criminals will access different services to disguise their location. Such circuitous activity often necessitates federal or international assistance. Finally, many intrusions are detected long after the violation occurred, making investigations more difficult.

e. LACK OF RESOURCES

• Unlike the business community, law enforcement agencies rarely have the resources (both financial and legal) necessary to effectively combat computer crimes.

• Emerging technologies require perpetual training, as the potential for computer criminality has exponentially increased. Wireless technologies and emerging encryption and steganography programs, for example, are increasingly complicating law enforcement investigations.

• As law enforcement budgets remain strained, it is virtually impossible for administrators to allocate training funds to update their officers on today's technology without assurances that the training would not become obsolete by tomorrow.

• Beyond the costs associated with training, administrators must consider three additional areas in support of computer crime investigations:

o Personnel,
o Hardware,
o Housing.

• The costs associated with staffing computer crime units far exceed the other two areas.

• While traditional expenses like salary and benefits are often overlooked, they become a very expensive component when establishing a new function.


For every officer who is assigned new areas of responsibility, additional staff must be
recruited, hired, and trained as a replacement in his or her original position.

f. JURISPRUDENTIAL INCONSISTENCY

The Supreme Court has remained resolutely averse to deciding matters of law in the
newly emerging sphere of cyberspace.

They have virtually denied cert on every computer privacy case to which individuals
have appealed and have refused to determine appropriate levels of Fourth Amendment
protections of individuals and computer equipment.

IDENTITY THEFT AND IDENTITY FRAUD

INTRODUCTION

Identity theft has been utilized to describe any use of stolen personal information.

Identity fraud, which encompasses identity theft within its purview, may be
defined as a vast array of illegal activities based on the fraudulent use of the
identifying information of a real or fictitious person.


Identity fraud is committed when a credible identity is created by accessing others’
credit cards, financial or employment records, secure facilities, computer systems, or
such.

Identity theft—the illegal use or transfer of a third party’s personal identification
information with unlawful intent.

Identity fraud—a vast array of illegal activities based on the fraudulent use of identifying
information of a real or fictitious person.

TYPOLOGIES OF IDENTITY THEFT/FRAUD

There are five main types of identity theft/fraud occurring in the United States:

a. Assumption of Identity
b. Theft for Employment and/or Border Entry
c. Criminal Record Identity Theft/Fraud
d. Virtual Identity Theft/Fraud
e. Credit Identity Theft/Fraud


a. Assumption of Identity

This is the rarest form of identity theft/fraud and occurs when an individual
simply assumes the identity of his or her victim, including all aspects of the
victim’s life.

b. Theft for Employment and/or Border Entry

This type of identity theft/fraud is increasingly common due to the growth of
illegal immigration and alien smuggling.

It involves the fraudulent use of stolen or fictitious personal information to
obtain employment or to gain entry into the United States.

c. Criminal Record Identity Theft/Fraud

This type of identity theft is not as common, perhaps because the immediate financial
repercussions are not significant.

It has been used historically by individuals attempting to evade capture or
criminal prosecution.

Reverse criminal record identity theft occurs when a criminal uses a victim’s
identity not to engage in criminal activity but to seek gainful employment.

d. Virtual Identity Theft/Fraud

Virtual identity theft/fraud involves the use of personal, professional, or other
dimensions of identity toward the development of a fraudulent virtual
personality.

Many individuals develop a virtual identity which is antithetical to their physical
one—making themselves taller, richer, younger, more charismatic, and so on.


Virtual identities are often far removed from reality. They are inherently less
veracious and less trustworthy.


They are often used for online dating, role-playing, and accessing deviant sites
or locations containing questionable content.


Deviant activities associated with this type of identity theft/fraud run the gamut
of traditional illicit behavior.


Some individuals may assume a virtual identity to engage in online flirtation or
facilitate an extramarital affair.

Others may do so to deceive others into revealing personal information to
further harassment or stalking or to facilitate financial fraud.

e. Credit Identity Theft/Fraud

The most common type of identity theft/fraud, credit identity theft/fraud, is also
the most feared by the American public.


It may be defined as the use of stolen personal and financial information to
facilitate the creation of fraudulent accounts.

It does not include traditional activities like the illegal use of a stolen credit card.


Credit identity theft is limitless and not bound by the amount of cash or credit
which is immediately available. Rather, it allows criminals to create additional
sources of revenue through the establishment of multiple accounts.

Example:

In 2011, the FTC reported that more than 60 percent of all identity theft
victims reported that their personal information was used to open new
accounts, transfer funds, or commit tax/wage related fraud.

PREVALENCE AND VICTIMOLOGY

a. Victims and the Costs Associated with Victimization


b. Future Increases

a. Victims and the Costs Associated with Victimization

The traditional obstacles include:

 Lack of reporting of victimization by the public
 Lack of reporting by police to federal agencies
 Jurisdictional discrepancies in crime measurement
 Selective enforcement based on community standards and departmental
resources

The prevalence of identity theft/fraud has been further confounded by additional
factors, including the following:

 Delayed notification or awareness of victimization
 The vested interest of private companies to exploit consumer fear
 The lack of mandatory reporting and inconsistent application by federal
agencies
 Lack of national standards in measurement

There are four primary sources of information on identity theft/fraud data:

o Credit reporting agencies
o Software companies
o Popular and trade media
o Government agencies


It is hard to effectively measure the prevalence of identity theft/fraud, and difficult
to measure the costs incurred by such criminal activity.


Additional difficulties in estimating the costs associated with identity theft/fraud are
more direct and may be attributed to the delayed awareness of the victim, a general
lack of reporting, and a trend toward statistical aggregation by reporting agencies.


Several studies have suggested that the average time between the occurrence of the
crime and the victim becoming aware of being victimized was 12–14 months.


In cases where victims identified their victimization, many victims indicate a
reluctance to report their victimization due to a perception that investigative
agencies would be apathetic to or are incapable of prosecuting their victimization.


Others display a general ignorance as to the identity of the appropriate or applicable
agency.


Although exact figures associated with identity theft are impossible to obtain, a general
profile of the individual victims has been consistent across a variety of studies.

Across the globe, Americans are most likely to be targeted and victimized by identity
thieves.

In most cases, the victim did not know or was not acquainted with the perpetrator.


According to the Identity Theft Resource Center, victims spend an average of 600
hours attempting to remedy the long-term repercussions of identity theft/fraud due
to the absence of a universal police report.


Victims have repeatedly reported difficulty in obtaining a police report which
documents that their identity has been compromised or stolen. Such documentation
is essential for victims seeking to reclaim their lives and recover their personal and
economic stability.


b. Future Increases

It is anticipated that instances of identity theft/fraud will continue to increase as the
globalization of communication and commerce continues.


Criminals have successfully thwarted law enforcement initiatives and safety
precautions.


Fraud alerts placed upon credit reports, for example, are often ignored, and
numerous incidents have occurred where additional fraudulent activity is noted
even after alerts were in place.


Repeat or continuous victimization is made possible due to the lack of cooperation
by lenders and consumer reporting agencies.


The prevalence of identity theft/fraud is also expected to increase in pace with the
increase in the outsourcing of information and services.

PHYSICAL METHODS OF IDENTITY THEFT

a. Mail Theft
b. Dumpster Diving
c. Theft of Computers
d. Bag Operations
e. Child Identity Theft
f. Insiders
g. Fraudulent or Fictitious Companies
h. Card Skimming, ATM Manipulation, and Fraudulent Machines

There are two broad categories of techniques:

Physical, and

Virtual.

a. Mail Theft

The theft of information from physical mailboxes is certainly one of the most
common methods.

Numerous documents containing personal and financial information are
deposited in unlocked containers on the side of the road until they are retrieved.
Oftentimes, such retrieval is conducted by someone other than the intended
recipient, and the documents are used to generate illicit profit or to facilitate criminal
activities.

Physical mailboxes can contain a plethora of valuable information. Even as the
government cautions citizens to take measures to protect their personal and
financial information, it is itself delivering government identification
documents through the mail.

Breeder documents such as driver’s licenses, passports, and financial statements are
also sent by mail.

Some thieves randomly target mailboxes; others target those whose raised red flag signals
outgoing mail. This technique, known as popcorning, often scores credit card
numbers and banking information.

Ironically, credit card companies no longer include the entire card number on
statements, but consumers provide the number on their payment. Thus, a thief
can obtain a credit card number, checking information and other personal
information from an outgoing payment.

b. Dumpster Diving

Dumpster diving is the practice of sifting through commercial or residential trash
or waste for information deemed valuable. Such information includes account
numbers, social security or tax payer identification numbers, and passwords.


It may be located on discarded computer media or in paper form, and may be housed
in personnel records, accounting spreadsheets, receipts, invoices, or the like.

Fortunately, both consumers and businesses have increasingly taken measures to
prevent the misuse of discarded information.


Many now employ paper shredders and disk-wiping software. Diving for
information has been practiced by criminals and law enforcement alike.

c. Theft of Computers

Physical theft of computers is among the most common techniques employed by
identity thieves, as it alleviates the need to analyze and organize voluminous paper
documents.


d. Bag Operations

Another tactic historically utilized by intelligence agents which is currently used by
identity thieves and fraudsters is known as a “bag operation”.

It involves the surreptitious entry into hotel rooms to steal, photograph, or
photocopy documents; steal or copy magnetic media; or download information from
laptop computers.

Bag operations are typically conducted by the host government’s security or
intelligence services, frequently with the cooperation of the hotel staff. They are
most often committed when guests leave their room.

e. Child Identity Theft

Law enforcement authorities are reporting startling numbers of parents stealing
their children’s identities.

This type of identity theft or fraud is especially difficult to recognize and prosecute.
The primary problem is the delayed identification of the victimization.

Criminals may create alternate identities for themselves for employment, evasion of
authorities, and financial gain.

f. Insiders

Corporate and government insiders pose the greatest risk to identity theft.

Careless employees account for a large amount of identity theft. Such
negligence has been committed by both individual employees and corporate
divisions.

In 2005, for example, Bank of America reported that the personal information
of 1.2 million U.S. government employees, including U.S. senators, had been
compromised when tapes were lost during shipment.

In the same year, CitiGroup reported that UPS had lost the personal financial
information of nearly 4 million Citigroup customers.

g. Fraudulent and Fictitious Companies

This method of identity theft/fraud involves the creation of shell companies. Almost
always conducted by an organized ring of criminals, fake companies are
established which are engaged in the processing or collection of personal financial
information.

These fictitious businesses range from debt collection to insurance agents.


h. Card Skimming, ATM Manipulation, and Fraudulent Machines

This method of data theft involves the reading and recording of personal
information encoded on the magnetic strip of an automated teller machine (ATM)
or credit card.

Once stored, the stolen data is re-coded onto the magnetic strip of a secondary or
dummy card. This process, known as card skimming, results in a dummy card,
which is a full-service credit or debit card indistinguishable from the original when
making purchases.

VIRTUAL OR INTERNET-FACILITATED METHODS

a. Phishing
b. Spyware and Crimeware
c. Keyloggers and Password Stealers
d. Trojans

Internet-facilitated identity theft will increase due to the increase in outsourcing of
information, consumer shopping and online banking, and commercial globalization.

a. Phishing

The most commonly recognized method of online identity theft/fraud is phishing.

Phishing means the solicitation of information via e-mail or the luring of
individuals to fake Web sites.


Phishing often occurs when a potential victim receives a cautioning e-mail from a
fraudster which impersonates an ISP, merchant, and/or a financial institution. Such
messages contain solicitations for account or personal information. Normally
alarming in some manner, requests are made to “update or service an account” or to
provide additional information.



People engaging in phishing are also extremely difficult to prosecute as phishing
sites are almost always temporary, and victims are often unaware of their
vulnerability and subsequent victimization for years.

The seven categories of phishing attacks are:


Spoofing involves the spoofing of e-mails or Web sites by using company
trademarks and logos to appear to represent a legitimate financial institution or
Internet service provider. Such scams use banks and online shopping sites
almost exclusively.

Pharming is an advanced form of phishing, which redirects the connection
between an IP address (i.e., consumer seeking legitimate site) and its target server
(i.e., legitimate site). It can be accomplished at the DNS server through either
cache poisoning or social engineering, or on the local machine through a
Trojan which modifies the hosts file. This is accomplished when the link is altered
so that consumers are unwittingly redirected to a mirror site.

Redirectors are malicious programs which redirect users’ network traffic to
undesired sites. The most common form of malicious code is designed to modify
DNS server settings or hosts files so that either specific or all DNS lookups are
directed to a fraudulent server, which replies with “good.”

Advance-fee fraud or 419 frauds—some individuals will willingly divulge
personal and financial information to strangers if they believe that a large
financial windfall will soon follow.

Phishing Trojans and spyware—Trojans and other forms of spyware are
delivered as executable files attached to e-mails.

Floating windows—Phishers may place floating windows over the address
bars in Web browsers. Although the site appears to be legitimate, it is actually a
site designed to steal personal information.

Botnets—Botnets provide a mechanism for cybercriminals to change Web site IP
addresses repeatedly without affecting the domain name.
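Pharming and redirector malware, as described above, both rely on rewriting the local hosts file so that a site the user trusts resolves somewhere else. The following defender-side check is an added example and not part of these notes: it parses hosts-file text and flags any line that pins a watched domain to a fixed address; the domain names, addresses and watch list in the sample are constructed.

```python
import ipaddress

# Constructed sample hosts file. The last two entries mimic lines a pharming
# Trojan might append; the domains and addresses are illustrative only.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost

# Entries appended by malware (constructed for this example)
203.0.113.45    www.examplebank.com examplebank.com   # bank redirected
198.51.100.7    login.example-shop.com
"""

# Domains a defender expects never to appear in a local hosts file, because
# they must always be resolved through DNS (constructed watch list).
WATCHED_DOMAINS = {"examplebank.com", "example-shop.com"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for every usable line.

    Comments (anything after '#') and blank lines are skipped; a line whose
    first field is not a valid IPv4/IPv6 address is ignored as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) > 1:
            entries.append((ip, fields[1:]))
    return entries


def matches_watched(hostname, watched):
    """True if hostname is a watched domain or any subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Flag hosts-file entries that pin a watched domain to a fixed address.

    Each finding records the offending IP, the matched names and a severity:
    'redirect' when the address is routable (traffic goes to a mirror site),
    'sinkhole' when it is loopback (the name is being blocked, not redirected).
    """
    findings = []
    for ip, names in parse_hosts(hosts_text):
        hits = [n for n in names if matches_watched(n, watched)]
        if not hits:
            continue
        severity = "sinkhole" if ip.is_loopback else "redirect"
        findings.append({"ip": str(ip), "names": hits, "severity": severity})
    return findings


def check_hosts_file(path="/etc/hosts", watched=WATCHED_DOMAINS):
    """Run the check against a real hosts file.

    The default path assumes Linux; on Windows the file lives under
    System32\\drivers\\etc\\hosts.
    """
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_pharming_entries(f.read(), watched)


if __name__ == "__main__":
    for finding in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{finding['severity']}: {finding['ip']} -> "
              f"{', '.join(finding['names'])}")
```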

b. Spyware and Crimeware

o Spyware may be defined as a broad class of software that is surreptitiously
installed on a user’s machine to intercept or take control over the interaction
between users and their computers.
o Spyware is browser-based software designed to capture and transmit privacy-
sensitive information to third parties without the knowledge and consent of the
user.

c. Keyloggers and Password Stealers

o Keyloggers are devices or software programs which record the input activity of a
computer or system via keystrokes.

Depending on the device or software employed, the captured information is
either locally stored or remotely sent to the perpetrator. Such devices are
designed to capture passwords and other private information.

Contemporary keyloggers allow users to view screenshots in addition to
keylogging activity.

USB keyloggers, which resemble a typical thumb drive, can be easily attached and removed.

Physical keyloggers are undetectable by software, but are visible to knowledgeable
individuals—both physically and through the machine’s operating system.

d. Trojans

Trojans and other forms of malware are often referred to as PUPs
(potentially unwanted programs), as they are often housed with commercial
utilities designed for worthwhile goals like parental control, but which are
diverted from their original purpose to commit criminal acts.

CRIMES FACILITATED BY IDENTITY THEFT/FRAUD

Criminal activity facilitated by identity theft/fraud is largely a four-phase process:

(1) Stolen identifiers are procured.
(2) A breeder document (e.g., passport, birth certificate, driver’s license, or social
security card) is created or obtained.
(3) The breeder document is used to create additional fraudulent documents
and solidify an identity.
(4) The fraudulent identity is employed in the commission of a criminal act.

Insurance fraud is another area which has been characterized by an increase in scams
facilitated by identity theft/fraud. On the low end of the spectrum, some individuals
procure a victim’s personal information to obtain “free” (i.e., billed to another) medical
care. Such fraud is often practiced by illegal aliens and petty criminals.

Immigration fraud varies by dynamics, methods, and motivations. It may be conducted
by either individuals or criminal organizations to secure border crossing, obtain
immigration benefits, or further terrorist activity.

Immigration benefit fraud involves the willful misrepresentation of material fact on a
petition or application to secure an immigration benefit.


INCIDENT AND INCIDENT RESPONSE METHODOLOGY

COMPUTER SECURITY INCIDENT

A computer security incident is any unlawful, unauthorized, or unacceptable action
that involves a computer system or a computer network.

It includes:

 Theft of trade secrets
 Email spam or harassment
 Unauthorized or unlawful intrusions into computing systems
 Embezzlement
 Possession or dissemination of child pornography
 Denial-of-service (DoS) attacks
 Tortious interference of business relations
 Extortion
 Any unlawful action where the evidence of such action may be stored on computer
media, such as fraud, threats, and traditional crimes

GOALS OF INCIDENT RESPONSE

 Prevents a disjointed, noncohesive response (which could be disastrous)
 Confirms or dispels whether an incident occurred
 Promotes accumulation of accurate information
 Establishes controls for proper retrieval and handling of evidence
 Protects privacy rights established by law and policy
 Minimizes disruption to business and network operations
 Allows for criminal or civil action against perpetrators
 Provides accurate reports and useful recommendations
 Provides rapid detection and containment
 Minimizes exposure and compromise of proprietary data
 Protects your organization’s reputation and assets
 Educates senior management
 Promotes rapid detection and/or prevention of such incidents in the future

PERSONNEL INVOLVED IN THE INCIDENT RESPONSE PROCESS

Incident response is a multifaceted discipline. It usually require resources from several


different operational units of an organization such as,

PREPARED BY SANTHIYA.M/AP/CSE/REC 27
CS6004 - CYBER FORENSICS UNIT - III

 Human resources personnel,


 Legal counsel,
 Technical experts,
 Security professionals,
 Corporate security officers,
 Business managers,
 End users,
Helpdesk workers, and

Other employees may find themselves involved in responding to a computer
security incident.

Computer Security Incident Response Team (CSIRT) is a team of individuals


respond to any computer security incident.

The CSIRT is a multidisciplined team with the appropriate legal, technical, and other
expertise necessary to resolve an incident.

INCIDENT RESPONSE METHODOLOGY

There are seven major components of incident response:

(1) Pre-incident preparation

Take actions to prepare the organization and the CSIRT before an incident occurs.

(2) Detection of incidents

Identify a potential computer security incident.

(3) Initial response

Perform an initial investigation, recording the basic details surrounding the incident,
assembling the incident response team, and notifying the individuals who need to know
about the incident.

(4) Formulate response strategy

Based on the results of all the known facts, determine the best response and obtain
management approval. Determine what civil, criminal, administrative, or other actions
are appropriate to take, based on the conclusions drawn from the investigation.

(5) Investigate the incident

Perform a thorough collection of data. Review the data collected to determine what
happened, when it happened, who did it, and how it can be prevented in the future.

(6) Reporting

Accurately report information about the investigation in a manner useful to decision
makers.

(7) Resolution

Employ security measures and procedural changes, record lessons learned, and develop
long-term fixes for any problems identified.

(1) PRE-INCIDENT PREPARATION

During this phase, your organization needs to prepare both the organization itself as a
whole and the CSIRT members, prior to responding to a computer security incident.

Preparing the Organization

Preparing the organization involves developing all of the corporate-wide strategies
you need to employ to better posture your organization for incident response.

This includes the following:

 Implementing host-based security measures
 Implementing network-based security measures
 Training end users
 Employing an intrusion detection system (IDS)
 Creating strong access control
 Performing timely vulnerability assessments
 Ensuring backups are performed on a regular basis

Preparing the CSIRT

The CSIRT is defined during the pre-incident preparation phase. Your organization will
assemble a team of experts to handle any incidents that occur.

It includes the following:

 The hardware needed to investigate computer security incidents
 The software needed to investigate computer security incidents
 The documentation (forms and reports) needed to investigate computer security
incidents
 The appropriate policies and operating procedures to implement your response
strategies
 The training your staff or employees require to perform incident response in a
manner that promotes successful forensics, investigations, and remediation

(2) DETECTION OF INCIDENTS

The detection of incidents phase is one of the most important aspects of incident
response.

It is also one of the most decentralized phases, in which those with incident response
expertise have the least control.

Initially, the incident may be reported by an end user, detected by a system
administrator, identified by IDS alerts, or discovered by many other means.

In most organizations, end users may report an incident through one of three avenues:

 Their immediate supervisor
 The corporate help desk
 An incident hotline managed by the Information Security entity

Typically, end users report technical issues to the help desk, while employee-related
issues are reported to a supervisor or directly to the local Human Resources
department.

The initial response checklist contains the following details:

 Current time and date
 Who/what reported the incident
 Nature of the incident
 When the incident occurred
 Hardware/software involved
 Points of contact for involved personnel

After completing the initial response checklist, the CSIRT should be activated and the
appropriate people contacted.

The CSIRT will use the information from the initial response checklist to begin the next
phase of the response process, the initial response.

(3) INITIAL RESPONSE

The initial response phase involves:

 Assembling the CSIRT
 Collecting network-based and other data
 Determining the type of incident that has occurred
 Assessing the impact of the incident

This phase involves the following tasks:

 Interviewing system administrators who might have insight into the technical
details of an incident
 Interviewing business unit personnel who might have insight into business
events that may provide a context for the incident
 Reviewing intrusion detection reports and network-based logs to identify data
that would support that an incident has occurred
 Reviewing the network topology and access control lists to determine if any
avenues of attack can be ruled out

(4) FORMULATE A RESPONSE STRATEGY

The goal of the response strategy formulation phase is to determine the most
appropriate response strategy, given the circumstances of the incident. The strategy
should take into consideration the political, technical, legal, and business factors that
surround the incident.

The final solution depends on the objectives of the group or individual with
responsibility for selecting the strategy.

Examples of incidents with their response strategies and likely outcomes:

Incident: DoS attack
Example: TFN DDoS attack (a popular Distributed Denial of Service attack)
Response Strategy: Reconfigure router to minimize the effect of the flooding.
Likely Outcome: Effects of attack mitigated by router countermeasures. Establishment of
the perpetrator’s identity may require too many resources to be a worthwhile investment.

Incident: Unauthorized use
Example: Using work computers to surf pornography sites
Response Strategy: Possible forensic duplication and investigation. Interview with suspect.
Likely Outcome: Perpetrator identified, and evidence collected for disciplinary action.
Action taken may depend on employee’s position, or past enforcement of company policy.

Incident: Vandalism
Example: Defaced web site
Response Strategy: Monitor, repair, and investigate web site while it is online. Implement
web site “refresher” program.
Likely Outcome: Web site restored to operational status. Decision to identify perpetrator
may involve law enforcement.

An organization will need to take action to discipline an employee or to respond to a
malicious act by an outsider.

When the incident warrants, this action can be initiated with a criminal referral, a civil
complaint, or some administrative reprimand or privilege revocation.

Legal Action - It is not uncommon to investigate a computer security incident that is
actionable, or could lead to a lawsuit or court proceeding. The two potential legal
choices are to file a civil complaint or to notify law enforcement.

Administrative Action - Disciplining or terminating employees via administrative
measures is currently more common than initiating civil or criminal actions.

It includes:

 Letter of reprimand
 Immediate dismissal
 Mandatory leave of absence for a specific length of time (paid or unpaid)
 Reassignment of job duties (diminished responsibility)
 Temporary reduction in pay to account for losses/damage
 Public/private apology for actions conducted
 Withdrawal of certain privileges, such as network or web access

(5) INVESTIGATE THE INCIDENT

The investigation phase involves determining the who, what, when, where, how,
and why surrounding an incident.

A computer security investigation can be divided into two phases:

 Data collection
 Forensic analysis

During the data collection phase, you gather all the relevant information needed to
resolve the incident in a manner that meets your response strategy.

In the forensic analysis phase, you examine all the data collected to determine the
who, what, when, where, and how information relevant to the incident.

Data Collection
Data collection is the accumulation of facts and clues that should be considered during
your forensic analysis.

Data collection involves several unique forensic challenges:

 You must collect electronic data in a forensically sound manner.
 You are often collecting more data than you can read in your lifetime.
 You must handle the data you collect in a manner that protects its integrity.

The information you obtain during the data collection phase can be divided into three
fundamental areas:

 Host-based information
 Network-based information
 Other information

Host-based evidence includes logs, records, documents, and any other information
that is found on a system and not obtained from network-based nodes.

Host-based data collection gathers information in two different ways:

 Live data collection
 Forensic duplication

A live response is conducted when a computer system is still powered on and running.
This means that the information contained in these areas must be collected without
impacting the data on the compromised device.

There are three variations of live response:

Initial live response

This involves obtaining only the volatile data from a target or victim system.
An initial live response is usually performed when you have decided to
conduct a forensic duplication of the media.

In-depth response

The CSIRT obtains enough additional information from the target/victim
system to determine a valid response strategy. Nonvolatile information such
as log files are collected to help understand the nature of the incident.

Full live response

This is a full investigation on a live system. All data for the investigation is
collected from the live system, usually in lieu of performing a forensic
duplication, which requires the system to be powered off.

Network-based Evidence

It includes:

o IDS logs
o Consensual monitoring logs
o Nonconsensual wiretaps
o Pen-register/trap and traces
o Router logs
o Firewall logs
o Authentication servers

Other Evidence

The “other evidence” category involves testimony and other information obtained from
people.

Forensic Analysis

Forensic analysis includes reviewing all the data collected.

This includes reviewing:

o Log files
o System configuration files
o Trust relationships
o Web browser history files
o E-mail messages and their attachments
o Installed applications
o Graphic files


Forensic analysis also includes performing more low-level tasks, such as looking
through information that has been logically deleted from the system to determine if
deleted files, slack space, or free space contain data fragments or entire files that may be
useful to the investigation.

(6) REPORTING

Reporting can be the most difficult phase of the incident response process. The
challenge is to create reports that accurately describe the details of an incident, that are
understandable to decision makers, that can withstand the barrage of legal scrutiny, and
that are produced in a timely manner.

(7) RESOLUTION

The following steps are taken to resolve a computer security incident:

Identify your organization’s top priorities. Which of the following is the most
critical to resolve: returning all systems to operational status, ensuring data integrity,
containing the impact of the incident, collecting evidence, or avoiding public disclosure?


Determine the nature of the incident in enough detail to understand how the
security incident occurred and what host-based and network-based remedies are
required to address it.

Determine if there are underlying or systemic causes for the incident that need to be
addressed.

Restore any affected or compromised systems. You may need to rely on a prior
version of the data, server platform software, or application software as needed to
ensure that the system performs as you expect it to perform.

Apply corrections required to address any host-based vulnerabilities.

Apply network-based countermeasures such as access control lists, firewalls, or
IDS.

Assign responsibility for correcting any systemic issues.

Track progress on all corrections that are required, especially if they will take
significant time to complete.

Validate that all remedial steps or countermeasures are effective.

Update your security policy and procedures as needed to improve your response
process.

FORENSIC DUPLICATION AND INVESTIGATION

FORENSIC DUPLICATE

A forensic duplicate is a file that contains every bit of information from the source,
in a raw bit stream format.

A 5GB hard drive would result in a 5GB forensic duplicate. No extra data is stored
within the file, except in the case where errors occurred in a read operation from the
original.

A forensic duplicate may be compressed after the duplication process.

Two tools that create a forensic duplicate are:

o The Unix dd command and
o The U.S. Department of Defense (DoD) Computer Forensics Lab version of
the dd command called dcfldd.

Another tool is the new, open-source Open Data Duplicator.


QUALIFIED FORENSIC DUPLICATE

A qualified forensic duplicate is a file that contains every bit of information from
the source, but may be stored in an altered form.

Examples:

o In-band hashes and
o Empty sector compression.

Two tools that create qualified forensic duplicate output files are SafeBack and
EnCase.

RESTORED IMAGE

A restored image is what you get when you restore a forensic duplicate or a
qualified forensic duplicate to another storage medium.

MIRROR IMAGE

A mirror image is created from hardware that does a bit-for-bit copy from one hard
drive to another.

FORENSIC DUPLICATION TOOL REQUIREMENTS

Any forensic duplication tool should possess the following characteristics:

The tool must create a forensic duplicate or mirror image of the original storage
medium.

The tool must handle read errors in a robust and graceful manner. If a process fails
after repeated attempts, the error is noted and the imaging process continues.

A placeholder may be put in the output file with the same dimensions as the portion
of the input with errors.

The contents of this placeholder must be documented in the tool’s documentation.

The tool must not make any changes to the source medium. The tool must have the
ability to be held up to scientific and peer review.


CREATING A FORENSIC DUPLICATE OF A HARD DRIVE

Duplicating with dd and dcfldd

The dd utility is the most reliable tool for creating a true forensic duplicate image.

As long as the operating system kernel recognizes the storage medium, dd will
perform a complete, bit-for-bit copy of the original.


Creating Linux Boot Media

The preparation for duplication using Linux is likely the most difficult. The
easy route is to start with a precompiled version of Linux such as Tomsrtbt,
Trinux, or FIRE (Forensic and Incident Response Environment).

Once you have the basic package up and running, you can disassemble the
packages and add your own binaries, such as dcfldd.

Performing a Duplication with dd

Duplications will be stored in a series of files that are sized to fit on a
particular media type (such as CDs or DVDs) or file system type (such as
files under 2.1GB). This is called a segmented image.

The following is a bash shell script that will create a true forensic duplicate of
a hard drive and store the image on a local storage hard drive.
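An added example, not the course notes' own script: a POSIX shell script that writes a segmented dd image, records a SHA-256 for every segment and for the whole reassembled stream, and re-verifies the segments. The source path, output directory, prefix, segment size and the BS block size are assumptions; the same functions work against a plain file for testing as against a block device.

```shell
#!/bin/sh
# Added example (not from the course notes): segmented forensic duplicate
# with dd plus the hashes needed to verify it later.
# Assumptions: POSIX sh with GNU coreutils (dd, sha256sum, cmp, wc).
# SOURCE may be a block device (e.g. /dev/sdb) or, for testing, a plain file.

BS=512   # dd block size in bytes (assumed); SEGMENT_BYTES must be a multiple

# segmented_dd_image SOURCE OUTDIR PREFIX SEGMENT_BYTES
#   Writes OUTDIR/PREFIX.000, PREFIX.001, ... each SEGMENT_BYTES long (the
#   last one shorter), stores one SHA-256 per segment in OUTDIR/PREFIX.sha256,
#   logs every dd run in OUTDIR/PREFIX.log and prints the segment count.
#   conv=noerror,sync keeps going after a read error and pads the unreadable
#   block with zeros, so the image keeps the same dimensions as the source;
#   dd's error message lands in the log, which documents the placeholder.
segmented_dd_image() {
    src=$1; outdir=$2; prefix=$3; seg_bytes=$4
    blocks=$((seg_bytes / BS))
    mkdir -p "$outdir"
    : > "$outdir/$prefix.sha256"
    log="$outdir/$prefix.log"
    printf 'source=%s bs=%d segment=%d bytes\n' "$src" "$BS" "$seg_bytes" > "$log"
    i=0
    while :; do
        seg=$(printf '%s.%03d' "$prefix" "$i")
        printf 'segment %s skip=%d count=%d\n' "$seg" $((i * blocks)) "$blocks" >> "$log"
        dd if="$src" of="$outdir/$seg" bs="$BS" skip=$((i * blocks)) \
           count="$blocks" conv=noerror,sync 2>> "$log"
        size=$(wc -c < "$outdir/$seg" | tr -d ' ')
        if [ "$size" -eq 0 ]; then      # nothing left to read: drop the empty file
            rm -f "$outdir/$seg"
            break
        fi
        (cd "$outdir" && sha256sum "$seg" >> "$prefix.sha256")
        i=$((i + 1))
    done
    echo "$i"
}

# verify_segmented_image OUTDIR PREFIX
#   Re-hashes every segment against the stored list; returns non-zero if any
#   segment has been changed or damaged since acquisition.
verify_segmented_image() {
    (cd "$1" && sha256sum -c "$2.sha256" > /dev/null)
}

# image_sha256 OUTDIR PREFIX
#   Hash of the whole reassembled stream (segments in order, up to 999 of
#   them), to compare with a `sha256sum SOURCE` taken at acquisition time.
image_sha256() {
    cat "$1"/"$2".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1
}

# Usage: sh duplicate.sh /dev/sdb /mnt/evidence case01 2000000000
if [ "$#" -eq 4 ]; then
    segmented_dd_image "$1" "$2" "$3" "$4"
fi
```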

Duplicating with the Open Data Duplicator (ODD)


The Open Data Duplicator (ODD) is a new open-source tool. This tool follows a
client/ server model that allows the investigator to perform forensic duplications on
a number of computer systems simultaneously over a local LAN.

There are three portions of the ODD package:

Bootable CD-ROMs: These are similar to the Trinux Linux distribution.

Server-side application: The server will perform most of the processing of
the duplicate image, including the calculation of hashes, string searches, and
the storage of the true forensic duplication.

Client-side application: This portion may be run locally if you are
duplicating drives on a forensic workstation.

CREATING A QUALIFIED FORENSIC DUPLICATE OF A HARD DRIVE

Creating a Boot Disk

Imaging a system requires a clean operating environment. When imaging drives
using a DOS application, such as SafeBack or EnCase, this means that you must
create an MS DOS boot disk.

Using MS DOS 6.22 or Windows 95/98, the following command will format and copy
the system files to a floppy:

C:\> format a: /s

There should be four files in the root directory of the floppy. These files contain the
code to get the computer running a minimal operating system.

Directory of A:\
05/11/2003 20:01 222,390 IO.SYS
05/11/2003 20:01 68,871 DRVSPACE.BIN
05/11/2003 20:01 93,880 COMMAND.COM
03/20/2003 17:49 9 MSDOS.SYS

The first file processed by the computer is IO.SYS. The code in IO.SYS loads the
contents of MSDOS.SYS and begins to initialize device drivers, tests and resets the
hardware, and loads the command interpreter, COMMAND.COM.


During the process of loading device drivers, if a disk or partition connected to the
machine uses compression software, such as DriveSpace or DoubleSpace, IO.SYS
loads the DRVSPACE.BIN driver file.


As the driver loads, it will mount the compressed volume and present the operating
system with an uncompressed view of the file system.


When it mounts the compressed volume, it changes the time/date stamps on the
compressed file.


When you boot from your clean boot disk, you want to ensure that the loading of the
DRVSPACE.BIN driver file fails.


The most effective way to prevent the loading of DRVSPACE.BIN is to load IO.SYS
into a hex editor and alter the strings manually.


Creating a Qualified Forensic Duplicate with SafeBack

Creating a duplicate of a computer system with SafeBack is straightforward. It offers
four modes of operation:

o The Backup function produces a forensically sound image file of the source
media.
o The Restore function restores forensically sound image files.
o The Verify function verifies the checksum values within an image file.
o The Copy function performs the Backup and Restore operations in one action.

Creating a Qualified Forensic Duplicate with EnCase

EnCase, from Guidance Software, is the most popular forensic tool suite available
commercially.

Its popularity is based primarily on the easy-to-navigate GUI interface. A flexible
scripting language is included, allowing the examiner to customize the types of
searches performed by the tool.

During the first stages of an investigation, you can use the preview function to
quickly ascertain whether a computer system is material to the issue being
investigated.

To use the preview option, boot the suspect computer system with an EnCase boot
disk.

Instead of acquiring an image, you connect to the suspect computer through a
parallel cable or a network connection with a copy of EnCase running on your
forensic workstation.

Once the connection is established, the analysis process is the same as if you were
working on an EnCase image file.


PREPARATION FOR IR: CREATING RESPONSE TOOL KIT AND IR TEAM

CREATING A RESPONSE TOOLKIT

The response toolkit is a critical component of pre-incident preparation.

The response toolkit includes:

o Hardware,
o Software, and
o Documentation.

THE RESPONSE HARDWARE

The major hardware components are:

o Large hard drives,
o A SCSI card,
o A 10/100 NIC, and
o A tape drive.
o The CPU and memory should be hefty.

The hardware specifications are:

o High-end processor
o A minimum of 256MB of RAM
o Large-capacity IDE drives
o Large-capacity SCSI drives
o SCSI card and controller
o A fast CD-RW drive
o 8mm exabyte tape drive (20GB native, 40GB compressed), or a drive for DDS3
tapes (4mm)
o Extra power extenders for peripherals such as drives and any gear that goes in
your forensic tower
o Extra power-extension cords
o Numerous SCSI cables and active terminators
o Parallel-to-SCSI adapters
o Plenty of Category 5 cabling and hubs
o Ribbon cables with more than three plugs
o Power strips
o An uninterruptible power supply (UPS)
o CD-Rs, 100 or more
o Labels for the CDs
o A permanent marker for labeling CDs
o Jaz or Zip media
o Folders and folder labels for evidence
o Operating manuals for all your hardware
o A digital camera
o Toolkit or Victorinox Cybertool
o Lockable storage containers for evidence
o Printer and printer paper
o Burn bags

THE RESPONSE SOFTWARE

o Two to three native operating systems on the machine, such as Windows 98,
Windows NT, Windows 2000, and Linux, all bootable via GRUB (a GNU bootloader)
or on a CD-ROM “ghost” image
o Safeback, EnCase, DiskPro, or another forensics software package, used to
create exact images of computer media for forensic-processing purposes
o All the drivers for all of the hardware on your forensic machine
o Selection of boot disks (DOS, EnCase, Maxtor, and so on)
o Quick View Plus or some other software that allows you to view nearly all
types of files
o Disk-write blocking utilities
o An image of the complete setup on backup media such as DVD

The Network Monitoring Platform

The system running the network monitor should be a Pentium-class
machine, 500MHz or higher, with at least 512MB of RAM (or more,
depending on network traffic and the host operating system).

Hard drive size depends on the amount of traffic collected, but a 30GB
hard drive is a good start.

DOCUMENTATION

The documentation includes how the evidence is obtained, all actions taken, and where
and how the evidence is stored.

To facilitate complete documentation, standardized reporting and forms are useful.

ESTABLISHING AN INCIDENT RESPONSE TEAM

The missions of a CIRT are:

Respond to all security incidents or suspected incidents using an organized, formal
investigative process.

Conduct a complete investigation free from bias.

Quickly confirm or dispel whether an intrusion or security incident actually
occurred.

Assess the damage and scope of an incident.

Establish a 24-hour, 7-day-a-week hotline for clients during the duration of
the investigation.

Control and contain the incident.

Collect and document all evidence related to an incident.

Maintain a chain of custody (protect the evidence after collection).

Select additional support when needed.

Protect privacy rights established by law and/or corporate policy.

Provide liaison to proper law enforcement and legal authorities.

Maintain appropriate confidentiality of the incident to protect the organization from
unnecessary exposure.

Provide expert testimony.

Provide management with incident-handling recommendations that are fully
supported by facts.

Training the Team

Today, there are numerous classes that provide hands-on hacking and incident
response training. Some institutions that offer computer incident response training
are Foundstone, Carnegie Mellon, and SANS.

There are several professional organizations that allow law enforcement officers to
mingle with computer security professionals:

InfraGard


An FBI program designed to address the need for private and public-sector
information sharing, at both the national and local level.

High Technology Crime Investigation Association (HTCIA)

An association designed to encourage and facilitate the exchange of
information relating to computer incident investigations and security.

Information Systems Security Association (ISSA)

A not-for-profit international organization of information security
professionals and practitioners.

It provides education forums, publications, and peer interaction
opportunities.

Forum of Incident Response and Security Teams (FIRST)

A coalition that brings together incident response teams from government,
commercial, and academic organizations.

FORENSICS TECHNOLOGY AND SYSTEMS

FORENSICS TECHNOLOGY

Types of Military Computer Forensic Technology
Types of Law Enforcement Computer Forensic Technology
Types of Business Computer Forensic Technology
Specialized Forensics Techniques

TYPES OF COMPUTER FORENSICS TECHNOLOGY

Criminal investigators rely on recognized scientific forensic disciplines, such as
medical pathology, to provide vital information used in apprehending criminals and
determining their motives. Today, an increased opportunity for cyber crime exists,
making advances in the law enforcement, legal, and forensic computing technical
arenas imperative.


Two distinct components exist in the emerging field of cyber forensics technology.
The first, computer forensics, deals with gathering evidence from computer media
seized at the crime scene.


The second component, network forensics, is a more technically challenging aspect
of cyber forensics. It involves gathering digital evidence that is distributed across
large-scale, complex networks. Often this evidence is transient in nature and is not
preserved within permanent storage media.

1. Types of Military Computer Forensic Technology

The central hypothesis of CFX-2000 (Cyber Forensics Experiment) is that the motives,
intent, targets, sophistication, identity, and location of cyber criminals and cyber
terrorists can be accurately determined by deploying an integrated forensic analysis
framework.

The execution of CFX-2000 required the development and simulation of a realistic,
complex cyber crime scenario exercising conventional, as well as R&D prototype,
cyber forensic tools.

The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf
software and directorate-sponsored R&D prototypes.

The Synthesizing Information from Forensic Investigations (SI-FI) integration
environment supports the collection, examination, and analysis processes employed
during a cyber forensic investigation.

The SI-FI prototype uses digital evidence bags (DEBs), which are secure and
tamperproof containers used to store digital evidence.

Investigators can seal evidence in the DEBs and use the SI-FI implementation to
collaborate on complex investigations.

Authorized users can securely reopen the DEBs for examination, while automatic
audit of all actions ensures the continued integrity of their contents.

The teams used other forensic tools and prototypes to collect and analyze specific
features of the digital evidence, perform case management and timelining of digital
events, automate event link analysis, and perform steganography detection.

The results of CFX-2000 verified that it is possible to ascertain the intent and
identity of cyber criminals.

2. Types of Law Enforcement Computer Forensic Technology


Computer forensics tools and techniques have proven to be a valuable resource for
law enforcement in the identification of leads and in the processing of computer
related evidence.

Computer forensics tools and techniques have become important resources for use
in internal investigations, civil lawsuits, and computer security risk management.


Forensic software tools and methods can be used to identify passwords, logons, and
other information that is automatically dumped from the computer memory as a
transparent operation of today’s popular personal computer operating systems.
Such computer forensic software tools can also be used to identify backdated files
and to tie a diskette to the computer that created it.


Law enforcement and military agencies have been involved in processing
computer evidence for years.

Windows XP and Windows 2003 are operating systems that are often used on
notebook and desktop computers in corporations and government agencies.

Computer Evidence Processing Procedures

Processing procedures and methodologies should conform to federal computer
evidence processing standards.


Computer forensic trainers and instructors should be well qualified to teach the
correct computer-processing methods and procedures.

Preservation of Evidence

Computer evidence is fragile and susceptible to alteration or erasure by any number
of occurrences.


Computer forensic instructors should expose their trainees to bit stream backup
theories that ensure the preservation of all storage levels that may contain
evidence.

Example :

SafeBack is used to create mirror-image (bit-stream) backup files of hard
disks or to make a mirror-image copy of an entire hard disk drive or
partition.

The process is analogous to photography and the creation of a photo
negative. Once the photo negative has been made, several exact
reproductions can be made of the original. Unlike a photo, SafeBack image
files cannot be altered or modified to alter the reproduction.
This is because SafeBack is an industry standard self-authenticating
computer forensics tool that is used to create evidence-grade backups of
hard drives.

The primary uses of SafeBack are as follows:

o Used to create evidence-grade backups of hard disk drives on Intel-based
computer systems.
o Used to exactly restore archived SafeBack images to another computer
hard disk drive of equal or larger storage capacity.
o Used as an evidence preservation tool in law enforcement and civil
litigation matters.
o Used as an intelligence gathering tool by military agencies.

Trojan Horse Programs

CF techniques should be able to demonstrate the ability to avoid destructive
programs and traps that can be planted by computer users bent on destroying data
and evidence. Such programs can also be used to covertly capture sensitive
information, passwords, and network logons.

Computer Forensics Documentation

The documentation of forensic processing methodologies and findings is important.
This is even true concerning computer security risk assessments and internal audits,
because without proper documentation, it is difficult to present findings.

File Slack
Denotes the occurrence of random memory dumps in hidden storage areas. Such
data is the source of potential security leaks regarding passwords, network logons,
email, database entries, and word processing documents.

Data-Hiding Techniques
Trade secret information and other sensitive data can easily be concealed using any
of a number of techniques. It is possible to hide diskettes within diskettes and to hide
entire computer hard disk drive partitions.

E-Commerce Investigations
Net Threat Analyzer can be used to identify past Internet browsing and email
activity done through specific computers.

Dual-Purpose Programs
Programs can be designed to perform multiple processes and tasks at the same time.
They can also be designed for delayed tasking.

Text Search Techniques

New Technology Inc. has also developed specialized search techniques and tools
that can be used to find targeted strings of text in files, file slack, unallocated file
space, and Windows swap files.

Fuzzy Logic Tools Used to Identify Unknown Text

New Technology Inc. has also developed a methodology and tools that aid in the
identification of relevant evidence and unknown strings of text.

3. Types of Business Computer Forensic Technology

The types of business computer forensics technology are:

o Remote monitoring of target computers
o Creating trackable electronic documents
o Theft recovery software for laptops and PCs
o Basic forensic tools and techniques
o Forensic services available


Remote Monitoring of Target Computers

Data Interception by Remote Transmission (DIRT) from Codex Data Systems (CDS),
Inc. is a powerful remote control monitoring tool that allows stealth monitoring of all
activity on one or more target computers simultaneously from a remote command
center.

No physical access is necessary. The application also allows agents to remotely seize
and secure digital evidence prior to physically entering suspect premises.

Creating Trackable Electronic Documents

These tools identify unauthorized intruders who access, download, and view these
tagged documents.

The tools also allow security personnel to trace the chain of custody and chain of
command of all who possess the stolen electronic documents.


Theft Recovery Software for Laptops and PCs

PC PhoneHome is a software application that, when installed in your laptop or desktop
computer, secretly transmits an electronic message to an email address of your choice.

This allows you to track and locate your computer, thus providing the potential for its
ultimate recovery as well as apprehension of the thief.

4. Specialized Forensics Techniques

Encryption methods and vulnerabilities

Some of the most commonly used applications provide encryption protected by
passwords that can be readily defeated by investigators with the right tools and the
time to use them.

Other types of encryption, readily available to the general public, can be configured and
used to create encrypted data that goes beyond the ability of the professional
investigator to decrypt it using software.

The most popular encryption program is PGP, or Pretty Good Privacy. Invented by
Phil Zimmermann, it is a dual-key, algorithm-based code system that makes encrypted
data practically impossible to decipher.

TYPES OF COMPUTER FORENSICS SYSTEMS

Internet security systems
Intrusion detection systems
Firewall security systems
Storage area network security systems
Network disaster recovery systems
Public key infrastructure security systems
Wireless network security systems
Satellite encryption security systems
Instant messaging (IM) security systems
Net privacy systems
Identity management security systems
Identity theft prevention systems
Biometric security systems
Homeland security systems


1. INTERNET SECURITY SYSTEMS

1.1 General Internet Security Principles and Architecture

The first step in defining a corporate Internet security policy is to draft a high-level
management policy statement establishing a framework and context for security within
an organization. This policy needs to define the adequate and appropriate Internet
security measures necessary to safeguard a company’s systems, networks, transactions,
and data.

The next step is to start a systematic analysis of the assets of an organization,
determining the value of information, or the possible damage to reputation should it be
disclosed, along with possible risks.

1.1.1 Security Hierarchy

Information such as trade secrets, vault and authorization codes, and lock and key
information are clearly of a mission critical nature, and their unintended disclosure
could cause severe loss to a business or operation.

Departmental information is typically data that is private to a particular
department, such as payroll information in finance and medical records in
personnel.

Company private information varies from company to company but typically consists
of information that should only be disclosed to employees and partners of a company,
such as policy and procedure manuals.

Public information is information such as product literature, brochures, and catalogs
that needs to be freely available to anyone, but whose integrity needs to be assured to
prevent unauthorized alteration. This information is often provided to customers and
interested parties by means of the Internet.

Establishing a corporate Internet security policy involves the following:

o High-level management policy statement
o Systematic analysis of the organization’s assets
o Examination of risks
o Development of an implementation strategy


1.2 Public and Private Key Encryption

For many business and electronic commerce applications, it is necessary to transmit
information over communications lines and networks where there is the potential for
data to be altered, forged, or illicitly introduced. A powerful technique for securely
sending information is public key encryption or public key infrastructure.

Two keys exist, one public, the other private. The public key is freely distributed and is
used to encrypt the information to be sent. The private key is retained by the recipient
and is used to decrypt the received information.

To use public key encryption across the Internet, steps must be taken to ensure the
integrity of the public key and the identity of its owner. A trusted third party, called a
“certificate authority,” provides a unique “digital signature” for the public key, which
cannot be forged, and both identifies the owner of the key and certifies that the key has
not been altered.

To achieve secure, two-way communication across the Internet, without having
previously exchanged keys, the Diffie-Hellman scheme may be used.

Each party obtains the public key for the other from a certificate authority and performs
a special calculation with their own private keys.

The result of the algorithm will be the same for both parties and may be used as the new
secret shared key for secure communications between the two parties.


1.3 Secure Payment Solutions

Purchasing online may seem to be quick and easy. For it to work correctly, merchants
must connect to a network of banks (both acquiring and issuing banks), processors, and
other financial institutions so that payment information provided by the customer can
be routed securely and reliably. The solution is a payment gateway that connects your
online store to these institutions and processors.

Because payment information is highly sensitive, trust and confidence are essential
elements of any payment transaction. This means the gateway should be provided by a
company with in-depth experience in payment processing and security.

1.3.1 The Payment Processing Network

Acquiring Bank: In the online payment processing world, an acquiring bank provides
internet merchant accounts. A merchant must open an internet merchant account with
an acquiring bank to enable online credit card authorization and payment processing.
Examples of acquiring banks include Merchant eSolutions and most major banks.

Authorization: The process by which it is verified that a customer’s credit card is active
and they have the credit available to make a transaction. In the online payment
processing world, an authorization also verifies that the billing information the
customer has provided matches up with the information on record with their credit
card company.

Credit Card Association: A financial institution that provides credit card services that
are branded and distributed by customer issuing banks. Examples include Visa® and
MasterCard®.

Customer: The holder of the payment instrument—such as credit card, debit card, or
electronic check.

Customer Issuing Bank: A financial institution that provides a customer with a credit
card or other payment instrument. Examples include Citibank and Suntrust.

Internet Merchant Account: A special account with an acquiring bank that allows the
merchant to accept credit cards over the Internet. The merchant typically pays a
processing fee for each transaction processed, also known as the discount rate.

Merchant: Someone who owns a company that sells products or services.


Payment Gateway: A service that provides connectivity among merchants, customers,
and financial networks to process authorizations and payments. The service is usually
operated by a third-party provider such as VeriSign.

Processor: A large data center that processes credit card transactions and settles funds
to merchants. The processor is connected to a merchant’s site on behalf of an acquiring
bank via a payment gateway.

Settlement: The process by which transactions with authorization codes are sent to the
processor for payment to the merchant.

Settlement is a sort of electronic bookkeeping procedure that causes all funds from
captured transactions to be routed to the merchant’s acquiring bank for deposit.

1.4 Controlling Access

One aspect of implementing a security policy is being able to control which users have
access to particular systems and the data that they can access.

1.4.1 Authenticated Access

Within a company, card keys and security personnel can ensure that only employees are
accessing its systems, but for remote users, there is a much higher perceived security
risk. Many companies provide each of their remote users with a digital token card
(also called hard tokens) to increase their assurance of the identity of each remote
user.

Verisign is a commercial certification authority that issues digital certificates
providing assurance of the identity of an individual.

Each certificate contains the owner’s public key, name, expiration date of the public
key, name of the issuer (Verisign), serial number of the certificate, and Verisign’s
digital signature.


1.5 Secure Virtual Private Networks

Many corporate networks used for electronic data interchange (EDI) and funds transfer
have been implemented using either private networks or costly services from
specialized telecommunications network providers. Significant reduction in internal
corporate networking costs can be achieved by using secure, encrypted, Internet
protocol (IP)-level network communications over less expensive public networks, called
secure virtual private networks (SVPN).

1.6 Security Futures: Smart Cards

A smart card is equivalent to an electronic safe deposit box. Implemented as a
credit-card-sized piece of plastic, a smart card contains a semiconductor chip with
logic and nonvolatile memory. The software within the card detects attempts at
intrusion and tampering and monitors abnormal usage.

Smart cards can be read using conventional contact readers or interrogated remotely by
microwave or infrared signals.

2. INTRUSION DETECTION SYSTEMS

Intrusion detection systems help computer systems prepare for and deal with attacks.
They accomplish this goal by collecting information from a variety of system and
network sources and then analyzing the information for symptoms of security
problems.

Intrusion detection systems perform a variety of functions:

- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Recognition of activity patterns reflecting known attacks
- Statistical analysis of abnormal activity patterns
- Operating system audit trail management, with recognition of user activity reflecting
  policy violations

Network Security Management

Network security management is a process in which one establishes and maintains
policies, procedures, and practices required for protecting networked information
system assets. Intrusion detection and vulnerability assessment products provide
capabilities needed as part of sound network security management practice.


3. FIREWALL SECURITY SYSTEMS

A firewall is a system or group of systems that enforces an access control policy
between two networks.

A firewall is a network security product that acts as a barrier between two or more
network segments.

The firewall is a system (which consists of one or more components) that provides an
access control mechanism between your network and the network(s) on the other
side(s) of the firewall. A firewall can also provide audit and alarm mechanisms that will
allow you to keep a record of all access attempts to and from your network, as well as a
real-time notification of things that you determine to be important.

A firewall system can be a router, a personal computer, a host, or a collection of hosts,
set up specifically to shield a site or subnet from protocols and services that can be
abused from hosts outside the subnet.

A firewall system is usually located at a higher-level gateway, such as a site’s connection
to the Internet.

The benefits of using a firewall:

- Protection from vulnerable services
- Controlled access to site systems
- Concentrated security
- Enhanced privacy
- Logging and statistics on network use and misuse
- Policy enforcement

STORAGE AREA NETWORK SECURITY SYSTEMS

SANs are a relatively new methodology for attaching storage, whereby a separate
network (separate from the traditional LAN) connects all storage and servers.

This network would be a high-performance implementation, such as a fiber channel,
that encapsulates protocols such as a small computer system interface (SCSI).

SANs promise the ability to make any-to-any connections among multiple servers and
storage devices. They can create a shared “pool” of storage that can be accessed by
multiple servers through multiple paths, resulting in higher availability— especially
during a network disaster recovery (NDR).


Benefits:

A SAN provides a perfect environment for clustering that can extend to dozens of
servers and storage devices—all the while having redundant links in a fibre channel
fabric. Servers will continue to function because their data is still available through the
SAN, even if storage devices fail during an NDR.

The benefits are:

- Centralized management
- Scalability
- Reliability
- Performance

NETWORK DISASTER RECOVERY SYSTEMS

Network disaster recovery (NDR) is the ability to respond to an interruption in
network services by implementing a disaster recovery plan to restore an organization’s
critical business functions.

Staff training is clearly the greatest missing link in disaster recovery preparations. The
next most important issue is backing up corporate data more frequently.

The person most frequently cited as being responsible for the management of an NDR
plan is the company’s chief information officer (CIO) or another IT manager.


A majority of companies indicate they review their NDR plans every quarter, but some
companies haven’t reviewed their plans at all.

6. PUBLIC KEY INFRASTRUCTURE SYSTEMS

The purpose of PKI is to provide an environment that addresses today’s business, legal,
network, and security demands for trust and confidentiality in data transmission and
storage.

PKI is a system for supporting digital signatures and document encryption for an
organization.

The banking services are the most popular usage of this technology, which is quickly
spreading over all the applications that need security to be fully operational.

A PKI enables users of an insecure public network such as the Internet to securely and
privately exchange data through the use of a public and a private cryptographic key pair
that is obtained and shared through a trusted authority. The PKI provides for digital
certificates that can identify individuals or organizations and directory services that can
store and, when necessary, revoke them. PKI is the underlying technology that provides
security for the secure sockets layer (SSL) and hyper text transfer protocol secure
sockets (HTTPS) protocols, which are used extensively to conduct secure e-business
over the Internet.

A PKI consists of:

- A certificate authority that issues and verifies digital certificates
- A registration authority that acts as the verifier for the certificate authority before a
  digital certificate is issued to a requestor
- One or more directories where the certificates (with their public keys) are held
- A certificate management system

WIRELESS NETWORK SECURITY SYSTEMS

To date, most wireless attacks have happened outside the U.S., in markets where
wireless devices are more widely used. Nevertheless, one virus that did hit U.S.
handhelds was known as the liberty virus.

Some PDA users received what they thought was a program that would allow
them to play a certain game for free, but when they double-clicked on the link, it
launched a virus that erased all the data on the devices.


New types of malicious code have been written that force wireless devices to make
phone calls, because many of them also have telephony capabilities.

One incident in Japan caught the attention of wireless operators and software
companies around the globe. Users of NTT DoCoMo’s
(http://www.nttdocomo.com/) popular I-mode service received an email with
what looked like an embedded Web site link.

When customers clicked on the link, their phones automatically dialed Japan’s
emergency response number. Luckily, they could stop it before it got too bad, but
such code could shut down a 911 system and have serious consequences.

Because the wireless network is essentially everywhere, sniffing is an inherent problem
in wireless. To break into the wired world, sniffers must have access to physical parts of
the network; with wireless, they don’t even have to be in the network. They can be in a
van outside with a transmitter.

The more capabilities supported by devices, the greater the potential for viruses to
spread between PCs and mobile devices, which could enable viruses to spread very
quickly.

8. SATELLITE ENCRYPTION SECURITY SYSTEMS

For the sake of public trust in the Internet, an infrastructure must be designed to
support the safe use of land-based communication links or ground stations.


An encryption infrastructure can be effectively designed to solve most of the
confidentiality and authentication concerns of satellite transmission with the Internet.

Secure exchanges can be done by:

- One-way transactions
- Two-way transactions

A one-way transaction is typified by email transmissions to and from satellites over
the Internet. Although email messages are frequently answered, each message
transmission is a unique, stand-alone event. A message sender may want assurance that
the message can only be read by the intended recipient (confidentiality); a recipient
may want assurance that the message came from the alleged sender without being
altered en route (authenticity).

A two-way transaction first involves some sort of a logon function, in which a user
connects to a service, and then an exchange of information between the user and the
service occurs.

First, the service wants assurance that the user is not an impostor but actually the
person claimed (authenticity). Then, once the service has accepted a user as legitimate
and authorized, both the user and the service may wish to ensure that all information
exchange between them is safe from eavesdropping (confidentiality).

9. INSTANT MESSAGING (IM) SECURITY SYSTEMS

With the public IM networks, the individual employee registers for service. If the
employee leaves a company, the firm has no (technology-based) way to prevent him
from continuing to use the account, or from continuing to represent himself as still
working for the company. Furthermore, without additional tools, the company has no
way of archiving IM messages for legal or regulatory purposes, or of monitoring and
controlling the content of messages to filter for inappropriate communications.

IM management and security systems act as proxies for IM traffic going into the
network, which imposes policies before letting traffic through. Besides addressing
security, this architecture puts the IM management and security vendors in a position to
deal with the pesky problem of the lack of interoperability among networks.

10. NET PRIVACY SYSTEMS

The philosophical focus of a privacy management perspective is geared toward the
improvement of the bottom line for private companies and cost control and resource
optimization for nonprofit and government organizations.

All types of organizations need to develop privacy policies that maximize the benefit of
reusing information in as many ways as possible while minimizing the risks associated
with potential privacy violations.

Protecting the privacy of enterprise information, data on customers, and corporate
trade secrets has become a major concern for managers in all types and sizes of
organizations. Laws are often ambiguous, social thought toward privacy is volatile,
emerging technologies present new and complex challenges, and political winds are
blowing hard from many directions. Surviving the chaos surrounding information
privacy requires a comprehensive company-wide privacy plan.

Business managers must develop and implement an enterprise-wide privacy plan. This
is important because organizations are becoming more dependent on information
systems to manage critical financial data as well as customer records and product data.
It is also important because of increasing regulatory and social pressures concerning the
protection of individual privacy and proprietary corporate information.

This author’s position on privacy is very straightforward. Enterprises need to avoid
potentially costly lawsuits and embarrassing public relations incidents that may result
from revealing information that is protected by law, that management has determined
could be detrimental to the enterprise if known by competitors or the public, or that
customers feel should be kept private.

The goal here is to provide you with a process to manage privacy in your enterprise.
This is done by giving you basic building blocks to understand the process of
developing, implementing, and monitoring privacy plans, policies, and procedures.

11. IDENTITY MANAGEMENT SECURITY SYSTEMS

Identity management is the creation, management, and use of online, or digital,
identities.

Identity management will help organizations do business and get things done. By
authenticating and authorizing digital identities, an identity management system will
improve administrative productivity while keeping enterprise resources secure, as well
as streamline e-business transactions.

Users will enjoy a more convenient experience, and organizations will benefit from
more efficient processes and expanded business opportunities.

There have been three distinct approaches to developing an identity management
system, each appropriate to different circumstances and requirements:

- Silo
- Closed community
- Federated

In a silo model, each business creates a unique relationship with its customers,
employees, and partners through Internet, intranet, and extranet sites, respectively.

A closed community is one in which a central business unit defines and brokers trust
to all member organizations in the community. An example would be any group of
companies, government agencies, or educational institutions that have banded together
to serve a common user group or to establish an online B2B exchange. From any
member Web site, a user can gain access to the Web sites of other partners.

In a federated model, each partner agrees to trust user identities issued or authenticated
by other organizations while maintaining control of the identity and preference
information of its own users. A common example of a federated model is the passport:
each country independently issues passports that are trusted by all the other countries.

12. IDENTITY THEFT

Identity theft is the appropriation of an individual’s personal information in order to
impersonate that person in a legal sense.

Identity theft can still be done by such low-tech means as knowing someone else’s basic
identifying information and initiating personal transactions in that person’s name, but
today, identities can also be stolen using highly technical and sophisticated means of
obtaining the personal data of a stranger.

An identity thief who has enough information about you can open a new credit card
account in your name.

13. HOMELAND SECURITY SYSTEMS

The homeland security systems consist of the following structures:

- Border and transportation security
- Emergency preparedness and response
- Chemical, biological, radiological, and nuclear countermeasures
- Information analysis and infrastructure protection

UNDERSTANDING COMPUTER INVESTIGATION

Preparing a Digital Forensics Investigation

The role of a digital forensics professional is to gather data from a suspect’s
computer and determine whether there’s evidence that a crime was committed or
company policy or industry regulations had been violated.


If the evidence suggests that a crime or policy violation has been committed, a case
is prepared, which is a collection of evidence you can offer in court or at a private-
sector inquiry.


The process involves investigating the suspect’s computer and then preserving the
evidence on a different computer.

To begin an investigation, an accepted procedure to prepare a case should be
followed.


By approaching each case methodically, you can investigate the evidence thoroughly and
document the chain of evidence, or chain of custody, which is the route the evidence
takes from the time you find it until the case is closed or goes to court.

An Overview of a Computer Crime

Law enforcement officers often find computers, smartphones, and other devices as
they are investigating crimes, gathering other evidence, or making arrests.


These devices can contain information that helps law enforcement officers
determine the chain of events leading to a crime or information providing evidence
that’s more likely to lead to a conviction.

An example case in which computers were involved in a crime:

The police raided a suspected drug dealer’s home and found a desktop computer,
several USB drives (also called “flash drives” or “thumb drives”), a tablet computer,
and a cell phone in a bedroom.


The computer was “bagged and tagged,” meaning it was placed in evidence bags
along with the storage media and then labeled with tags as part of the search and
seizure.


The lead detective on the case wants you to examine the computer and cell phone to
find and organize data that could be evidence of a crime, such as files containing
names of the drug dealer’s contacts, text messages, and photos.


The acquisitions officer gives you documentation of items the investigating officers
collected with the computer, including a list of other storage media, such as
removable disks and flash drives.


The acquisitions officer also notes that the computer is a Windows 8 system, and the
machine was running when it was discovered.


Before shutting down the computer, the acquisitions officer photographs all open
windows on the Windows desktop, including one showing File Explorer, and gives
you the photos. Before shutting down the computer, a live acquisition should be
done to capture RAM, too.

An Overview of a Company Policy Violation

Companies often establish policies for employee use of computers.




Employees surfing the Internet, sending personal e-mail, or using company
computers for personal tasks during work hours can waste company time. Because
lost time can cost companies millions of dollars, digital forensics specialists are often
used to investigate policy violations.

TAKING A SYSTEMATIC APPROACH

When preparing a case, the standard systems analysis steps are to be applied.

Make an initial assessment about the type of case under investigation—To assess the
type of case, talk to others involved in the case and ask questions about the incident.

Determine a preliminary design or approach to the case—Outline the general steps
that need to be followed to investigate the case.

Create a detailed checklist—Refine the general outline by creating a detailed checklist
of steps and an estimated amount of time for each step. This outline helps you stay on
track during the investigation.

Determine the resources you need - Based on the OS of the computer you’re
investigating, list the software you plan to use for the investigation, noting any other
software, tools, or expert assistance you might need.

Obtain and copy an evidence drive—In some cases, you might be seizing multiple
computers along with CDs, DVDs, USB drives, mobile devices, and other removable
media. Make a forensic copy of the disk.


Identify the risks—List the problems that are normally expected in the case. This
list is known as a standard risk assessment.

Mitigate or minimize the risks — Identify how you can minimize the risks. Make
multiple copies of the original media before starting. Then if you destroy a copy
during the process of retrieving information from the disk, you have additional
copies.

Test the design—Review the decisions made and the steps that are completed.
Compare hash values to ensure that the data has been copied from the original
media correctly.

Analyze and recover the digital evidence—Using the software tools and other
resources examine the disk to find digital evidence.

Investigate the data you recover—View the information recovered from the disk,
including existing files, deleted files, e-mail, and Web history, and organize the files
to help find information relevant to the case.

Complete the case report—Write a complete report detailing what was done and
what was found.

Critique the case—Self-evaluation and peer review are essential parts of professional
growth. After completing a case, review it to identify successful decisions and actions
and determine how to improve performance.

A systematic approach helps to gather as much information as possible.

For all computing investigations, the investigator must be prepared for the unexpected,
so a contingency plan for the investigation is always required. A contingency plan can
consist of anything that helps you complete the investigation, from alternative software
and hardware tools to other methods of approaching the investigation.

ASSESSING THE CASE

Identifying case requirements involves determining the type of case that is being
investigated.


It requires outlining the case details systematically, including the nature of the case,
the type of evidence available, and the location of evidence.


Example:

Situation — Employee abuse of resources.
Nature of the case — Side business conducted on the company computer.
Specifics of the case — The employee is reportedly conducting a side business on his
company computer. Company policy states that all company-owned computing assets
are subject to inspection by company management at any time.
Type of evidence — Small-capacity USB drive connected to a company computer.
Known disk format — NTFS.
Location of evidence — One USB drive recovered from the employee’s computer.

The case requirements:

- The USB drive retrieved from the employee’s computer
- A reliable digital forensics tool to duplicate the USB drive and find deleted and hidden
  files

PLANNING YOUR INVESTIGATION

Once the requirements of the case have been identified, plan the investigation.

A basic investigation plan should include the following activities:

- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure the evidence in an approved secure container

Identify the specific steps to gather the evidence, establish a chain of custody, and
perform the forensic analysis.


Use an evidence custody form, also called a chain-of-evidence form, to document
evidence.


An evidence custody form usually contains the following information: (REFER PAGE:

- Case number—The number your organization assigns when an investigation is
  initiated.
- Investigating organization—The name of your organization. In large corporations
  with global facilities, several organizations might be conducting investigations in
  different geographic areas.
- Investigator—The name of the investigator assigned to the case. If many investigators
  are assigned, specify the lead investigator’s name.
- Nature of case—A short description of the case.
- Location evidence was obtained—The exact location where the evidence was
  collected.
- Description of evidence—A list of the evidence items, such as “hard drive, 250 GB”
  or “one USB drive, 8 GB, possibly including photos.”
- Vendor name—The name of the manufacturer of the computer component.
- Model number or serial number—List the model number or serial number (if
  available) of the computer component.
- Evidence recovered by—The name of the investigator who recovered the evidence.
- Date and time—The date and time the evidence was taken into custody. This
  information establishes exactly when the chain of custody starts.
- Evidence placed in locker—Specifies which approved secure container is used to
  store evidence and when the evidence was placed in the container.
- Item #/Evidence processed by/Disposition of evidence/Date/Time—When you or
  another authorized investigator retrieves evidence from the evidence locker for
  processing and analysis, list the item number and your name, and then describe what
  was done to the evidence.
- Page—The forms used to catalog all evidence for each location should have page
  numbers.

SECURING YOUR EVIDENCE

Some evidence is small enough to fit into an evidence bag. Other items, such as CPU
cabinets, monitors, keyboards, and printers, are too large.


To secure and catalog the evidence contained in large computer components, use
large evidence bags, tape, tags, labels, and other products available from police
supply vendors or office supply stores.


When gathering products to secure your computer evidence, make sure they are safe
and effective to use on computer components.

Use computer-safe products:
- Antistatic bags
- Antistatic pads

Use well-padded containers.

Use evidence tape to seal all openings.


Avoid damaging the component or coming into contact with static electricity, which
can destroy digital data.

Securing evidence often requires building secure containers. Computer components
require specific temperature and humidity ranges.

When collecting computer evidence, make sure you have a safe environment for
transporting and storing it until a secure evidence container is available.

PROCEDURES FOR PRIVATE-SECTOR HIGH-TECH INVESTIGATIONS

Procedures are necessary to ensure that correct techniques are used in an
investigation.

Some sample procedures that computing investigators commonly use in private-sector
high-tech investigations are as follows:

Employee Termination Cases

The majority of investigative work for termination cases involves employee abuse of
corporate assets.

a. Internet abuse investigations

To conduct an investigation you need:
- Organization’s Internet proxy server logs
- Suspect computer’s IP address
- Suspect computer’s disk drive
- Your preferred computer forensics analysis tool

Recommended steps:
- Use standard forensic analysis techniques and procedures
- Use appropriate tools to extract all Web page URL information
- Contact the network firewall administrator and request a proxy server log
- Compare the data recovered from forensic analysis to the proxy server log
- Continue analyzing the computer’s disk drive data
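The step of comparing URLs recovered from the suspect's disk with the proxy server log, worked through in Python as an added example (this is not code from the course notes or from any forensics product). The five-field proxy log format, the IP addresses, the suspect's address and the recovered URLs are all constructed for the example; a real proxy log would need its own line parser in place of `parse_proxy_log`, and the correlation step stays the same.

```python
"""Correlate Web URLs recovered from a suspect's disk with the organization's
proxy server log. Added example: the log format, addresses and URLs below are
constructed, not taken from the course notes or any real investigation."""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit, urlunsplit

# Constructed proxy log excerpt. Assumed one entry per line:
#   <ISO timestamp> <client IP> <HTTP method> <URL> <HTTP status>
SAMPLE_PROXY_LOG = """\
2023-03-01T09:02:11 10.0.5.23 GET http://news.example.com/ 200
2023-03-01T09:05:40 10.0.5.23 GET https://shop.example.net/cart?id=7 200
2023-03-01T09:06:02 10.0.5.31 GET https://intranet.example.org/wiki 200
2023-03-01T09:07:15 10.0.5.23 GET https://jobs.example.biz/apply 403
2023-03-01T09:08:30 10.0.5.23 POST https://shop.example.net/checkout 200
"""

# Constructed list of URLs a forensic tool extracted from the suspect's drive
# (history, cache). Case and trailing slash differ from the proxy on purpose.
RECOVERED_URLS = [
    "http://NEWS.example.com",
    "https://shop.example.net/cart?id=7",
    "https://photos.example.com/album/3",   # on disk but never seen by the proxy
]

SUSPECT_IP = "10.0.5.23"   # assumed: the address assigned to the suspect's computer


@dataclass(frozen=True)
class ProxyEntry:
    when: datetime
    client_ip: str
    method: str
    url: str
    status: int


def normalise_url(url: str) -> str:
    """Canonical form so the disk copy and the proxy copy of one URL compare
    equal: lowercase scheme and host, drop the fragment, drop a bare or
    trailing slash on the path."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def parse_proxy_log(text: str) -> list:
    """Parse the assumed five-field log format; reject malformed lines loudly
    rather than silently dropping evidence."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        stamp, ip, method, url, status = fields
        entries.append(ProxyEntry(datetime.fromisoformat(stamp), ip, method, url, int(status)))
    return entries


def correlate(entries, suspect_ip, recovered_urls):
    """Split URLs into three buckets: corroborated (on disk and in the proxy log
    for the suspect IP, with the proxy timestamps), proxy-only (the proxy saw
    them but the disk examination did not find them) and disk-only (found on
    disk but never logged by the proxy)."""
    proxy_seen = {}
    for e in entries:
        if e.client_ip == suspect_ip:
            proxy_seen.setdefault(normalise_url(e.url), []).append(e.when)
    proxy_urls = set(proxy_seen)
    disk_urls = {normalise_url(u) for u in recovered_urls}
    return {
        "corroborated": {u: sorted(proxy_seen[u]) for u in disk_urls & proxy_urls},
        "proxy_only": sorted(proxy_urls - disk_urls),
        "disk_only": sorted(disk_urls - proxy_urls),
    }


if __name__ == "__main__":
    result = correlate(parse_proxy_log(SAMPLE_PROXY_LOG), SUSPECT_IP, RECOVERED_URLS)
    for bucket, items in result.items():
        print(bucket, items)
```

Each bucket is a lead rather than a conclusion: corroborated URLs carry the proxy timestamps that place the activity in time; proxy-only URLs point to browser history that the disk examination did not recover and deserve a second look in cache and unallocated space; disk-only URLs suggest use of the machine off the corporate network, which the investigator should confirm from other sources before drawing conclusions.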

b. E-mail abuse investigations

To conduct an investigation you need:
- An electronic copy of the offending e-mail that contains message header data
- If available, e-mail server log records
- For e-mail systems that store users’ messages on a central server, access to the server
- Access to the computer so that you can perform a forensic analysis on it
- Your preferred computer forensics analysis tool

Recommended steps:
- Use the standard forensic analysis techniques
- Obtain an electronic copy of the suspect’s and victim’s e-mail folder or data
- For Web-based e-mail investigations, use tools such as FTK’s Internet Keyword Search
  option to extract all related e-mail address information
- Examine header data of all messages of interest to the investigation
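For the step of examining header data, an added Python example (not from the course notes) that reads the Received chain in the order the message actually travelled and flags the mismatches between visible sender and envelope data that an investigator checks first. The message, its hosts, addresses and queue IDs are constructed for the example and correspond to nothing real.

```python
"""Examine e-mail header data: list the Received hops in transit order and
flag inconsistencies between the visible sender and the envelope data.
Added example; the message below is constructed and its hosts are not real."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message as it would be exported from the mail server.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
\tby mailstore.corp.example with ESMTP id 7Xk3; Wed, 01 Mar 2023 09:15:22 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx1.corp.example with ESMTP id A4f9; Wed, 01 Mar 2023 09:15:20 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.mailer.example.net with SMTP id Q2z1; Wed, 01 Mar 2023 09:15:18 +0000
From: "Payroll" <payroll@corp.example>
Reply-To: payroll-desk@mailer.example.net
To: victim@corp.example
Subject: Updated salary sheet
Message-ID: <20230301091518.1234@mailer.example.net>
Date: Wed, 01 Mar 2023 09:15:17 +0000

Please open the attached sheet.
"""

# "from <host> ... by <host>" is the common core of a Received header.
RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)")


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def domain_of(addr):
    """Domain part of an address or Message-ID, lowercased, brackets removed."""
    return addr.rpartition("@")[2].strip("<>").lower()


def received_hops(msg):
    """Each relay prepends its own Received header, so the bottom one is the
    first hop; reverse them to read the path in the order the message moved."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())       # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue                               # unparseable relay line; keep going
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
        hops.append({"from": m["src"], "by": m["dst"], "at": stamp})
    return hops


def examine_headers(msg):
    """Return the visible sender, the hop list and a list of findings: envelope
    sender, Reply-To or Message-ID from a different domain than From, and
    Received timestamps that run backwards (a sign of a forged or clock-skewed
    relay line). Findings are leads to follow up, not proof of abuse."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = domain_of(from_addr)
    findings = []
    for name in ("Return-Path", "Reply-To"):
        addr = parseaddr(str(msg.get(name, "")))[1]
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{name} domain {domain_of(addr)} differs from From domain {from_dom}")
    mid_dom = domain_of(str(msg.get("Message-ID", "")))
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    hops = received_hops(msg)
    stamps = [h["at"] for h in hops if h["at"] is not None]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        findings.append("Received timestamps run backwards between hops")
    return {"from": from_addr, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = examine_headers(parse_message(SAMPLE_RAW))
    for hop in report["hops"]:
        print(f"{hop['at']}  {hop['from']}  ->  {hop['by']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Only the Received header added by your own server (the top one) can be taken at face value; everything below it was written by other systems and can be forged, which is why the hop list is read together with the server log records the procedure asks for.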

c. Attorney-Client Privilege Investigations

Under attorney-client privilege (ACP) rules for an attorney:
- You must keep all findings confidential
- Many attorneys like to have printouts of the data you have recovered
- You need to persuade and educate many attorneys on how digital evidence can be
  viewed electronically
- You can also encounter problems if you find data in the form of binary files

Steps for conducting an ACP case:
- Request a memorandum from the attorney directing you to start the investigation
- Request a list of keywords of interest to the investigation
- Initiate the investigation and analysis
- For disk drive examinations, make two bit-stream images using different tools
- Compare hash signatures on all files on the original and re-created disks
- Methodically examine every portion of the disk drive and extract all data
- Run keyword searches on allocated and unallocated disk space
- For Windows OSs, use specialty tools to analyze and extract data from the Registry
  (for example, AccessData Registry Viewer)
- For binary data files such as CAD drawings, locate the correct software product
- For unallocated data recovery, use a tool that removes or replaces nonprintable data
- Consolidate all recovered data from the evidence bit-stream image into folders and
  subfolders

d. Media Leak Investigations

In the corporate environment, controlling sensitive data can be difficult.

Disgruntled employees might send an organization’s sensitive data to a news reporter.
Premature release of information about new products can disrupt operations and cause
market share loss.

Guidelines for media leak investigations:
- Examine e-mail and message boards, and search for information about the company or
  product
- Examine proxy server logs, track e-mail, and determine the source
- Examine known suspect workstations and develop leads on possible associates
- Examine company phone records for calls to media organizations

Steps to take for media leaks:
- Interview management to get a list of employees who have direct knowledge of
  sensitive data
- Identify the media source that published the information
- Review company phone records
- Obtain a list of keywords related to the media leak
- Perform keyword searches on proxy and e-mail servers
- Discreetly (unnoticeably) conduct forensic disk acquisitions and analysis
- From the forensic disk examinations, analyze all e-mail correspondence and trace any
  sensitive messages to other people
- Expand the discreet forensic disk acquisition and analysis
- Consolidate and review your findings periodically
- Routinely report findings to management

e. Industrial Espionage Investigations

All suspected industrial espionage (spying) cases should be treated as criminal
investigations.

Staff needed:
- Computing investigator who is responsible for disk forensic examinations
- Technology specialist who is knowledgeable about the suspected compromised technical
  data
- Network specialist who can perform log analysis and set up network sniffers
- Threat assessment specialist (typically an attorney)

Guidelines:
- Determine whether this investigation involves a possible industrial espionage incident
- Consult with corporate attorneys and upper management
- Determine what information is needed to substantiate the allegation
- Generate a list of keywords for disk forensics and sniffer monitoring
- List and collect resources for the investigation

Steps for conducting an industrial espionage case:
- Gather all personnel assigned to the investigation and brief them on the plan
- Gather resources to conduct the investigation
- Place surveillance systems
- Discreetly gather any additional evidence
- Collect all log data from networks and e-mail servers
- Report regularly to management and corporate attorneys
- Review the investigation’s scope with management and corporate attorneys

INTERVIEWS AND INTERROGATIONS IN HIGH-TECH INVESTIGATIONS

Becoming a skilled interviewer and interrogator can take many years of experience.

Interview

Usually conducted to collect information from a witness or suspect about specific facts
related to an investigation.

Interrogation

The process of trying to get a suspect to confess to a specific incident or crime.

Role as a computing investigator

To instruct the investigator conducting the interview on what questions to ask and what
the answers should be.

Ingredients for a successful interview or interrogation:
- Being patient throughout the session
- Repeating or rephrasing questions to zero in on specific facts from a reluctant witness
  or suspect
- Being tenacious (stubborn)

UNDERSTANDING DATA RECOVERY WORKSTATIONS AND SOFTWARE

Investigations are conducted in a computer forensics lab (or data-recovery lab).

Computer forensics and data recovery are related but different.

Computer forensics workstation:
– Specially configured personal computer
– Loaded with additional bays and forensics software

To avoid altering the evidence, use:
– Forensics boot floppy disk
– Write-blocker devices

Setting Up your Computer for Computer Forensics

The basic requirements needed are:

– A workstation running Windows XP or Vista
– A write-blocker device
– Computer forensics acquisition tool
– Computer forensics analysis tool
– Target drive to receive the source or suspect disk data
– Spare PATA or SATA ports
– USB ports
– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools

Conducting an Investigation

Gather the resources identified in the investigation plan.

Items needed
– Original storage media
– Evidence custody form
– Evidence container for the storage media
– Bit-stream imaging tool
– Forensic workstation to copy and examine your evidence
– Securable evidence locker, cabinet, or safe


Gathering the Evidence

Avoid damaging the evidence.

Steps
– Meet the IT manager to interview him
– Fill out the evidence form, have the IT manager sign
– Place the evidence in a secure container
– Complete the evidence custody form
– Carry the evidence to the computer forensics lab
– Create forensics copies (if possible)
– Secure evidence by locking the container

Understanding Bit-Stream Copies

Bit-stream copy
– Bit-by-bit copy of the original storage medium
– Exact copy of the original disk
– Different from a simple backup copy
Backup software only copies known files
Backup software cannot copy deleted files or e-mail messages, or
recover file fragments

Bit-stream image
– File containing the bit-stream copy of all data on a disk or partition
– Also known as forensic copy

Copy image file to a target disk that matches the original disk’s manufacturer, size
and model

Acquiring an Image of Evidence Media

First rule of computer forensics
– Preserve the original evidence
Conduct your analysis only on a copy of the data
Using ProDiscover Basic to acquire a thumb drive
– Create a work folder for data storage
– Steps
On the thumb drive, locate the write-protect switch and place the
drive in write-protect mode
Start ProDiscover Basic
In the main window, click Action, Capture Image from the menu
Click the Source Drive drop-down list, and select the thumb drive
Click the >> button next to the Destination text box
Type your name in the Technician Name text box
ProDiscover Basic then acquires an image of the USB thumb drive
Click OK in the completion message box

Analyzing Your Digital Evidence

Steps
– Start ProDiscover Basic
– Create a new case
– Type the project number
– Add an Image File

Steps to display the contents of the acquired data
– Click to expand Content View
– Click All Files under the image filename path

Analyze the data
– Search for information related to the complaint

With ProDiscover Basic you can:
– Search for keywords of interest in the case
– Display the results in a search results window
– Click each file in the search results window and examine its content in the
data area
– Export the data to a folder of your choice
– Search for specific filenames
– Generate a report of your activities

Completing the Case

You need to produce a final report
– State what you did and what you found
Include the ProDiscover report to document your work
Repeatable findings
– Repeat the steps and produce the same result
If required, use a report template
The report should show conclusive evidence
– Suspect did or did not commit a crime or violate a company policy


Critiquing the Case

Ask yourself the following questions:

– How could you improve your performance in the case?
– Did you expect the results you found? Did the case develop in ways you
did not expect?
– Was the documentation as thorough as it could have been?
– What feedback has been received from the requesting source?
– Did you discover any new problems? If so, what are they?
– Did you use new techniques during the case or during research?

DATA ACQUISITION

Digital acquisition is the process of copying data. For computer forensics, it is the task
of collecting digital evidence from electronic media.

There are two types of data acquisition:

– Static acquisitions
– Live acquisitions

STORAGE FORMATS FOR DIGITAL EVIDENCE

The earlier activity acquired data from a USB drive and stored it in a data file. The
acquisition tool used, ProDiscover Basic, performed a bit-by-bit (or sector-by-sector)
copy of the USB drive and wrote it to an image file, which was an exact duplicate of the
source device (the USB drive). The data a forensics acquisition tool collects is stored as
an image file, typically in an open-source or proprietary format.

The different data acquisition formats are:

– Raw format
– Proprietary formats
– Advanced Forensic Format

1. Raw Format

This copy technique creates simple sequential flat files of a suspect drive or data
set. The output of these flat files is referred to as a raw format.

Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format

Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
– Validation check must be stored in a separate file
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA-1 or newer)
Cyclic Redundancy Check (CRC-32)

Proprietary formats

Features:

– The option to compress or not compress image files of a suspect drive, thus saving
space on the target drive

– The capability to split an image into smaller segmented files for archiving purposes,
such as to CDs or DVDs, with data integrity checks integrated into each segment

– The capability to integrate metadata into the image file, such as date and time of the
acquisition, hash value (for self-authentication) of the original disk or medium,
investigator or examiner name, and comments or case details

Disadvantages

Inability to share an image between different tools
ILookIX imaging tool IXimager produces three proprietary
formats—IDIF, IRBF, and IEIF—that can be read only by ILookIX

File size limitation for each segmented volume
Typical segmented file size is 650 MB or 2 GB

Advanced Forensic Format

Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced
Forensic Format (AFF). File extensions include .afd for segmented image files and .afm
for AFF metadata. AFF is open source.

This format has the following design goals:

– Capable of producing compressed or uncompressed image files
– No size restriction for disk-to-image files
– Space in the image file or segmented files for metadata
– Simple design with extensibility
– Open source for multiple computing platforms and OSs
– Internal consistency checks for self-authentication

DETERMINING THE BEST ACQUISITION METHOD

To determine which acquisition method to use for an investigation, consider the size of
the source (suspect) disk, whether you can retain the source disk as evidence or must
return it to the owner, how much time you have to perform the acquisition, and where
the evidence is located.

There are four methods for data collection:

– Creating a disk-to-image file
– Creating a disk-to-disk copy
– Creating a logical disk-to-disk or disk-to-data file
– Creating a sparse copy of a folder or file

Determining the best acquisition method depends on the circumstances of the
investigation.

Creating a disk-to-image file

It is the most common method.
Can make many copies of the suspect’s drive
Copies are bit-for-bit replications of the original drive

Tools for reading these files: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways,
ILook

Creating a disk-to-disk copy

Used when a disk-to-image copy is not possible
– Because of hardware or software errors or incompatibilities
– This problem is more common when acquiring older drives
Adjusts the target disk’s geometry (cylinder, head, and track configuration) to
match the suspect’s drive
Tools: EnCase, SafeBack (MS-DOS), Snap Copy

Logical Acquisition and Sparse Acquisition

Used when your time is limited and the evidence disk is large
Logical acquisition captures only specific files of interest to the case
– Such as Outlook .pst or .ost files
Sparse acquisition collects fragments of unallocated (deleted) data


CONTINGENCY PLANNING FOR IMAGE ACQUISITIONS

Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
– Use different tools or techniques
Copy the host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can access the drive at the
BIOS level (link Ch 4c)

Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows Vista Ultimate and
Enterprise editions

USING ACQUISITION TOOLS

Acquisition tools for Windows
– Advantages
Make acquiring evidence from a suspect drive more convenient
– Especially when used with hot-swappable devices
– Disadvantages
Must protect acquired data with a well-tested write-blocking
hardware device
Tools can’t acquire data from a disk’s host protected area

Windows Write-Protection with USB Devices

USB write-protection feature
– Blocks any writing to USB devices
Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI
controller
Works in Windows XP SP2, Vista, and Win 7

Acquiring Data with a Linux Boot CD

The Linux OS has many features that are applicable to digital forensics, especially data
acquisitions.

One unique feature is that Linux can access a drive that isn’t mounted. Physical access
for the purpose of reading data can be done on a connected media device, such as a disk
drive, a USB drive, or other storage devices.


In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire,
external SATA, or even internal PATA or SATA controllers, both OSs automatically
mount and access the drive.

On Windows drives, an acquisition workstation can access and alter data in the Recycle
Bin; on Linux drives, the workstation most likely alters metadata, such as mount point
configurations for an Ext3 or Ext4 drive.

If you need to acquire a USB drive that doesn’t have a write-lock switch, use one of the
forensic Linux Live CDs to access the device.

Using Linux Live CD Distributions

Several Linux distributions, such as Ubuntu, openSUSE, Arch Linux, Fedora, and
Slackware, provide ISO images that can be burned to a CD or DVD. They’re called “Linux
Live CDs.” Most of these Linux distributions are for Linux OS recovery, not for digital
forensics acquisition and analysis.

The following are some well-designed Linux Live CDs for digital forensics:
– Penguin Sleuth (www.linux-forensics.com)
– F.I.R.E (http://fire.dmzs.com)
– CAINE (www.caine-live.net)
– Deft (www.deftlinux.net)
– Kali Linux (www.kali.org), previously known as BackTrack
– Knoppix (www.knopper.net/knoppix/index-en.html)
– SANS Investigate Forensic Toolkit

Linux can read data from a physical device without having to mount it.

You can download these ISO images to any computer, including a Windows system,
and then burn them to CD/DVD with burner software, such as Roxio or Nero, which
creates a bootable disc from the ISO file. After creating a Linux Live CD, test it
on your workstation.

To test the Live CD, simply place it in the CD or DVD drive and reboot your system. If
successful, Linux loads into your computer’s memory, and a common GUI for
Linux is displayed. If you have problems with the video display on your
workstation, try another computer with a different video card. No one Live CD
distribution has all video drivers. Linux Live CDs load the OS into a computer’s
RAM, so performance can be affected when you’re using GUI tools.


Acquiring data with dd in Linux

The dd command, available on all UNIX and Linux distributions, means “data
dump.”

This command, which has many functions and switches, can be used to read and
write data from a media device and a data file.

The dd command isn’t bound by a logical file system’s data structures, meaning the
drive doesn’t have to be mounted for dd to access it.

For example, if you list a physical device name, the dd command copies the entire
device—all data files, slack space, and free space (unallocated data) on the
device.

The dd command creates a raw format file that most forensics analysis tools can
read, which makes it useful for data acquisitions.

Acquiring Data with dcfldd in Linux

The dd command is intended as a data management tool; it’s not designed for
forensics acquisitions.

Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed
a tool that can be added to most UNIX/Linux OSs.

This tool, the dcfldd command, works similarly to the dd command but has many
features designed for forensics acquisitions.

The following are important functions of dcfldd:
o Specify hexadecimal patterns or text for clearing disk space.
o Log errors to an output file for analysis and review.
o Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with
logging and the option of specifying the number of bytes to hash, such as
specific blocks or sectors.
o Refer to a status display indicating the acquisition’s progress in bytes.
o Split data acquisitions into segmented volumes with numeric extensions
(unlike dd’s limit of 99).
o Verify the acquired data with the original disk or media data.


CAPTURING AN IMAGE WITH PRODISCOVER BASIC

The steps to perform the first task of connecting the suspect’s drive to your workstation:

Document the chain of evidence for the drive you plan to acquire.
Remove the drive from the suspect’s computer.
For IDE drives, configure the suspect drive’s jumpers as needed.
Connect the suspect drive to the USB or FireWire write-blocker device.
Create a storage folder on the target drive. For this activity, you use your work folder.

Using ProDiscover’s Proprietary Acquisition Format

Start ProDiscover Basic.
In the ProDiscover Basic window, click Action, Capture Image from the menu.
In the Capture Image dialog box, click the Source Drive list arrow, and then click
PhysicalDrive1 xxxx GB.
Click the >> button next to the Destination text box, and click Choose Local Path.
Click the Split button.
In the Capture Image dialog box, click the Image Format list arrow, and click
ProDiscover Format.
In the Technician Name text box, type your name, and in the Image Number text
box.
When you’re finished entering information in the Capture Image dialog box, click OK
to begin the acquisition. ProDiscover then creates a segmented image file in your
work folder. During this acquisition, ProDiscover displays a status bar in the lower-
right corner to show the progress for each volume segment it’s creating.
When the acquisition is done, ProDiscover displays a message box instructing you to
examine a log file for errors. Click OK to finish the acquisition, and then exit
ProDiscover Basic.

Using ProDiscover’s Raw Acquisition Format

ProDiscover can produce raw format acquisitions that many other forensics tools can
read.
To perform a raw format acquisition, the steps are:

In the Capture Image dialog box, select the “UNIX style dd” format in the Image
Format list box.
When you select this option, the input fields at the bottom of the Capture Image
dialog box are grayed out.
To segment the image acquisition, click the Split button.
To initiate the raw acquisition, click OK, and then click Proceed in the warning box.
When the raw acquisition is finished, click OK in the message box.

The raw format creates a log file (.pds extension) and segmented volume files, just like
the proprietary format acquisition.

Capturing an Image with AccessData FTK Imager Lite

Boot your forensic workstation to Windows, using an installed write-blocker.

Connect the evidence drive to a write-blocking device or USB device.

Connect the target drive to a USB external drive, if you’re using a write-blocker.

Start FTK Imager Lite. If prompted by the User Account Control message box, click
Yes.

In the FTK Imager main window, click File, Create Disk Image from the menu.

In the Select Source dialog box, click the Physical Drive option button, if necessary,
and then click Next.

In the Select Drive dialog box, click the Source Drive Selection list arrow, click the
suspect drive, and then click Finish.

In the Create Image dialog box, click to select the Verify images after they are created
check box, if necessary, and then click Add. In the Select Image Type dialog box that
opens, click the Raw (dd) option button, if necessary, and then click Next.

In the Evidence Item Information dialog box, complete the case information and then
click Next.

In the Select Image Destination dialog box, click Browse, navigate to the location for
the image file (your work folder), and click to clear the Use AD Encryption check box, if
necessary.

In the Image Filename (Excluding Extension) text box, type InChp03-ftk, and then
click Finish.

Next, in the Create Image dialog box, click Start to initiate the acquisition.

When FTK Imager finishes the acquisition, review the information in the
Drive/Image Verify Results dialog box, and then click Close. Click Close again in the
Creating Image dialog box.

Exit FTK Imager Lite by clicking File, Exit from the menu.

VALIDATING DATA ACQUISITIONS

Most critical aspect of computer forensics
Requires using a hashing algorithm utility

Validation techniques
CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods

Use the md5sum or sha1sum utilities
dcfldd’s hashlog option outputs hash results to a text file that can be stored with the
image files
dcfldd’s vf (verify file) option compares the image file to the original medium

Windows Validation Methods

Windows has no built-in hashing algorithm tools
Third-party utilities can be used
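The following shell script is an added illustration, not code from the course notes or from any vendor tool: it walks the raw dd acquisition and validation workflow described above (bit-stream copy, hash kept in a separate file, segmented volumes, and a verify step that compares source, image and reassembled segments). It assumes GNU coreutils (dd, sha256sum, split) and uses a constructed 1 MiB file as the stand-in suspect device, because the real procedure needs a write-blocked physical drive and root privileges.

```shell
#!/bin/sh
# Added example (not from the course notes or any vendor tool): the raw dd
# acquisition and validation workflow. Assumes GNU coreutils (dd, sha256sum,
# split). The "suspect device" is a constructed 1 MiB file standing in for a
# write-blocked physical drive such as /dev/sdb.
set -u

WORK="${WORK:-$(mktemp -d)}"
SUSPECT="$WORK/suspect.dev"     # constructed stand-in for /dev/sdX
IMAGE="$WORK/evidence.dd"       # raw image file produced by dd

# Build the stand-in device: 2048 zeroed sectors, with a little "allocated"
# data written into sector 3; everything else plays the role of unallocated
# space, which a file-level backup would never copy but a bit-stream copy does.
make_suspect_device() {
    dd if=/dev/zero of="$SUSPECT" bs=512 count=2048 2>/dev/null
    printf 'CASE-001 evidence text' |
        dd of="$SUSPECT" bs=512 seek=3 conv=notrunc 2>/dev/null
}

# SHA-256 of a file (md5sum or sha1sum work the same way, as the notes say).
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Bit-stream copy. conv=noerror,sync keeps reading past a bad sector and pads
# it with zeros, so the image stays sector-aligned with the source instead of
# aborting. dd's own summary goes to a log, and the image hash is written to a
# separate file: raw format carries no hash inside the image.
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.log"
    hash_of "$2" > "$2.sha256"
}

# Segment the image into 256 KiB volumes for archiving. split names them
# evidence.dd.seg.aa, .ab, ... so a sorted glob reassembles them in order.
segment_image() { split -b 262144 "$1" "$1.seg."; }

# Verify: source device, image file, recorded hash and reassembled segments
# must all agree. Prints OK or MISMATCH and returns 0 only on success.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    rec_hash=$(cat "$2.sha256")
    seg_hash=$(cat "$2".seg.* | sha256sum | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ] && [ "$img_hash" = "$rec_hash" ] &&
       [ "$img_hash" = "$seg_hash" ]; then
        echo "OK $img_hash"
        return 0
    fi
    echo "MISMATCH src=$src_hash img=$img_hash rec=$rec_hash seg=$seg_hash"
    return 1
}

make_suspect_device
acquire_raw "$SUSPECT" "$IMAGE"
segment_image "$IMAGE"
verify_image "$SUSPECT" "$IMAGE"
```

Changing a single byte of the image after acquisition makes verify_image report MISMATCH, which is exactly the check an examiner repeats before analysis.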

PERFORMING RAID DATA ACQUISITIONS

Acquiring RAID disks requires understanding how RAID systems are designed,
configured, and sized.

Size is the biggest concern because many RAID systems are now pushing into
terabytes of data.

Redundant array of independent (formerly “inexpensive”) disks (RAID) is a
computer configuration involving two or more physical disks.

Originally, RAID was developed as a data redundancy measure to minimize data loss
caused by a disk failure.
As technology improved, RAID also provided increased storage capabilities.
For Windows XP, 2000, and NT servers and workstations, RAID 0 or 1 is available.

For a high-end data-processing environment, RAID 5 is common and is often based
in special RAID towers.

These high-end RAID systems usually have integrated controllers that connect to
high-end servers or mainframes. These systems provide redundancy and high-speed
data access and can make many small disks appear as one very large drive.

Raid 0
RAID 0 provides rapid access and increased data storage.
In RAID 0, two or more disk drives become one large volume, so the computer
views the disks as a single disk.
The tracks of data on this mode of storage cross over to each disk.
Advantage:
o Increased speed and data storage capability spread over two or more disks that
can be one large disk partition.


Disadvantage:
Lack of redundancy; if a disk fails, data isn’t continuously available.

Raid 1
It is made up of two disks for each volume and is designed for data recovery in the
event of a disk failure.
The contents of the two disks in RAID 1 are identical.
When data is written to a volume, the OS writes the data twice—once to each
disk at the same time.
If one drive fails, the OS switches to the other disk.

Advantages:
Data isn’t lost and helps prevent computer downtime.

Disadvantage:
It takes two disks for each volume, which doubles the cost of disk storage.


Raid 2
It provides rapid access and increased storage by configuring two or more disks
as one large volume.
The difference with RAID 2 is that data is written to disks on a bit level.
An error-correcting code (ECC) is used to verify whether the write is successful.
o RAID 2 has better data integrity checking than RAID 0.
o Because of the bit-level writes and the ECC, however, RAID 2 is slower than RAID
0.

Raid 3
RAID 3 uses data striping and dedicated parity and requires at least three disks.
o RAID 3 stripes tracks across all disks that make up one volume.
o RAID 3 also implements dedicated parity of data to ensure recovery if data is
corrupted.
o Dedicated parity is stored on one disk in the RAID 3 array.

Raid 4
RAID 4 uses data striping and dedicated parity (block writing), except data is
written in blocks rather than bytes.

Raid 5
RAID 5 is similar to RAID 0 and RAID 3 in that it uses distributed data and
distributed parity and stripes data tracks across all disks in the RAID array.
RAID 5 places parity data on each disk.
If a disk in a RAID array has a data failure, the parity on other disks rebuilds the
corrupt data automatically when the failed drive is replaced.


Raid 6
In RAID 6, distributed data and distributed parity (double parity) function the
same way as RAID 5, except each disk in the RAID array has redundant parity.
Advantage:
It recovers any two disks that fail because of the additional parity stored on each
disk.

Raid 10
RAID 10, or mirrored striping, also known as RAID 1 + 0, is a combination of RAID 1
and RAID 0.
It provides fast access and redundancy of data storage.

Raid 15
RAID 15, or mirrored striping with parity, also known as RAID 1+5, is a
combination of RAID 1 and RAID 5.
It offers the most robust data recovery capability and speed of access of all RAID
configurations and is also more costly.
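To make the parity rebuild described for RAID 5 concrete, here is an added shell example (not from the course notes) that models one stripe across three data units and one parity unit, loses a unit, and recovers it as the XOR of the survivors. The stripe contents are constructed hex strings and only POSIX sh arithmetic is used.

```shell
#!/bin/sh
# Added example (not from the course notes): one RAID 5 stripe in miniature.
# Each "disk" holds one stripe unit, modelled as a hex string of 4 bytes
# (constructed values). Parity is the byte-wise XOR of the data units, so the
# XOR of any N-1 units of a stripe regenerates the missing one, whether the
# lost unit was data or parity (RAID 5 rotates parity across disks, so the
# same rebuild rule applies whichever disk fails). Plain POSIX sh arithmetic.

# xor_hex A B: byte-wise XOR of two equal-length hex strings.
xor_hex() {
    a=$1; b=$2; out=""
    while [ -n "$a" ]; do
        a_rest=${a#??}; a_byte=${a%"$a_rest"}   # first two hex digits
        b_rest=${b#??}; b_byte=${b%"$b_rest"}
        out="$out$(printf '%02x' $(( 0x$a_byte ^ 0x$b_byte )))"
        a=$a_rest; b=$b_rest
    done
    echo "$out"
}

# xor_all U1 U2 ...: XOR of any number of units. Used both to compute parity
# when the stripe is written and to rebuild a lost unit from the survivors.
xor_all() {
    acc=$1; shift
    for unit in "$@"; do acc=$(xor_hex "$acc" "$unit"); done
    echo "$acc"
}

# stripe_ok D0 D1 D2 P: a consistent stripe XORs to all zeros; an integrity
# check over an acquired array can use exactly this property per stripe.
stripe_ok() { [ "$(xor_all "$@")" = "00000000" ]; }

# Constructed stripe: three data units ("CASE", "-001", " evi") plus parity.
DISK0=43415345
DISK1=2d303031
DISK2=20657669
PARITY=$(xor_all "$DISK0" "$DISK1" "$DISK2")      # 4e14151d

# Disk 1 fails: rebuild its unit from the three surviving units.
REBUILT=$(xor_all "$DISK0" "$DISK2" "$PARITY")   # 2d303031, equal to DISK1

echo "parity  = $PARITY"
echo "rebuilt = $REBUILT (original DISK1 = $DISK1)"
stripe_ok "$DISK0" "$REBUILT" "$DISK2" "$PARITY" && echo "stripe consistent"
```

Losing two units of the same stripe leaves the XOR underdetermined, which is why RAID 6 stores a second, independent parity.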

ACQUIRING RAID DISKS

Concerns
o How much data storage is needed?
o What type of RAID is used?
o Do you have the right acquisition tool?
o Can the tool read a forensically copied RAID image?
o Can the tool read split data saves of each RAID disk?
o Older hardware-firmware RAID systems can be a challenge when you’re making
an image

Vendors offering RAID acquisition functions
o Technologies Pathways ProDiscover
o Guidance Software EnCase
o X-Ways Forensics
o Runtime Software
o R-Tools Technologies

Occasionally, a RAID system is too large for a static acquisition
– Retrieve only the data relevant to the investigation with the sparse or logical
acquisition method


USING REMOTE NETWORK ACQUISITION TOOLS


You can remotely connect to a suspect computer via a network connection and copy
data from it.
Remote acquisition tools vary in configurations and capabilities
Drawbacks
o LAN’s data transfer speeds and routing table conflicts could cause problems
o Gaining the permissions needed to access more secure subnets
o Heavy traffic could cause delays and errors
o Remote access tool could be blocked by antivirus

Remote Acquisition with ProDiscover Investigator

Preview a suspect’s drive remotely while it’s in use
Perform a live acquisition
o Also called a “smear” because data is being altered
o Encrypt the connection
o Copy the suspect computer’s RAM
o Use the optional stealth mode to hide the connection

Remote Acquisition with ProDiscover Incident Response

All the functions of ProDiscover Investigator plus
o Capture volatile system state information
o Analyze current running processes
o Locate unseen files and processes
o Remotely view and listen to IP ports
o Run hash comparisons to find Trojans and rootkits
o Create a hash inventory of all files remotely

PDServer Remote Agent

ProDiscover utility for remote access
Needs to be loaded on the suspect computer
PDServer installation modes
o Trusted CD
o Preinstallation
o Pushing out and running remotely
PDServer can run in a stealth mode
o Can change process name to appear as OS function


Remote Connection Security Features

– Password protection
– Encrypted communications
– Secure communication protocol
– Write-protected trusted binaries
– Digital signatures

Remote Acquisition with EnCase Enterprise

– Remotely acquires media and RAM data
– Integration with intrusion detection system (IDS) tools
– Options to create an image of data from one or more systems
– Preview of systems
– A wide range of file system formats
– RAID support for both hardware and software

Other Remote Acquisition Tools

– R-Tools R-Studio
– WetStone LiveWire
– F-Response

Remote Acquisition with Runtime Software

Compact shareware utilities
o DiskExplorer for FAT
o DiskExplorer for NTFS
o HDHOST (remote access program)

Features for acquisition
o Create a raw format image file
o Segment the raw format or compressed image
o Access network computers’ drives

Using Other Forensics-Acquisition Tools


Tools
– SnapBack DatArrest
– SafeBack
– DIBS USA RAID
– ILook Investigator IXimager
– Vogon International SDi32
– ASRData SMART
– Australian Department of Defence PyFlag

SnapBack DatArrest

Columbia Data Products
Old MS-DOS tool
Can make an image in three ways
o Disk to SCSI drive
o Disk to network drive
o Disk to disk
Fits on a forensic boot floppy
SnapCopy adjusts disk geometry

NTI SafeBack

Reliable MS-DOS tool
Small enough to fit on a forensic boot floppy
Performs an SHA-256 calculation per sector copied
Creates a log file
Functions
o Disk-to-image copy (image can be on tape)
o Disk-to-disk copy (adjusts target geometry)
o Parallel port laplink can be used
o Copies a partition to an image file
o Compresses image files

DIBS USA RAID

Rapid Action Imaging Device (RAID)
Makes forensically sound disk copies
Portable computer system designed to make disk-to-disk images
o Copied disk can then be attached to a write-blocker device

ILook Investigator IXimager


Runs from a bootable floppy or CD
Designed to work only with ILook Investigator
Can acquire single drives and RAID drives

ASRData SMART

Linux forensics analysis tool that can make image files of a suspect drive
Capabilities
o Robust data reading of bad sectors on drives
o Mounting suspect drives in write-protected mode
o Mounting target drives in read/write mode
o Optional compression schemes

UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Working with Windows and DOS Systems.
Current Computer Forensics Tools: Software/ Hardware Tools.

PROCESSING CRIME AND INCIDENT SCENES

IDENTIFYING DIGITAL EVIDENCE

Digital evidence can be any information stored or transmitted in digital form. All
digital evidence can be printed out to be presented in court.
Groups such as the Scientific Working Group on Digital Evidence (SWGDE) and the
International Organization on Computer Evidence (IOCE) set standards for
recovering, preserving, and examining digital evidence.
The general tasks investigators perform when working with digital evidence:
Identify digital information or artifacts that can be used as evidence.
Collect, preserve, and document evidence.
Analyze, identify, and organize evidence.
Rebuild evidence or repeat a situation to verify that the results can be
reproduced reliably.
Collecting computers and processing a criminal or incident scene must be done
systematically.
To minimize confusion, reduce the risk of losing evidence, and avoid damaging
evidence, only one person should collect and catalog digital evidence at a crime
scene or lab, if practical.
If there’s too much evidence or too many systems to make it practical for one
person to perform these tasks, all examiners must follow the same established
operating procedures, and a lead or managing examiner should control collecting
and cataloging evidence.
You should also use standardized forms for tracking evidence to ensure that you
consistently handle evidence in a safe, secure manner.
An important challenge investigators face today is establishing recognized
standards for digital evidence.

UNDERSTANDING RULES OF EVIDENCE

Computer-generated records, such as system logs or the results of a mathematical
formula in a spreadsheet, aren’t hearsay.

Computer-stored records that a person generates are subject to rules governing
hearsay, however. For the evidence to qualify as a business record exception to the
hearsay rule, a person must have created the computer-stored records, and the
records must be original.
The Federal Rules of Evidence treat images and printouts of digital files as original
evidence.

COLLECTING EVIDENCE IN PRIVATE-SECTOR INCIDENT SCENES

Private-sector organizations include businesses and government agencies that aren’t
involved in law enforcement.
In the United States, these agencies must comply with state public
disclosure and federal Freedom of Information Act (FOIA) laws and make
certain documents available as public records. State public disclosure laws
define state public records as open and available for inspection.
State public disclosure laws apply to state records, but the FOIA allows citizens to
request copies of public documents created by federal agencies.
Some Web sites provide copies of publicly accessible records for a fee. A special
category of private-sector businesses includes ISPs and other communication
companies.
ISPs can investigate computer abuse committed by their employees, but not by
customers.
ISPs must preserve customer privacy, especially when dealing with e-mail.
However, federal regulations related to the Homeland Security Act and the Patriot
Act of 2001 have redefined how ISPs and large corporate Internet users
operate and maintain their records.
ISPs and other communication companies now can investigate customers’ activities
that are deemed to create an emergency situation.
An emergency situation under the Patriot Act is the immediate risk of death
or personal injury, such as finding a bomb threat in an e-mail message.

Investigating and controlling computer incident scenes in the corporate
environment is much easier than in the criminal environment.
In the private sector, the incident scene is often a workplace, such as a
contained office or manufacturing area, where a policy violation is being
investigated.


Everything from the computers used to violate a company policy to the
surrounding facility is under a controlled authority—that is, company
management.
Businesses have inventory databases of computer hardware and
software.
Having access to this database and knowing what applications are on
suspected computers help identify the computer forensics tools
needed to analyze a policy violation and the best way to conduct the
analysis.
Example: Most companies use a single Web browser, such as
Microsoft Internet Explorer, Mozilla Firefox, or KDE Konqueror.
Knowing which browser a suspect used helps you develop standard
examination procedures to identify data downloaded to the suspect’s
workstation.

To investigate employees suspected of improper use of company computing
assets, a corporate policy statement about misuse of computing assets allows
corporate investigators to conduct covert surveillance with little or no cause and
access company computer systems without a warrant.
If a company doesn’t display a warning banner or publish a policy stating
that it reserves the right to inspect computing assets at will, employees have
an expectation of privacy.
When an employee is being investigated, this expected privacy prevents the
employer from legally conducting an intrusive investigation.
A well-defined corporate policy should state that an employer has the right
to examine, inspect, or access any company-owned computing assets.
If a company issues a policy statement to all employees, the employer can
investigate computing assets at will without any privacy right restrictions;
this practice applies in most countries.
Companies should use both warning banners and policy statements.
Corporate Investigators should know under what circumstances they can
examine an employee’s computer.
With a policy statement, an employer can freely initiate any inquiry
necessary to protect the company or organization. However, every
organization must also have a well-defined process describing when an
investigation can be initiated.

At a minimum, most corporate policies require that employers have a


“reasonable suspicion” that a law or policy is being violated.
Example:
If a policy states that employees may not use company computers for
outside business and a supervisor notices a change in work behavior that
could indicate an employee is violating this rule, generally it’s enough to
warrant an investigation.
If a corporate investigator finds that an employee is committing or has
committed a crime, the employer can file a criminal complaint with the
police.
Employers are usually interested in enforcing company policy, not seeking
out and prosecuting employees, so they approve computer investigations
only to identify employees who are misusing company assets.
Corporate investigators are primarily concerned with protecting company
assets.

If you discover evidence of a crime during a company policy investigation:
First determine whether the incident meets the elements of criminal law.
You might have to consult with your corporate attorney to determine
whether the situation is a potential crime.
Next, inform management of the incident.
Management has concerns such as protecting confidential business data
that might be mixed in with the criminal evidence; such data is referred to
as “commingled data”.
• After you submit evidence containing sensitive information to the police, it
becomes public record.
Public record laws do include exceptions for protecting sensitive
corporate information.

PROCESSING LAW ENFORCEMENT CRIME SCENES

To process a crime scene properly, you must be familiar with criminal rules of
search and seizure.
You should also understand how a search warrant works and what to do when
you process one.
A law enforcement officer can search for and seize criminal evidence only with
probable cause.

Probable cause refers to the standard specifying whether a police officer
has the right to make an arrest, conduct a personal or property search, or
obtain a warrant for arrest.

A police officer can obtain a search warrant from a judge that authorizes a search
and the seizure of specific evidence related to the criminal complaint.
Without specific evidence and the description of a particular location, a warrant
might be weak and create problems later during prosecution.
Understanding Concepts and Terms Used in Warrants

Innocent information - Unrelated information (referred to as innocent
information) is often included with the evidence you’re trying to recover.
This unrelated information might be personal and private records of
innocent people or confidential business information.

Limiting Phrase - When you find commingled evidence, judges often issue a
limiting phrase to the warrant, which allows the police to separate innocent
information from evidence. The warrant must list which items can be seized.

Plain view doctrine - When approaching or investigating a crime scene, you
might find evidence related to the crime but not in the location the warrant
specifies. You might also find evidence of another unrelated crime. In these
situations, this evidence is subject to the plain view doctrine.

The plain view doctrine states that objects falling in the direct sight of an
officer who has the right to be in a location are subject to seizure without a
warrant and can be introduced into evidence.

PREPARING FOR A SEARCH

Preparing for a computer search and seizure is the most important step in
computing investigations.

The steps are:
Identifying the Nature of the Case
Identifying the Type of Computing System
Determining Whether You Can Seize a Computer
Obtaining a Detailed Description of the Location
Determining Who Is in Charge
Using Additional Technical Expertise
Determining the Tools You Need
Preparing the Investigation Team

Identifying the Nature of the Case


Identify the nature of the case, including whether it involves the private or public
sector.
The nature of the case dictates how you proceed and what types of assets or
resources you need to use in the investigation.

Identifying the Type of Computing System


Determine the type of computing systems involved in the investigation.
If you can identify the computing system, estimate the size of the drive on the
suspect’s computer and how many computers you have to process at the scene.
Determine which OSs and hardware might be involved and whether the evidence is
located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer.
Consultants to the private sector or law enforcement officers might have to
investigate more thoroughly to determine these details.

Determining Whether You Can Seize a Computer


The ideal situation for incident or crime scenes is seizing the computers and taking
them to your lab for further processing.
The type of case and location of the evidence determine whether you can remove
computers from the scene.
Law enforcement investigators need a warrant to remove computers from a
crime scene and transport them to a lab.
If removing the computers will irreparably harm a business.
An additional complication is files stored offsite that are accessed remotely. You
must decide whether the drives containing those files need to be examined.
Another consideration is the availability of online data storage services that rent
space, which essentially can’t be located physically.
The data is stored on drives where data from many other subscribers might be
stored.
If you aren’t allowed to take the computers to your lab, determine the resources
you need to acquire digital evidence and which tools can speed data acquisition.

Obtaining a Detailed Description of the Location


Environmental and safety issues are the primary concerns during this process.
o Identify potential hazards to your safety as well as that of other examiners.
o Some computer cases involve dangerous settings, such as a drug bust of a
methamphetamine lab or a terrorist attack using biological, chemical, or nuclear
contaminants.
o For these types of investigations, you must rely on the skills of hazardous
materials (HAZMAT) teams to recover evidence from the scene.
The recovery process might include decontaminating computing
components needed for the investigation.
If the decontamination procedure might destroy electronic evidence, a
HAZMAT specialist or an investigator in HAZMAT gear should make an
image of a suspect’s drive.
Before acquiring the data, a HAZMAT technician might suggest that you put
the target drive in a special HAZMAT bag, leaving the IDE and power cables
out of the bag but providing an airtight seal around the cables to prevent
any contaminants from entering the bag and affecting the target drive.

When the data acquisition is completed, power down the computer and
then cut the IDE and power cables from the target drive.
If the temperature in the contaminated room is higher than 80 degrees,
measures should be taken to avoid damage to the drive from overheating. In
a dry desert region, the target drive is cooled with sealed ice packs
or double-wrapped bags of ice so that moisture doesn’t leak out and
damage the drive.

Determining Who Is in Charge

Corporate computing investigations usually require only one person to respond to
an incident or crime scene.
Processing evidence involves acquiring an image of a subject’s drive.
For large-scale investigations, a crime or incident scene leader should be
designated.
Anyone assigned to a large-scale investigation scene should cooperate with the
designated leader to ensure that the team addresses all details when collecting
evidence.

Using Additional Technical Expertise

After you collect evidence data, determine whether you need specialized help to
process the incident or crime scene.
When working at high-end computing facilities, identify the applications the
suspect uses, such as Oracle databases.
Recruit an Oracle specialist or site support staff to help extract data for the
investigation.
Develop a training program to educate the specialist in proper investigative
techniques.
An untrained specialist can easily and unintentionally destroy evidence.

Determining the Tools You Need


Prepare your tools using incident and crime scene information.
Create an initial-response field kit and an extensive-response field kit.
o Initial-response field kit: lightweight and easy to transport.

Number needed   Tools
1    Small computer toolkit
1    Large-capacity drive
1    IDE ribbon cable (ATA-33 or ATA-100)
1    SATA cable
1    Forensic boot media containing your preferred acquisition utility
1    Laptop IDE 40- to 44-pin adapter, other adapter cables
1    Laptop computer
1    FireWire or USB dual write-protect external bay
1    Flashlight
1    Digital or 35mm camera with film and flash
10   Evidence log forms
1    Notebook or dictation recorder
10   Computer evidence bags (antistatic bags)
20   Evidence labels, tape, and tags
1    Permanent ink marker
10   External USB devices or a portable hard drive
Tools in an initial-response toolkit

An extensive-response field kit should include all the tools you can afford to take
to the field.

Number needed   Tools
1        Initial-response field kit
1        Portable PC with SCSI card for DLT tape drive or suspect’s SCSI drive
2        Electrical power strips
1        Additional hand tools, including bolt cutters, pry bar, and hacksaw
1        Leather gloves and disposable latex gloves (assorted sizes)
1        Hand truck and luggage cart
10       Large garbage bags and large cardboard boxes with packaging tape
1        Rubber bands of assorted sizes
1        Magnifying glass
1        Ream of printer paper
1        Small brush for cleaning dust from suspect’s interior CPU cabinet
10       USB drives of varying sizes
2        External hard drives (200 GB or larger) with power cables
Assorted Converter cables
5        Additional assorted hard drives for data acquisition
Tools in an extensive-response toolkit

Preparing the Investigation Team


Review all the available facts, plans, and objectives with the investigation team
you have assembled.

Develop the skills to assess the facts quickly, make your plan, gather the needed
resources, and collect data from the incident or crime scene.

SECURING A COMPUTER INCIDENT OR CRIME SCENE

Investigators secure an incident or crime scene to preserve the evidence and to
keep information about the incident or crime confidential.
To secure a computer incident or crime scene, use yellow barrier tape to prevent
bystanders from accidentally entering the scene.
Use police officers or security guards to prevent others from entering the scene.
o Access to the scene should be restricted to only those people who have a specific
reason to be there.

For incidents primarily involving computers, the computers can be a crime scene
within a crime scene, containing evidence to be processed.
The evidence is in the computer, but the courts consider it physical evidence.
Computers can also contain actual physical evidence, such as DNA evidence or
fingerprints on keyboards.
Crime labs can use special vacuums to extract DNA residue from a keyboard to
compare with other DNA samples. In a major crime scene, law enforcement
usually retains the keyboard.
Evidence is commonly lost or corrupted because of professional curiosity, which
involves police officers and other professionals who aren’t part of the crime scene
processing team.
Professional curiosity can destroy or corrupt evidence, including digital evidence.
When working at an incident or crime scene, be aware of what you’re doing and
what you have touched, physically or virtually.

SEIZING DIGITAL EVIDENCE AT THE SCENE

When seizing computer evidence in criminal investigations, follow the U.S. DOJ
standards for seizing digital data.
For civil investigations, follow the same rules of evidence as for criminal
investigation.
In a criminal matter, investigators seize entire drives to preserve as much
information as possible and ensure that no evidence is overlooked. If you have any
questions, doubts, or concerns, consult with your attorney for additional guidance.

It involves:
Preparing to Acquire Digital Evidence
Processing an Incident or Crime Scene
Processing Data Centers with RAID Systems
Using a Technical Advisor
Documenting Evidence in the Lab
Processing and Handling Digital Evidence

Preparing to Acquire Digital Evidence


The evidence you acquire at the scene depends on the nature of the case and the
alleged crime or violation.

Before you collect digital evidence, ask your supervisor or senior forensics
examiner in the organization the following questions:
• Do you need to take the entire computer and all peripherals and media in
the immediate area?
• How are you going to protect the computer and media while transporting them
to your lab?
• Is the computer powered on when you arrive?
• Is the suspect you’re investigating in the immediate area of the computer?
• Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
• Will you have to separate the suspect from the computer?

Processing an Incident or Crime Scene

o Keep a journal
o Secure the scene
o Be professional and courteous with onlookers
o Remove people who are not part of the investigation
o Video record the computer area
o Pay attention to details
o Sketch the incident or crime scene
o Check computers as soon as possible
o Save data from current applications as safely as possible
o Make notes of everything you do when copying data from a live suspect computer
o Close applications and shut down the computer
o Look for information related to the investigation
  • Passwords, passphrases, PINs, bank accounts
o Collect documentation and media related to the investigation
  • Hardware, software, backup media
o To complete your analysis and processing of a scene, collect all documentation
and media related to the investigation, including the following material:
  • Hardware, including peripheral devices
  • Software, including OSs and applications
  • All media, such as backup tapes and disks
  • All documentation, manuals, printouts, and handwritten notes

Processing Data Centers with RAID Systems


Computer investigators perform forensics analysis on RAID systems or servers.

The technique for extracting evidence from large systems is called sparse
acquisition.
This technique extracts only data related to evidence for your case from
allocated files and minimizes how much data you need to analyze.
Drawback: It doesn’t recover data in free or slack space.

Using a Technical Advisor

Recruit a technical advisor who can help you list the tools you need to process
the incident or crime scene.
At large data centers, the technical advisor is the person guiding you about where
to locate data and helping you extract log records or other evidence from large
RAID servers.
In law enforcement cases, the technical advisor can help create the search
warrant by itemizing what you need for the warrant.
If you use a technical advisor for this purpose, you should list his or her name in the
warrant.
At the scene, a technical advisor can help direct other investigators to collect
evidence correctly.
Technical advisors have the following responsibilities:
• Know all aspects of the system being seized and searched.
• Direct investigators on how to handle sensitive media and systems to
prevent damage.
• Help ensure security of the scene.
• Help document the planning strategy for the search and seizure.
• Conduct ad hoc training for investigators on the technologies and
components being seized and searched.
• Document activities during the search and seizure.
• Help conduct the search and seizure.

Documenting Evidence in the Lab

After you collect digital evidence at the scene, you transport it to a forensics lab,
which should be a controlled environment that ensures the security and integrity
of digital evidence.
In any investigative work, be sure to record your activities and findings as you
work.
Maintain a journal to record the steps you take as you process evidence.

Processing and Handling Digital Evidence

You must maintain the integrity of digital evidence in the lab.
The first task is to preserve the disk data. If you have a suspect computer that hasn’t
been copied with an imaging tool, you must create a copy.
Make the suspect drive read-only (typically by using a write-blocking device), and
document this step.

STORING DIGITAL EVIDENCE

With digital evidence, you need to consider how and on what type of media to
save it and what type of storage device is recommended to secure it.
The media you use to store digital evidence usually depends on how long you need
to keep it.
The ideal media on which to store digital data are CDRs or DVDs.
o You can also use magnetic tape to preserve evidence data.
The 4-mm DAT magnetic tapes store between 40 and 72 GB or more of data.

DLT systems have been used with mainframe computers for several decades and
are reliable data-archiving systems.
Evidence Retention and Media Storage Needs
To help maintain the chain of custody for digital evidence, restrict access to your
lab and evidence storage area.
When the lab is open for operations, authorized personnel must keep these areas
under constant supervision.
When the lab is closed, at least two security workers should guard evidence
storage cabinets and lab facilities.
The lab should have a sign-in roster for all visitors.
Most labs use a manual log system that an authorized technician maintains when
an evidence storage container is opened and closed.
These logs should be maintained for a period based on legal requirements,
including the statute of limitations, the maximum sentence, and expiration of
appeal periods.
The evidence custody form should contain an entry for every person who handles
the evidence.

Documenting Evidence
An evidence custody form serves the following functions:
• Identifies the evidence
• Identifies who has handled the evidence
• Lists dates and times the evidence was handled

OBTAINING A DIGITAL HASH

To verify data integrity, different methods of obtaining a unique identity for file
data have been developed.

Methods:

Cyclic Redundancy Check (CRC) is a mathematical algorithm that determines
whether a file’s contents have changed. The most recent version is CRC-32.
Message Digest 5 (MD5)
MD5 is a mathematical formula that translates a file into a hexadecimal code
value, or a hash value.
If a bit or byte in the file changes, it alters the hash value, a unique
hexadecimal value that identifies a file or drive.
After you process the file, you produce another digital hash.
If it’s the same as the original one, you can verify the integrity of your digital
evidence with mathematical proof that the file didn’t change.

Secure Hash Algorithm version 1 (SHA-1)
It was developed by the National Institute of Standards and Technology
(NIST).
In both MD5 and SHA-1, collisions have occurred, meaning two different
files have the same hash value.
If a collision is suspected, you can do a byte-by-byte comparison to verify
that all bytes are identical. Byte-by-byte comparisons can be performed with
the MS-DOS Comp command or the Linux/UNIX diff command.
Most computer forensics hashing needs can be satisfied with a nonkeyed hash set,
which is a unique hash number generated by a software tool, such as the Linux
md5sum command.
A keyed hash set is created by an encryption utility’s secret key. You can use the
secret key to create a unique hash value for a file.
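The hash checks described above, as an added worked example in Python (not code from the course notes or from FTK Imager): it records the CRC-32, MD5, SHA-1 and SHA-256 digests of a constructed sample file, recomputes them after processing, falls back to the byte-by-byte comparison the text recommends when a collision is suspected, and shows a keyed hash (HMAC) as the keyed alternative to a nonkeyed hash set. The sample bytes and the secret key are constructed for the example.

```python
"""Added example: verifying digital-evidence integrity with hashes.

Illustrates the CRC-32, MD5 and SHA-1 digests discussed above, a
byte-by-byte comparison as the fallback when a collision is suspected,
and a keyed hash (HMAC) as the "keyed hash set" alternative. The sample
evidence bytes and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import zlib

# Constructed sample "evidence file" contents (not real case data).
EVIDENCE = b"This is a test to see how an MD5 digital hash works.\n"
# Constructed secret key for the keyed-hash example.
SECRET_KEY = b"example-key-not-for-production"


def nonkeyed_hashes(data: bytes) -> dict:
    """Return the non-keyed digests a forensic tool would record for `data`."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def keyed_hash(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of `key` can reproduce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the data is identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_integrity(original: bytes, after_processing: bytes) -> dict:
    """Compare the digests taken before and after processing.

    Returns whether every digest matched, whether a byte-by-byte comparison
    agrees (the check to run if a collision is suspected), and where the
    first difference lies.
    """
    before = nonkeyed_hashes(original)
    after = nonkeyed_hashes(after_processing)
    return {
        "digests_match": before == after,
        "byte_by_byte_match": original == after_processing,
        "first_difference": first_difference(original, after_processing),
    }


if __name__ == "__main__":
    baseline = nonkeyed_hashes(EVIDENCE)
    print("Digests recorded at acquisition:")
    for name, value in baseline.items():
        print(f"  {name:6s} {value}")
    print("HMAC-SHA256:", keyed_hash(EVIDENCE, SECRET_KEY))

    # Flip one bit to show that a single changed bit alters every digest.
    tampered = bytearray(EVIDENCE)
    tampered[0] ^= 0x01
    print("Unchanged copy:", verify_integrity(EVIDENCE, EVIDENCE))
    print("One-bit change:", verify_integrity(EVIDENCE, bytes(tampered)))
```

Record the acquisition digests in the evidence log before any processing; the keyed variant is useful when the log itself could be altered, since an attacker without the key cannot produce a matching value.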

Steps to use the MD5 function in FTK Imager to obtain the digital signature of a
file or an entire drive.
Power on your forensic workstation, booting it to Windows.
Insert a blank, formatted USB drive into your computer.
Next, start Notepad. In a new text file, type This is a test to see how an
MD5 digital hash works.
Click File, Save As from the menu.
Exit Notepad.
Steps to use FTK Imager to determine the MD5 and SHA-1 hash values:
Start FTK Imager.
Click File, Add Evidence Item from the menu. In the Select Source dialog
box, click the Logical Drive option button, and then click Next.
In the Select Drive dialog box, click the Drive Selection list arrow, click your
USB drive in the drop-down list, and then click Finish.
Right-click the USB drive at the upper left and click Verify Drive/Image. Copy
the MD5 and SHA-1 hash values for this file to a text file in Notepad, and
then click Close. Save the text file and then exit Notepad.
In FTK Imager, click File, Remove Evidence Item from the menu.

Using FTK Imager to verify hash values

REVIEWING A CASE

The following are the general tasks you perform in any computer forensics case:
• Identify the case requirements.
• Plan your investigation.
• Conduct the investigation.
• Complete the case report.
• Critique the case.

Sample Civil Investigation


Recover specific evidence
– Suspect’s Outlook e-mail folder (PST file)
Covert surveillance
– Company policy
– Risk of civil or criminal liability
Sniffing tools
– For data transmissions

Sample Criminal Investigation


Computer crimes examples
– Fraud
– Check fraud
– Homicides
Need a warrant to start seizing evidence
– Limit searching area

Identifying the Case Requirements


Identify requirements, such as:
• Nature of the case
• Suspect’s name
• Suspect’s activity
• Suspect’s hardware and software specifications

Planning Your Investigation

List what you can assume or know:
• Several incidents may or may not be related
• Suspect’s computer can contain information about the case
• Whether someone else has used suspect’s computer
Make an image of suspect’s computer disk drive
o Analyze forensics copy

CONDUCTING THE INVESTIGATION: Acquiring Evidence with AccessData FTK

Start FTK
In the AccessData FTK Startup dialog box, click the Start a new case option
button, and then click OK.
In the New Case dialog box, enter your name as the investigator, case number,
and a suitable case name, and then click Next.
Fill out the information in the Forensic Examiner Information dialog box as you
want it to appear in your final report, and then click Next until you reach the
Evidence Processing Options dialog box.
In the Refine Case - Default dialog box, click the Include All Items button and then
click Next.

In the Refine Index - Default dialog box, accept the default settings, and then click
Next.
In the main Add Evidence to Case dialog box, click the Add Evidence button.
In the second Add Evidence to Case dialog box, click the Acquired Image of Drive
option button, and then click Continue.
In the Open dialog box, navigate to your work folder, click to select the file, and
then click Open.
In the Evidence Information dialog box, enter the additional information. Click the
Local Evidence Time Zone list arrow at the bottom, click the suspect’s time zone in
the drop-down list, and then click OK.

In the main Add Evidence to Case dialog box accept the default settings, and then
click Next.

In the Case Summary dialog box, click Finish to initiate the analysis.

When FTK finishes cataloging and indexing, the FTK window opens to the Overview
tab. To analyze an image with FTK, click the Explore tab.
After you have selected all files of interest, click Tools, Create Bookmark from the
menu.
After you have bookmarked key files containing possible evidence, click File, Report
Wizard from the menu.

WORKING WITH WINDOWS AND DOS SYSTEMS

UNDERSTANDING FILE SYSTEMS

A file system gives an OS a road map to data on a disk. The type of file system an
OS uses determines how data is stored on the disk. A file system is usually directly
related to an OS.
Understanding the Boot Sequence
To ensure that you don’t contaminate or alter data on a suspect’s Windows or DOS
PC, you must know how to access and modify a PC’s Complementary Metal Oxide
Semiconductor (CMOS) and Basic Input/Output System (BIOS) settings.

A computer stores system configuration and date and time information in the
CMOS when power to the system is off.
The system BIOS contains programs that perform input and output at the hardware
level.
When a subject’s computer starts, you must make sure it boots to a forensic floppy
disk or CD because booting to the hard disk overwrites and changes evidentiary
data.
To do this, you access the CMOS setup by monitoring the subject’s computer
during the initial bootstrap process to identify the correct key or keys to use.
The bootstrap process is contained in ROM and tells the computer how to
proceed.
As the computer starts, the screen usually displays the key or keys, such as the
Delete key, you press to open the CMOS setup screen.

Understanding Disk Drives


Disk drives are made up of one or more platters coated with magnetic material,
and data is stored on platters in a particular way.
The drive components are :
Geometry—Geometry refers to a disk’s structure of platters, tracks, and
sectors.
Head—The head is the device that reads and writes data to a drive.
There’s one head per platter.
Tracks—Tracks are concentric circles on a disk platter where data is located.

Cylinders—A cylinder is a column of tracks on two or more disk platters.
Each platter has two surfaces: top and bottom.
Sectors—A sector is a section on a track, usually made up of 512 bytes.

To determine the total number of addressable bytes on a disk, multiply the
number of cylinders by the number of heads (actually tracks) and by the number of
sectors (groups of 512 or more bytes).
Disk drive vendors refer to this formula as a cylinder, head, and sector (CHS)
calculation.
The various disk properties are:
• Zoned bit recording (ZBR)
• Track density
• Areal density
• Head and cylinder skew
ZBR is how most manufacturers deal with a platter’s inner tracks being shorter
than its outer tracks. Grouping tracks by zones ensures that all tracks hold the same
amount of data.

Track density is the space between each track.
Areal density refers to the number of bits in one square inch of a disk platter.
This number includes the unused space between tracks.
Head and cylinder skew are used to improve disk performance. As the read-write
head moves from one track to another, starting sectors are offset to minimize lag
time.

MICROSOFT FILE STRUCTURES

In Microsoft file structures, sectors are grouped to form clusters, which are
storage allocation units of one or more sectors.
Clusters are typically 512, 1024, 2048, 4096, or more bytes each. Combining sectors
minimizes the overhead of writing or reading files to a disk.
The OS groups one or more sectors into a cluster. The number of sectors in a
cluster varies according to the disk size.
Clusters are numbered sequentially starting at 2 because the first sector of all disks
contains a system area, the boot record, and a file structure database. The
OS assigns these cluster numbers, which are referred to as logical addresses.
Sector numbers are referred to as physical addresses because they reside at the
hardware or firmware level and go from address 0 (the first sector on the disk) to
the last sector on the disk.
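The CHS capacity formula above and the distinction between logical cluster addresses and physical sector addresses, as one added Python example (not code from the course notes): it computes the addressable bytes from a geometry, translates a CHS address to a sector number, and maps cluster numbers (starting at 2, after the system area) to sector numbers (starting at 0) and back. The geometry, cluster size and system-area size are constructed assumptions and do not describe any particular drive.

```python
"""Added example: disk geometry (CHS) and cluster/sector address mapping.

Computes the cylinder/head/sector capacity formula given above and maps
the logical cluster numbers that the OS assigns (starting at 2, after the
system area) to the physical sector numbers (starting at 0) used at the
hardware level. The geometry and layout values are constructed for the
demonstration and do not describe any particular drive.
"""
from dataclasses import dataclass

SECTOR_SIZE = 512  # bytes per sector, as used in the CHS calculation above


def chs_capacity_bytes(cylinders: int, heads: int, sectors_per_track: int,
                       sector_size: int = SECTOR_SIZE) -> int:
    """Total addressable bytes = cylinders x heads x sectors x sector size."""
    return cylinders * heads * sectors_per_track * sector_size


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int,
               sectors_per_track: int) -> int:
    """Translate a CHS address (sectors numbered from 1) to a sector number (from 0)."""
    if sector < 1 or sector > sectors_per_track or head >= heads:
        raise ValueError("CHS address outside the drive geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


@dataclass
class VolumeLayout:
    """Constructed FAT-style layout: a system area followed by the data area."""
    sectors_per_cluster: int
    system_area_sectors: int  # boot record + file system tables + root directory

    def cluster_to_sector(self, cluster: int) -> int:
        """Logical address (cluster; first data cluster is 2) -> physical sector."""
        if cluster < 2:
            raise ValueError("clusters are numbered from 2; 0 and 1 are reserved")
        return self.system_area_sectors + (cluster - 2) * self.sectors_per_cluster

    def sector_to_cluster(self, sector: int):
        """Physical sector -> owning cluster, or None if it lies in the system area."""
        if sector < self.system_area_sectors:
            return None
        return 2 + (sector - self.system_area_sectors) // self.sectors_per_cluster

    def cluster_size_bytes(self) -> int:
        return self.sectors_per_cluster * SECTOR_SIZE


if __name__ == "__main__":
    # Constructed geometry: 1024 cylinders, 16 heads, 63 sectors per track.
    size = chs_capacity_bytes(1024, 16, 63)
    print(f"Capacity: {size} bytes ({size / 2**20:.1f} MiB)")
    print("CHS (0,0,1) ->", chs_to_lba(0, 0, 1, 16, 63), "(first sector on the disk)")
    print("CHS (1,0,1) ->", chs_to_lba(1, 0, 1, 16, 63))

    # Constructed volume: 8 sectors (4 KB) per cluster, 64-sector system area.
    vol = VolumeLayout(sectors_per_cluster=8, system_area_sectors=64)
    print("Cluster 2 starts at sector", vol.cluster_to_sector(2))
    print("Cluster 5 starts at sector", vol.cluster_to_sector(5))
    print("Sector 100 belongs to cluster", vol.sector_to_cluster(100))
    print("Sector 10 is in the system area:", vol.sector_to_cluster(10) is None)
```

The two address spaces matter in practice: a hex editor or imaging tool reports physical sectors, while directory entries in the file system record logical clusters, so an examiner converts between them to locate a file's data on the image.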

Disk Partitions
A partition is a logical drive.
FAT16 does not recognize disks larger than 2 MB, so these disks have to be
partitioned into smaller sections for FAT to recognize the additional space.
Someone who wants to hide data on a hard disk can create hidden partitions or
voids—large unused gaps between partitions on a disk drive. For example,
partitions containing unused space (voids) can be created between the primary
partition and the first logical partition. This unused space between partitions is
called the partition gap.
If data is hidden in a partition gap, a disk editor utility is used to alter information
in the disk’s partition table.

Steps to determine a disk’s OS by using Hex Workshop:


Insert a USB drive into a USB port.
Start Hex Workshop by right-clicking the Hex Workshop desktop icon and clicking
Run as administrator, and then clicking the Continue button in the UAC message
box.
In Hex Workshop, click Disk, Open Drive from the menu to see a list of your
logical drives. Click the C: drive (or your working drive), and click OK.
Click Disk, Open Drive again, but this time, in the Open Drive drop-down list, click
your USB drive, and then click OK. Compare the file system label for this drive to
the one you saw in Step 4.

Steps to identify file headers to identify file types with or without an extension using
Hex Workshop:
To open a bitmap file on your computer, click File, Open from the Hex Workshop
menu.
Navigate to a folder containing a bitmap (.bmp) file, and then double-click the
.bmp file. For .bmp files, it shows “BM6,” “BM,” or “BMF.”
To open a Word document, click File, Open from the menu. Navigate to a folder
containing a Word document (.doc) file, and then double-click the .doc file.
Exit Hex Workshop.
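The header check performed manually in Hex Workshop above, as an added Python example (not code from the course notes or from Hex Workshop): it compares the first bytes of each file against a small table of known signatures and flags files whose extension does not agree with the header, which is how an examiner spots a renamed document or an executable disguised as an image. The signature table is a short selection of formats I know; the sample file headers are constructed inline.

```python
"""Added example: identifying file types from their headers (magic bytes).

A forensic examiner cannot trust the extension, so this checks the first
bytes of a file against a small table of known signatures and flags files
whose extension disagrees with the header. The signature table covers a
handful of common formats; the sample files are constructed inline.
"""
from pathlib import PurePath

# (signature bytes, offset, description, extensions that normally carry it)
SIGNATURES = [
    (b"BM", 0, "Windows bitmap image", {".bmp"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "OLE2 compound document (legacy .doc/.xls/.ppt)",
     {".doc", ".xls", ".ppt"}),
    (b"PK\x03\x04", 0, "ZIP archive (also .docx/.xlsx/.jar)", {".zip", ".docx", ".xlsx", ".jar"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {".png"}),
    (b"\xFF\xD8\xFF", 0, "JPEG image", {".jpg", ".jpeg"}),
    (b"%PDF-", 0, "PDF document", {".pdf"}),
    (b"GIF87a", 0, "GIF image", {".gif"}),
    (b"GIF89a", 0, "GIF image", {".gif"}),
    (b"MZ", 0, "DOS/Windows executable", {".exe", ".dll", ".sys"}),
]


def identify(header: bytes):
    """Return (description, expected_extensions) for the first matching signature."""
    for magic, offset, description, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return description, exts
    return None


def check_file(name: str, header: bytes) -> dict:
    """Classify a file by header and note whether its extension matches."""
    ext = PurePath(name).suffix.lower()
    match = identify(header)
    if match is None:
        return {"name": name, "type": "unknown", "extension_ok": None}
    description, exts = match
    return {"name": name, "type": description, "extension_ok": ext in exts}


def scan(files: dict) -> list:
    """Run check_file over a {name: header_bytes} mapping; returns the reports."""
    return [check_file(name, header) for name, header in files.items()]


# Constructed sample headers (first 16 bytes of each file), not real files.
SAMPLE_FILES = {
    "photo.bmp": b"BM6\x00\x02\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00",
    "report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00",
    "notes.txt": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00",  # a .doc renamed
    "readme.txt": b"This is plain text, no signature.",
    "setup.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00",  # executable disguised
}

if __name__ == "__main__":
    for report in scan(SAMPLE_FILES):
        flag = "" if report["extension_ok"] in (True, None) else "  <-- extension mismatch"
        print(f"{report['name']:12s} {report['type']}{flag}")
```

On a real image you would read only the first few hundred bytes of each file through a write-blocked device; the "BM6" seen in Hex Workshop is the two-byte "BM" signature followed by the first byte of the file-size field.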

Master Boot Record


On Windows and DOS computer systems, the boot disk contains a file called the
Master Boot Record (MBR), which stores information about partitions on a disk and
their locations, size, and other important items.
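The MBR description above and the earlier discussion of partition gaps, as one added Python example (not code from the course notes or from any disk editor): it parses the four 16-byte partition entries of a constructed 512-byte MBR, lists each partition's type, first sector and size, and reports the unallocated sector ranges between the MBR, the partitions and the end of the disk, which is where a partition gap large enough to hold hidden data would show up. The partition layout, disk size and the small partition-type table are constructed assumptions for the demonstration.

```python
"""Added example: parsing an MBR partition table and checking for partition gaps.

Reads the four 16-byte partition entries in a 512-byte Master Boot Record,
lists each partition's type, starting sector and size, and reports unused
sector ranges between partitions (the "partition gaps" where data can be
hidden). The MBR below is constructed for the demonstration; a real
examination would read sector 0 from a write-blocked image.
"""
import struct

PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
SECTOR_SIZE = 512
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries as dicts, in table order."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    entries = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        raw = sector0[start:start + ENTRY_SIZE]
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped),
        # 32-bit little-endian first sector and sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", raw, 0)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "first_sector": lba_start,
            "last_sector": lba_start + count - 1,
            "sectors": count,
        })
    return entries


def find_gaps(partitions: list, total_sectors: int, first_usable: int = 1) -> list:
    """Unallocated sector ranges between the MBR, the partitions and the disk end.

    Returns (first_sector, last_sector, sector_count) triples. Small gaps are
    normal alignment padding; large ones deserve a look with a disk editor.
    """
    gaps = []
    cursor = first_usable
    for p in sorted(partitions, key=lambda p: p["first_sector"]):
        if p["first_sector"] > cursor:
            gaps.append((cursor, p["first_sector"] - 1, p["first_sector"] - cursor))
        cursor = max(cursor, p["last_sector"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1, total_sectors - cursor))
    return gaps


def build_test_mbr(partitions) -> bytes:
    """Construct a synthetic MBR from (bootable, type, first_sector, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for i, (bootable, ptype, first, count) in enumerate(partitions):
        entry = struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xFF\xFF\xFF",
                            ptype, b"\xFF\xFF\xFF", first, count)
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        sector[offset:offset + ENTRY_SIZE] = entry
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed layout on a 200 000-sector disk: a FAT32 partition, then an
# unusually large gap, then an NTFS partition that does not reach the disk end.
SAMPLE_MBR = build_test_mbr([(True, 0x0C, 2048, 100000), (False, 0x07, 150000, 40000)])
SAMPLE_DISK_SECTORS = 200000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"#{p['index']} {p['type_name']:14s} sectors {p['first_sector']}-{p['last_sector']} "
              f"({p['sectors'] * SECTOR_SIZE // 2**20} MiB){' boot' if p['bootable'] else ''}")
    for first, last, count in find_gaps(parts, SAMPLE_DISK_SECTORS):
        print(f"gap: sectors {first}-{last} ({count} sectors, {count * SECTOR_SIZE // 2**20} MiB)")
```

The sectors immediately after the MBR (here 1 to 2047) are the usual alignment padding, but the 47 952-sector gap between the two partitions and the 10 000 unclaimed sectors at the end are exactly the areas the text says a disk editor should be used to inspect.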

Examining FAT Disks


File Allocation Table (FAT) is the file structure database that Microsoft
originally designed for floppy disks. FAT is used on file systems before Windows
NT and 2000.
The FAT database is typically written to a disk’s outermost track and contains
filenames, directory names, date and time stamps, the starting cluster number,
and file attributes.
There are four versions of FAT—FAT12, FAT16, FAT32, and FATX (used by Xbox
game systems)—and a variation called Virtual File Allocation Table (VFAT).
FAT12—It is used for floppy disks and it has a limited amount of storage
space. It was designed for MS-DOS 1.0, the first Microsoft OS, used for
floppy disk drives and drives up to 16 MB.

FAT16—To handle large disks, Microsoft developed FAT16.FAT16
supports disk partitions with a maximum storage capacity of 2 GB.

FAT32—When disk technology improved and disks larger than 2 GB were
created, Microsoft developed FAT32 is used on Microsoft OSs such as
Windows 95 , 98, Me, 2000, XP, and Vista. FAT32 can access up to 2 TB of
disk storage.

FATX—Xbox media is stored in the FATX format and can be read by any
Windows system. start at 1980.


In FAT32 file systems, cluster sizes are determined by the OS. Clusters can range from
1 sector of 512 bytes to 128 sectors of 64 KB.

Microsoft OSs allocate disk space for files by clusters. This practice results in drive
slack, composed of the unused space in a cluster between the end of an active file
and the end of the cluster.

Drive slack includes RAM slack and file slack.
- RAM slack is created in the unused space on a sector.
- When you run out of room in an allocated cluster, the OS allocates another
  cluster for your file, which creates more slack space on the disk.
- As files grow and require more disk space, assigned clusters are chained together.
  The chain can be broken or fragmented.
- When the OS stores data in a FAT file system, it assigns a starting cluster position
  to a file. Data for the file is written to the first sector of the first assigned
  cluster.
- When this first assigned cluster is filled and runs out of room, FAT assigns the
  next available cluster to the file. If the next available cluster isn’t contiguous
  to the current cluster, the file becomes fragmented.

Deleting FAT Files

When a file is deleted in Windows Explorer or with the MS-DOS Delete command,
the OS inserts a HEX E5 (0xE5), which many hex-editing programs display as the
lowercase Greek letter sigma (σ), in the filename’s first letter position in the FAT
database.
The sigma symbol tells the OS that the file is no longer available and a new file can
be written to the same cluster location.
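The following Python is an added example (it is not from the course notes) that ties the last two sections together. It walks raw 32-byte FAT directory entries, recognises the 0xE5 deletion marker, recovers the remaining characters of a deleted name, decodes the starting cluster, size and date stamp, and computes the RAM slack and file slack of each file from the cluster geometry. The directory region and the geometry it assumes (FAT32, 512-byte sectors, 8 sectors per cluster) are constructed for the example:

```python
"""Walk raw FAT directory entries: live vs. deleted (0xE5) files and slack space.

Added example; not from the course notes. The directory region and the disk
geometry (FAT32, 512-byte sectors, 8 sectors per cluster) are constructed.
"""
import struct

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER     # 4096 bytes
DELETED = 0xE5          # first name byte of a deleted entry (shown as sigma in hex editors)
END_OF_DIR = 0x00       # first name byte 0x00: no entries follow
ATTR_LFN = 0x0F         # long-file-name entries; skipped here


def fat_date(raw: int) -> str:
    """FAT date word: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return f"{1980 + (raw >> 9):04d}-{(raw >> 5) & 0x0F:02d}-{raw & 0x1F:02d}"


def slack(size: int) -> dict:
    """Clusters allocated to a file plus its RAM slack (rest of the last sector
    written) and file slack (whole unused sectors left in the last cluster)."""
    clusters = -(-size // CLUSTER_SIZE)              # ceiling division; 0 for an empty file
    ram_slack = (SECTOR_SIZE - size % SECTOR_SIZE) % SECTOR_SIZE
    file_slack = clusters * CLUSTER_SIZE - size - ram_slack
    return {"clusters": clusters, "ram_slack": ram_slack, "file_slack": file_slack}


def parse_directory(region: bytes) -> list:
    """One dict per 32-byte short-name entry; deleted entries are kept and marked."""
    entries = []
    for off in range(0, len(region) - 31, 32):
        e = region[off:off + 32]
        if e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        name = (b"?" if deleted else e[:1]) + e[1:8]    # first character is lost on delete
        short = name.decode("ascii", "replace").rstrip()
        if e[8:11].strip():
            short += "." + e[8:11].decode("ascii", "replace").rstrip()
        # offsets 20-21 high cluster word, 24-25 write date, 26-27 low cluster word, 28-31 size
        hi, wdate, lo, size = struct.unpack_from("<H2xHHI", e, 20)
        entries.append({"name": short, "deleted": deleted, "attr": e[11],
                        "start_cluster": (hi << 16) | lo, "size": size,
                        "modified": fat_date(wdate), **slack(size)})
    return entries


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int,
               wdate: int = 0x3A21, deleted: bool = False) -> bytes:
    """Build one constructed 32-byte short-name entry (0x3A21 = 2009-01-01)."""
    raw = bytearray(32)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H2xHHI", raw, 20, cluster >> 16, wdate, cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


def sample_directory() -> bytes:
    """Constructed directory: one live file, one deleted file, then the end marker."""
    return (make_entry("REPORT", "DOC", 0x20, 0x000A, 5000)
            + make_entry("SECRET", "TXT", 0x20, 0x0012, 300, deleted=True)
            + bytes(32))


if __name__ == "__main__":
    for ent in parse_directory(sample_directory()):
        state = "DELETED" if ent["deleted"] else "live"
        print(f"{ent['name']:12} {state:8} cluster {ent['start_cluster']:>4} size {ent['size']:>5} "
              f"modified {ent['modified']} ram_slack {ent['ram_slack']} file_slack {ent['file_slack']}")
```

The deleted entry still carries its starting cluster and size, which is exactly what makes recovery possible as long as the clusters have not been reused; the 300-byte file shows how much of a 4 KB cluster (212 bytes of RAM slack plus 3584 bytes of file slack) can hold residue from whatever occupied it earlier.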

Examining NTFS Disks

New Technology File System (NTFS) was introduced when Microsoft created
Windows NT and is the primary file system for Windows Vista.

Features:
- NTFS provides more information about a file, including security features, file
  ownership, and other file attributes.
- NTFS is a journaling file system. The journaling feature records a transaction
  before the system carries it out. That way, in a power failure or other
  interruption, the system can complete the transaction or go back to the last
  good setting.
- In NTFS, everything written to the disk is considered a file. On an NTFS disk,
  the first data set is the Partition Boot Sector, which starts at sector
  of the disk and can expand to 16 sectors.
- After the Partition Boot Sector is the Master File Table (MFT). The MFT is the
  first file on the disk.
- An MFT file is created at the same time a disk partition is formatted as an NTFS
  volume and usually consumes about 12.5% of the disk when it’s created. As data
  is added, the MFT can expand to take up 50% of the disk.

Advantages:
- In NTFS, file slack space is reduced.
- In NTFS, clusters are smaller for smaller disk drives. This feature saves more
  space on all disks using NTFS.
- NTFS also uses Unicode, an international data format. Unicode uses an 8-bit,
  a 16-bit, or a 32-bit configuration. These configurations are known as UTF-8
  (Unicode Transformation Format), UTF-16, and UTF-32.


NTFS System files

Since everything on an NTFS disk is a file, the first file, the MFT, contains
information about all files on the disk, including the system files the OS uses.

In the MFT, the first 15 records are reserved for system files. Records in the MFT
are referred to as metadata.

MFT and File Attributes

- In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes
  each.
- Each record contains file or folder information. This information is divided into
  record fields containing metadata about the file or folder and the file’s data or
  links to the file’s data.
- A record field is referred to as an attribute ID.
- File or folder information is typically stored in one of two ways in an MFT record:
  resident and nonresident.
- For very small files, about 512 bytes or less, all file metadata and data are stored
  in the MFT record. These types of records are called resident files because all
  their information is stored in the MFT record.
- Files larger than 512 bytes are stored outside the MFT. The file or folder’s MFT
  record provides cluster addresses where the file is stored on the drive’s partition.
  These cluster addresses are referred to as data runs. This type of MFT record is
  called nonresident because the file’s data is stored in its own separate file
  outside the MFT.
- When a disk is created as an NTFS file structure, the OS assigns logical clusters to
  the entire disk partition. These assigned clusters, called logical cluster numbers
  (LCNs), are sequentially numbered from the beginning of the disk partition,
  starting with the value 0.
- When data is initially written to nonresident files, an LCN address is assigned to
  the MFT (attribute 0x80 field); it’s the first data run for a nonresident file. If
  the file can’t be stored contiguously on the disk, another data run is added.
- The second and all other data runs have a virtual cluster number (VCN) assigned.
  A VCN is the offset position from the previous LCN value in the data run.


MFT Structures for File Data


- The first section of an MFT record is the header. It defines the size and
  starting position of the first attribute.
- The next sections are the attributes that are specific for the file type, such as
  an application file or a data file.

MFT Header Fields

- At offset 0x00—The MFT record identifier FILE; the letter F is at offset 0.
- At offset 0x1C to 0x1F—Size of the MFT record; the default is 0x400 (1024)
  bytes, or two sectors.
- At offset 0x14—Length of the header, which indicates where the next attribute
  starts; it’s typically 0x38 bytes.
- At offset 0x32 and 0x33—The update sequence array, which stores the two bytes
  of the first sector of the MFT record. It’s used only when MFT data exceeds
  512 bytes.

NTFS Data Streams


In NTFS, a data stream allows the file to be associated with different applications.
As a result, it remains one data unit. You can also store information about a file in
a data stream.
Example: Microsoft states: “A graphics program can store a thumbnail image of a
bitmap in a named data stream within the NTFS file containing the image.”

From a Windows NT and later command prompt, you can create a data stream with
this MS-DOS command:

    C:\> echo text_string > myfile.txt:stream_name

In the command, the data stream is defined in the MFT by the colon between the
file extension and the data stream label.
To display a data stream’s content as a simple text string, use this command:

    C:\> more < myfile.txt:stream1

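The following Python is added to illustrate the MFT material of the three preceding sections (attributes and data runs, the MFT header fields, and named data streams); it is not code from the course notes. It parses one constructed 1024-byte FILE record: it applies the update-sequence fixups, walks the attribute headers, distinguishes resident from nonresident attributes, decodes the data runs into (VCN, LCN, length) triples, and lists the named $DATA attributes, which is where an alternate data stream such as myfile.txt:stream_name lives in the MFT. The record contents (cluster numbers, the stream name "secret" and its text) are constructed:

```python
"""Parse one NTFS MFT record: header, fixups, attributes (resident vs.
non-resident), named $DATA streams (alternate data streams) and data runs.

Added example, not code from the course notes. The 1024-byte record is
constructed inline; the field layout follows the on-disk NTFS FILE record.
"""
import struct

RECORD_SIZE, SECTOR = 1024, 512
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF


def apply_fixups(rec: bytes) -> bytes:
    """NTFS writes the update sequence number (USN) over the last 2 bytes of each
    sector and keeps the originals in the update sequence array (USA, offset given
    at 0x04): restore them, and fail if a sector tail disagrees (torn write)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):                       # entry 0 is the USN itself
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def decode_runs(runs: bytes) -> list:
    """Data runs -> (vcn, lcn, length). Header byte: low nibble = bytes in the
    length field, high nibble = bytes in the signed offset field, which is
    relative to the previous run's LCN; 0 offset bytes means a sparse run."""
    out, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos]:
        ln, on = runs[pos] & 0x0F, runs[pos] >> 4
        length = int.from_bytes(runs[pos + 1:pos + 1 + ln], "little")
        pos += 1 + ln
        if on:
            lcn += int.from_bytes(runs[pos:pos + on], "little", signed=True)
        out.append((vcn, lcn if on else None, length))
        pos, vcn = pos + on, vcn + length
    return out


def parse_record(raw: bytes) -> dict:
    """Return header flags/sizes and the attribute list of one MFT record."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    first_attr, flags, used, alloc = struct.unpack_from("<HHII", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "used_size": used, "allocated_size": alloc, "attributes": []}
    pos = first_attr
    while pos + 16 <= len(rec):
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, pos)
        if atype == ATTR_END:
            break
        attr = {"type": atype, "resident": not nonres,
                "name": rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le")}
        if nonres:                                      # run list + real size live in the header
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            attr["real_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            attr["runs"] = decode_runs(rec[pos + run_off:pos + alen])
        else:                                           # content is inside the record
            csize, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            attr["content"] = rec[pos + coff:pos + coff + csize]
        info["attributes"].append(attr)
        pos += alen
    return info


def alternate_streams(info: dict) -> list:
    """Named $DATA attributes are the file's alternate data streams (file:name)."""
    return [a["name"] for a in info["attributes"] if a["type"] == ATTR_DATA and a["name"]]


def _attr(atype: int, name: str, body: bytes, nonres: bool) -> bytes:
    """Constructed attribute with a 0x18 (resident) or 0x40 (non-resident) header."""
    nm, hdr_len = name.encode("utf-16-le"), 0x40 if nonres else 0x18
    body_off = (hdr_len + len(nm) + 7) & ~7                 # 8-byte aligned
    total = (body_off + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, int(nonres), len(name), hdr_len, 0, 0)
    if nonres:   # start/last VCN, run offset, compression unit, pad, alloc/real/init size
        hdr += struct.pack("<QQHHIQQQ", 0, 7, body_off, 0, 0, 32768, 30000, 30000)
    else:        # content size, content offset, indexed flag, pad
        hdr += struct.pack("<IHBB", len(body), body_off, 0, 0)
    out = bytearray(total)
    out[:len(hdr)] = hdr
    out[hdr_len:hdr_len + len(nm)] = nm
    out[body_off:body_off + len(body)] = body
    return bytes(out)


def build_sample_record() -> bytes:
    """Constructed record: unnamed $DATA (non-resident, 2 runs, the second placed
    before the first on disk) plus a resident ADS named 'secret'."""
    runs = bytes([0x31, 0x05, 0x00, 0x10, 0x00,   # 5 clusters starting at LCN 0x1000
                  0x21, 0x03, 0xF0, 0xFF,          # 3 clusters at LCN 0x1000 - 0x10
                  0x00])
    body = (_attr(ATTR_DATA, "", runs, True)
            + _attr(ATTR_DATA, "secret", b"hidden note", False)
            + struct.pack("<I", ATTR_END))
    rec, usa_off, first = bytearray(RECORD_SIZE), 0x30, 0x38
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, usa_off, 3)            # USN + one entry per sector
    struct.pack_into("<HHII", rec, 0x14, first, 0x01, first + len(body), RECORD_SIZE)
    rec[first:first + len(body)] = body
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in (1, 2):          # move the real sector tails into the USA, write the USN there
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)


if __name__ == "__main__":
    info = parse_record(build_sample_record())
    print("alternate data streams:", alternate_streams(info))
    for a in info["attributes"]:
        print(hex(a["type"]), repr(a["name"]), "resident" if a["resident"] else a["runs"])
```

A named $DATA attribute never shows up in a directory listing, so enumerating the attributes of a record is the reliable way to find streams; the negative offset in the second run shows why data runs are decoded relative to the previous LCN rather than read as absolute cluster numbers.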
NTFS Compressed Files

In NTFS, files, folders, or entire volumes can be compressed. With FAT16, you can
compress only a volume. On a Windows Vista, XP, 2000, or NT system, compressed
data is displayed normally when you view it in Windows Explorer or applications
such as Microsoft Word.


NTFS Encrypting File System (EFS)

In Microsoft Windows 2000, Microsoft added built-in encryption to NTFS called the
Encrypting File System (EFS).
- EFS implements a public key and private key method of encrypting files, folders,
  or disk volumes (partitions).
- Only the owner or user who encrypted the data can access encrypted files.
- The owner holds the private key, and the public key is held by a certificate
  authority, such as a global registry, network server, or company such as VeriSign.
- When EFS is used in Windows Vista Business Edition or higher, XP Professional, or
  2000, a recovery certificate is generated and sent to the local Windows
  administrator account.
- The purpose of the recovery certificate is to provide a mechanism for recovering
  encrypted files under EFS if there’s a problem with the user’s original private key.
- The recovery key is stored in one of two places. When the user of a network
  workstation initiates EFS, the recovery key is sent to the local domain server’s
  administrator account. If the workstation is standalone, the recovery key is sent
  to the workstation’s administrator account.
- Windows 2000 and XP decrypt the data automatically when the user or an
  application the user runs accesses an EFS file, folder, or disk volume.

EFS Recovery Key Agent
- The Recovery Key Agent implements the recovery certificate, which is in the
  Windows administrator account.
- Windows administrators can recover a key in two ways: through Windows or from
  an MS-DOS command prompt.
- These three commands are available from the MS-DOS command prompt:
  – Cipher
  – Copy
  – Efsrecvr (used to decrypt EFS files)
- To recover an encrypted EFS file, a user can e-mail it or copy the file to the
  administrator. The administrator can then run the Recovery Key Agent function to
  restore the file.

Deleting NTFS Files

When a file is deleted in Windows XP, 2000, or NT:
- The OS renames it and moves it to the Recycle Bin.
- You can also use the Del (delete) MS-DOS command, which eliminates the file from
  the MFT listing in the same way FAT does.

UNDERSTANDING WHOLE DISK ENCRYPTION

The current whole disk encryption tools offer the following features:
- Preboot authentication
- Full or partial disk encryption with secure hibernation
- Advanced encryption algorithms
- Key management function
- A Trusted Platform Module (TPM) microchip to generate encryption keys and
  authenticate logins
The whole disk encryption tools encrypt each sector of a drive separately.
- Many of these tools encrypt the drive’s boot sector to prevent any efforts to
  bypass the secured drive’s partition.
- To examine an encrypted drive, decrypt it first by running a vendor-specific
  program to decrypt the drive.

Examining Microsoft BitLocker

Microsoft’s utility for protecting drive data is called BitLocker, available only with
Vista Enterprise and Ultimate editions.

Hardware and software requirements:
- A computer capable of running Windows Vista
- The TPM microchip, version 1.2 or newer
- A computer BIOS compliant with Trusted Computing Group (TCG)
- Two NTFS partitions
- The BIOS configured so that the hard drive boots first before checking other
  bootable peripherals

Examining Third-Party Disk Encryption Tools


Some available third-party WDE utilities:
- PGP Whole Disk Encryption
  It can be used on PCs, laptops, and removable media to secure an entire disk
  volume. This tool works in Windows 2000, XP Professional (SP1 and SP2), and
  Mac OS X 10.4 and can also encrypt FAT volumes.
- Voltage SecureDisk
  It is designed for an enterprise computing environment.
- Utimaco SafeGuard Easy
  Provides whole disk encryption for NTFS and FAT file systems.
- Jetico BestCrypt Volume Encryption
  Provides whole disk encryption for older MS-DOS and Windows NTFS systems.
- SoftWinter Sentry 2020 for Windows XP
  It doesn’t encrypt the entire drive. To secure data, it creates a virtual drive
  saved to a large data file.

Some available open-source encryption tools:
- TrueCrypt
  Creates a virtual encrypted volume—a file mounted as though it were a disk drive.
  Data is encrypted automatically and in real time.
- CrossCrypt
  It also creates a virtual encrypted volume and provides Filedisk, a command-line
  utility with options for creating, mounting, dismounting, and encrypting volumes.
- FreeOTFE
  It creates a virtual disk that can encrypt data with several popular algorithms.
  FreeOTFE can be used in Windows 2000, XP, and Vista as well as with PDAs.

UNDERSTANDING THE WINDOWS REGISTRY

Registry
A database that stores hardware and software configuration information, network
connections, user preferences, and setup information.

For investigative purposes, the Registry can contain valuable evidence.

To view the Registry, you can use:
- Regedit (Registry Editor) program for Windows 9x systems
- Regedt32 for Windows 2000 and XP


Registry Terminologies

Registry—A collection of files containing system and user information.
Registry Editor—A Windows utility for viewing and modifying data in the Registry.
There are two Registry Editors: Regedit and Regedt32.
HKEY—Windows splits the Registry into categories with the prefix HKEY_. Windows
9x systems have six HKEY categories and Windows 2000 and later have five.
Windows programmers refer to the “H” as the handle for the key.
Key—Each HKEY contains folders referred to as keys. Keys can contain other key
folders or values.
Subkey—A key displayed under another key is a subkey.
Branch—A key and its contents, including subkeys, make up a branch in the
Registry.
Value—A name and value in a key; it’s similar to a file and its data content.
Default value—All keys have a default value that may or may not contain data.
Hives—Hives are specific branches in HKEY_USER and HKEY_LOCAL_MACHINE.

When examining Registry data from a suspect drive, you need to know where
these files are located so that you can extract them and analyze their content. You
can find these files with tools such as AccessData Registry Viewer.
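As an added example (not from the course notes or from AccessData Registry Viewer), the Python below reads the base block of an NT-family Registry hive, the "regf" format that Windows 2000 and later use for SYSTEM, SOFTWARE, SAM, SECURITY and NTUSER.DAT (the Windows 9x SYSTEM.DAT and USER.DAT files use a different format). It checks the signature, compares the two sequence numbers to detect a hive whose last write was interrupted, decodes the last-written timestamp and verifies the header checksum. The hive locations listed are those of a Windows XP system drive, and the 4 KiB header it parses is constructed inline:

```python
"""Read the base block of an NT-family Registry hive ("regf" format).

Added example; not code from the course notes or from AccessData Registry
Viewer. Windows 2000 and later store SYSTEM, SOFTWARE, SAM, SECURITY and
NTUSER.DAT in this format (Windows 9x SYSTEM.DAT/USER.DAT differ). The 4 KiB
header parsed here is constructed inline; the layout and checksum rule are
those of the on-disk format.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 4096
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Where the hives live on a Windows XP system drive (assumption for this example;
# Vista keeps user hives under \Users\<user>\ instead).
HIVE_PATHS = {
    "SYSTEM": r"\WINDOWS\system32\config\system",
    "SOFTWARE": r"\WINDOWS\system32\config\software",
    "SAM": r"\WINDOWS\system32\config\SAM",
    "SECURITY": r"\WINDOWS\system32\config\SECURITY",
    "NTUSER.DAT": r"\Documents and Settings\<user>\NTUSER.DAT",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords before the checksum field at 0x1FC."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", header[:0x1FC]):
        acc ^= dword
    if acc == 0xFFFFFFFF:            # two reserved results are remapped by the format
        return 0xFFFFFFFE
    return 1 if acc == 0 else acc


def parse_hive_header(header: bytes) -> dict:
    """Decode the base block and flag an interrupted write or a bad checksum."""
    if header[:4] != b"regf":
        raise ValueError("not a regf hive: missing 'regf' signature")
    seq1, seq2, ft, major, minor, ftype, _fmt, root, hbins = struct.unpack_from(
        "<IIQIIIIII", header, 0x04)
    name = header[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", header, 0x1FC)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,            # 1 would be a transaction log
        # Unequal sequence numbers: the last write never completed (dirty hive);
        # the .LOG file may hold the rest of that transaction.
        "dirty": seq1 != seq2,
        "sequence": (seq1, seq2),
        "last_written": filetime_to_datetime(ft),
        "root_cell_offset": 0x1000 + root,        # cell offsets are relative to the first hbin
        "hbins_data_size": hbins,
        "checksum_ok": stored == regf_checksum(header),
    }


def build_sample_header(seq1: int = 5, seq2: int = 5) -> bytes:
    """Constructed base block for a hive named SYSTEM last written 2009-01-15 12:30 UTC."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = b"regf"
    written = datetime(2009, 1, 15, 12, 30, tzinfo=timezone.utc)
    ft = int((written - EPOCH_1601).total_seconds()) * 10_000_000
    # major 1, minor 3, file type 0 (primary), format 1, root cell +0x20, hbins 0x5000
    struct.pack_into("<IIQIIIIII", hdr, 0x04, seq1, seq2, ft, 1, 3, 0, 1, 0x20, 0x5000)
    hdr[0x30:0x3C] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    for hive, path in HIVE_PATHS.items():
        print(f"{hive:11} {path}")
    for h in (parse_hive_header(build_sample_header()), parse_hive_header(build_sample_header(8, 7))):
        state = "DIRTY (interrupted write)" if h["dirty"] else "clean"
        print(f"{h['name']}: v{h['version']} written {h['last_written']:%Y-%m-%d %H:%M} "
              f"{state} checksum_ok={h['checksum_ok']}")
```

The last-written timestamp and the dirty flag are worth recording before the hive is opened in a viewer: a dirty hive means the transaction log beside it should be extracted as well, and a failed checksum means the copy should be re-acquired rather than analyzed.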

Examining the Windows Registry

Steps to extract Registry files with ProDiscover Basic:

1. Start ProDiscover Basic with the Run as administrator option. If the Launch
   Dialog dialog box opens, click Cancel.
2. Click File, New Project from the menu.
3. In the New Project dialog box, fill in the Project Number text box and the
   Project File Name text box, and then click OK.
4. In the tree view of the main window, click to expand Add and then click Image
   File.
5. In the Open dialog box, navigate to your work folder, click the GCFI-Win98.eve
   image file, and click Open. Click Yes in the Auto Image Checksum message box,
   if necessary.
6. Click the Search toolbar button. In the Search dialog box, click the Content
   Search tab. Click the Search for files named option button, and in the Search
   text box, type system.dat and user.dat. Under Select the Disk(s)/Image(s) you
   want to search in, click the image file and then click OK.
7. In the search results, click the check box next to the SYSTEM.DAT file. When the
   Add Comment dialog box opens, type Registry files to extract, click the Apply
   to all items check box, and then click OK.
8. Click the check box next to the USER.DAT file, and then click Tools, Copy
   Selected Files from the menu. In the Choose Destination dialog box, click
   Browse. In the Browse for Folder dialog box, navigate to and click your work
   folder, and then click OK. Click OK again in the Choose Destination dialog box.
9. Exit ProDiscover Basic.

Steps to extract Registry files with AccessData Registry Viewer:

1. Start Notepad or another text editor.
2. Start Registry Viewer by clicking Start, pointing to All Programs, pointing to
   AccessData, pointing to Registry Viewer, right-clicking Registry Viewer, clicking
   Run as administrator, and then clicking Continue.
3. In Registry Viewer’s main window, click the Open toolbar button and navigate to
   the location where the image file is stored. Click USER.DAT, and then click Open.
4. Click Edit, Find from the menu. In the Find dialog box, type superior in the Find
   what text box, and then click Find Next.
5. When the search results are displayed, right-click the folder in the left pane
   containing the key, click Copy Key Name, and paste it into Notepad.
6. In Registry Viewer, press F3 to search for the next occurrence of the keyword
   “denise,” and copy and paste the key name as before. Repeat until no more
   occurrences are found.
7. Click USER.DAT in the left pane, and then click Edit, Find from the menu again.
   This time, type denise in the Find what text box and click Find Next.
8. When the search results are displayed, right-click the folder in the left pane
   containing the key, click Copy Key Name, and paste it into Notepad. Press F3 to
   search for the next occurrence of the keyword “denise,” and copy and paste the
   key name as before. Repeat until no more occurrences are found.
9. Exit Registry Viewer by clicking File, Exit from the menu, and then clicking Yes
   in the Exit Registry Viewer dialog box.
10. Delete any redundant folder names in Notepad and save this text document. Exit
    Notepad.


UNDERSTANDING MICROSOFT STARTUP TASKS

Startup in Windows NT and Later

All NTFS computers perform the following steps when the computer is turned on:
1. Power-on self test (POST)
2. Initial startup
3. Boot loader
4. Hardware detection and configuration
5. Kernel loading
6. User logon

Startup Files for Windows Vista

- When Microsoft developed Vista, it updated the boot process to use the new
  Extensible Firmware Interface (EFI) as well as the older BIOS system.
- The EFI boot firmware is designed to provide better protection against malware
  than BIOS does.
- Vista’s boot process has also changed since Windows XP. The Ntldr program in
  Windows XP used to load the OS has been replaced with these three boot
  utilities:
  – Bootmgr.exe—The Windows Boot Manager program controls boot flow and
    allows booting multiple OSs, such as booting Vista along with XP.
  – Winload.exe—The Windows Vista OS loader installs the kernel and the Hardware
    Abstraction Layer (HAL) and loads memory with the necessary boot drivers.
  – Winresume.exe—This tool restarts Vista after the OS goes into hibernation
    mode.
- Windows Vista also includes a tool for modifying boot options called Boot
  Configuration Data (BCD); it replaces Windows XP’s Boot.ini file.

Startup Files for Windows XP

- The startup files for Windows XP are located in the root folder of the system
  partition.
- The NT Loader (Ntldr) file loads the OS.
- When the system is powered on, Ntldr reads the Boot.ini file, which displays a
  boot menu.


- After you select the mode to boot to, Boot.ini runs Ntoskrnl.exe and reads
  Bootvid.dll, Hal.dll, and startup device drivers.
- Boot.ini specifies the Windows XP installation path and contains options for
  selecting the Windows version.
- If a system has multiple boot OSs, including older ones such as Windows 9x or
  DOS, Ntldr reads BootSect.dos (a hidden file), which contains the address (boot
  sector location) of each OS.
- When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode
  program that queries the system for device and configuration data, and then
  passes its findings to Ntldr. This program identifies components and values on
  the computer system, such as the following:
  – CMOS time and date value
  – Buses attached to the motherboard, such as Industry Standard Architecture
    (ISA) or Peripheral Component Interconnect (PCI)
  – Disk drives connected to the system
  – Mouse input devices connected to the system
  – Parallel ports connected to the system
- NTBootdd.sys is the device driver that allows the OS to communicate with SCSI or
  ATA drives that aren’t related to the BIOS.
- Ntoskrnl.exe is the Windows XP OS kernel, located in the
  %systemroot%\Windows\System32 folder.
- Hal.dll is the Hardware Abstraction Layer (HAL) dynamic link library, located in
  the %systemroot%\Windows\System32 folder. The HAL allows the OS kernel to
  communicate with the computer’s hardware.
- Device drivers contain instructions for the OS for hardware devices, such as the
  keyboard, mouse, and video card, and are stored in the
  %systemroot%\Windows\System32\Drivers folder.

Startup in Windows 9x/Me

- System files in Windows 9x/Me containing valuable information can be altered
  easily during startup.
- Windows 9x and Windows Me have similar boot processes.
- With Windows Me you can’t boot to a true MS-DOS mode.

Windows 9x OSs have two modes:
- DOS protected-mode interface (DPMI)
- Protected-mode GUI

- The system files used by Windows 9x have their origin in MS-DOS 6.22.
- Io.sys communicates between a computer’s BIOS, the hardware, and the OS
  kernel. If F8 is pressed during startup, Io.sys loads the Windows Startup menu.
- Msdos.sys is a hidden text file containing startup options for Windows 9x.
- Command.com provides a command prompt when booting to MS-DOS mode (DPMI).

UNDERSTANDING MS-DOS STARTUP TASKS


Two files are used to configure MS-DOS at startup:
- Config.sys—A text file containing commands that typically run only at system
  startup to enhance the computer’s DOS configuration.
- Autoexec.bat—A batch file containing customized settings for MS-DOS that runs
  automatically.

- Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive.
- Msdos.sys is the second program to load into RAM immediately after Io.sys. It
  looks for the Config.sys file to configure device drivers and other settings.
- Msdos.sys then loads Command.com.
- As the loading of Command.com nears completion, Msdos.sys looks for and loads
  Autoexec.bat.

Disk Operating Systems

Control Program for Microprocessors (CP/M)
- First nonspecific microcomputer OS
- Created by Digital Research in 1970
- 8-inch floppy drives; no support for hard drives

Digital Research Disk Operating System (DR-DOS)
- Developed in 1988 to compete with MS-DOS
- Used FAT12 and FAT16 and had a richer command environment

Personal Computer Disk Operating System (PC-DOS)
- Created by Microsoft under contract for IBM
- PC-DOS works much like MS-DOS

UNDERSTANDING VIRTUAL MACHINES

Virtual machines enable you to run another OS on an existing physical computer
(known as the host computer) by emulating a computer’s hardware environment.

- A virtual machine acts like any other file. It performs all the tasks the OS
  running on the physical computer can, up to a certain point.
- The virtual machine recognizes hardware components of the host computer it’s
  loaded on, such as the mouse, keyboard, and CD/DVD drive.
- In computer forensics, virtual machines make it possible to restore a suspect
  drive on a virtual machine and run nonstandard software the suspect might have
  loaded.
- From a network forensics standpoint, a virtual machine can be used to attack
  another system or network.

Creating a Virtual Machine

Common applications used for creating virtual machines are:
- VMware Server and VMware Workstation
- Sun Microsystems VirtualBox
- Microsoft Virtual PC
VirtualBox is an open-source program that can be downloaded at
www.virtualbox.org. Virtual PC 2007 can be downloaded free from
www.microsoft.com/virtualpc.

Steps to create virtual machine using VirtualBox


1. Install Microsoft Virtual PC.
2. Start Virtual PC. In Virtual PC 2007, the New Virtual Machine Wizard starts
   automatically.
3. In the welcome window of the New Virtual Machine Wizard, click Next.
4. In the Options window, click the Create a virtual machine option button.
5. In the Virtual Machine Name and Location window, type Windows Server 2003 for
   the virtual machine name. Then click Next.
6. In the Operating System window, click Windows Server 2003 in the Operating
   system list box, and then click Next.
7. In the Memory window, allocate the amount of RAM.
8. In the Virtual Hard Disk Options window, click the A new virtual hard disk option
   button, and then click Next.
9. In the Virtual Hard Disk Location window, accept the default location and then
   click Next.
10. Click Finish.

CURRENT COMPUTER FORENSICS TOOLS: SOFTWARE/ HARDWARE TOOLS.

To evaluate a forensic tool, the following parameters have to be considered:
- On which OS does the forensics tool run?
- Is the tool versatile? For example, does it work in Windows 98, XP, and Vista and
  produce the same results in all three OSs?
- Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
- Can a scripting language be used with the tool to automate repetitive functions
  and tasks?
- Does the tool have any automated features that can help reduce the time needed
  to analyze data?
- What is the vendor’s reputation for providing product support?

TYPES OF COMPUTER FORENSICS TOOLS

Computer forensics tools are divided into two major categories: hardware and
software.

Hardware Forensics Tools
Hardware forensics tools range from simple, single-purpose components to complete
computer systems and servers.
- Single-purpose components are devices such as the ACARD AEC-7720WP Ultra Wide
  SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a
  SCSI cable.
- Examples of complete systems:
  – Digital Intelligence F.R.E.D. systems
  – DIBS Advanced Forensic Workstations
  – Forensic Computers Forensic Examination Stations and portable units

Software Forensics Tools

Software forensics tools are grouped into command-line applications and GUI
applications.
Examples:
- SafeBack, a command-line disk acquisition tool.
- Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase,
  and AccessData FTK are GUI tools designed to perform most computer forensics
  acquisition and analysis functions.
- ProDiscover, EnCase, FTK, X-Ways Forensics, and ILook are analysis tools.

TASKS PERFORMED BY COMPUTER FORENSICS TOOLS

The tasks performed by any computer forensics tool are:
1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting

1. Acquisition
Acquisition is the first task in computer forensics investigations; it is making a
copy of the original drive. It preserves the original drive to make sure it doesn’t
become corrupt and damage the digital evidence.
- Subfunctions:
  – Physical data copy
  – Logical data copy
  – Data acquisition format
  – Command-line acquisition
  – GUI acquisition
  – Remote acquisition
  – Verification
- Two types of data-copying methods are used in software acquisitions:
  – Physical copying of the entire drive and
  – Logical copying of a disk partition.

- Most software acquisition tools include the option of imaging an entire physical
  drive or just a logical partition. One reason to choose a logical acquisition is
  drive encryption.
- All computer forensics acquisition tools have a method for verification of the
  data-copying process that compares the original drive with the image.
- Software computer forensics acquisition tools:
  – AccessData FTK and
  – EnCase

2. Validation and Discrimination

- The validation of data is to ensure the integrity of data being copied.
- The discrimination of data involves sorting and searching through all
  investigation data.
- Subfunctions:
  – Hashing
  – Filtering
  – Analyzing file headers
- Validating data is done by obtaining hash values. This method produces a unique
  hexadecimal value for data, used to make sure the original data hasn’t changed.
- In the corporate environment, an investigator could ignore all files on this known
  good list and focus on other files on the disk that aren’t on this list. This
  process is known as filtering.
- Filtering can also be used to find data for evidence in criminal investigations or
  to build a case for terminating an employee.
- The primary purpose of data discrimination is to remove good data from suspicious
  data. Good data consists of known files, such as OS files and common programs
  (Microsoft Word, for example).
- The National Software Reference Library (NSRL) has compiled a list of known file
  hashes for a variety of OSs, applications, and images.
- Several computer forensics programs can integrate known good file hash sets, such
  as the ones from the NSRL, and compare them to file hashes from a suspect drive
  to see whether they match. With this process, you can eliminate large amounts of
  data quickly so that you can focus your evidence analysis.
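The following Python is an added example, not from the course notes or from any of the tools named above. It shows the verification subfunction of acquisition and the hashing and filtering subfunctions of validation and discrimination together: a chunked hash of the source and of the copy are compared for acquisition verification, then every file under an evidence directory is hashed and split into known-good (present in the hash set) and unknown (to be examined). The evidence tree, the altered system file and the known-good hash set are constructed stand-ins, not real NSRL data:

```python
"""Acquisition verification by hashing and known-good filtering with a hash set.

Added example; not from the course notes or from FTK/EnCase/NSRL. The evidence
directory, the altered file and the known-good hash set are constructed here.
"""
import hashlib
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha1", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(original: str, copy: str) -> bool:
    """Verification step: the image must hash identically to what it was copied from."""
    return hash_file(original) == hash_file(copy)


def filter_known(root: str, known_good: set) -> dict:
    """Split files under root into known-good (safe to ignore) and unknown (examine)."""
    result = {"known": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            bucket = "known" if hash_file(path) in known_good else "unknown"
            result[bucket].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def demo() -> dict:
    """Constructed evidence tree: two unmodified OS files, one user file, and one
    OS file whose bytes were changed so its hash no longer matches the hash set."""
    pristine = {                      # what the vendor / NSRL-style set was built from
        "WINDOWS/notepad.exe": b"MZ constructed notepad contents",
        "WINDOWS/calc.exe": b"MZ constructed calc contents",
        "WINDOWS/explorer.exe": b"MZ constructed explorer contents",
    }
    known_good = {hashlib.sha1(data).hexdigest() for data in pristine.values()}
    on_disk = dict(pristine)
    on_disk["WINDOWS/explorer.exe"] += b" PATCHED"     # tampered binary
    on_disk["Documents/plan.txt"] = b"meet at the usual place"
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence")
        for rel, data in on_disk.items():
            path = os.path.join(evidence, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        # Acquisition check: an exact copy verifies, a copy with one byte changed does not.
        src = os.path.join(evidence, "WINDOWS", "notepad.exe")
        good_copy, bad_copy = os.path.join(tmp, "good.img"), os.path.join(tmp, "bad.img")
        with open(src, "rb") as fh, open(good_copy, "wb") as g, open(bad_copy, "wb") as b:
            data = fh.read()
            g.write(data)
            b.write(data[:-1] + bytes([data[-1] ^ 0x01]))
        out = filter_known(evidence, known_good)
        out["copy_verified"] = verify_copy(src, good_copy)
        out["tampered_copy_verified"] = verify_copy(src, bad_copy)
    return out


if __name__ == "__main__":
    r = demo()
    print("copy verified:", r["copy_verified"], "| tampered:", r["tampered_copy_verified"])
    print("known-good (skip):", r["known"])
    print("unknown (examine):", r["unknown"])
```

Note that the patched explorer.exe lands in the unknown list even though its name matches an OS file: a hash set filters on content, not on file names, which is why a known-file filter also surfaces system binaries that have been modified.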


3. Extraction

- The extraction function is the recovery task in a computing investigation.
- Subfunctions:
  – Data viewing
  – Keyword searching
  – Decompressing
  – Carving
  – Decrypting
  – Bookmarking
- Computer forensics tools that include a data-viewing mechanism are:
  – ProDiscover
  – X-Ways Forensics
  – FTK
  – EnCase
  – SMART
  – ILook
- These tools also display allocated file data and unallocated disk areas with
  special file and disk viewers.
- Some tools can set filters to select the file types to search, such as searching
  only PDF documents.
- Another function in some forensics tools is indexing all words on a drive.
- Part of the investigation process also involves reconstructing fragments of files
  that have been deleted from a suspect drive. In North America, this
  reconstruction is referred to as “carving”; in Europe, it’s called “salvaging.”
- Tools used for data carving:
  – DataLifter and
  – Davory
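The Python below is an added example of the carving idea (it is not from the course notes, DataLifter or Davory): it scans a raw byte image for known file headers and recovers each file either from a length field in its own header (BMP) or by searching forward for its end marker (JPEG). The disk image is constructed inline, and the example also shows why a byte-wise scan finds files that a faster sector-aligned scan misses:

```python
"""Carve files out of a raw byte image (e.g. unallocated space) by header/footer.

Added example; not from the course notes, DataLifter or Davory. The disk
image is constructed inline: filler bytes with a small BMP at a sector
boundary and a small JPEG that straddles one.
"""
import struct
from typing import Optional

SECTOR = 512


def carve_bmp(img: bytes, offset: int) -> Optional[bytes]:
    """BMP carries its own length: 'BM' followed by a little-endian uint32 size."""
    if img[offset:offset + 2] != b"BM" or offset + 14 > len(img):
        return None
    size = struct.unpack_from("<I", img, offset + 2)[0]
    # Sanity bounds: smaller than the fixed headers (14 + 40 bytes) or running
    # past the end of the image is a false hit, not a file.
    if size < 54 or offset + size > len(img):
        return None
    return img[offset:offset + size]


def carve_jpeg(img: bytes, offset: int, max_len: int = 10_000_000) -> Optional[bytes]:
    """JPEG has no length field: take FF D8 FF up to the next FF D9 end marker."""
    if img[offset:offset + 3] != b"\xff\xd8\xff":
        return None
    end = img.find(b"\xff\xd9", offset + 3, offset + max_len)
    return None if end < 0 else img[offset:end + 2]


CARVERS = {b"BM": carve_bmp, b"\xff\xd8\xff": carve_jpeg}


def carve(img: bytes, step: int = 1) -> list:
    """Scan for known headers; step=SECTOR tests only sector starts (faster,
    the usual tool default since files begin on a cluster), step=1 is byte-wise
    and also finds files embedded inside other files or slack."""
    found, pos = [], 0
    while pos < len(img):
        hit = None
        for magic, fn in CARVERS.items():
            if img.startswith(magic, pos):
                hit = fn(img, pos)
                if hit:
                    found.append({"offset": pos, "type": fn.__name__[len("carve_"):],
                                  "size": len(hit), "data": hit})
                    break
        if hit:
            pos += len(hit)                          # skip over the carved file
            if step > 1:
                pos = -(-pos // step) * step         # back onto the sector grid
        else:
            pos += step
    return found


def build_sample_image() -> bytes:
    """Constructed image: 0xAA filler, a 70-byte BMP at sector 2 (byte 1024) and
    a 52-byte JPEG at byte 1500, crossing the sector 2/3 boundary at 1536."""
    bmp = b"BM" + struct.pack("<I", 70) + b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
    img = bytearray(b"\xaa" * (SECTOR * 4))
    img[SECTOR * 2:SECTOR * 2 + len(bmp)] = bmp
    img[1500:1500 + len(jpeg)] = jpeg
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for label, step in (("byte-wise", 1), ("sector-aligned", SECTOR)):
        hits = carve(img, step)
        print(f"{label}: " + ", ".join(f"{h['type']}@{h['offset']} ({h['size']} B)" for h in hits))
```

Carving of this kind only recovers contiguous files; a fragmented file whose clusters are scattered needs the file-system metadata (the FAT chain or the NTFS data runs) to be reassembled, which is why carving is applied to unallocated space after the metadata-based recovery has been tried.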

4. Reconstruction
To re-create a suspect drive to show what happened during a crime or an incident.
- Subfunctions:
  – Disk-to-disk copy
  – Image-to-disk copy
  – Partition-to-partition copy
  – Image-to-partition copy

- Disk-to-disk copy
  – The simplest method of duplicating a drive is using a tool that makes a direct
    disk-to-disk copy from the suspect drive to the target drive.
    Example: UNIX/Linux dd command
  – Disadvantage: The target drive being written to must be identical to the
    original (suspect) drive, with the same cylinder, sector, and track count.
  – For a disk-to-disk copy, both hardware and software duplicators are used.
  – Hardware duplicators are the fastest way to copy data from one disk to
    another. Examples: Logicube Talon, Logicube Forensic MD5, and ImageMASSter
    Solo III Forensics Hard Drive Duplicator
  – Software duplicators are slower than hardware duplicators. Examples:
    SnapBack, SafeBack, EnCase, and X-Ways Forensics
- Image-to-disk and image-to-partition copies
  – The following are some tools that perform an image-to-disk copy: SafeBack,
    SnapBack, EnCase, FTK Imager, ProDiscover, and X-Ways Forensics

5. Reporting
To complete a forensics disk analysis and examination, you need to create a report.
- Subfunctions:
  – Log reports
  – Report generator
- The following tools offer report generators displaying bookmarked evidence:
  – EnCase
  – FTK
  – ILook
  – X-Ways Forensics
  – ProDiscover
- The log report can be added to your final report as additional documentation of
  the steps you took during the examination, which can be useful if repeating the
  examination is necessary.
- For a case that requires peer review, log reports confirm what activities were
  performed and what results were found in the original analysis and examination.

COMPUTER FORENSICS SOFTWARE TOOLS

Command-Line Forensics Tools

The first tools that analyzed and extracted data from floppy disks and hard disks
were MS-DOS tools for IBM PC file systems.

Examples of MS-DOS tools:
 Norton DiskEdit
 NTI, Digital Intelligence,
 MaresWare,
 DataLifter, and
 ByteBack
 Advantage:
 Runs on a minimum configuration
 Saves time and effort.

UNIX/Linux Forensics Tools

Example:
 SMART,
 BackTrack,
 Autopsy with Sleuth Kit, and
 Knoppix-STD.

SMART
SMART is designed to be installed on numerous Linux versions, including
Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
You can analyze a variety of file systems with SMART.
 SMART includes several plug-in utilities.
 SMART includes a hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends.
 SMART also offers a reporting feature.
 Everything you do during your investigation with SMART is logged.
 Advantage: takes advantage of the multithreading capabilities of current OSs and hardware.
Helix
 Helix can be loaded on a live Windows system, and it loads as a bootable Linux OS from a cold boot.
 Its Windows component is used for live acquisitions.

BackTrack
It includes a variety of tools and has an easy-to-use KDE interface.

Autopsy and Sleuth Kit


Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface
for accessing Sleuth Kit’s tools.
Knoppix-STD
Knoppix Security Tools Distribution (STD) is a collection of tools for
configuring security measures, including computer and network forensics.
Knoppix-STD is forensically sound, so it doesn’t allow you to alter or damage
the system you’re analyzing.

COMPUTER FORENSICS HARDWARE TOOLS

Forensic Workstations

Forensic workstations can be divided into the following categories:
 Stationary workstation—A tower with several bays and many peripheral devices
 Portable workstation—A laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation
 Lightweight workstation—Usually a laptop computer built into a carrying case with a small selection of peripheral options
If you decide that building a forensic workstation is beyond your skills, several vendors offer workstations designed for computer forensics, such as the
 F.R.E.D. unit from Digital Intelligence or
 Dual Xeon Workstation from ForensicPC.

Using a Write-Blocker

Write-blockers protect evidence disks by preventing data from being written to them.
They are of two types:
 Software write-blockers
 Hardware write-blockers
Software write-blockers
 Example: PDBlock from Digital Intelligence
 Runs in a shell mode.
 PDBlock changes interrupt 13 of a workstation’s BIOS to prevent writing to the specified drive.
 If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred.
 PDBlock can run only in a true DOS mode, not in a Windows MS-DOS shell.

Hardware write-blockers
 You can connect the evidence drive to your workstation and start the OS as usual.
 Hardware write-blockers are ideal for GUI forensics tools.
 They prevent Windows or Linux from writing data to the blocked drive.
 Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation.

VALIDATING AND TESTING FORENSICS SOFTWARE

The National Institute of Standards and Technology (NIST) publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
o Software should be verified to improve evidence admissibility in judicial proceedings.
NIST sponsors the Computer Forensics Tool Testing (CFTT) project to manage research on computer forensics tools.

NIST has created criteria for testing computer forensics tools, which are included in the article “General Test Methodology for Computer Forensic Tools”.
The criteria are:
 Establish categories for computer forensics tools—Group computer forensics software according to categories, such as forensics tools designed to retrieve and trace e-mail.
 Identify computer forensics category requirements—For each category, describe the technical features or functions a forensics tool must have.
 Develop test assertions—Based on the requirements, create tests that prove or disprove the tool’s capability to meet the requirements.
 Identify test cases—Find or create types of cases to investigate with the forensics tool, and identify information to retrieve from a sample drive or other media.
 Establish a test method—Considering the tool’s purpose and design, specify how to test it.
 Report test results—Describe the test results in a report that complies with ISO 17025, which requires accurate, clear, unambiguous, and objective test reports.

Using Validation Protocols


After retrieving and examining evidence data with one tool, you should verify your
results by performing the same tasks with other similar forensics tools.

To satisfy the need for verification, you need at least two tools to validate software
or hardware upgrades. The tool you use to validate the results should be well
tested and documented.

Computer Forensics Examination Protocol

First, conduct your investigation of the digital evidence with one GUI tool.

Then perform the same investigation with a disk editor to verify that the GUI tool is
seeing the same digital evidence in the same places on the test or suspect drive’s
image.

If a file is recovered, obtain the hash value with the GUI tool and the disk editor,
and then compare the results to verify whether the file has the same value in both
tools.

Computer Forensics Tool Upgrade Protocol

You should test all new releases and OS patches and upgrades to make sure they’re reliable and don’t corrupt evidence data.

New releases and OS upgrades and patches can affect the way your forensics tools
perform.

If you determine that a patch or upgrade isn’t reliable, don’t use it on your forensic
workstation until the problem has been fixed.

If you have a problem, such as not being able to read old image files with the new
release or the disk editor generating errors after you apply the latest service pack, you
can file an error report with the vendor.

One of the best ways to test patches and upgrades is to build a test hard disk to store
data in unused space allocated for a file, also known as file slack.

You can then use a forensics tool to retrieve it. If you can retrieve the data with that
tool and verify your findings with a second tool, you know the tool is reliable.



UNIT - 5 CS 6004 - CYBER FORENSICS

UNIT V ANALYSIS AND VALIDATION

Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition
Network Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics

5.1 VALIDATING FORENSICS DATA

Examining and analyzing digital evidence depends upon the following:
 Nature of the case
 Amount of data to process
 Search warrants
 Court orders
 Company policies

Scope creep – the investigation expands beyond the original description because of unexpected evidence. It increases the time and resource requirements.

Attorneys have the right of full discovery of digital evidence.

Approaching Computer Forensic Cases

The approach depends on the specific type of the case.
 E-mail harassment cases involve gathering e-mail server backups.
 The approach varies between corporate, civil, and criminal investigations.
 Corporate investigators have ready access to the necessary records and files.
 In criminal cyber-stalking cases, contact the ISP and e-mail service.
 Industrial espionage cases need monitoring of physical activities.

Refining the Investigation Plan


Steps:
 Determine the scope of the investigation
 Estimate the number of hours to complete the case
 Determine whether you should collect all information
 Plan what to do in case of scope creep
 Determine if you have adequate resources
 Establish the deadline


Performing a Computer Forensics Analysis

• Steps:
• Use recently wiped target disks that have been reformatted and inspected for computer viruses
• Inventory the suspect’s hardware and note its condition
• Remove the original disk and check the date and time in CMOS
• Record data acquisition steps
• Process the data methodically and logically
• List all directories and files on the copied image
• If possible, examine all directories and files starting at the root
• Recover the content of encrypted files
• Identify the functions of every executable file
• Always maintain control of evidence

Validating with Computer Forensics Programs

• Commercial computer forensics programs have built-in validation features.
• ProDiscover’s .eve files contain metadata that includes the hash value.
• When an image file is loaded in ProDiscover, it is hashed and then compared to the hash value stored in the metadata.
• If the hashes don’t match, the acquisition cannot be considered reliable evidence.
• This feature is called Auto Image Checksum Verification.
• Raw format image files (.dd extension) don’t contain metadata, so validate them manually to ensure integrity.
• Hash values can also be used to check whether the image file has been corrupted.
• In AccessData FTK Imager, when .e01 or .s01 format files are selected, additional options for validation are available.
• The validation report lists MD5 and SHA-1 values.
• The MD5 value is added to the proprietary format image file.
• When the image file is loaded using any tool such as FTK, SMART, or X-Ways Forensics, the MD5 value is compared and verified.
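A manual validation of a raw (.dd) image as described above, and the hash comparison used in the examination protocol in Unit IV, as an added Python example that is not part of these notes or of any tool named in them; the image content, the sidecar file name (evidence.dd.hashes) and the simulated one-byte corruption are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a raw .dd acquisition: 16 KiB of deterministic bytes.
SAMPLE_IMAGE = bytes(range(256)) * 64


def hash_image(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a raw image.

    The file is read in chunks so a multi-gigabyte .dd image never has to
    fit in memory; both digests are computed in one pass over the data.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def write_sidecar(image_path):
    """Record the acquisition hashes in <image>.hashes (a hypothetical sidecar
    layout chosen for this demo). A raw image has no embedded metadata, so
    this file is the reference that later validation is checked against."""
    md5, sha1 = hash_image(image_path)
    sidecar = Path(f"{image_path}.hashes")
    sidecar.write_text(f"MD5 {md5}\nSHA1 {sha1}\n")
    return sidecar


def verify_image(image_path):
    """Re-hash the image and compare against the sidecar.

    Returns {"MD5": bool, "SHA1": bool}, the same information a tool's
    validation report shows; any False means the image is not reliable.
    """
    sidecar = Path(f"{image_path}.hashes")
    expected = dict(line.split() for line in sidecar.read_text().splitlines())
    md5, sha1 = hash_image(image_path)
    return {"MD5": md5 == expected["MD5"], "SHA1": sha1 == expected["SHA1"]}


def demo():
    """Acquire, record hashes, verify; then flip one bit and verify again."""
    work = Path(tempfile.mkdtemp())
    image = work / "evidence.dd"
    image.write_bytes(SAMPLE_IMAGE)
    write_sidecar(image)
    clean = verify_image(image)
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[4096] ^= 0x01              # simulate a single corrupted bit
    image.write_bytes(bytes(damaged))
    return clean, verify_image(image)


if __name__ == "__main__":
    print(demo())   # ({'MD5': True, 'SHA1': True}, {'MD5': False, 'SHA1': False})
```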


5.2 ADDRESSING DATA-HIDING TECHNIQUES

• Data hiding involves changing or manipulating a file to conceal information


• It includes
– Hiding entire partitions
– Changing file extensions
– Changing the file attribute to Hidden
– Marking Bad Clusters
– Bit shifting
– Steganography
– Using Encryption
– Setting up password protection

1. Hiding entire partitions


• Hide a partition using disk editor such as Norton DiskEdit
• Delete references to a partition
– Re-create links for accessing it
• Another way is to use disk-partitioning utilities
– GDisk
– PartitionMagic
– System Commander
– GRUB (Linux Grand Unified Bootloader)
• Account for all disk space when analyzing a disk
• To circumvent these techniques, be sure to account for all disk space when you’re
examining an evidence drive.
• Analyze any disk areas containing space you can’t account for so that you can determine
whether they contain additional evidence.


• A partition gap in Windows is created automatically, but a gap of larger size is a cause for investigation.

Example:
• The partition gap in Windows 2000/XP is 63 sectors, so 109.8 MB is too large to be a standard partition gap. In Vista the gap is 128 sectors.
• Hidden partitions are shown as Unknown partitions.
• Nonconsecutive drive letters are another clue to a hidden partition.
• In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS.
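The partition-gap check above, as an added Python example that is not from these notes or from ProDiscover: it reads the four primary partition entries of a constructed MBR, computes the unallocated gaps between partitions, and flags any gap larger than the standard 63 sectors. The constructed disk hides 224,870 sectors (about 109.8 MB) between two partitions.

```python
import struct

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"
# Standard gaps quoted in the notes: 63 sectors (Windows 2000/XP), 128 (Vista).
STANDARD_GAP = {"xp": 63, "vista": 128}


def parse_mbr(mbr):
    """Return the non-empty primary partition entries of a 512-byte MBR as
    (type, start_lba, size_sectors) tuples, sorted by start sector.

    Each 16-byte entry at offset 446 holds the type byte at +4 and two
    little-endian 32-bit values at +8 (start LBA) and +12 (size in sectors).
    """
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and size != 0:
            entries.append((ptype, start, size))
    return sorted(entries, key=lambda e: e[1])


def find_gaps(entries, disk_sectors, standard_gap=STANDARD_GAP["xp"]):
    """Return unallocated regions as (start_lba, length_sectors, suspicious).

    A region is suspicious when it is larger than the standard gap, which is
    the clue the notes describe for a hidden partition.
    """
    gaps, cursor = [], 0
    for _, start, size in entries:
        if start > cursor:
            length = start - cursor
            gaps.append((cursor, length, length > standard_gap))
        cursor = start + size
    if disk_sectors > cursor:
        length = disk_sectors - cursor
        gaps.append((cursor, length, length > standard_gap))
    return gaps


def sectors_to_mb(sectors):
    """Size of a sector run in MB (binary megabytes, 1024 * 1024 bytes)."""
    return sectors * SECTOR_BYTES / (1024 * 1024)


def build_mbr(parts):
    """Constructed MBR for the demo; parts is a list of (type, start, size)."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (ptype, start, size) in enumerate(parts):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed disk: an NTFS (type 0x07) partition at the usual LBA 63, then
# 224,870 unallocated sectors (about 109.8 MB), then a second partition.
DEMO_PARTS = [(0x07, 63, 204800), (0x07, 429733, 409600)]
DEMO_DISK_SECTORS = 429733 + 409600


def demo():
    """Gaps on the constructed disk as (start, sectors, MB, suspicious)."""
    entries = parse_mbr(build_mbr(DEMO_PARTS))
    return [(start, length, round(sectors_to_mb(length), 1), suspicious)
            for start, length, suspicious in find_gaps(entries, DEMO_DISK_SECTORS)]


if __name__ == "__main__":
    for gap in demo():
        print(gap)   # (0, 63, 0.0, False) then (204863, 224870, 109.8, True)
```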

2. Marking Bad Clusters


• Another data-hiding technique, more common in FAT file systems, is placing sensitive or incriminating data in free or slack space on disk partition clusters.
• A disk editor is then used to mark that space as a bad cluster.
• To mark a good cluster as bad using Norton DiskEdit:
– Type B in the FAT entry corresponding to that cluster
• The OS treats these marked clusters as unusable.
• They can be converted back to good clusters using a disk editor.

3. Bit-shifting
• Old technique, uses Assembly language to create a low level encryption program that
changes the order of binary data
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
Bit-shifting changes data from readable code to data that looks like binary executable code. Hex
Workshop includes a feature for shifting bits and altering byte patterns of entire files or specified data.


To shift bits in a text file, follow these steps:


1. Start Notepad, and in a text document, type TEST FILE. The test file is used to see how shifting bits alters the data in a file.
2. Save the file as Bit_shift.txt in your work folder, and exit Notepad.
3. Start Hex Workshop. Click File, Open from the menu. Navigate to your work folder, and then
double-click Bit_shift.txt.
4. Click Options, Toolbars from the menu.
5. In the Customize dialog box, click the Data Operations check box, and then click OK.
6. Click the Shift Left button (<< icon) on the Data Operations toolbar
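A software re-creation of the bit shift above, as an added Python example that is not from these notes or from Hex Workshop; it assumes the shift rotates the file's bytes as one contiguous bit stream (Hex Workshop's own operation may differ), and adds the reverse step an examiner needs: try each shift count and keep the one that yields readable text.

```python
def rotate_bits_left(data, n=1):
    """Rotate the whole byte string left by n bits as one contiguous bit stream.

    Bits leaving the top of byte i enter the bottom of byte i-1, and bits
    leaving the first byte wrap around to the last. (Assumed model of a
    whole-file shift; a per-byte shift would simply drop the carried bits.)
    """
    if not data:
        return data
    nbits = len(data) * 8
    n %= nbits
    value = int.from_bytes(data, "big")
    rotated = ((value << n) | (value >> (nbits - n))) & ((1 << nbits) - 1)
    return rotated.to_bytes(len(data), "big")


def rotate_bits_right(data, n=1):
    """Inverse of rotate_bits_left: rotating right by n equals left by nbits-n."""
    if not data:
        return data
    nbits = len(data) * 8
    return rotate_bits_left(data, nbits - (n % nbits))


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def recover_shifted_text(data, threshold=0.9):
    """Undo an unknown left shift of 1..7 bits.

    Returns (shift_count, recovered_bytes) for the candidate that looks most
    like text, or None when no candidate reaches the printable threshold
    (the data is then probably genuine binary rather than shifted text).
    """
    candidates = [(s, rotate_bits_right(data, s)) for s in range(1, 8)]
    shift, best = max(candidates, key=lambda c: printable_ratio(c[1]))
    return (shift, best) if printable_ratio(best) >= threshold else None


if __name__ == "__main__":
    hidden = rotate_bits_left(b"TEST FILE")
    print(hidden.hex())                  # a88aa6a8408c92988a: looks like binary
    print(recover_shifted_text(hidden))  # (1, b'TEST FILE')
```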

4. Using Steganography
• Greek for “hidden writing”
• Steganography tools were created to protect copyrighted material
– By inserting digital watermarks into a file
• Suspect can hide information on image or text document files
– Most steganography programs can insert only small amounts of data into a file
• Very hard to spot without prior knowledge
• Tools: S-Tools, DPEnvelope, jpgx, and tte
• To help identify steganography files, use the following list as a guideline:
1. Locate the last modified date by checking the steganography tool’s timestamp.


2. Look for files that appear as both a .bmp and a .jpg file, which might indicate files that
started out in one format and then were modified (perhaps by a steganography tool) and
saved in another format.

3. Generate a list of all files with a date and time equal to or after the last modified date of
the steganography tool, and then examine each file in the generated listing.

5. Examining Encrypted Files


People who want to hide data can also use advanced encryption programs, such as PGP or
BestCrypt. Encrypted files are encoded to prevent unauthorized access. To decode an encrypted file,
users supply a password or passphrase.
• Recovering data is difficult without password
– Key escrow
• Designed to recover encrypted data if users forget their passphrases or if the
user key is corrupted after a system failure
– Cracking password
• Requires expert and powerful computers
• Most preferable option is to persuade the suspect to reveal password

6. Recovering Passwords
• Password recovery is a fairly easy task in computer forensics analysis.
• Several password-cracking tools are available, such as
– AccessData PRTK,
– NTI Advanced Password Recovery Software Toolkit, and
– John the Ripper
• Techniques used are
– Dictionary attack
– Brute-force attack
– Password guessing based on suspect’s profile
• Using AccessData tools with passworded and encrypted files
– AccessData offers a tool called Password Recovery Toolkit (PRTK)
• Can create possible password lists from many sources
• Can create your own custom dictionary based on facts in the case
• Can create a suspect profile and use biographical information to generate
likely passwords


5.3 PERFORMING REMOTE ACQUISITIONS

Remote acquisitions are useful for making an image of a drive when the computer is far away from
your location or when you don’t want a suspect to be aware of an ongoing investigation.

Remote Acquisitions with Runtime Software


• Runtime Software offers the following shareware programs for remote acquisitions:
– DiskExplorer for FAT
– DiskExplorer for NTFS
– HDHOST
• HDHOST is a remote access program for communication between two computers.
• The connection is established by using the DiskExplorer program (FAT or NTFS)
corresponding to the suspect (remote) computer’s file system.
• Requires the Runtime Software, a portable media device (USB thumb drive or floppy
disk), and two networked computers
• Making a remote connection with DiskExplorer requires running HDHOST on a suspect’s
computer
• To establish a connection with HDHOST, the suspect’s computer must be:
– Connected to the network
– Powered on
– Logged on to any user account with permission to run noninstalled applications
• HDHOST can’t be run secretly
• Plug the USB drive into the suspect’s computer.
• Double-click HDHOST.exe to start the remote connection.
• When the HDHOST startup window opens, click the TCP/IP option button


• On the acquisition workstation, start the correct DiskExplorer program.
• In the acquisition workstation’s DiskExplorer window, click File, Drive from the menu.
• In the Select drive dialog box, click Remote at the bottom of the pane listing the drives.
• In the Remote dialog box, click the LAN option button.
• Referring to the Connection drop-down list in the suspect computer’s HDHOST window, write down its IP address, and then click the Wait for connection button.
• In the Remote dialog box, type the suspect computer’s IP address in the IP of host text box and then click the Connect button.


• At a successful connection, the acquisition workstation’s Remote dialog box changes to a list of drives on the suspect computer. Click the first drive (HD128) to access the C partition, and then click OK. Click OK again in the Select drive dialog box.

Making a Remote Acquisition with DiskExplorer


• After you have established a connection with DiskExplorer from the acquisition
workstation, you can navigate through the suspect computer’s files and folders or copy
data.
• The following steps explain how to make an acquisition.
1. To initiate the remote acquisition, in the main window of DiskExplorer, click Tools, Create image file from the menu.
2. In the Create an Image File dialog box, click the Lookup button.
3. Navigate to the target drive and folder.
4. Monitor the data copying progress. When the acquisition is finished, click Cancel in the Create an Image File dialog box to return to the DiskExplorer main window.
5. Click File, Exit from the menu to close the program on the acquisition workstation.
6. On the suspect computer, click File, Exit to close HDHOST.

The Runtime tools don’t generate a hash for acquisitions; therefore, you need to use another tool,
such as Hex Workshop or FTK, to calculate a hash value for the validation.


5.4 NETWORK FORENSICS


Network forensics is the process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.
When intruders break into a network, they leave a trail behind.
The ability to spot variations in network traffic can help in tracking intrusions. Knowing typical traffic patterns is important.
A network forensics examiner must establish standard procedures to acquire data after an attack, get the compromised machines offline, and restore them with minimum downtime.

1. Securing a Network
Steps must be taken to harden networks before a security breach occurs. Hardening includes a range of tasks such as
 Applying the latest patches
 Using a layered network defense strategy
 Defense in depth (DiD)

Patches - A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities.

A layered network defense strategy sets up layers of protection to hide the most valuable data at the innermost part of the network.

The defense in depth (DiD) strategy was developed by the NSA (National Security Agency) and has three modes of protection:
1. People
2. Technology
3. Operations
If one mode fails, the others can be used to thwart (prevent) the attack.
People: Organizations must hire well-qualified people and treat them well. Employees should be trained adequately in security procedures and be familiar with the organization’s security policy.
Technology: Includes choosing a strong network architecture and using tested tools such as
 Intrusion detection systems
 Firewalls
Operations: Addresses day-to-day operations
 Updating security patches
 Antivirus software and OS
 Assessment and monitoring procedures
 Disaster recovery plans


2. Performing Live Acquisitions


Live acquisitions are done before taking a system offline, since attacks may leave footprints only in running processes or RAM.

Order of volatility (OOV) - indicates how long a piece of information lasts on a system.
Data in RAM or a running process lasts only a few milliseconds; data in files on the hard drive lasts for years.

General procedure for live acquisition

1. Create or download a bootable forensics CD.
2. Document and log all actions and reasons.
3. Store the information collected on a network drive or a USB thumb drive.
4. Copy the physical memory (RAM). Use a built-in Microsoft tool or freeware.
5. Check for rootkits and changes in the firmware.
6. Get a forensically sound hash value of all files to make sure that they are not altered.
Tools:
 ManTech Memory DD
 Win32dd
 Guidance Software: Winen.exe
 BackTrack

3. Developing Standard Procedures for Network Forensics


Network forensics is a long tedious process. A standard procedure is used as follows:
1. Always use a standard installation image for systems on a network.
2. Fix vulnerabilities when an intrusion incident happens.
3. Perform a live acquisition to retrieve all volatile data from RAM and running processes.
4. Acquire the compromised drive and make a forensics image of it.
5. Compare files on the forensics image to the original installation image.

4. Reviewing Network Logs:


Network logs record traffic in and out of a network. The devices that record the events are
 Network servers
 Routers
 Firewalls


Tcpdump: this program can be used to examine network traffic. Sample output is shown below.
TCP log from 2016-08-20 15:06:33 to 2016-08-29-16:15:06:33

Sat Aug 20 15:06:33 2016, TCP, eth 0, 1296 bytes from 132.147.179.10:1916 to 132.149.83.16:126
The first line of the output is the header.
The remaining lines follow the format time, protocol, interface, size, source, and destination.

The output shows that data was transmitted on Aug 20th 2016, at 15:06:33. It was a TCP packet of 1296 bytes sent via the Ethernet 0 interface. The packet was sent from 132.147.179.10:1916 to the destination with IP address 132.149.83.16:126, where the number after the colon is the port number.
Port numbers above 1024 should raise a flag.
Using a network analysis tool such as Ethereal, a list of the top 10 users or top 10 Web sites can be produced, along with the bytes transferred.

Example: Top 10 external sites visited

These network logs can show patterns such as an employee transmitting data to or from a particular IP address frequently. Further investigation of the IP address could show that the employee is accessing an online shopping site during company time.
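Parsing and summarising log lines in the format just described, as an added Python example that is not from these notes or from tcpdump or Ethereal; apart from the record quoted in the notes, the sample lines, hosts and addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import Counter

# Constructed sample in the notes' format: a header line, then one record per
# line as time, protocol, interface, size, source, destination. The first
# record is the one quoted in the notes; the others use documentation IPs.
SAMPLE_LOG = """\
TCP log from 2016-08-20 15:06:33 to 2016-08-20 16:15:06
Sat Aug 20 15:06:33 2016, TCP, eth 0, 1296 bytes from 132.147.179.10:1916 to 132.149.83.16:126
Sat Aug 20 15:06:35 2016, TCP, eth 0, 512 bytes from 192.0.2.25:49211 to 198.51.100.7:443
Sat Aug 20 15:07:02 2016, TCP, eth 0, 2048 bytes from 192.0.2.25:49212 to 198.51.100.7:443
Sat Aug 20 15:09:40 2016, TCP, eth 0, 1500 bytes from 192.0.2.25:49213 to 198.51.100.7:443
Sat Aug 20 15:10:11 2016, TCP, eth 0, 60 bytes from 203.0.113.9:4444 to 192.0.2.25:31337
"""

RECORD_RE = re.compile(
    r"^(?P<time>.+?), (?P<proto>\w+), (?P<iface>[\w ]+), (?P<size>\d+) bytes "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse every record line; the header (and anything malformed) is skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("size", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def high_port_records(records, threshold=1024):
    """Records whose destination port is above the well-known range, the rule
    of thumb the notes give for traffic that deserves a second look."""
    return [r for r in records if r["dport"] > threshold]


def top_destinations(records, n=10):
    """Top-n destination addresses by bytes transferred (the 'top 10 sites' view)."""
    totals = Counter()
    for r in records:
        totals[r["dst"]] += r["size"]
    return totals.most_common(n)


def repeated_pairs(records, min_count=3):
    """Source/destination pairs seen at least min_count times: one host
    talking to the same address repeatedly, the pattern described above."""
    counts = Counter((r["src"], r["dst"]) for r in records)
    return [(pair, c) for pair, c in counts.most_common() if c >= min_count]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(top_destinations(recs, 3))   # [('198.51.100.7', 4060), ('132.149.83.16', 1296), ('192.0.2.25', 60)]
    print(high_port_records(recs))     # the single record to port 31337
    print(repeated_pairs(recs))        # [(('192.0.2.25', '198.51.100.7'), 3)]
```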

5. Using Network Tools


A variety of tools are available for network administrators to perform remote shutdown, monitor device use, and more.


These tools help to monitor the network efficiently and thoroughly.

UNIX /LINUX Tools


• Knoppix Security Tools Distribution (STD)
– A bootable Linux CD intended for computer and network forensics
• Knoppix-STD tools
– dcfldd, the U.S. DoD version of dd for data acquisition
– memfetch forces a memory dump
– photorec grabs files from a digital camera
– snort, an intrusion detection system, for packet capture and analysis in real time
– oinkmaster helps manage your snort rules
– john, the latest version of John the Ripper (password cracking)
– chntpw resets passwords on a Windows PC
– tcpdump and ethereal are packet sniffers
With the Knoppix-STD tools on a portable CD, almost any network system can be examined.

• The Auditor
– Robust security tool whose logo is a Trojan warrior
– Based on Knoppix and contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more
– Includes forensics tools, such as Autopsy and Sleuth Kit
– Easy to use and frequently updated


Using Packet Sniffers


Packet sniffers are devices or software that monitor network traffic.
Most work at layer 2 or 3 (Data Link and Network layers) of the OSI model.
Some sniffers perform packet captures, some are used for analysis, and some handle both tasks.
Most tools follow the PCAP (packet capture) format.
o Libpcap – UNIX/Linux
o WinPcap – Windows
Some packets can be identified by examining the flags in their TCP headers.
Tcpdump, Tethereal, and Snort use the pcap format.
Choose the tool that best suits your purposes.
In a SYN flood attack, the attacker keeps asking your server to establish a connection.
To find these packets, Tcpdump, Tethereal, and Snort can be programmed to examine TCP headers to find the SYN flag.
The figure below shows a TCP header; the Flags area contains several flags, including the SYN flag (denoted as S in the figure).

Other tools:
Tcpslice is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine. It’s also capable of combining files.

Tcpreplay is a suite of tools used to replay network traffic recorded in Libpcap format; this information can be used to test network devices, such as IDSs, switches, and routers.


Tcpdstat works close to real time to generate Libpcap statistics and break packets down by
protocol so that you can get a quick overall view of network traffic, including average and
maximum transfer rates

Ngrep can be used to examine e-mail headers or IRC logs. It collects and hashes data for
verification.

Ethereal, which comes with Knoppix-STD, offers a Windows version.

Ethereal can be used in a real-time environment to open saved trace files from packet captures and to rebuild sessions.
To use this feature, right-click a frame in the upper pane and click Follow TCP stream. Ethereal then traces the packets associated with an exploit.

Packet Capture using Ethereal


1. Download Ethereal for Windows (www.ethereal.com) and install it on your workstation.


2. Start Ethereal, and click Capture, Interfaces from the menu to open the Capture Interfaces dialog box.
3. Click the Capture button to the right of the network interface that shows traffic.
4. After several frames have been captured, click Stop.

5. After the trace has been loaded, scroll through the upper pane until you see a TCP frame.
6. Right-click the frame and click Follow TCP stream.


Examining the Honeynet Project


The Honeynet Project (www.honeynet.org) was developed to make information widely
available in an attempt to prevent Internet and network attackers.

The objectives are:
o Awareness - make people and organizations aware that threats exist and they might be targets
o Information - to provide information on how to protect against these threats, including how attackers operate, how they communicate, and what tactics they use
o Tools - the Honeynet Project offers tools and methods to do research

Distributed denial-of-service (DDoS) attacks : A type of DoS attack in which other online
machines are used, without the owners’ knowledge, to launch an attack. In DDoS attacks,
hundreds or even thousands of machines can be used. These machines are known as
zombies because they have accidentally become part of the attack.

Zero day attacks - Attacks launched in the network or OS before vendors or network
administrators have discovered vulnerabilities and patches for them have been released.

A honeypot is a computer set up to look like any other machine on your network; its purpose
is to attract attackers to your network, but the computer contains no information of real value.
In this way, you can take the honeypot offline and not affect the running of your network.

Honeywalls are computers set up to monitor what’s happening to honeypots on your network
and record what attackers are doing.

Honeystick – A UK honeynet project. It contains a honeywall and honeypot on a bootable memory stick.

The Manuka Project used the Honeynet Project’s principles to create a usable database for
students to examine compromised honeypots and determine what happened to them.

A software package retrieves a compromised drive’s image remotely over the network and
stores it on the server.

The original machine is loaded with the standard software, and a forensic image of it is created. If the machine is compromised, it’s taken offline and another image of it is made.

The software then compares the two images to determine what method of attack was used
and what files were altered or added.
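The image comparison the Manuka Project description refers to, and step 5 of the standard procedure earlier in this section (compare the forensic image to the installation image), as an added Python example that is not from these notes or from the project: it builds a path-to-SHA-256 manifest of two constructed directory trees standing in for the mounted images and reports which files were added, removed or modified.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each regular file under root (path relative to root, POSIX form)
    to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare_manifests(baseline, suspect):
    """Classify every path as added, removed or modified relative to baseline.

    Unchanged files (same path, same hash) are omitted; the result is the
    list an examiner starts from when working out what an intrusion touched.
    """
    base_paths, sus_paths = set(baseline), set(suspect)
    return {
        "added": sorted(sus_paths - base_paths),
        "removed": sorted(base_paths - sus_paths),
        "modified": sorted(p for p in base_paths & sus_paths
                           if baseline[p] != suspect[p]),
    }


def _populate(tree, files):
    """Write the constructed file set into a directory tree."""
    for rel, data in files.items():
        target = Path(tree) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Constructed 'standard installation' vs a copy with three changes."""
    baseline_files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "bin/ls": b"\x7fELF original ls",
        "etc/motd": b"Authorised users only\n",
    }
    baseline = Path(tempfile.mkdtemp())
    suspect = Path(tempfile.mkdtemp())
    _populate(baseline, baseline_files)
    _populate(suspect, baseline_files)
    # Changes on the second tree: a replaced binary, a new file, a deleted file.
    (suspect / "bin/ls").write_bytes(b"\x7fELF replaced ls")
    _populate(suspect, {"tmp/.cache/config": b"unexpected file\n"})
    (suspect / "etc/motd").unlink()
    return compare_manifests(manifest(baseline), manifest(suspect))


if __name__ == "__main__":
    print(demo())
    # {'added': ['tmp/.cache/config'], 'removed': ['etc/motd'], 'modified': ['bin/ls']}
```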


5.5 EMAIL INVESTIGATIONS

Email has become the primary means of communication, and most computers have email programs to receive, send, and manage email. These programs differ in the way they store and track email.
5.5.1. Exploring the role of email investigations
• Email evidence has become an important part of many computing investigations.
• With the increase in email scams and fraud attempts using phishing or spoofing, investigators need to know how to examine and interpret the content of email messages.
• Phishing emails are in HTML format, which allows creating links to web pages. Using this technique, a phishing message can redirect to a different web site.
• Check whether redirection has been used in the HTML source code.
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam.
• Spoofed e-mail can be used to commit fraud.
5.5.2. Exploring the Roles of the Client and Server in E-mail
• Sending and receiving e-mail can be in two environments
– Internet
– Intranet : Controlled LAN, MAN, or WAN (private use)
• Messages are distributed in a central server to many connected client computers. (Client
Server architecture)

• The server OS and e-mail software differ from those on the client side. The server runs an e-mail server program such as Microsoft Exchange Server, Novell GroupWise, or UNIX Sendmail to provide e-mail services.


• Client computers use email programs such as Novell Evolution or Microsoft Outlook.
• Users access their email based on the permissions the email server administrator grants -
Require usernames and passwords
• Name conventions
– Corporate: john.smith@somecompany.com
– Public: whatever@hotmail.com
– Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
– Because accounts use standard names the administrator establishes
5.5.3. Investigating E-mail Crimes and Violations
• Investigating crimes or policy violations involving e-mail is similar to investigating other types
of computer abuse and crimes.
• The goal is to
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
• Email crimes and violations depend on the city, state, or country
• Example: In Washington State sending unsolicited email is illegal, in other states, it isn’t
considered a crime
• Always consult with an attorney
• Committing crimes using e-mail has become commonplace
• Examples of crimes involving e-mails
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography
5.5.4. Examining E-mail Messages
• Access victim’s computer to recover the evidence
• Using the victim’s e-mail client
• Find and copy evidence in the e-mail
• Access protected or encrypted material
• Print e-mails
• Guide victim on the phone


• Open and copy e-mail including headers. The header contains unique identifying numbers,
such as the IP address of the server that sent the message. This information helps you trace
the e-mail to the suspect.
• Sometimes deleted e-mails have to be recovered.

5.5.6. Copying an E-mail Message


Before you start an e-mail investigation, copy and print the e-mail involved in the crime or
policy violation.
Forward the message as an attachment to another e-mail address, depending on your
organization’s guidelines.
Example:
o Start Outlook by clicking Start, pointing to All Programs, pointing to Microsoft Office,
and clicking Microsoft Office Outlook 2007.
o Click the Inbox folder. A list of messages in that folder is displayed in the pane in the
middle.
o Click the message you want to copy.
o Then click File, Save As from the menu.
o In the Save As dialog box, click the Save in list arrow and navigate to where you want
to copy the message, making sure you select the .msg format if you want to make a
copy. (For Outlook Express, select the .eml format.) If you select the .txt format, you
get only the message contents.
o Finally, click the Save button.
After you copy an e-mail, work only with the copy, not the original version, to avoid altering the
original evidence by mistake.

5.5.7. Viewing E-mail Headers


After you copy and print a message, use the e-mail program that created it to find the e-mail
header.
There are 3 types of email programs
1. Windows GUI clients,
2. A UNIX command-line e-mail program, and
3. Web-based e-mail providers
After you open e-mail headers, copy and paste them into a text document using any of the
text editing tools.
o Notepad,KEdit,gedit,Pico or Apple TextEdit


Headers contain useful information


o Unique identifying numbers, IP address of sending server, and sending time
Outlook
o Open the Message Options dialog box
o Copy headers
o Paste them to any text editor
Outlook Express
o Open the message Properties dialog box
o Select Message Source
o Copy and paste the headers to any text editor

Novell Evolution
o Click View, All Message Headers
o Copy and paste the e-mail header
Pine (UNIX – command line email program)
o Type S->Type c->Check enable-full-headers
AOL headers
o Mail Tab, Settings, Click Action, View Message Source
o Copy and paste headers

Hotmail
o Click Options, and then click the Mail Display Settings
o Click the Advanced option button under Message Headers
o Copy and paste headers


Apple Mail
o Click View from the menu, point to Message, and then click Long Header
o Copy and paste headers
Yahoo
o Click Mail Options
o Click General Preferences and Show All headers on incoming messages
o Copy and paste headers

5.5.8. Examining E-mail Headers


The next step is examining the e-mail header that has been saved to gather information about the e-
mail and track the suspect to the e-mail’s originating location.

The e-mail header in Figure above provides a lot of information.


Lines 1 to 5 show the e-mail servers through which the message traveled.
Line 1 shows the return path, which is the address an e-mail program uses for sending a
reply, usually indicated as the “Reply to” field in an e-mail.
Spoofing (faking) an e-mail address in the Return-Path line is easy to do.
Line 2 identifies the recipient’s e-mail address. Verify this address by confirming it with the e-
mail service provider. Request a bill or log to the account.


Line 3 indicates the type of e-mail service that sent the e-mail, such as qmail (UNIX e-mail),
and includes an ID number, such as 12780 in Figure.
With these ID numbers, you can examine logs from the transmitting e-mail server to determine
whether the message was actually sent from it.
If the transmitting e-mail server doesn’t list this unique ID number, there’s a good chance the
message was spoofed.
Line 4 lists the IP address of the e-mail server that sent the message—192.152.64.20, in this
example. It also identifies the name of the server sending the message: in this case,
smtp.superiorbicycles.biz.
Line 5 contains the name of the e-mail server (or list of e-mail servers) that sent or passed the
message to the victim’s e-mail server.
Line 6 shows a unique ID number that the sending e-mail server assigned to the message. In
Figure above, it’s 20101212082330.40429. You can use this number to track the message on the
originating e-mail server in e-mail logs.
Line 7 shows the IP address of the server sending the e-mail and lists the date and time the e-
mail was sent. For example, 10.187.241.199 is the IP address of the sending server
web4009.mail0.myway.com, and Sun 12 Dec 2010 00:23:30 PST is the date the message
was sent. Line 7 might also identify the e-mail as being sent through an HTTP client.
Line 8 usually identifies attachments. An attachment can be any type of file, from a
program to a picture. If a message includes an attachment, investigate it as a supporting piece
of evidence.
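The line-by-line reading above can be turned into a small header summariser. The Python example below is added here and is not the textbook's or the course's own code. It parses a header block, splits each Received: line into sending host, IP, receiving host, protocol and timestamp, extracts the qmail ID and the Message-ID that you would look for in server logs, and records the leads an examiner checks first (a Return-Path domain or Message-ID host that does not match the originating server). The sample header is constructed: the hosts, IP addresses, qmail ID and Message-ID reuse the values quoted in the notes above, while the recipient domain (example.org) and the exact layout are assumptions.

```python
import re
from email.parser import HeaderParser

# Constructed header block, not a real capture. The host names, IP addresses,
# qmail ID and Message-ID reuse the values quoted in the notes above; the
# recipient domain (example.org) and the overall layout are assumptions.
SAMPLE_HEADERS = """\
Return-Path: <j.nelson@superiorbicycles.biz>
Delivered-To: victim@example.org
Received: (qmail 12780 invoked from network); 12 Dec 2010 08:23:31 -0000
Received: from smtp.superiorbicycles.biz (192.152.64.20)
  by mail.example.org with SMTP; 12 Dec 2010 08:23:31 -0000
Received: from web4009.mail0.myway.com (10.187.241.199)
  by smtp.superiorbicycles.biz with HTTP; Sun, 12 Dec 2010 00:23:30 PST
Message-ID: <20101212082330.40429.qmail@web4009.mail0.myway.com>
Date: Sun, 12 Dec 2010 00:23:30 PST
From: "J. Nelson" <j.nelson@superiorbicycles.biz>
To: victim@example.org
Subject: Re: your order
Content-Type: multipart/mixed; boundary="----=_Part_1"

"""

# A relay hop: "from <host> (<ip>) by <host> with <proto>; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\((?P<ip>[\d.]+)\))?.*?by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<with>[^;\s]+))?.*?;\s*(?P<date>.+)$")
# qmail's local line carries the ID you can look for in that server's own log.
QMAIL_RE = re.compile(r"\((?P<mta>qmail)\s+(?P<id>\d+)\s+invoked.*?\);\s*(?P<date>.+)$")


def parse_received(value):
    """Break one Received: header into its parts (folded continuation lines are joined)."""
    flat = " ".join(value.split())
    for pattern in (QMAIL_RE, HOP_RE):
        m = pattern.search(flat)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return {"raw": flat}


def domain_of(address):
    """Domain part of '<user@host>' or 'user@host', in lower case."""
    return address.split("@")[-1].strip("<> ").lower()


def summarize_headers(raw):
    """Pull out what an examiner checks first: hops, IDs, origin, and simple spoofing leads."""
    msg = HeaderParser().parsestr(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Each server prepends its own Received: line, so the last one is the earliest hop.
    origin = next((h for h in reversed(hops) if "host" in h), {})
    return_path = msg.get("Return-Path", "")
    summary = {
        "return_path": return_path.strip("<> "),
        "return_path_domain": domain_of(return_path),
        "message_id": msg.get("Message-ID", "").strip("<> "),
        "date": msg.get("Date"),
        "hops": hops,
        "local_mta_ids": [h["id"] for h in hops if "id" in h],
        "origin_host": origin.get("host"),
        "origin_ip": origin.get("ip"),
        "leads": [],
    }
    # A mismatch is not proof of spoofing, but it is the first thing to verify
    # against the provider's logs before trusting the Return-Path address.
    if origin and not origin["host"].lower().endswith(summary["return_path_domain"]):
        summary["leads"].append(
            f"Return-Path domain {summary['return_path_domain']} does not match "
            f"originating server {origin['host']} ({origin.get('ip', '?')})")
    if summary["message_id"] and domain_of(summary["message_id"]) != summary["return_path_domain"]:
        summary["leads"].append("Message-ID was assigned by a host outside the Return-Path domain")
    return summary


if __name__ == "__main__":
    s = summarize_headers(SAMPLE_HEADERS)
    for hop in s["hops"]:
        print(hop)
    print("origin:", s["origin_host"], s["origin_ip"], "| local IDs:", s["local_mta_ids"])
    for lead in s["leads"]:
        print("lead:", lead)
```

The summary is a starting point, not a conclusion: every hop below the first one you control can be forged, so the IDs it extracts are there to be checked against the logs of the servers named in the hops.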

5.5.9. Examining Additional E-mail Files


On the client computer, you could save all your e-mail in a separate folder for record-keeping
purposes. For example, in Outlook, you can save sent, draft, deleted, and received e-mails in a .pst
file, or you can save offline files in an .ost file. With these client files (.pst and .ost), users can access
and read their e-mail offline (when their computers aren’t connected to the central e-mail server).

Most e-mail programs also include an electronic address book


In Web-based e-mail, messages are displayed and saved as Web pages in the browser’s
cache folders.
Many Web-based e-mail providers also offer instant messaging (IM) services.


5.5.10. Tracing an E-mail Message


Contact the administrator responsible for the sending server
Finding domain name’s point of contact
o www.arin.net - American Registry for Internet Numbers
o www.internic.com - you use this site to find a domain’s IP address and point of contact
o www.freeality.com - comprehensive Web site has options for searching for a suspect,
including by e-mail addresses, phone numbers, and names.
o www.google.com
Find suspect’s contact information
Verify your findings by checking network e-mail logs against e-mail addresses

5.5.11. Using Network E-mail Logs


Network administrators maintain network logs of the inbound and outbound traffic routers
handle.
Router logs
o Record all incoming and outgoing traffic
o Have rules to allow or disallow traffic
o You can resolve the path a transmitted e-mail has taken
Firewall logs
o Filter e-mail traffic
o Verify whether the e-mail passed through the firewall
You can use any text editor or specialized tools

5.5.12. Understanding E-mail Servers


An e-mail server is loaded with software that uses e-mail protocols for its services and
maintains logs you can examine and use in your investigation.
To investigate e-mail abuse, you should know how an e-mail server records and handles the
e-mail it receives.
Some e-mail servers use databases that store users’ e-mails, and others use a flat file
system.
All e-mail servers can maintain a log of e-mails that are processed.
Some e-mail servers are set up to log e-mail transactions by default; others must be
configured.


E-mail logs generally identify the e-mail messages an account received, the IP address from
which they were sent, the time and date the e-mail server received them, the time and date
the client computer accessed the e-mail, the e-mail contents, system-specific information, and
any other information the e-mail administrator wants to track.
These e-mail logs are formatted in plain text and can be read with a basic text editor, such as
Notepad or vi.
Administrators usually set e-mail servers to continuous logging mode.
In addition to logging e-mail traffic, e-mail servers maintain copies of clients’ e-mail, even if the
users have deleted messages from their inboxes.
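Checking a header's IDs against the transmitting server's own log, as described for line 3 of the header and again here for plain-text server logs, is a matching exercise that can be scripted. The Python example below is added here and is not the textbook's or the course's code. It parses a syslog/sendmail-style mail log into records, groups the lines that share a queue ID, finds the queue whose msgid field equals the Message-ID taken from the header, and reports whether the server really accepted the message, from which relay IP, and whether it was delivered. The log excerpt is constructed and its format is an assumption; the Message-ID, process ID 12780 and relay host/IP reuse values quoted in the notes above, and every other value is invented.

```python
import re

# Constructed mail-server log excerpt in syslog/sendmail style; it is not a real
# capture and the format is an assumption. The Message-ID, process ID 12780 and
# relay host/IP reuse values quoted in the notes above; everything else is invented.
SAMPLE_LOG = """\
Dec 12 00:23:30 smtp sendmail[12780]: oBC8NUAB012780: from=<j.nelson@superiorbicycles.biz>, size=2311, nrcpts=1, msgid=<20101212082330.40429.qmail@web4009.mail0.myway.com>, relay=web4009.mail0.myway.com [10.187.241.199]
Dec 12 00:23:31 smtp sendmail[12791]: oBC8NUAB012780: to=<victim@example.org>, delay=00:00:01, relay=mail.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (ok 1292142211)
Dec 12 00:40:02 smtp sendmail[13002]: oBC8e2CD013002: from=<sales@superiorbicycles.biz>, size=987, nrcpts=1, msgid=<20101212084001.11111@smtp.superiorbicycles.biz>, relay=localhost [127.0.0.1]
Dec 12 00:40:03 smtp sendmail[13004]: oBC8e2CD013002: to=<shop@example.net>, delay=00:00:01, relay=mx.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<qid>\w+):\s+(?P<fields>.*)$")
IP_RE = re.compile(r"\[([\d.]+)\]")


def parse_log(text):
    """Parse each line into timestamp, host, program, pid, queue ID and a key=value dict."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated line, keep going
        entry = m.groupdict()
        fields = {}
        for part in re.split(r",\s+(?=\w+=)", entry.pop("fields")):
            key, _, value = part.partition("=")
            fields[key] = value
        entry["fields"] = fields
        entries.append(entry)
    return entries


def message_trail(entries, message_id):
    """All log lines for the queue ID(s) whose msgid= field equals the given Message-ID."""
    wanted = "<" + message_id.strip("<> ") + ">"
    qids = {e["qid"] for e in entries if e["fields"].get("msgid") == wanted}
    return [e for e in entries if e["qid"] in qids]


def verify_transmission(entries, message_id, header_relay_ip):
    """Compare the server's own record with what the e-mail header claims."""
    trail = message_trail(entries, message_id)
    if not trail:
        return {"found": False,
                "note": "no log record for this Message-ID; the header may be spoofed"}
    first = trail[0]
    relay = first["fields"].get("relay", "")
    ip_match = IP_RE.search(relay)
    relay_ip = ip_match.group(1) if ip_match else None
    return {
        "found": True,
        "queue_id": first["qid"],
        "pid": first["pid"],
        "accepted_at": first["ts"],
        "relay": relay,
        "relay_ip": relay_ip,
        "relay_ip_matches_header": relay_ip == header_relay_ip,
        "delivered": any(e["fields"].get("stat", "").startswith("Sent") for e in trail),
        "recipients": [e["fields"]["to"].strip("<>") for e in trail if "to" in e["fields"]],
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(verify_transmission(log, "20101212082330.40429.qmail@web4009.mail0.myway.com", "10.187.241.199"))
    print(verify_transmission(log, "not-in-log@example.invalid", "192.0.2.1"))
```

Real servers (Exchange, qmail, Postfix) each write their own layout, so LINE_RE is the part you adapt; the grouping-by-queue-ID and the comparison against the header stay the same.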

5.5.13. Examining Microsoft E-mail Server Logs


Exchange Server is Microsoft’s e-mail server software.
Exchange uses a database and is based on the Microsoft Extensible Storage Engine (ESE),
which uses several files in different combinations to provide e-mail service.
The files most useful to an investigation are .edb and .stm database files, checkpoint files, and
temporary files.
An .edb file is responsible for messages formatted with Messaging Application
Programming Interface (MAPI), a Microsoft system that enables different e-mail applications
to work together.
The .stm database file is responsible for messages that aren’t formatted with MAPI properties.
These two files constitute the Information Store, a storage area for e-mail messages.
Exchange logs information about changes to its data, also called transactions, in a
transaction log.
To prevent loss of data from the most recent backup, a checkpoint file, or marker, is
inserted in the transaction log.
Exchange also creates .tmp (temporary) files to prevent loss when it’s busy converting binary
data to readable text.
Exchange maintains logs to track e-mails. If the Exchange log overflows, data is written to
reserve log files, such as res1.log and res2.log.
Exchange servers can also maintain a log called Tracking.log that tracks messages.
Another log used for troubleshooting and investigating the Exchange environment is the
troubleshooting log. You can read this log, also known as a diagnostic log, by using
Windows Event Viewer.


5.5.14. Using Specialized E-mail Forensics Tools


Tools like ProDiscover and EnCase can be used in e-mail investigations. Some tools created
specifically for e-mail recovery, including recovering deleted attachments from a hard drive,
are listed below:
• DataNumen for Outlook and Outlook Express
• FINALeMAIL for Outlook Express
• Sawmill-GroupWise for log
• DBXtract for Outlook Express
• Fookes Aid4Mail and MailBag Assistant for Outlook, Thunderbird, and Eudora
• Paraben E-Mail Examiner, configured to recover several e-mail
• AccessData FTK for Outlook and Outlook Express
• Ontrack Easy Recovery EmailRepair for Outlook and Outlook Express
• R-Tools R-Mail for Outlook and Outlook Express
FTK, EnCase, and other forensics tools enable you to find e-mail database files, personal e-
mail files, offline storage files, and log files.
Some tools allow you to view messages and other files with a special viewer; others require
using a text editor to compare information, such as the date and time stamp, username,
domain, and message contents, to determine whether it matches what was found on the
victim’s computer.
After you compare e-mail logs with the messages, you should verify the e-mail account,
message ID, IP address, and date and time stamp to determine whether there’s enough
evidence for a warrant.
After collecting evidence, you begin copying it to another source for the examination while
documenting everything you’re doing. If you create an image, document the procedure and
tool you use.
With a tool such as FINALeMAIL, you can scan e-mail database files on a suspect’s
Windows computer, locate any e-mails the suspect has deleted—these messages don’t have
data location information—and restore them to their original state. You can also search a
computer for other files associated with e-mail, such as databases.

Using AccessData FTK to Recover E-mail

FTK can index data on a disk image or an entire drive for faster data retrieval.
Like FINALeMAIL, FTK can filter or find files specific to e-mail clients and servers.


You can configure these filters when you enter search parameters. In this section, you learn
how to use FTK and a hexadecimal editor to recover e-mails.
To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch into
FTK 1.x.
dtSearch builds a B*-tree index of all text data in a drive, an image file, or a group of files.
One unique feature is its capability to read .pst and .dbx files and index all text information,
including attached files.
For other e-mail applications that use the mbox format, a hexadecimal editor can be used to
carve messages manually.
This technique requires perseverance because it’s tedious and time consuming.
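What the hex-editor search is looking for in an mbox store is the separator line "From <sender> <date>" that precedes every message. The Python example below is added here and is not the textbook's or the course's code: it scans a raw byte buffer for that signature, cuts each candidate at the next separator or at the first NUL byte (neither occurs inside a text message), and parses the headers and body with the standard library. The byte blob is constructed to stand in for a region of unallocated space; the addresses reuse values quoted earlier in this unit and the rest is invented.

```python
import re
from email import message_from_bytes

# Constructed byte blob standing in for a region of unallocated disk space: two
# mbox-style messages separated by unrelated bytes. Not a real image; the
# addresses reuse values quoted in the notes above, the rest is invented.
SAMPLE_BLOB = (
    b"\x00\x00RANDOM SLACK\xff\xfe"
    b"From j.nelson@superiorbicycles.biz Sun Dec 12 00:23:30 2010\n"
    b"From: j.nelson@superiorbicycles.biz\n"
    b"To: victim@example.org\n"
    b"Subject: Re: your order\n"
    b"Message-ID: <20101212082330.40429.qmail@web4009.mail0.myway.com>\n"
    b"\n"
    b"Shipping tomorrow.\n"
    b"\n"
    b"\x00\x00\x00leftover junk\n"
    b"From sales@superiorbicycles.biz Mon Dec 13 09:00:00 2010\n"
    b"From: sales@superiorbicycles.biz\n"
    b"To: victim@example.org\n"
    b"Subject: Invoice\n"
    b"\n"
    b"Attached.\n"
    b"\x00PADDING"
)

# mbox separates messages with a line "From <sender> <asctime date>". This is
# the signature a hex-editor search looks for; the look-behind rejects a match
# glued onto the end of a word. Carving assumes the classic mboxo/mboxrd layout.
FROM_LINE_RE = re.compile(
    rb"(?<![\w.-])From [^\s@]+@[^\s@]+ "
    rb"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}\r?\n")


def carve_mbox(blob):
    """Return a list of messages carved from raw bytes.

    Each entry records the offset of the separator line, the separator itself,
    the key headers and the body. A message is cut at the next separator or at
    the first NUL byte, since neither appears inside a text message.
    """
    hits = list(FROM_LINE_RE.finditer(blob))
    carved = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        chunk = blob[m.end():end]
        nul = chunk.find(b"\x00")
        if nul != -1:
            chunk = chunk[:nul]
        msg = message_from_bytes(chunk)
        carved.append({
            "offset": m.start(),
            "separator": m.group(0).decode("ascii", "replace").rstrip("\r\n"),
            "from": msg.get("From"),
            "subject": msg.get("Subject"),
            "message_id": msg.get("Message-ID"),
            "body": msg.get_payload(),
        })
    return carved


if __name__ == "__main__":
    for rec in carve_mbox(SAMPLE_BLOB):
        print(f"offset {rec['offset']}: {rec['separator']} | subject={rec['subject']!r}")
```

Record the offset of every hit in your notes: it is the value you would otherwise read off the hex editor, and it lets someone else reproduce the carve from the same image.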

5.6 CELL PHONE AND MOBILE DEVICES FORENSICS

Cell phone and mobile device forensics is a rapidly changing field that poses challenges in trying to
retrieve information.

Understanding Mobile Device Forensics

People store a wealth of information on cell phones, including calls, text messages, picture and music
files, address books, and more. These files can give you a lot of information when investigating
cases.

Depending on the phone’s model, the following items might be stored on it:
• Incoming, outgoing, and missed calls
• Text and Short Message Service (SMS) messages
• E-mail
• Instant messaging (IM) logs
• Web pages
• Pictures
• Personal calendars
• Address books
• Music files
• Voice recordings


Many people store more information on their cell phones than they do on their computers, and with
this variety of information, piecing together the facts of a case is possible. Cell phone data is used
increasingly in court as evidence.
Challenges in investigating cell phones and mobile devices in digital forensics:
• No single standard exists for how and where cell phones store messages, although many
phones use similar storage schemes.
• New phones come out about every six months, and they’re rarely compatible with previous
models. Therefore, the cables and accessories you have might become obsolete in a short
time.
• Also, cell phones are often combined with PDAs, which can make forensics investigations
more complex.

Mobile Phone Basics


Mobile phones have gone through three generations:
• Analog,
• Digital personal communications service (PCS), and
• Third-generation (3G).

Two major digital networks are


1. Code Division Multiple Access (CDMA) and
2. Global System for Mobile Communications (GSM).

Orthogonal Frequency Division Multiplexing (OFDM) is expected to yield faster and higher quality
mobile communication.

Code Division Multiple Access (CDMA)

One of the most common digital networks, it uses the full radio frequency spectrum to define
channels.

Global System for Mobile Communications (GSM)


Another common digital network, it’s used by AT&T and T-Mobile and is the standard in Europe and
Asia.

Time Division Multiple Access (TDMA)

This digital network uses the technique of dividing a radio frequency into time slots; GSM
networks use this technique.

Integrated Digital Enhanced Network (iDEN)

This Motorola protocol combines several services, including data transmission, into one network.


4G networks can use the following technologies:


• Orthogonal Frequency Division Multiplexing (OFDM)
• Mobile WiMAX - 12 Mbps
• Ultra Mobile Broadband (UMB) - 100 Mbps
• Multiple Input Multiple Output (MIMO) - 312 Mbps
• Long Term Evolution (LTE) - This technology, designed for GSM and UMTS technology, is
expected to support 45 Mbps to 144 Mbps transmission speeds.

In mobile communication, geographical areas are divided into cells resembling honeycombs.

Three main components are used for communication with these cells:
• Base transceiver station (BTS) —This component is made up of radio transceiver equipment
that defines cells and communicates with mobile phones; it’s sometimes referred to as a cell
phone tower, although the tower is only one part of the BTS equipment.

• Base station controller (BSC)—This combination of hardware and software manages BTSs and
assigns channels by connecting to the mobile switching center.

• Mobile switching center (MSC)—This component connects calls by routing digital packets for the
network and relies on a database to support subscribers. This central database contains account
data, location data, and other key information needed during an investigation. If you have to
retrieve information from a carrier’s central database, you usually need a warrant or
subpoena (summons).

Inside Mobile Devices


• Mobile devices can range from simple phones to small computers
– Also called smart phones
• Hardware components
– Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone
and speaker, hardware interfaces, and an LCD display
• Most basic phones have a proprietary OS
– Although smart phones use the same OSs as PCs
• Phones store system data in electronically erasable programmable read-only memory
(EEPROM)
– Enables service providers to reprogram phones without having to physically access
memory chips.


• OS is stored in ROM
– Nonvolatile memory

• Subscriber identity module (SIM) cards
– Found most commonly in GSM devices
– Microprocessor and from 16 KB to 4 MB EEPROM
– GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
• The SIM card and the mobile equipment (ME)
– SIM cards come in two sizes
– Portability of information makes SIM cards versatile
– Additional SIM card purposes:
• Identifies the subscriber to the network
• Stores personal information
• Stores address books and messages
• Stores service-related information
Inside PDAs
• Personal digital assistants (PDAs)
– Can be separate devices from mobile phones
– Most users carry them instead of a laptop
• PDAs house a microprocessor, flash ROM, RAM, and various hardware components
• The amount of information on a PDA varies depending on the model
• Usually, you can retrieve a user’s calendar, address book, Web access, and other items

Understanding Acquisition Procedures for Cell Phones and Mobile Devices


• The main concerns with mobile devices are loss of power and synchronization with PCs
• All mobile devices have volatile memory
– Making sure they don’t lose power before you can retrieve RAM data is critical
• Mobile device attached to a PC via a cable or cradle/docking station should be disconnected
from the PC immediately
• Depending on the warrant or subpoena (summons), the time of seizure might be relevant
• Messages might be received on the mobile device after seizure
• Isolate the device from incoming signals with one of the following options:
– Place the device in a paint can ( for signal isolation)
– Use the Paraben Wireless StrongHold Bag
– Use eight layers of antistatic bags to block the signal


• The drawback to using these isolating options is that the mobile device is put into roaming
mode which accelerates battery drainage

• Check these areas in the forensics lab:
– Internal memory
– SIM card
– Removable or external memory cards
– System server
• Checking system servers requires a search warrant or subpoena
• Memory storage on a mobile device is usually implemented as a combination of volatile and
nonvolatile memory.
• Volatile memory requires power to maintain its contents, but nonvolatile memory does not.
• The specific locations of data vary from one phone model to the next; volatile memory usually
contains data that changes frequently, such as missed calls, text messages, and sometimes
even user files.
• Nonvolatile memory, on the other hand, contains OS files and stored user data, such as a
personal information manager (PIM) and backed-up files.

SIM Card File System


• SIM card file system is a hierarchical structure
• This file structure begins with the root of the system (MF).
• The next level consists of directory files (DF), and under them are files containing elementary
data (EF).
• The EFs under the GSM and DCS1800 DFs contain network data on different frequency
bands of operation.
• The EFs under the Telecom DF contain service-related data.

• Information that can be retrieved are:


– Service-related data, such as identifiers for the SIM card and the subscriber
– Call data, such as numbers dialed
– Message information
– Location information
• PINs or other access codes might be required to view files


Mobile Forensics Equipment


• Mobile forensics is a new science
• Biggest challenge is dealing with constantly changing models of cell phones
• When you’re acquiring evidence, generally you’re performing two tasks:
– Acting as though you’re a PC synchronizing with the device (to download data)
– Reading the SIM card
• First step is to identify the mobile device
• Make sure you have installed the mobile device software on your forensic workstation
• Attach the phone to its power supply and connect the correct cables
• After you’ve connected the device
– Start the forensics program and begin downloading the available information
SIM card readers
• A combination hardware/software device used to access the SIM card
• You need to be in a forensics lab equipped with appropriate antistatic devices
• General procedure is as follows:
o Remove the back panel of the device
o Remove the battery
o Under the battery, remove the SIM card from its holder
o Insert the SIM card into the card reader
• A variety of SIM card readers are on the market
• Documenting messages that haven’t been read yet is critical
• Use a tool that takes pictures of each screen


iPhone Forensics
Attempts at hacking the iPhone were unsuccessful because the device is practically
impenetrable. A more successful approach was hacking backup files.
The best method is acquiring a forensic image, which enables you to recover deleted text
messages and similar data.
iPhone acquisition procedures are, in general, similar to procedures for other mobile devices.
To acquire a forensic image, the following tools are used:
o MacLockPick II - This tool uses backup files, such as MDBackup, stored by iPhones.
So although it can recover quite a bit of data, it can’t recover deleted files.
o MDBackUp Extract - This tool, developed by Black Bag Technologies, analyzes the
iTunes mobile sync backup directory.

Mobile Forensics Equipment


• Mobile forensics tools
– Paraben Software Device Seizure Toolbox - contains assorted cables, a SIM card reader,
and other equipment for mobile device investigations
– BitPim - used to view data on many CDMA phones.
– MOBILedit! - is a forensics software tool containing a built-in writeblocker. It can connect
to phones directly via Bluetooth, irDA, or a cable and can read SIM cards by using a
SIM reader. It’s also notable for being very user friendly.
– SIMCon - used to image files on a GSM/3G SIM or USIM card, including stored numbers
and text messages.
– SIMCon’s features include the following:
• Reads files on SIM cards
• Analyzes file content, including text messages and stored numbers
• Recovers deleted text messages
• Manages PIN codes
• Generates reports that can be used as evidence
• Archives files with MD5 and SHA-1 hash values
• Exports data to files that can be used in spreadsheet programs
• Supports international character sets

• Software tools differ in the items they display and the level of detail
