IPSec Protocol - IP Authentication Header - IP ESP - Key Management Protocol for IPSec.
Transport layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.
PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall related
terminology- Types of Firewalls - Firewall designs - SET for E-Commerce Transactions.
Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current
Computer Forensics Tools: Software/ Hardware Tools.
TEXT BOOKS:
1. Man Young Rhee, “Internet Security: Cryptographic Principles, Algorithms and Protocols”,
Wiley Publications, 2003.
2. Nelson, Phillips, Enfinger, Steuart, “Computer Forensics and Investigations”, Cengage
Learning, India Edition, 2008.
TCP/IP communication can be made secure with the help of cryptography. Cryptographic methods and
protocols have been designed for different purposes in securing communication on the Internet. These
include:
• SSL and TLS for HTTP Web traffic,
• S/MIME and PGP for e-mail, and
• IPsec for network layer security.
IPSec is the IETF (Internet Engineering Task Force) standard for real time communication
Security.
It works with IPv4 or IPv6. IPSec can provide security between any pair of network layer entities
(e.g. between hosts, routers or a host and a router).
Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP)
communications that works by authenticating and encrypting each IP packet of a
communication session.
IPsec includes protocols for establishing mutual authentication between agents at the beginning
of the session and negotiation of cryptographic keys to be used during the session.
IPsec can be used in protecting data flows between
o A pair of hosts (host-to-host),
o A pair of security gateways (network-to-network), or
o A security gateway and a host (network-to-host).
IPsec is designed to protect communication in a secure manner by using TCP/IP and it provides
privacy and authentication services at the IP layer by using modern cryptography. To protect the
contents of an IP datagram, the data is transformed using encryption algorithms. There are two main
transformation types that form the basics of IPsec,
The Authentication Header (AH) and
The Encapsulating Security Payload (ESP).
The basic components of the IPsec security architecture are explained in terms of the following
functionalities:
• Security Protocols for AH and ESP
• Security Associations for policy management and traffic processing
• Manual and automatic key management for the Internet Key Exchange (IKE), the Oakley key
determination protocol and ISAKMP
• Algorithms for authentication and encryption
The suite of IPsec protocols and associated default algorithms is designed to provide high-quality
security for Internet traffic.
An IPsec implementation operates in a host or a security gateway environment, affording protection to
IP traffic.
The protection offered is based on requirements defined by a Security Policy Database (SPD)
established and maintained by a user or system administrator.
UNIT - 1 CS 6004 - CYBER FORENSICS
Transport mode SA
• A transport mode provides protection primarily for upper-layer protocols, i.e. a TCP packet or
UDP segment or an Internet Control Message Protocol (ICMP) packet, operating directly above
the IP layer. A transport mode SA is a security association between two hosts.
• When a host runs AH or ESP over IPv4, the payload is the data that normally follows the IP
header.
• AH in transport mode authenticates the IP payload and the protection is also extended to
selected portions of the IP header.
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP
header.
• A transport mode SA provides security services only for higher-layer protocols, not for the IP
header or any extension headers preceding the ESP header.
Tunnel mode SA
• Tunnel mode provides protection to the entire IP packet. A tunnel mode SA is essentially an SA
applied to an IP tunnel.
• When the entire inner (original) packet travels through a tunnel from one point of the IP network
to another, routers along the path are unable to examine the inner IP header because the
original inner packet is encapsulated. As a result, the new larger packet will have totally different
source and destination addresses. When the AH and ESP fields are added to the IP packet, the
entire packet plus security field (AH or ESP) is treated as the new outer IP packet with a new
outer IP header.
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including
the inner IP header.
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer
IP header.
• where
ipad = 00110110 (0x36) repeated 64 times (512 bits)
opad = 01011100 (0x5c) repeated 64 times (512 bits)
ipad is the inner padding and opad is the outer padding.
• The IP AH is used to provide data integrity and data origin authentication for IP packets.
• It also provides protection against replays.
• The AH provides authentication for the IP header, as well as for upper-level protocol (TCP,
UDP) data.
• The current key management options required for both AH and ESP are manual keying and
automated keying via IKE.
• Authentication is based on the use of an MAC or the Integrity Check Value (ICV) computation
so that two hosts must share a secret key.
AH Format
• The IPsec AH format is shown in Figure. The following six fields comprise the AH format:
• Next header (8 bits): This field identifies the type of the next payload after the AH. The value of
this field is chosen from the set of IP protocol numbers defined by the Internet Assigned Numbers
Authority (IANA).
PREPARED BY SANTHIYA.M/AP/CSE DEPT 5
• Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The
default length of the authentication data field is 96 bits, or three 32-bit words. With a three-word
fixed header, there are a total of six words in the header, and the payload length field has a
value of 4.
• Reserved (16 bits): This field is reserved for future use. It must be set to ‘zero’.
• SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination with the
destination IP address and security protocol (AH).
• Sequence number (32 bits): This field contains a strictly monotonically increasing sequence
number (incremented by 1 for every packet sent) to prevent replay attacks.
• Authentication data (variable): This field is a variable-length field that contains the Integrity
Check Value (ICV) or MAC for this packet.
AH Location
• AH or ESP is employed in two ways: transport mode or tunnel mode.
• In the transport mode, AH is inserted after the IP header and before an upper layer protocol
(TCP, UDP or ICMP), or before any other IPsec header that may have already been inserted.
• In tunnel mode, the inner IP header carries the ultimate source and destination addresses, while
an outer IP header may contain different IP addresses (i.e. addresses of firewalls or other
security gateways).
• In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header.
• The position of AH in tunnel mode, relative to the outer IP header, is the same as for AH in
transport mode.
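The AH field layout and payload-length arithmetic above, together with the receiver-side sequence number check that anti-replay depends on, as an added Python example (not part of the original notes). The 64-packet sliding window, the function and class names, and the sample header are assumptions constructed for illustration.

```python
import struct

AH_FIXED_LEN = 12  # next header, payload length, reserved, SPI, sequence number


def parse_ah(buf: bytes) -> dict:
    """Parse the AH that starts at buf[0] and check its internal consistency."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", buf[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    # Payload length counts 32-bit words minus 2, so a 96-bit ICV gives 4.
    total_len = (payload_len + 2) * 4
    if total_len < AH_FIXED_LEN or total_len > len(buf):
        raise ValueError("payload length does not match the data received")
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "icv": buf[AH_FIXED_LEN:total_len],
        "header_len": total_len,
    }


class ReplayWindow:
    """Sliding-window duplicate check on the AH/ESP sequence number.

    A real receiver updates the window only after the ICV has verified;
    ICV verification is left out here to keep the focus on the window.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # the sender increments before sending, so 0 never appears
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell, so reject
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


def sample_ah(seq: int) -> bytes:
    """Constructed AH: next header 6 (TCP), SPI 0x1000, all-zero 96-bit ICV."""
    return struct.pack("!BBHII", 6, 4, 0, 0x1000, seq) + bytes(12)


def replay_decisions(seqs):
    """Feed a list of sequence numbers through one window, return accept flags."""
    window = ReplayWindow()
    return [window.check_and_update(parse_ah(sample_ah(s))["seq"]) for s in seqs]


if __name__ == "__main__":
    print(parse_ah(sample_ah(1)))
    print(replay_decisions([1, 2, 2, 5, 3, 70, 5, 69]))
```

Out-of-order packets inside the window (3 after 5, 69 after 70) are accepted once, while the repeated 2 and the stale 5 are rejected.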
1.3 IP ESP
• The ESP header is designed to provide security services in IPv4 and IPv6.
• ESP can be applied
o Alone,
o In combination with the IP AH or
o Through the use of tunnel mode.
• Security services are provided between
o A pair of hosts,
o A pair of security gateways or
o A security gateway and a host.
• ESP is used to provide confidentiality (encryption), data authentication, integrity and anti-replay
service, and limited traffic flow confidentiality.
• However, use of confidentiality without integrity/ authentication may subject traffic to certain
forms of active attacks that undermine the confidentiality service.
• Data authentication and integrity are joint services offered as an option with confidentiality.
• The anti-replay service is chosen only if data origin authentication is selected and the service is
effective only if the receiver checks the sequence number.
• The current key management options required for both AH and ESP are manual keying and
automated keying via IKE.
• Security Parameters Index (32 bits) : Arbitrary value used (together with the destination IP
address) to identify the security association of the receiving party.
• Sequence Number (32 bits) : A monotonically increasing sequence number (incremented by 1
for every packet sent) to protect against replay attacks.
• Payload data (variable) : The protected contents of the original IP packet. The type of content
that was protected is indicated by the Next Header field.
• Padding (0-255 octets) : Padding for encryption, to extend the payload data to a size that fits
the encryption's cipher block size, and to align the next field.
• Pad Length (8 bits) : Size of the padding (in octets).
• Next Header (8 bits) : Type of the next header. The value is taken from the list of IP protocol
numbers.
• In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header.
• The position of ESP in tunnel mode, relative to the outer IP header, is the same as for ESP in
transport mode.
Encryption
• ESP is designed for use with symmetric algorithms such as Triple DES in CBC (Cipher Block
Chaining) mode.
• Other algorithms for encryption are: RC5, IDEA, CAST and Blowfish.
• For encryption to be applied, the sender encrypts the fields (payload data, padding, pad length
and next header) using the key, encryption algorithm, algorithm mode indicated by the SA and
an IV (Initialization Vector).
• The encryption is performed before the authentication and does not encompass the
authentication data field.
Decryption
• The receiver decrypts the ESP payload data, padding, pad length and next header using the
key, encryption algorithm, algorithm mode and IV data.
• If explicit IV data is indicated, it is taken from the payload field and input to the decryption
algorithm.
• If implicit IV data is indicated, a local version of the IV is constructed and input to the decryption
algorithm.
• For transport mode, the receiver reconstructs the original IP datagram from the original IP
header plus the original upper-layer protocol information in the ESP payload field.
• For tunnel mode, the receiver reconstructs the tunnel IP header plus the entire IP datagram in
the ESP payload field.
Authentication
• The authentication algorithm employed for the ICV computation is specified by the SA.
• For communication between two points, suitable authentication algorithms include Keyed
Message Authentication Codes (MACs) based on symmetric encryption algorithms (e.g. DES) or
on one-way hash functions (e.g. MD5 or SHA-1).
• For multicast communication, one-way hash algorithms combined with asymmetric signature
algorithms are appropriate.
• The key management mechanism of IPsec involves the determination and distribution of a
secret key.
• Key establishment is at the heart of data protection that relies on cryptography.
• A secure key distribution for the Internet is an essential part of packet protection.
• Prior to establishing a secure session, the communicating parties need to negotiate the terms
that are defined in the SA.
• An automated protocol is needed in order to establish the SAs for making the process feasible
on the Internet.
• This automated process is the IKE (Internet Key Exchange) . IKE combines ISAKMP with the
Oakley key exchange.
• The Oakley protocol is used to establish a shared key with an assigned identifier and
associated authenticated identities for the two parties.
• Oakley can be used directly over the IP protocol or over the UDP protocol using a well-known port
number assignment.
• Oakley uses cookies for two purposes:
1. Anti-clogging (denial of service) and
2. Key naming.
• The construction of the cookies prevents an attacker from obtaining a cookie using a real IP
address and UDP port.
• The anti-clogging tokens provide a form of source address identification for both parties.
• Oakley employs nonces to ensure against replay attacks.
• Each nonce is a pseudorandom number which is generated by the transmitting entity.
• The nonce payload contains this random data used to guarantee liveness during a key
exchange and protect against replay attacks.
• All the Oakley message fields correspond to ISAKMP message payloads.
• The relevant payload fields are the SA payload, the authentication payload, the certification
payload, and the exchange payload. Oakley is the actual instantiation of ISAKMP framework for
IPsec key and SA generation.
ISAKMP
• ISAKMP defines a framework for SA management and cryptographic key establishment for the
Internet.
• This framework consists of defined exchange, payloads and processing guidelines.
• ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete SAs.
• It also defines payloads for exchanging key generation and authentication data.
• These payload formats provide a consistent framework for transferring key and authentication
data which is independent of the key generation technique, encryption algorithm and
authentication mechanism
ISAKMP Header
• The ISAKMP header fields are defined as shown in Figure
• Initiator Cookie (64 bits) - This field is the cookie of the entity that initiated SA establishment, SA
notification, or SA deletion.
• Responder Cookie (64 bits) - This field is the cookie of the entity that is responding to an SA
establishment request, SA notification, or SA deletion.
• Next Payload (8 bits) - This field indicates the type of the first payload in the message
• Major Version (4 bits)- This field indicates the Major version of the ISAKMP protocol in use.
Set the Major version to 1 according to ISAKMP Internet-Draft.
• Minor Version (4 bits)- This field indicates the Minor version of ISAKMP protocol in use. Set
the Minor version to 0 according to implementations based on the ISAKMP Internet-Draft.
• Exchange Type (8 bits) - This field indicates the type of exchange being used. This dictates
the message and payload orderings in the ISAKMP exchanges.
• Flags (8 bits) - This field indicates specific options that are set for the ISAKMP exchange.
• Message ID (32 bits) - Message ID is used to identify protocol state during Phase 2
negotiations. This value is randomly generated by the initiator of the phase 2 negotiation. During
Phase 1 negotiation, this value must be set to 0.
• Length (32 bits) - This field gives the length of the total message (header || payload). Encryption can
expand the size of an ISAKMP message.
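The header layout listed above, parsed and checked against the rules the notes state (version 1.0, Message ID of 0 in Phase 1, a Length field that covers the whole message), as an added Python example that is not part of the original notes. The function names, the caller-supplied `phase` argument, and the sample header bytes are assumptions constructed for illustration.

```python
import struct

# Initiator cookie, responder cookie, next payload, version (major/minor
# nibbles), exchange type, flags, message ID, length: 28 octets in total.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(msg: bytes) -> dict:
    """Split the fixed ISAKMP header at the start of msg into its fields."""
    if len(msg) < ISAKMP_HEADER.size:
        raise ValueError("message shorter than the ISAKMP header")
    (icookie, rcookie, next_payload, version,
     exchange_type, flags, message_id, length) = ISAKMP_HEADER.unpack_from(msg)
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major": version >> 4,      # upper 4 bits
        "minor": version & 0x0F,    # lower 4 bits
        "exchange_type": exchange_type,
        "flags": flags,
        "message_id": message_id,
        "length": length,
    }


def header_problems(hdr: dict, received_len: int, phase: int) -> list:
    """Return a list of violations of the header rules stated in the notes.

    received_len is the number of octets actually received for this message;
    phase (1 or 2) comes from the caller's own negotiation state (assumption).
    """
    problems = []
    if (hdr["major"], hdr["minor"]) != (1, 0):
        problems.append("unexpected version %d.%d" % (hdr["major"], hdr["minor"]))
    if hdr["length"] < ISAKMP_HEADER.size:
        problems.append("length field smaller than the header itself")
    elif hdr["length"] != received_len:
        problems.append("length field does not match the data received")
    if phase == 1 and hdr["message_id"] != 0:
        problems.append("non-zero Message ID during Phase 1")
    return problems


def sample_header(message_id: int = 0, length: int = 28, version: int = 0x10) -> bytes:
    """Constructed header with made-up cookies and no payloads."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, bytes(8), 1, version, 2, 0,
                              message_id, length)


if __name__ == "__main__":
    good = sample_header()
    print(header_problems(parse_isakmp_header(good), len(good), phase=1))
    bad = sample_header(message_id=0xDEADBEEF, length=4096)
    print(header_problems(parse_isakmp_header(bad), len(bad), phase=1))
```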
SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL is not a single protocol but rather two layers of protocols.
SSL is a layered protocol.
At the lower level, the SSL Record Protocol is layered on top of some reliable transport protocol
such as TCP.
The SSL Record Protocol takes the upper-layer application message to be transmitted,
fragments the data into manageable blocks, optionally compresses the data, applies an MAC,
encrypts, adds a header, and transmits the result to TCP. The received data is decrypted,
verified, decompressed, reassembled, and then delivered to higher-level clients.
SSL session
An SSL session is an association between a client and a server.
Sessions are created by the Handshake Protocol.
They define a set of cryptographic security parameters, which can be shared among multiple
connections.
Sessions are used to avoid the expensive negotiation of new security parameters for each
connection.
An SSL session coordinates the states of the client and server.
When the client or server receives a change cipher spec message, it copies the pending
read state into the current read state.
When the client or server sends a change cipher spec message, it copies the pending write
state into the current write state.
When the handshake negotiation is completed, the client and server exchange change
cipher spec messages, and they then communicate using the newly agreed-upon cipher spec.
The session state is defined by the following elements:
Session identifier : This is a value generated by a server that identifies an active or
resumable session state.
Peer certificate: This is an X.509 v3 certificate of the peer. This element of the state may be
null.
Compression method: This is the algorithm used to compress data prior to encryption.
Cipher spec: This specifies the bulk data encryption algorithm (such as null, DES, etc.) and a
hash algorithm (such as MD5 or SHA-1) used for MAC computation.
Master secret: This is a 48-byte secure secret data used for generating encryption keys,
MAC secrets and IVs.
Is resumable: This designates a flag indicating whether the session can be used to initiate
new connections.
SSL connection
A connection is a transport (in the OSI layering model definition) that provides a suitable type
of service.
For SSL, such connections are peer-to-peer relationships and are transient.
Every connection is associated with one session.
The connection state is defined by the following elements:
Server and client random: These are byte sequences that are chosen by the server and
client for each connection.
Server write MAC secret: This indicates the secret key used in MAC operations on data sent
by the server.
Client write MAC secret: This represents the secret key used in MAC operations on data
sent by the client.
Server write key: This is the conventional cipher key for data encrypted by the server and
decrypted by the client.
Client write key: This is the conventional cipher key for data encrypted by the client and
decrypted by the server.
Initialization vectors: When a block cipher in CBC mode is used, an IV is maintained for
each key.
Sequence numbers: Each party maintains separate sequence numbers for transmitted and
received messages of each connection. Sequence numbers may not exceed 2^64 − 1.
CONNECTION: A connection can be terminated and established within a session.
SESSION: When a session terminates, all connections within it also terminate.
The SSL Record Protocol takes an application message to be transmitted, fragments the data
into manageable blocks, optionally compresses the data, applies an MAC, encrypts, adds a
header, and transmits the result in a TCP segment.
The received data is decrypted, verified, decompressed, reassembled and then delivered to
higher-level clients. The overall operation of the SSL Record Protocol is shown in Figure.
MAC: The MAC is computed before encryption. Using a shared secret key, the calculation is
defined as follows:
H1 = hash(MAC-write-secret || pad-1 || seq-num || SSLCompressed.type ||
SSLCompressed.length || SSLCompressed.fragment)
H = hash(MAC-write-secret || pad-2 ||H1)
The compressed message plus the MAC are encrypted using symmetric encryption.
The block ciphers being used as encryption algorithms are:
DES(56), Triple DES(168), IDEA(128),
RC5(variable) and Fortezza(80)
where the number inside the brackets indicates the key size. Fortezza is a PCMCIA card that
provides both encryption and digital signing.
Append SSL record header: The final processing of the SSL Record Protocol is to append
an SSL record header. The composed fields consist of:
–Content type (8 bits): This field is the higher-layer protocol used to process the
enclosed fragment.
–Major version (8 bits): This field indicates the major version of SSL in use. For
SSLv3, the value is 3.
–Minor version (8 bits): This field indicates the minor version of SSL in use. For
SSLv3, the value is 0.
–Compressed length (16 bits): This field indicates the length in bytes of the
plaintext fragment or compressed fragment if compression is required. The
maximum value is 2^14 + 2048.
The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with
other applications that use SSL, alert messages are compressed and encrypted, as
specified by the current state.
Each message in this protocol consists of two bytes.
The first byte takes the value "warning" (1) or "fatal"(2) to convey the severity of
the message.
If the level is fatal, SSL immediately terminates the connection. Other connections on the same
session may continue, but no new connections on this session may be established.
The second byte contains a code that indicates the specific alert.
Handshake Protocol
The most complex part of SSL is the Handshake Protocol. The SSL handshake protocol
involves using the SSL record protocol to exchange a series of messages between an SSL-
enabled server and an SSL-enabled client when they first establish an SSL connection. This
exchange of messages is designed to facilitate the following actions:
Authenticate the server to the client.
Allow the client and server to select the cryptographic algorithms, or ciphers, that they
both support.
Optionally authenticate the client to the server.
Use public-key encryption techniques to generate shared secrets.
Establish an encrypted SSL connection.
The Handshake Protocol consists of a series of messages exchanged by client and server. All
of these have the format shown in Figure below. Each message has three fields:
Type (1 byte): Indicates one of 10 messages. Table 14.2 lists the defined message types.
Length (3 bytes): The length of the message in bytes.
Content (≥ 1 byte): The parameters associated with this message; these are listed in Table
below.
SSL Handshake Protocol Message Types
The client sends a client hello message to which the server must respond with a server hello
message, or else a fatal error will occur and the connection will fail. The client hello and server
hello are used to establish security enhancement capabilities between client and server. The
client hello and server hello establish the following attributes: protocol version, random values
(ClientHello.random and ServerHello.random), session ID, cipher suite and compression
method.
Following the hello messages, the server begins this phase by sending its certificate if it needs
to be authenticated. Additionally, a server key exchange message may be sent if it is required. If
the server is authenticated, it may request a certificate from the client, if that is appropriate to
the cipher suite selected. Then the server will send the server hello done message, indicating
that the hello message phase of the handshake is complete. The server will then wait for a
client response. If the server has sent a certificate request message, the client must send the
certificate message.
The client key exchange message is then sent, and the content of that message will
depend on the public key algorithm selected between the client hello and the server hello. If the
client has sent a certificate with signing ability, a digitally signed certificate verify message is
sent to explicitly verify the certificate.
At this point, a change cipher spec message is sent by the client, and the client copies the
pending CipherSpec into the current CipherSpec. The client then immediately sends the
finished message under the new algorithms, keys and secrets. In response, the server will send
its own change cipher spec message, transfer the pending CipherSpec to the current one, and
then send its finished message under the new CipherSpec. At this point, the handshake is
complete and the client and server may begin to exchange application layer data.
The key exchange, authentication, encryption and MAC algorithms are determined by the cipher
suite selected by the server and revealed in the server hello message.
The server decrypts the ciphertext (of the premaster secret) using its private key
to recover the premaster secret.
Both parties then convert the premaster secret into the master secret.
o Diffie–Hellman:
Both client and server generate a Diffie-Hellman common key.
This negotiated key is used as the premaster secret and is converted into the
master secret.
master_secret = MD5(pre_master_secret||SHA(‘A’||
pre_master_secret||ClientHello.random||
ServerHello.random))||
MD5(pre_master_secret||SHA(‘BB’||
pre_master_secret||ClientHello.random||
ServerHello.random))||
MD5(pre_master_secret||SHA(‘CCC’||
pre_master_secret||ClientHello.random||
ServerHello.random))
where ClientHello.random and ServerHello.random are the two nonce values exchanged in the
initial hello messages.
The generation of the master secret from the premaster secret is shown in Figure.
To generate the key material, the following is computed until enough output has been generated.
key_block = MD5(master_secret||SHA(‘A’||master_secret||
ServerHello.random||ClientHello.random))||
MD5(master_secret||SHA(‘BB’||master_secret||
ServerHello.random||ClientHello.random))||
MD5(master_secret||SHA(‘CCC’||master_secret||
ServerHello.random||ClientHello.random))||……
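The two formulas above are the same expansion with different inputs: the salt grows as 'A', 'BB', 'CCC', ... and the order of the two hello randoms is swapped between master_secret and key_block. The following added Python example (not part of the original notes) implements that general loop and cuts the key block into the per-direction secrets listed under the connection state. The function names, the sample inputs, and the example sizes (20-byte MAC secrets, 24-byte keys, 8-byte IVs) are assumptions; the partition order follows the SSL 3.0 specification.

```python
import hashlib


def sslv3_expand(secret: bytes, random_a: bytes, random_b: bytes, length: int) -> bytes:
    """MD5(secret || SHA('A' || secret || random_a || random_b)) || ... to length bytes."""
    out = b""
    i = 0
    while len(out) < length:
        i += 1
        if i > 26:
            raise ValueError("salt alphabet exhausted")
        salt = bytes([ord("A") + i - 1]) * i  # b'A', b'BB', b'CCC', ...
        inner = hashlib.sha1(salt + secret + random_a + random_b).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Three rounds of 16 bytes give the 48-byte master secret; client random first.
    return sslv3_expand(pre_master, client_random, server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # Same loop, but the server random comes first here.
    return sslv3_expand(master, server_random, client_random, length)


def split_key_block(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Cut the key block into the six per-direction values of the connection state."""
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(block) < sum(sizes):
        raise ValueError("key block too short for the requested sizes")
    parts, pos = {}, 0
    for name, size in zip(names, sizes):
        parts[name] = block[pos:pos + size]
        pos += size
    return parts


def derive_connection_keys(pre_master, client_random, server_random,
                           mac_len=20, key_len=24, iv_len=8) -> dict:
    ms = master_secret(pre_master, client_random, server_random)
    needed = 2 * (mac_len + key_len + iv_len)
    return split_key_block(key_block(ms, client_random, server_random, needed),
                           mac_len, key_len, iv_len)


if __name__ == "__main__":
    # Constructed inputs; real values come from the handshake.
    pms = bytes(range(48))
    cr, sr = b"\x01" * 32, b"\x02" * 32
    for name, value in derive_connection_keys(pms, cr, sr).items():
        print(name, value.hex())
```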
• TLS is an IETF standardization initiative whose goal is to produce an Internet standard version
of SSL. TLS is defined as a Proposed Internet Standard in RFC 2246. RFC 2246 is very similar
to SSLv3, but with a number of minor differences in the areas shown, as discussed in the text.
• The TLS protocol allows client/server applications to communicate across a network in a way
designed to prevent eavesdropping and tampering.
• TLS is the successor to the Secure Sockets Layer (SSL).
• TLS is composed of two layers:
o The TLS Record Protocol and
o The TLS Handshake Protocol.
• The TLS Record Protocol provides connection security with some encryption method such as
the Data Encryption Standard (DES).
• The TLS Handshake Protocol first negotiates key exchange using an asymmetric algorithm
such as RSA or Diffie-Hellman. The TLS Record Protocol then opens an encrypted
channel using a symmetric algorithm such as RC4, IDEA, DES, or 3DES.
The TLS Record Protocol is also responsible for ensuring that the communications are not altered in
transit. Hashing algorithms such as MD5 and SHA are used for this purpose.
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this
handshake, the client and server agree on various parameters used to establish the connection's
security.
The handshake begins when a client connects to a TLS-enabled server requesting a secure
connection and presents a list of supported CipherSuites (ciphers and hash functions).
From this list, the server picks the strongest cipher and hash function that it also supports and
notifies the client of the decision.
The server sends back its identification in the form of a digital certificate. The certificate usually
contains the server name, the trusted certificate authority (CA) and the server's public
encryption key.
The client may contact the server that issued the certificate (the trusted CA as above) and
confirm the validity of the certificate before proceeding.
In order to generate the session keys used for the secure connection, the client encrypts a
random number with the server's public key and sends the result to the server. Only the server
should be able to decrypt it, with its private key.
From the random number, both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted
with the key material until the connection closes.
If any one of the above steps fails, the TLS handshake fails and the connection is not created.
TLS record format (fields in order):
Content type
Version: (Major) (Minor)
Length: (bits 15..8) (bits 7..0)
Protocol message(s)
MAC (optional)
Padding (block ciphers only)
Content type : This field identifies the Record Layer Protocol Type contained in this Record.
Content types
Hex Dec Type
0x14 20 ChangeCipherSpec
0x15 21 Alert
0x16 22 Handshake
0x17 23 Application
Version Number
The TLS Record Format is the same as that of the SSL Record Format , and the fields in the header
have the same meanings. The one difference is in version values. For the current draft of TLS, the
Major Version is 3 and the Minor Version is 1.
There are two differences between the SSLv3 and TLS MAC schemes: the actual algorithm and the
scope of the MAC calculation. TLS makes use of the HMAC algorithm defined in RFC 2104. HMAC is
defined as follows:
HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
where
K+ = secret key padded with zeros on the left so that the result is equal to the block length of
the hash code (for MD5 and SHA-1, block length = 512 bits)
SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key
rather than being XORed with the secret key padded to the block length. The level of security should be
about the same in both cases.
For TLS, the MAC calculation encompasses the fields indicated in the following expression:
The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field
TLSCompressed.version, which is the version of the protocol being employed.
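The two differences described above, side by side, as an added Python example that is not part of the original notes: the SSLv3 MAC concatenates pad bytes with the secret, HMAC XORs them into the padded key, and the TLS MAC input additionally covers the record version. Function names and sample values are assumptions; the pad lengths (48 bytes for MD5, 40 for SHA-1) come from the SSL 3.0 specification.

```python
import hashlib
import hmac
import struct


def sslv3_mac(hash_name: str, secret: bytes, seq_num: int,
              content_type: int, fragment: bytes) -> bytes:
    """hash(secret || pad-2 || hash(secret || pad-1 || seq || type || length || fragment))."""
    pad_len = 48 if hash_name == "md5" else 40
    pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad2 + inner).digest()


def hmac_from_definition(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """H[(K+ xor opad) || H[(K+ xor ipad) || M]] written out step by step."""
    block = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")  # RFC 2104 appends the zero bytes
    ipad_key = bytes(b ^ 0x36 for b in k_plus)
    opad_key = bytes(b ^ 0x5C for b in k_plus)
    inner = hashlib.new(hash_name, ipad_key + msg).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def tls_mac(hash_name: str, secret: bytes, seq_num: int, content_type: int,
            version: tuple, fragment: bytes) -> bytes:
    """HMAC over seq || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def record_mac_ok(hash_name, secret, seq_num, content_type, version,
                  fragment, received_mac) -> bool:
    """Receiver-side check; compare_digest avoids a timing side channel."""
    expected = tls_mac(hash_name, secret, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    # Constructed values: 20-byte MAC secret, application data record (type 23).
    secret, data = b"k" * 20, b"hello"
    print("SSLv3:", sslv3_mac("sha1", secret, 0, 23, data).hex())
    print("TLS  :", tls_mac("sha1", secret, 0, 23, (3, 1), data).hex())
    print("HMAC matches library:",
          hmac_from_definition("sha1", secret, data)
          == hmac.new(secret, data, "sha1").digest())
```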
Pseudorandom Function
TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data
for purposes of key generation or validation. The objective is to make use of a relatively small shared
secret value but to generate longer blocks of data in a way that is secure from the kinds of attacks
made on hash functions and MACs. The PRF is based on the following data expansion function
A(0) = seed
The data expansion function makes use of the HMAC algorithm, with either MD5 or SHA-1 as the
underlying hash function. As can be seen, P_hash can be iterated as many times as necessary to
produce the required quantity of data.
For example, if P_SHA-1 was used to generate 64 bytes of data, it would have to be iterated four times,
producing 80 bytes of data, of which the last 16 would be discarded. In this case, P_MD5 would also
have to be iterated four times, producing exactly 64 bytes of data. Note that each iteration involves two
executions of HMAC, each of which in turn involves two executions of the underlying hash algorithm.
To make PRF as secure as possible, it uses two hash algorithms in a way that should guarantee its
security if either algorithm remains secure. PRF is defined as
PRF takes as input a secret value, an identifying label, and a seed value and produces an output of
arbitrary length. The output is created by splitting the secret value into two halves (S1 and S2) and
performing P_hash on each half, using MD5 on one half and SHA on the other half. The two results are
exclusive-ORed to produce the output; for this purpose, P_MD5 will generally have to be iterated more
times than P_SHA to produce an equal amount of data for input to the exclusive-OR function.
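The data expansion function and the two-hash PRF described above, as an added Python example that is not part of the original notes; it follows the construction in RFC 2246. `p_hash` also returns its iteration count so the 64-byte example in the text can be checked. Function names and sample inputs are assumptions constructed for illustration.

```python
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int):
    """Return (output, iterations) of P_hash(secret, seed) cut to length bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    """
    out = b""
    a = seed
    iterations = 0
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # next A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # next output block
        iterations += 1
    return out[:length], iterations


def split_secret(secret: bytes):
    """Split into halves S1 and S2; an odd-length secret shares its middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_MD5(S1, label || seed) XOR P_SHA-1(S2, label || seed)."""
    s1, s2 = split_secret(secret)
    md5_out, _ = p_hash("md5", s1, label + seed, length)
    sha_out, _ = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_out, sha_out))


def iterations_needed(length: int) -> dict:
    """How many rounds each hash needs to cover length bytes of output."""
    return {
        "md5": p_hash("md5", b"s", b"seed", length)[1],
        "sha1": p_hash("sha1", b"s", b"seed", length)[1],
    }


if __name__ == "__main__":
    print(iterations_needed(64))   # both hashes need four rounds for 64 bytes
    print(iterations_needed(80))   # MD5 needs one round more than SHA-1
    # Constructed inputs, not taken from a real handshake.
    print(prf(b"secret-value", b"test label", b"seed-bytes", 32).hex())
```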
Alert Codes
TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of
additional codes are defined in TLS; of these, the following are always fatal:
decryption_failed: A ciphertext decrypted in an invalid way; either it was not an even multiple
of the block length or its padding values, when checked, were incorrect.
record_overflow: A TLS record was received with a payload (ciphertext) whose length
exceeds 2^14 + 2048 bytes, or the ciphertext decrypted to a length of greater than 2^14 + 1024
bytes.
unknown_ca: A valid certificate chain or partial chain was received, but the certificate was not
accepted because the CA certificate could not be located or could not be matched with a
known, trusted CA.
access_denied: A valid certificate was received, but when access control was applied, the
sender decided not to proceed with the negotiation.
decode_error: A message could not be decoded because a field was out of its specified range
or the length of the message was incorrect.
export_restriction: A negotiation not in compliance with export restrictions on key length was
detected.
protocol_version: The protocol version the client attempted to negotiate is recognized but not
supported.
insufficient_security: Returned instead of handshake_failure when a negotiation has failed
specifically because the server requires ciphers more secure than those supported by the client.
internal_error: An internal error unrelated to the peer or the correctness of the protocol makes
it impossible to continue.
Cipher Suites
There are several small differences between the cipher suites available under SSLv3 and under TLS:
Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception
of Fortezza.
Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms
found in SSLv3, with the exception of Fortezza.
TLS defines the following certificate types to be requested in a certificate_request message: rsa_sign,
dss_sign, rsa_fixed_dh, and dss_fixed_dh. These are all defined in SSLv3. In addition, SSLv3 includes
rsa_ephemeral_dh, dss_ephemeral_dh, and fortezza_kea. Ephemeral Diffie-Hellman involves signing
the Diffie-Hellman parameters with either RSA or DSS; for TLS, the rsa_sign and dss_sign types are
used for that function; a separate signing type is not needed to sign Diffie-Hellman parameters. TLS
does not include the Fortezza scheme.
In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over
handshake_messages. Recall that for SSLv3, the hash calculation also included the master secret and
pads. These extra fields were felt to add no additional security.
As with the finished message in SSLv3, the finished message in TLS is a hash based on the shared
master_secret, the previous handshake messages, and a label that identifies client or server. The
calculation is somewhat different. For TLS, we have
where finished_label is the string "client finished" for the client and "server finished" for the server.
Cryptographic Computations
The pre_master_secret for TLS is calculated in the same way as in SSLv3. As in SSLv3, the
master_secret in TLS is calculated as a hash function of the pre_master_secret and the two hello
random numbers. The form of the TLS calculation is different from that of SSLv3 and is defined as
follows:
master_secret =
PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)
The algorithm is performed until 48 bytes of pseudorandom output are produced. The calculation of the
key block material (MAC secret keys, session encryption keys, and IVs) is defined as follows:
until enough output has been generated. As with SSLv3, the key_block is a function of the
master_secret and the client and server random numbers, but for TLS the actual algorithm is different.
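The PRF construction and the master_secret and key_block derivations described above, as an added Python example (not code from these notes or from any TLS implementation). The overlapping split of the secret into halves, the "key expansion" label, the seed order for the key block and the order of the six keys follow RFC 2246 and are not stated on this page; the secret and random values are constructed sample data.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash data expansion. Returns (output cut to length, iterations used)."""
    out, a, iterations = b"", seed, 0                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
        iterations += 1                                        # two HMAC runs per iteration
    return out[:length], iterations


def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half XOR P_SHA-1 over the second half."""
    half = (len(secret) + 1) // 2          # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_out, _ = p_hash("md5", s1, label + seed, length)
    sha_out, _ = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_out, sha_out))


def master_secret(pre_master_secret, client_random, server_random):
    """48 bytes of PRF output, seeded with ClientHello.random || ServerHello.random."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """Key material; per RFC 2246 the server random comes first in this seed."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_key_block(block, mac_len, key_len, iv_len):
    """Cut the key block into MAC secrets, encryption keys and IVs, in RFC 2246 order."""
    names = ("client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    if len(block) < sum(sizes):
        raise ValueError("key block too short for the requested key sizes")
    parts, offset = {}, 0
    for name, size in zip(names, sizes):
        parts[name] = block[offset:offset + size]
        offset += size
    return parts


# Constructed sample values (not captured from a real handshake).
PRE_MASTER_SECRET = bytes([3, 1]) + bytes(range(46))   # 48 bytes
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    # Sizes for a suite with a 20-byte MAC, 24-byte key and 8-byte IV: 104 bytes in total.
    keys = split_key_block(key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 104), 20, 24, 8)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(name, value.hex())
    # Iteration counts for 64 bytes of output, as discussed in the text.
    print("P_SHA-1:", p_hash("sha1", b"k", b"s", 64)[1], "P_MD5:", p_hash("md5", b"k", b"s", 64)[1])
```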
Padding
In SSL, the padding added prior to encryption of user data is the minimum amount required so that
the total size of the data to be encrypted is a multiple of the cipher's block length. In TLS, the padding
can be any amount that results in a total that is a multiple of the cipher's block length, up to a
maximum of 255 bytes. For example, if the plaintext (or compressed text if compression is used) plus
MAC plus padding.length byte is 79 bytes long, then the padding length, in bytes, can be 1, 9, 17, and
so on, up to 249. A variable padding length may be used to frustrate attacks based on an analysis of
the lengths of exchanged messages.
UNIT II
E-MAIL SECURITY & FIREWALLS
PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall
related terminology- Types of Firewalls - Firewall designs - SET for E-Commerce
Transactions.
PGP
Pretty Good Privacy (PGP) was invented by Philip Zimmermann who released
version in 1991.
PGP uses a combination of symmetric secret-key and asymmetric public-key
encryption to provide security services for electronic mail and data files.
It also provides data integrity services for messages and data files by using digital
signature, encryption, compression (zip) and radix-64 conversion (ASCII
Armor).
The digital signature uses a hash code of the message digest algorithm, and a
public-key signature algorithm.
The sequence is as follows:
The sender creates a message.
SHA-1 is used to generate a 160-bit hash code of the message.
The hash code is encrypted with RSA using the sender’s private key and a digital
signature is produced.
The binary signature is attached to the message.
The receiver uses RSA with the sender’s public key to decrypt and recover the
hash code.
The receiver generates a new hash code for the received message and compares it
with the decrypted hash code. If the two match, the message is accepted as
authentic.
COMPRESSION
PGP compresses the message after applying the signature but before encryption.
The placement of Z for compression and Z−1 for decompression.
PGP makes use of a compression package called ZIP which is functionally
equivalent to PKZIP developed by PKWARE, Inc.
The zip algorithm is perhaps the most commonly used cross-platform compression
technique.
Two main compression schemes, named after Abraham Lempel and Jakob Ziv, were
first proposed by them in 1977 and 1978.
These two schemes for text compression (referred to as lossless compression) are
broadly used because they are easy to implement and also fast.
LZSS is based on the work of Lempel and Ziv. In LZSS, the compressor maintains a
window of size N bytes and a look ahead buffer.
LZFG uses the standard sliding window, but stores the data in a modified tree
data structure and produces as output the position of the text in the tree.
RADIX-64 CONVERSION
PGP provides the service of converting the raw 8-bit binary octets to a stream of
printable 7-bit ASCII characters, called radix-64 encoding or ASCII Armor.
Each group of three octets of binary data is mapped into four ASCII characters.
Example :
Consider the mapping of a 24-bit input (a block of three octets) into a four-
character output consisting of the 8-bit set in the 32-bit block.
o The extracted 6-bit decimal values are 44, 38, 12, 41.
smMp
o If these characters are stored in 8-bit ASCII format with zero parity, the
hexadecimal representation is as follows:
73 6d 4d 70
When PGP encodes data into ASCII Armor, it puts specific headers around the data,
so PGP can reconstruct the data later.
PGP informs the user about what kind of data is encoded in ASCII Armor through
the use of the headers.
Concatenating the following data creates ASCII Armor:
Armor header line
It consists of the appropriate header line text surrounded by five dashes (‘-’,
0x2D) on either side of the header line text.
Armor headers
These are pairs of strings that can give the user or the receiving PGP
implementation some information about how to decode or use the message.
A blank line
ASCII-Armored data
Armor checksum
Armor tail
It is composed in the same manner as the Armor header line, except the string
‘BEGIN’ is replaced by the string ‘END’.
The encoding process represents three 8-bit input groups as output strings of four
encoded characters.
These 24 bits are then treated as four concatenated 6-bit groups, each of which is
translated into a single character in the radix-64 alphabet.
Each 6-bit group is used as an index. The character referenced by the index is placed
in the output string.
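The radix-64 mapping and the ASCII Armor layout described above, as an added Python example (not PGP's own code). The three octets B2 63 29 are derived here from the 6-bit values 44, 38, 12, 41 given in the text; the CRC-24 constants for the armor checksum, the "=" prefix on the checksum line, the 64-character line width and the "Version" header key are taken from RFC 4880 or chosen for the example and are not stated on this page.

```python
import base64

CRC24_INIT = 0xB704CE    # RFC 4880 CRC-24 initial value
CRC24_POLY = 0x1864CFB   # RFC 4880 CRC-24 generator polynomial


def sextets(block):
    """Split one 3-octet block into the four 6-bit radix-64 index values."""
    n = int.from_bytes(block, "big")
    return [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]


def crc24(data):
    """Armor checksum: 24-bit CRC over the binary data before radix-64 encoding."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="PGP MESSAGE", headers=None):
    """Header line, armor headers, blank line, radix-64 data, checksum, tail."""
    lines = ["-----BEGIN %s-----" % kind]
    lines += ["%s: %s" % item for item in (headers or {}).items()]
    lines.append("")
    body = base64.b64encode(data).decode("ascii")
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append("-----END %s-----" % kind)
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Parse ASCII Armor, verify the checksum, and return (kind, headers, data)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("missing armor header line")
    kind = lines[0][len("-----BEGIN "):-5]
    if lines[-1] != "-----END %s-----" % kind:
        raise ValueError("armor tail does not match the header line")
    try:
        blank = lines.index("", 1)
    except ValueError:
        raise ValueError("no blank line after the armor headers")
    headers = dict(ln.split(": ", 1) for ln in lines[1:blank])
    body = lines[blank + 1:-1]
    checksum = None
    if body and body[-1].startswith("=") and len(body[-1]) == 5:
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is not None and crc24(data) != checksum:
        raise ValueError("armor checksum mismatch: data was altered or corrupted")
    return kind, headers, data


# Constructed sample payload (arbitrary bytes, not a real PGP message).
SAMPLE = bytes(range(100))

if __name__ == "__main__":
    print(sextets(bytes([0xB2, 0x63, 0x29])))                 # the worked example in the text
    print(base64.b64encode(bytes([0xB2, 0x63, 0x29])).decode())
    text = armor(SAMPLE, headers={"Version": "example"})
    print(text)
    print(dearmor(text)[2] == SAMPLE)
```

The checksum only detects accidental corruption in transit; it is not keyed, so integrity against a deliberate change still depends on the PGP signature.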
PACKET HEADERS
A PGP message is constructed from a number of packets.
A packet is a chunk of data which has a tag specifying its meaning. Each packet
consists of a packet header of variable length, followed by the packet body. The first
octet of the packet header is called the packet tag.
The packet tag denotes what type of packet the body holds. The defined tags are:
0–Reserved
1–Session key packet encrypted by public key
2–Signature packet
3–Session key packet encrypted by symmetric key
4–One-pass signature packet
5–Secret-key packet
6–Public-key packet
7–Secret-subkey packet
8–Compressed data packet
9–Symmetrically encrypted data packet
10–Marker packet
11–Literal data packet
12–Trust packet
13–User ID packet
14–Public sub key packet
60 ∼ 63–Private or experimental values
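A parser for the packet tag and length fields described above, as an added Python example (not PGP's own code). The tag names come from the list in these notes; the bit layout of the old and new header formats and the length encodings follow RFC 4880 and are not given on this page, and the sample byte stream is constructed with filler bodies.

```python
# Tag numbers and names as listed in the notes.
TAG_NAMES = {
    0: "Reserved", 1: "Session key packet encrypted by public key",
    2: "Signature packet", 3: "Session key packet encrypted by symmetric key",
    4: "One-pass signature packet", 5: "Secret-key packet", 6: "Public-key packet",
    7: "Secret-subkey packet", 8: "Compressed data packet",
    9: "Symmetrically encrypted data packet", 10: "Marker packet",
    11: "Literal data packet", 12: "Trust packet", 13: "User ID packet",
    14: "Public sub key packet",
}


def tag_name(tag):
    if 60 <= tag <= 63:
        return "Private or experimental"
    return TAG_NAMES.get(tag, "Unknown")


def _need(buf, offset, count):
    """Return count bytes at offset, refusing to read past the end of the input."""
    if offset + count > len(buf):
        raise ValueError("truncated packet header")
    return buf[offset:offset + count]


def parse_packet_header(buf, offset=0):
    """Return (tag, body_length, header_length); body_length is None when the
    length is indeterminate (old format) or partial (new format)."""
    first = _need(buf, offset, 1)[0]
    if not first & 0x80:
        raise ValueError("not a packet tag: bit 7 is clear")
    if first & 0x40:                                    # new format: tag in bits 5-0
        tag = first & 0x3F
        o1 = _need(buf, offset + 1, 1)[0]
        if o1 < 192:                                    # one-octet length
            return tag, o1, 2
        if o1 < 224:                                    # two-octet length
            o2 = _need(buf, offset + 2, 1)[0]
            return tag, ((o1 - 192) << 8) + o2 + 192, 3
        if o1 == 255:                                   # five-octet length
            return tag, int.from_bytes(_need(buf, offset + 2, 4), "big"), 6
        return tag, None, 2                             # partial body length
    tag = (first >> 2) & 0x0F                           # old format: tag in bits 5-2
    length_type = first & 0x03
    if length_type == 3:
        return tag, None, 1                             # indeterminate length
    size = (1, 2, 4)[length_type]
    return tag, int.from_bytes(_need(buf, offset + 1, size), "big"), 1 + size


def list_packets(buf):
    """Walk a packet stream and return [(tag, name, body_length), ...]."""
    offset, found = 0, []
    while offset < len(buf):
        tag, body_len, header_len = parse_packet_header(buf, offset)
        found.append((tag, tag_name(tag), body_len))
        if body_len is None:
            break                                       # cannot locate the next packet
        if offset + header_len + body_len > len(buf):
            raise ValueError("packet body runs past the end of the data")
        offset += header_len + body_len
    return found


# Constructed sample stream: a new-format User ID packet, an old-format
# signature packet with a two-octet length, and an old-format literal data packet.
SAMPLE_STREAM = (bytes([0xCD, 5]) + b"alice"
                 + bytes([0x89, 0, 3]) + bytes(3)
                 + bytes([0xAC, 4]) + b"data")

if __name__ == "__main__":
    for tag, name, length in list_packets(SAMPLE_STREAM):
        print(tag, name, length)
```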
o Message packet,
o A signature packet and
o A session key packet.
Message Packet
This packet includes the actual data to be transmitted or stored as well as a header
that includes control information generated by PGP such as a filename and a
timestamp.
A timestamp specifies the time of creation. The message component consists of a
single literal data packet.
This packet describes a binding between some public key and some data. The most
common signatures are a signature of a file or a block of text, and a signature that is
a certification of a user ID.
The signature includes the following components:
A hash code represents the 160-bit SHA-1 digest, encrypted with sender A’s
private key. The hash code is calculated over the signature timestamp
concatenated with the data portion of the message component.
It includes the session key and the identifier of the receiver’s public key that was
used by the sender to encrypt the session key.
The body of this session key component consists of:
Public-key packet (tag 6): This packet starts a series of packets that forms a
PGP 5.x key.
Public sub key packet (tag 14): This packet has exactly the same format as a
public key packet, but denotes a sub key. One or more sub keys may be
associated with a top-level key. The top-level key provides signature services,
and the sub keys provide encryption services. PGP 2.6.x ignores public-sub
key packets.
Secret-key packet (tag 5): This packet contains all the information that is
found in a public-key packet, including the public-key materials, but also
includes the secret-key material after all the public-key fields.
Secret-sub key packet (tag 7): A secret-sub key packet is the sub key
analogous to the secret-key packet and has exactly the same format.
Symmetric-Key Algorithms
Compression Algorithm
Hash Algorithms
S/MIME
MIME
MIME was defined to allow transmission of non-ASCII data through e-mail.
MIME allows arbitrary data to be encoded in ASCII and then transmitted in a
standard e-mail message. It is a supplementary protocol that allows non-ASCII data
to be sent through SMTP.
The MIME standard provides a general structure for the content type of Internet
messages and allows extensions for new content-type applications.
MIME Description
MIME transforms non-ASCII data at the sender’s site to NVT ASCII data and
delivers it to the client SMTP to be sent through the Internet.
The server SMTP at the receiver’s site receives the NVT ASCII data and delivers it
to MIME to be transformed back to the original non-ASCII data.
MIME Header
MIME Version
Content Type
Content Transfer Encoding
Content Id
Content Description
MIME Version
This header defines the version of MIME used. The current version is 1.0.
Content Type
This header defines the type of data used in the message body. The content
type and the content subtype are separated by a slash.
o RFC 2822,
o Partial or
o External body.
Image: It represents a stationary image.
Application:
There are only two subtypes used currently:
o Octet-stream and
o PostScript.
This header defines the method to encode the messages into ones and zeros for
transport.
o 7 bit
Content Id
Content Description
S/MIME
S/MIME provides a way to send and receive 7-bit MIME data. S/MIME can be
used with any system that transports MIME data.
Definitions
CRL: The Certificate Revocation List that contains information about certificates
whose validity the issuer has prematurely revoked. The information consists of an
issuer name, the time of issue, the next scheduled time of issue, a list of certificate
serial numbers and their associated revocation times, and extensions. The CRL is
signed by the issuer.
Attribute certificate: An X.509 AC is a separate structure from a subject’s PKIX
certificate. A subject may have multiple X.509 ACs associated with each of its
PKIX certificates. Each X.509 AC binds one or more attributes with one of the
subject’s PKIXs.
Sending agent: Software that creates S/MIME CMS objects, MIME body parts that
contains CMS objects, or both.
Receiving agent: Software that interprets and processes S/MIME CMS objects,
MIME parts that contain CMS objects, or both.
S/MIME agent: User software that is a receiving agent, a sending agent, or both.
CMS provides additional details regarding the use of the cryptographic algorithms.
DigestAlgorithmIdentifier
o This type identifies a message digest algorithm which maps the message
to the message digest. Sending and receiving agents must support SHA-1.
Receiving agents should support MD5 for the purpose of providing
SignatureAlgorithmIdentifier
KeyEncryptionAlgorithmIdentifier
The security service of S/MIME uses the concept of triple wrapped message.
A triple wrapped message is one that has been signed, then encrypted and then
signed again. The signers of the inner and outer signatures may be different entities
or the same entity.
The steps to create a triple wrapped message :
1. Start with the original content (a message body).
2. Encapsulate the original content with the appropriate MIME content-type
headers.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The
resulting message is called the inside signature.
5. Encrypt the step 4 result as a single block, turning it into an
application/pkcs7-mime object.
6. Add the appropriate MIME headers: a content type of application/pkcs7-mime
with parameters, and optional MIME headers such as
Content-Transfer-Encoding and Content-Disposition.
7. Sign the step 6 result (the MIME headers and the encrypted body) as a single
block.
8. Using the same logic as in step 4, add an appropriate MIME construct to the
signed message from step 7. The resulting message is called the outside
signature, and is also the triple wrapped message.
o Packet filters,
o Circuit-level gateways and
o Application-level gateways.
ROLE OF FIREWALLS
The firewall imposes restrictions on packets entering or leaving the private
network.
o All traffic from inside to outside, and vice versa, must pass through the
firewall, but only authorized traffic will be allowed to pass.
The firewall may filter on the basis of IP source and destination addresses and TCP
port number.
The firewall also enforces logging, and provides alarm capacities. By placing
logging services at firewalls, security administrators can monitor all access to and
from the Internet.
Firewalls may block TELNET or RLOGIN connections from the Internet to the
intranet.
o They also block SMTP and FTP connections to the Internet from internal
systems not authorised to send e-mail or to move files.
The firewall provides protection from various kinds of IP spoofing and routing
attacks.
It can also serve as the platform for IPsec.
The firewall can be used to implement Virtual Private Networks (VPNs). A VPN
encapsulates all the encrypted data within an IP packet.
A firewall can limit network exposure by hiding the internal network systems and
information from the public Internet.
Drawbacks
FIREWALL-RELATED TERMINOLOGY
Bastion Host
A bastion host is a publicly accessible device for the network’s security, which has
a direct connection to a public network such as the Internet.
The bastion host serves as a platform for any one of the three types of firewalls:
o Packet filter,
o Circuit-level gateway or
o Application-level gateway.
The bastion host’s role falls into the following three common types:
Proxy Server
Proxy servers are used to communicate with external servers on behalf of internal
clients.
Proxy server typically refers to an application-level gateway, although a circuit-
level gateway is also a form of proxy server.
Circuit proxies always forward packets containing a given port number if that
port number is permitted by the rule set.
SOCKS
The SOCKS protocol version 4 provides for unsecured firewall traversal for TCP-
based client/server applications, including HTTP, TELNET and FTP.
When a TCP-based client wishes to establish a connection to an object that is
reachable only via a firewall, it must open a TCP connection to the appropriate
SOCKS port on the SOCKS server system.
The SOCKS service is conventionally located at TCP port 1080.
If the connection request succeeds, the client enters negotiation for the
authentication method to be used, authenticates with the chosen method, and then
sends a relay request.
The SOCKS server evaluates the request, and either establishes the appropriate
connection or denies it.
CHOKE POINT
A choke point is the point at which a public internet can access the internal
network.
Once these choke points have been clearly established, the firewall devices can
monitor, filter and verify all inbound and outbound traffic.
The DMZ is a network that lies between an internal private network and the external
public network.
DMZ networks are sometimes called perimeter networks.
A DMZ is used as an additional buffer to further separate the public network from
the internal network.
Logging is usually implemented at every device in the firewall, but these individual
logs combine to become the entire record of user activity.
The audit log is an essential tool for detecting and terminating intruder attacks.
VPN
TYPES OF FIREWALLS
Firewalls are classified into three common types:
1. Packet filters,
2. Circuit-level gateways and
3. Application-level gateways
1. Packet Filters
Packet filters are firewalls that process network traffic on a packet-by-packet basis.
A packet filter’s main function is to filter traffic from a remote IP host, so a router is
needed to connect the internal network to the Internet.
A packet filter is a device which inspects or filters each packet at a screening router
for the content of IP packets.
The screening router is configured to filter packets from entering or leaving the
internal network.
The routers can easily compare each IP address to a filter or a series of filters. The
type of router used in a packet-filtering firewall is known as a screening router.
Packet filters typically set up a list of rules that are sequentially read line by line.
Packet Filtering rules can be applied based on source and destination IP addresses
or network addresses, and TCP or UDP ports.
Packet filters are read and then treated on a rule-by-rule basis.
A packet filter will provide two actions,
o Forward or
o Discard.
If the action is in the forward process, the action takes place to route the packet as
normal if all conditions within the rule are met.
The discard action will block all packets if the conditions in the rule are not met.
Packet-Filtering Rules
A packet filter applies a set of rules to each incoming IP packet and then
forwards or discards the packet.
The packet filter typically sets up a list of rules which may match fields in the IP
or TCP header.
If there is a match to one of the rules, that rule is able to determine whether to
forward or discard the packet.
If there is no match to any rule, then one of two default actions (forward or
discard) will be taken.
TELNET is a simple remote terminal access that allows a user to log onto a
computer across an internet.
TELNET client software allows the user to specify a remote machine either by
giving its domain name or IP address.
TELNET can be used to administer a UNIX machine.
TELNET sends all user names and passwords in plaintext. Experienced hackers
can hijack a TELNET session in progress.
TELNET runs on TCP port 23.
Example:
To disable the ability to TELNET into internal devices from the Internet, the
information listed in the table tells the router to discard any packet going to or
coming from TCP port 23.
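The sequential rule evaluation described above, including the TELNET rule and the default action, as an added Python example (not a real router's configuration syntax). The addresses are documentation ranges chosen for the example, with 192.0.2.0/24 standing in for the internal network; the SMTP and outbound rules and all sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

FORWARD, DISCARD = "forward", "discard"
ANY = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ANY
    sport: int = ANY
    dport: int = ANY

    def matches(self, pkt):
        """A rule matches only if every condition in it is met."""
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (ANY, pkt.proto)
                and self.sport in (ANY, pkt.sport)
                and self.dport in (ANY, pkt.dport))


def filter_packet(rules, pkt, default=DISCARD):
    """Read the rules top to bottom; the first match decides. Returns (action, rule index)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None          # no rule matched: the default action applies


# Constructed rule set. Order matters: the TELNET discards come before the broad forward rule.
RULES = [
    Rule(DISCARD, proto="tcp", dport=23),                       # going to TCP port 23
    Rule(DISCARD, proto="tcp", sport=23),                       # coming from TCP port 23
    Rule(FORWARD, dst="192.0.2.25/32", proto="tcp", dport=25),  # inbound SMTP to the mail host
    Rule(FORWARD, src="192.0.2.0/24"),                          # other outbound traffic
]

# Constructed sample packets.
TELNET_IN = Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 23)
TELNET_REPLY = Packet("192.0.2.10", "203.0.113.7", "tcp", 23, 40000)
TELNET_OUT = Packet("192.0.2.10", "203.0.113.7", "tcp", 40002, 23)
SMTP_IN = Packet("203.0.113.7", "192.0.2.25", "tcp", 40001, 25)
UNMATCHED = Packet("203.0.113.7", "192.0.2.10", "udp", 5000, 5000)

if __name__ == "__main__":
    for name, pkt in [("telnet in", TELNET_IN), ("telnet reply", TELNET_REPLY),
                      ("telnet out", TELNET_OUT), ("smtp in", SMTP_IN),
                      ("unmatched", UNMATCHED)]:
        print(name, filter_packet(RULES, pkt))
    # Audit check: the same rules with the broad forward rule moved to the top
    # let outbound TELNET through, because the first match wins.
    misordered = [RULES[3]] + RULES[:3]
    print("misordered telnet out", filter_packet(misordered, TELNET_OUT))
```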
FTP is the first protocol for transferring or moving files across the Internet.
The FTP service is typically associated with using TCP ports 20 and 21.
Each FTP server has a command channel, where the requests for data and
directory listings are issued, and a data channel, over which the requested data is
delivered.
On the Internet, e-mail exchanges between mail servers are handled with SMTP.
It is the protocol that transfers e-mail from one server to another, and it provides
a basic e-mail facility for transferring messages among separate hosts.
SMTP receivers use TCP port 25; SMTP senders use a randomly selected port
above 1023.
Most e-mail messages are addressed with hostnames instead of IP addresses, and
the SMTP server uses DNS (Directory and Naming Services) to determine the
matching IP address.
If the same machines handle internal and external mail delivery, a hacker who
can spoof DNS information may be able to cause mail that was intended for
internal destinations to be delivered to an external host.
2. Circuit-Level Gateways
The circuit-level gateway represents a proxy server that defines what traffic will
be forwarded.
Circuit proxies always forward packets containing a given port number if that port
number is permitted by the rule set.
A circuit-level gateway operates at the network level of the OSI model.
This gateway acts as an IP address translator between the Internet and the internal
system.
Advantages:
o Its ability to provide Network Address Translation (NAT). NAT hides the
internal IP address from the Internet.
3. Application-Level Gateways
o The application gateway will then initiate a TCP/IP connection with the
remote server.
o The server will generate TCP/IP responses based on the request from the
proxy server.
o The responses will be sent to the proxy server (application gateway) where
the responses are again checked against the proxy server’s filters.
If the remote server’s response is permitted, the proxy server will then forward the
response to the inside host.
Advantages:
o Its ability to provide NAT for shielding the internal network from the
Internet.
FIREWALL DESIGNS
1. Screened Host Firewall (Single-Homed Bastion Host)
The first type of firewall is a screened host which uses a single-homed bastion host
plus a packet-filtering router.
The screened host firewall is designed such that all incoming and outgoing
information is passed through the bastion host.
The external screening router is configured to route all incoming traffic directly to
the bastion host.
The screening router is also configured to route outgoing traffic only if it originates
from the bastion host.
This kind of configuration prevents internal clients from bypassing the bastion host.
The bastion host is configured to restrict unacceptable traffic and proxy acceptable
traffic.
All external traffic is forwarded directly to the bastion host for processing.
o Internal users cannot access the Internet without going through the bastion
host because the routing information is contained within the network.
2. Integrity of data
o SET uses X.509 v3 digital certificates with RSA signatures for this
purpose.
4. Merchant authentication
o Cardholders also need to be able to identify merchants with whom they can
securely conduct electronic commerce.
o SET provides for the use of digital signatures and merchant certificates to
ensure authentication of the merchant.
o SET uses X.509 v3 digital certificates with RSA signatures for this
purpose.
5. Security techniques
o SET utilizes two asymmetric key pairs for the encryption/decryption process
and for the creation and verification of digital signatures.
o SET does not interfere with the use of other security mechanisms such as
IPsec and SSL/TLS.
7. Interoperability
SET SYSTEM PARTICIPANTS
Cardholder
Issuer
Merchant
Acquirer
Payment gateway
Certification Authority
Confidentiality
Integrity
Authentication
1. Encryption process
User A sends the plaintext through a hash function to produce the message digest.
A then encrypts the message digest with his or her private key to produce the digital
signature.
Next, A generates a random symmetric key and uses it to encrypt the plaintext, A’s
signature and a copy of A’s certificate, which contains A’s public key.
To decrypt the plaintext later, user B will require a secure copy of this temporary
symmetric key.
B’s certificate contains a copy of his or her public key. To ensure secure
transmission of the symmetric key, A encrypts it using B’s public key. The
encrypted key, called the digital envelope, is sent to B along with the encrypted
message itself.
A sends a message to B consisting of the DES-encrypted plaintext, signature and
A’s public key, and the RSA-encrypted digital envelope.
2. Decryption process
B receives the encrypted message from A and decrypts the digital envelope with his
or her private key to retrieve the symmetric key.
B uses the symmetric key to decrypt the encrypted message, consisting of the
plaintext, A’s signature and A’s public key retrieved from A’s certificate.
B decrypts A’s digital signature with A’s public key that is acquired from A’s
certificate. This recovers the original message digest of the plaintext.
B runs the plaintext through the same hash function used by A and produces a new
message digest of the decrypted plaintext.
Finally, B compares his or her message digest to the one obtained from A’s digital
signature. If they are exactly the same, B confirms that the message content has not
been altered during transmission and that it was signed using A’s private key. If they
are not the same, then the message either originated somewhere else or was altered
after it was signed. In that case, B discards the message.
PAYMENT PROCESSING
1. Cardholder Registration
2. Merchant Registration
3. Purchase Request
4. Payment Authorization
5. Payment Capture
1. Cardholder Registration
The cardholder must register with a CA before sending SET messages to the
merchant. The cardholder needs a public/private-key pair for use with SET.
The scenarios of cardholder registration are:
o Registration request/response processes
o Registration form process
o Certificate request/response processes
2. Merchant Registration
Merchants must register with a CA before they can receive SET payment
instructions from cardholders.
In order to send SET messages to the CA, the merchant must have a copy of the
CA’s public key which is provided in the CA certificate.
The merchant also needs the registration form from the acquirer.
The merchant must identify the acquirer to the CA.
The merchant registration process consists of five steps as follows:
(1) The merchant requests the registration form;
(2) The CA processes this request and sends the registration form;
(3) The merchant requests certificates after receiving the registration certificates;
(4) The CA creates certificates;
(5) The merchant receives certificates.
3. Purchase Request
The purchase request exchange should take place after the cardholder has completed
browsing, selecting and ordering.
1. Initiate request
2. Initiate response
The cardholder receives the initiate response and verifies the certificates.
The cardholder verifies the merchant’s signature by decrypting it with the
merchant’s public key and comparing the result with a newly computed message
digest of the response.
The cardholder creates the order message (OM) using information from the
shopping phase and payment message (PM).
3. Purchase request
4. Purchase response
The merchant creates the purchase response including the merchant signature
certificate and digitally signs it by generating a message digest of the purchase
response and encrypting it with the merchant’s private key.
4. Payment Authorisation
During the processing of an order from a cardholder, the merchant authorises the
transaction.
The authorization request and the cardholder payment instructions are then
transmitted to the payment gateway.
The steps involved in it are:
o Authorisation request
o Authorization response
5. Payment Capture
After completing the processing of an order from a cardholder, the merchant will
request payment.
The merchant generates and signs a capture request, which includes the final amount
of the transaction, the transaction identifier from the OM, and other information
about the transaction.
INTRODUCTION
Computer crime—a general term that has been used to denote any criminal act which
has been facilitated by computer use. Such generalization has included both Internet
and non-Internet activity.
Examples:
o Theft of components,
o Counterfeiting,
o Digital piracy or copyright infringement,
o Hacking, and
o Child pornography.
Examples:
o Traditional bookmaking, and
o Theft.
Digital crime—a term used to refer to any criminal activity which involves the
unauthorized access, dissemination, manipulation, destruction, or corruption of
electronically stored data.
Cybercrime—a specific term used to refer to any criminal activity which has been
committed through or facilitated by the Internet.
o Phreaking,
o Hacking,
o Computers as commodities,
o Theft of intellectual property.
PREPARED BY SANTHIYA.M/AP/CSE/REC 1
CS6004 - CYBER FORENSICS UNIT - III
PHREAKING
HACKING
o Script kiddies,
o Cyberpunks,
o Hackers/crackers,
o Cybercriminal organizations, and
o Hacktivists.
Script Kiddies
Script kiddies, also known as skidiots, skiddie, or Victor Skill Deficiency
(VSD), are the lowest life form of cybercriminal.
These computer users are referred to as inexperienced hackers who employ
scripts or other programs authored by others to exploit security
vulnerabilities or otherwise compromise computer systems.
Script kiddies are not capable of writing their own programs and do not fully
understand the programs which they are executing. Thus, they are not
capable of targeting a specific system, but are limited to those targets which
possess the identified vulnerabilities.
Cyberpunks
Cyberpunks is an innocuous term which has been hotly contested by First
Amendment advocates but has been used by law enforcement officials to
refer to individuals intent on wreaking havoc via the Internet.
The term was initially used to refer to an emerging genre which marries science
fiction, information technology, and radical change in the social order.
Hackers/Crackers
Hackers are those individuals who identify and exploit system vulnerabilities
but who lack economic motivation.
Crackers are those sophisticated users who employ their knowledge for
personal gain. Originally known as criminal hackers.
COMPUTERS AS COMMODITIES
Gray market dealers are legitimate businesses with questionable, and illegal,
practices. These businesses are those which specialize in made-to-order computers
(i.e., nonstandard or knock-offs).
They represent a major customer for thieves, being a ready outlet for their
illegal wares. Buying the components at a significant discount, these
companies claim ignorance.
Data piracy refers to the reproduction, distribution, and use of software without
the permission or authorization of the owner of copyright. Making multiple copies
for personal use or distributing copies to friends or colleagues.
Most retail programs are licensed for use at just one computer site or by only one
user at any time. By buying the software, an individual becomes a licensed user
rather than an owner. While this individual user may be allowed to make copies of
the program for backup purposes, it is against the law to distribute copies to friends
and colleagues.
Many software companies tried to stop software piracy by copy-protecting their
software. A different approach to software piracy prevention was the introduction of
a new category of licensed software.
Shareware acknowledges the futility of trying to stop people from copying
software and instead relies on people’s honesty.
Film Piracy
Threatening communications
Extortion, cyber stalking, cyber harassment, cyberbullying, etc.
Fraud
Auction fraud, credit card fraud, theft of services, stock manipulation, etc.
Ancillary crimes
Money laundering, conspiracy, etc.
2. MALWARE
o Back doors,
o Trojan horses,
o Viruses,
o Worms, and
o DoS attacks.
All of these entities can be, and have been, employed by terrorists, hacktivists,
corporate spies, criminals, and pleasure seekers.
The first recognized computer virus, the rabbit, appeared in the 1960s.
These programs diminished the productivity of computer systems by cloning
themselves and occupying system resources.
The first virus attached to an executable file appeared in the 1970s on the UNIVAC 1108
system. Pervading Animal was attached to the end of an executable file and
required the computer user to answer a series of questions regarding
animals.
In 1999, the first known DDoS attacks occurred, with tools known as Trinoo
and Tribe Flood Network (TFN). Since that time, such attacks have become
commonplace and have been employed by a variety of individuals or groups,
such as extortionists, business competitors, and terrorists.
Examples :
GPCoder
This Trojan originally surfaced in May 2005, and updated versions have consistently
appeared. These updated versions of GPCoder, distributed via e-mail, applied
complex RSA encryption to files with predetermined extensions. Upon execution,
victims were instructed to visit a particular site to purchase a decoder.
CryZip
Surfacing in March 2006, CryZip attached itself to all running processes in the
form of a DLL file. It was similar to GPCoder, except that it collected all affected
files into a password-protected zip file and utilized an e-gold account for
ransom collection.
The most popular method for stealing passwords involves social engineering.
Employees who fail to follow proper security procedures for disposing of personal
correspondence and company paperwork also pose a security risk to an institution’s
digital technology.
Unwitting administrators and employees routinely dump sensitive information into
the nearest trash receptacle. Information such as old technical manuals, internal
phone lists, and organizational charts and correspondence provide a wealth of
information for the malicious hacker.
The emergence of cloud computing and removable media is increasingly
responsible for theft of information or breaches in digital security.
More sophisticated approaches to gaining unauthorized access to “secured” data
may be employed by computer hackers. One approach involves systemic
vulnerabilities created by vendors in which remote access is allowed to perform
routine maintenance, such as updating, on their systems.
Some system administrators never change the defaults in their networks once they
are installed. By utilizing lists of default passwords, readily available on the Net,
unauthorized users are able to gain root access by simply using traditional network
defaults.
Political Espionage
Technology has also escalated the potential for sophisticated attacks on a country’s
national security and public infrastructure.
Example:
Between 2004 and 2005, NASA networks were compromised six times by a
Swedish hacker, causing the agency to suffer $1 million in supercomputing
downtime.
TERRORISM
5. NEOTRADITIONAL CRIME
Child Pornography
Child Enticement/Exploitation
Online Pharmacies
Online Gambling
Auction fraud was one of the most common fraudulent activities on the
Internet.
Skimming—One way for fraudsters to steal credit card information is to install devices
on card readers located in ATMs, gas pumps, restaurants, grocery stores, retail
establishments, or any other area where magnetic stripe card readers are employed. The
information on the card may include account numbers, passwords, and other
information.
RFID, or Radio Frequency Identification, involves the use of radio waves to facilitate
the transfer of information between an electronic tag (or label) and a reader. It was
designed for identification and tracking purposes.
Web-cramming/ISP Jacking
Web-cramming is most often accomplished when criminals develop new Web pages
for small businesses and nonprofit groups for little or no expense. While advertising
their service as free, these criminals actually engage in unauthorized phone charges on
their victim’s accounts.
ISP-jacking involves disconnecting individual users from their selected Internet service
providers and redirecting them to illegitimate servers. The users are lured into
downloading software which surreptitiously disconnects their chosen ISP, silences their
modem, and reconnects them to a remote server.
Data diddling can be committed by anyone having access to an input device. It refers to
any method of fraud via computer manipulation.
IP spoofing involves the manipulation of packets (i.e., messages that are exchanged
between computers). These communications are indirectly routed across varying
systems.
Day trading is the process of buying and selling highly speculative stocks within one
trading day.
False information is another method in which unwitting investors are parted from
their money.
Insider Trading is also increasing due to the proliferation of day trading activity. This
scheme was predicated on the advice of one “insider” who solicited interested
individuals in chat rooms, offering them inside advice for a percentage of their profits.
E-Fencing may be defined as the sale of stolen goods through technological means.
6. ANCILLARY CRIMES
Money laundering refers to the cleansing or cleaning of money. The process of money
laundering involves the following steps:
Placement—the initial point of entry for illicit funds;
Electronic crime does not require an extensive array of equipment or tools. It does not
require vehicular transportation, physical storage capability, or labor-intensive
practices, all of which increase the potential for discovery and enforcement.
The physical intangibility of computer crime involves the traditional lack of cooperation
inherent in law enforcement investigations.
Issues of funding, political platforms, and the like have traditionally reduced
communication and cooperation among jurisdictions.
A lack of knowledge coupled with general apathy toward cyber criminality has resulted
in an atmosphere of indifference.
c. PROSECUTORIAL RELUCTANCE
d. LACK OF REPORTING
One reason companies do not report is the perception that reporting will not result in
capture or identification of a suspect.
e. LACK OF RESOURCES
The business communities should have sufficient resources (both financial and legal)
necessary to effectively combat computer crimes.
In addition to the costs associated with training, administrators must consider three
additional areas in support of computer crime investigations:
o Personnel,
o Hardware, and
o Housing.
The costs associated with staffing computer crime units far exceed the other two areas.
While traditional expenses like salary and benefits are often overlooked, they become a
very expensive component when establishing a new function.
For every officer who is assigned new areas of responsibility, additional staff must be
recruited, hired, and trained as a replacement in his or her original position.
f. JURISPRUDENTIAL INCONSISTENCY
The Supreme Court has remained resolutely averse to deciding matters of law in the
newly emerging sphere of cyberspace.
They have virtually denied cert on every computer privacy case to which individuals
have appealed and have refused to determine appropriate levels of Fourth Amendment
protections of individuals and computer equipment.
INTRODUCTION
Identity theft has been utilized to describe any use of stolen personal information.
Identity fraud, which encompasses identity theft within its purview, may be
defined as the use of a vast array of illegal activities based on fraudulent use of
identifying information of a real or fictitious person.
Identity fraud is committed when a credible identity is created by accessing others’
credit cards, financial or employment records, secure facilities, computer systems, or
such.
There are five main types of identity theft/fraud occurring in the United States:
a. Assumption of Identity
b. Theft for Employment and/or Border Entry
c. Criminal Record Identity Theft/Fraud
d. Virtual Identity Theft/Fraud
e. Credit Identity Theft/Fraud
a. Assumption of Identity
This is the rarest form of identity theft/fraud and occurs when an individual
simply assumes the identity of his or her victim, including all aspects of the
victim’s life.
Theft for Employment and/or Border Entry
This type of identity theft is not as common or because the immediate financial
repercussions are not significant.
It has been used historically by individuals attempting to evade capture or
criminal prosecution.
Reverse criminal record identity theft occurs when a criminal uses a victim’s
identity not to engage in criminal activity but to seek gainful employment.
Virtual Identity Theft/Fraud
The most common type of identity theft/fraud, credit identity theft/fraud, is also
the most feared by the American public.
It may be defined as the use of stolen personal and financial information to
facilitate the creation of fraudulent accounts.
It does not include traditional activities like the illegal use of a stolen credit card.
Credit identity theft is limitless and not bound by the amount of cash or credit
which is immediately available. Rather, it allows criminals to create additional
sources of revenue through the establishment of multiple accounts.
Example :
In 2011, the FTC reported that more than 60 percent of all identity theft
victims reported that their personal information was used to open new
accounts, transfer funds, or commit tax/wage related fraud.
b. Future Increases
a. Mail Theft
b. Dumpster Diving
c. Theft of Computers
d. Bag Operations
e. Child Identity Theft
Insiders
Fraudulent or Fictitious Companies
Card Skimming, ATM Manipulation, and Fraudulent Machines
Physical, and
Virtual.
a. Mail Theft
The theft of information from physical mailboxes is certainly one of the most
common.
o driver’s licenses,
o passports, and
o financial statements are tasked.
Some thieves randomly target mailboxes, while others target those whose red flag
signals outgoing mail. This technique, known as popcorning, often scores credit card
numbers and banking information.
Ironically, credit card companies are no longer including the entire card number on
statements, but consumers are providing the number on their payment. Thus, a thief
can obtain a credit card number by checking information and other personal
information from an outgoing payment.
b. Dumpster Diving
c. Theft of Computers
d. Bag Operations
The law enforcement authorities are reporting startling numbers of parents stealing
their children’s identities.
This type of identity theft or fraud is especially difficult to recognize and prosecute.
The primary problem is the delayed identification of the victimization.
Criminals may create alternate identities for themselves for employment, evasion of
authorities, and financial gain.
f. Insiders
Corporate and government insiders pose the greatest risk to identity theft.
Careless employees account for a large amount of identity theft. Such
negligence has been committed by both individual employees and corporate
divisions.
In 2005, for example, Bank of America reported that the personal information
of 1.2 million U.S. government employees, including U.S. senators, had been
compromised when tapes were lost during shipment.
In the same year, Citigroup reported that UPS had lost the personal financial
information of nearly 4 million Citigroup customers.
Phishing
Spyware and Crimeware
Keyloggers and Password Stealers
Trojans
a. Phishing
o Keyloggers are devices or software programs which record the input activity of a
computer or system via keystrokes.
USB keyloggers, which resemble a typical thumb drive, can be easily attached and removed.
Trojans
Insurance fraud is another area which has been characterized by an increase in scams
facilitated by identity theft/fraud. On the low end of the spectrum, some individuals
procure a victim’s personal information to obtain “free” (i.e., billed to another) medical
care. Such fraud is often practiced by illegal aliens and petty criminals.
It includes,
The CSIRT is a multidisciplined team with the appropriate legal, technical, and other
expertise necessary to resolve an incident.
Take actions to prepare the organization and the CSIRT before an incident occurs.
Perform an initial investigation, recording the basic details surrounding the incident,
assembling the incident response team, and notifying the individuals who need to know
about the incident.
Based on the results of all the known facts, determine the best response and obtain
management approval. Determine what civil, criminal, administrative, or other actions
are appropriate to take, based on the conclusions drawn from the investigation.
Perform a thorough collection of data. Review the data collected to determine what
happened, when it happened, who did it, and how it can be prevented in the future.
(6) Reporting
(7) Resolution
Employ security measures and procedural changes, record lessons learned, and develop
long-term fixes for any problems identified.
During this phase, your organization needs to prepare both the organization itself as a
whole and the CSIRT members, prior to responding to a computer security incident.
The CSIRT is defined during the pre-incident preparation phase. Your organization will
assemble a team of experts to handle any incidents that occur.
The detection of incidents phase is one of the most important aspects of incident
response.
It is also one of the most decentralized phases, in which those with incident response
expertise have the least control.
In most organizations, end users may report an incident through one of three avenues:
Their immediate supervisor,
The corporate help desk, or
An incident hotline managed by the Information Security entity.
Typically, end users report technical issues to the help desk, while employee-related
issues are reported to a supervisor or directly to the local Human Resources
department.
After completing the initial response checklist, the CSIRT should be activated and the
appropriate people contacted.
The CSIRT will use the information from the initial response checklist to begin the next
phase of the response process, the initial response.
Interviewing system administrators who might have insight into the technical
details of an incident
Interviewing business unit personnel who might have insight into business
events that may provide a context for the incident
Reviewing intrusion detection reports and network-based logs to identify data
that would support that an incident has occurred
Reviewing the network topology and access control lists to determine if any
avenues of attack can be ruled out
The goal of the response strategy formulation phase is to determine the most
appropriate response strategy, given the circumstances of the incident. The strategy
should take into consideration the political, technical, legal, and business factors that
surround the incident.
The final solution depends on the objectives of the group or individual with
responsibility for selecting the strategy.
When the incident warrants, this action can be initiated with a criminal referral, a civil
complaint, or some administrative reprimand or privilege revocation.
It includes,
Letter of reprimand
Immediate dismissal
Mandatory leave of absence for a specific length of time (paid or unpaid)
Reassignment of job duties (diminished responsibility)
Temporary reduction in pay to account for losses/damage
Public/private apology for actions conducted
Withdrawal of certain privileges, such as network or web access
The investigation phase involves determining the who, what, when, where, how,
and why surrounding an incident.
In the forensic analysis phase, you examine all the data collected to determine the
who, what, when, where, and how information relevant to the incident.
Data Collection
Data collection is the accumulation of facts and clues that should be considered during
your forensic analysis.
The information you obtain during the data collection phase can be divided into three
fundamental areas:
o Host-based information,
o Network-based information, and
o Other information.
Host-based evidence includes logs, records, documents, and any other information
that is found on a system and not obtained from network-based nodes.
A live response is conducted when a computer system is still powered on and running.
This means that the information contained in these areas must be collected without
impacting the data on the compromised device.
In-depth response
The CSIRT obtains enough additional information from the target/victim
system to determine a valid response strategy. Nonvolatile information such
as log files are collected to help understand the nature of the incident.
Network-based Evidence
It includes,
o IDS logs
o Consensual monitoring logs
o Nonconsensual wiretaps
o Pen-register/trap and traces
o Router logs
o Firewall logs
o Authentication servers
Other Evidence
The “other evidence” category involves testimony and other information obtained from
people.
Forensic Analysis
Forensic analysis also includes performing more low-level tasks, such as looking
through information that has been logically deleted from the system to determine if
deleted files, slack space, or free space contain data fragments or entire files that may be
useful to the investigation.
(6) REPORTING
Reporting can be the most difficult phase of the incident response process. The
challenge is to create reports that accurately describe the details of an incident, that are
understandable to decision makers, that can withstand the barrage of legal scrutiny, and
that are produced in a timely manner.
(7) RESOLUTION
Identify your organization’s top priorities. Which of the following is the most
critical to resolve: returning all systems to operational status, ensuring data integrity,
containing the impact of the incident, collecting evidence, or avoiding public disclosure?
Determine the nature of the incident in enough detail to understand how the
security occurred and what host-based and network-based remedies are required to
address it.
Determine if there are underlying or systemic causes for the incident that need to be
addressed.
Restore any affected or compromised systems. You may need to rely on a prior
version of the data, server platform software, or application software as needed to
ensure that the system performs as you expect it to perform.
Track progress on all corrections that are required, especially if they will take
significant time to complete.
Update your security policy and procedures as needed to improve your response
process.
FORENSIC DUPLICATE
A forensic duplicate is a file that contains every bit of information from the source,
in a raw bit stream format.
A 5GB hard drive would result in a 5GB forensic duplicate. No extra data is stored
within the file, except in the case where errors occurred in a read operation from the
original.
A forensic duplicate may be compressed after the duplication process.
A qualified forensic duplicate is a file that contains every bit of information from
the source, but may be stored in an altered form.
Examples :
In-band hashes and
Empty sector compression.
Two tools that create qualified forensic duplicate output files are SafeBack and
EnCase.
RESTORED IMAGE
A restored image is what you get when you restore a forensic duplicate or a
qualified forensic duplicate to another storage medium.
MIRROR IMAGE
A mirror image is created from hardware that does a bit-for-bit copy from one hard
drive to another.
The tool must create a forensic duplicate or mirror image of the original storage
medium.
The tool must handle read errors in a robust and graceful manner. If a process fails
after repeated attempts, the error is noted and the imaging process continues.
A placeholder may be put in the output file with the same dimensions as the portion
of the input with errors.
The tool must not make any changes to the source medium. The tool must have the
ability to be held up to scientific and peer review.
The dd utility is the most reliable tool for creating a true forensic duplicate image.
As long as the operating system kernel recognizes the storage medium, dd will
perform a complete, bit-for-bit copy of the original.
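The tool requirements and the dd behaviour described above (bit-for-bit copy, unchanged source, read errors replaced by a placeholder of the same size) map onto dd options as follows. This is an added example, not the course's own script: a constructed 32 KiB file stands in for the evidence drive, and all function and file names are assumptions.

```shell
#!/bin/sh
# Added example: dd-based forensic duplication with hash verification.
# A constructed file stands in for the evidence drive; on a real case SRC
# would be a device node attached through a write blocker.

# hash_of FILE: print the SHA-256 of FILE, reading it through stdin only.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# make_sample_source FILE: build the constructed stand-in "drive",
# 64 zeroed 512-byte sectors with a marker string at the start of sector 10.
make_sample_source() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null &&
    printf 'CONSTRUCTED-EVIDENCE' |
        dd of="$1" bs=512 seek=10 conv=notrunc 2>/dev/null
}

# duplicate SRC IMG: raw bit-stream copy of SRC into IMG.
#   bs=512        one sector per read, so a bad read costs one sector
#   conv=noerror  continue after a read error instead of aborting
#   conv=sync     pad a failed or short read with zeros to a full block,
#                 so every later sector stays at its original offset
# dd's record counts and errors go to IMG.log, the image hash to IMG.sha256.
duplicate() {
    src=$1
    img=$2
    status=0
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log" || status=$?
    echo "dd exit status: $status" >>"$img.log"
    hash_of "$img" >"$img.sha256"
}

# verify_image IMG: succeed only if IMG still matches its recorded hash.
verify_image() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# same_content A B: succeed if both files hash to the same value.
same_content() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

run_demo() {
    work=$(mktemp -d) || return 1
    make_sample_source "$work/evidence.raw"
    before=$(hash_of "$work/evidence.raw")
    duplicate "$work/evidence.raw" "$work/case001.dd"
    after=$(hash_of "$work/evidence.raw")

    [ "$before" = "$after" ] && echo "source  : unchanged by imaging"
    same_content "$work/evidence.raw" "$work/case001.dd" &&
        echo "image   : identical to source ($after)"

    # Simulate later alteration of a working copy: overwrite one byte.
    cp "$work/case001.dd" "$work/altered.dd"
    cp "$work/case001.dd.sha256" "$work/altered.dd.sha256"
    printf 'X' | dd of="$work/altered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/case001.dd" && echo "verify  : original image accepted"
    verify_image "$work/altered.dd" || echo "verify  : altered copy rejected"
    rm -rf "$work"
}

run_demo
```

Because conv=sync pads the last block to a full 512 bytes, the image hash equals the source hash only when the source length is a whole number of sectors, which holds for disk devices.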
Creating Linux Boot Media
The preparation for duplication using Linux is likely the most difficult. The
easy route is to start with a precompiled version of Linux such as Tomsrtbt,
Trinux, or FIRE (Forensic and Incident Response Environment).
Once you have the basic package up and running, you can disassemble the
packages and add your own binaries, such as dcfldd.
The following is a bash shell script that will create a true forensic duplicate of
a hard drive and store the image on a local storage hard drive,
The Open Data Duplicator (ODD) is a new open-source tool. This tool follows a
client/ server model that allows the investigator to perform forensic duplications on
a number of computer systems simultaneously over a local LAN.
There are three portions of the ODD package:
There should be four files in the root directory of the floppy. These files contain the
code to get the computer running a minimal operating system.
Directory of A:\
05/11/2003 20:01 222,390 IO.SYS
05/11/2003 20:01 68,871 DRVSPACE.BIN
05/11/2003 20:01 93,880 COMMAND.COM
03/20/2003 17:49 9 MSDOS.SYS
The first file processed by the computer is IO.SYS. The code in IO.SYS loads the
contents of MSDOS.SYS and begins to initialize device drivers, tests and resets the
hardware, and loads the command interpreter, COMMAND.COM.
During the process of loading device drivers, if a disk or partition connected to the
machine uses compression software, such as DriveSpace or DoubleSpace, IO.SYS
loads the DRVSPACE.BIN driver file.
As the driver loads, it will mount the compressed volume and present the operating
system with an uncompressed view of the file system.
When it mounts the compressed volume, it changes the time/date stamps on the
compressed file.
When you boot from your clean boot disk, you want to ensure that the loading of the
DRVSPACE.BIN driver file fails.
The most effective way to prevent the loading of DRVSPACE.BIN is to load IO.SYS
into a hex editor and alter the strings manually.
Creating a Qualified Forensic Duplicate with SafeBack
Creating a duplicate of a computer system with SafeBack is straightforward. It offers
four modes of operation:
The Backup function produces a forensically sound image file of the source
media.
The Restore function restores forensically sound image files.
The Verify function verifies the checksum values within an image file.
The Copy function performs the Backup and Restore operations in one action.
o Hardware,
o Software, and
o Documentation.
Windows 98,
Windows NT,
Windows 2000, and
Linux, all bootable via GRUB (a GNU bootloader) or on a CD-ROM “ghost”
image
Safeback, EnCase, DiskPro, or another forensics software package, used to
create exact images of computer media for forensic-processing purposes
All the drivers for all of the hardware on your forensic machine
Selection of boot disks (DOS, EnCase, Maxtor, and so on)
Quick View Plus or some other software that allows you to view nearly all
types of files
Disk-write blocking utilities
An image of the complete setup on backup media such as DVD
Hard drive size depends on the amount of traffic collected, but a 30GB
hard drive is a good start.
DOCUMENTATION
The documentation includes how the evidence is obtained, all actions taken, and where
and how the evidence is stored.
Today, there are numerous classes that provide hands-on hacking and incident
response training. Some institutions that offer computer incident response training
are Foundstone, Carnegie Mellon, and SANS.
There are several professional organizations that allow law enforcement officers to
mingle with computer security professionals:
InfraGard
An FBI program designed to address the need for private and public-sector
information sharing, at both the national and local level.
FORENSICS TECHNOLOGY
Computer forensics tools and techniques have proven to be a valuable resource for
law enforcement in the identification of leads and in the processing of computer
related evidence.
Computer forensics tools and techniques have become important resources for use
in internal investigations, civil lawsuits, and computer security risk management.
Forensic software tools and methods can be used to identify passwords, logons, and
other information that is automatically dumped from the computer memory as a
transparent operation of today’s popular personal computer operating systems.
Such computer forensic software tools can also be used to identify backdated files
and to tie a diskette to the computer that created it.
Law enforcement and military agencies have been involved in processing
computer evidence for years.
Windows XP and Windows 2003 are operating systems that are often used on
notebook and desktop computers in corporations and government agencies.
Preservation of Evidence
File Slack
Denotes the occurrence of random memory dumps in hidden storage areas. Such
data is the source of potential security leaks regarding passwords, network logons,
email, database entries, and word processing documents.
Data-Hiding Techniques
Trade secret information and other sensitive data can easily be concealed using any
of several techniques. It is possible to hide diskettes within diskettes and to hide
entire computer hard disk drive partitions.
E-Commerce Investigations
Net Threat Analyzer can be used to identify past Internet browsing and email
activity done through specific computers.
Dual-Purpose Programs
Programs can be designed to perform multiple processes and tasks at the same time.
They can also be designed for delayed tasking.
Data Interception by Remote Transmission (DIRT) from Codex Data Systems (CDS),
Inc. is a powerful remote control monitoring tool that allows stealth monitoring of all
activity on one or more target computers simultaneously from a remote command
center.
No physical access is necessary. The application also allows agents to remotely seize
and secure digital evidence prior to physically entering suspect premises.
These tools identify unauthorized intruders who access, download, and view these
tagged documents.
The tools also allow security personnel to trace the chain of custody and chain of
command of all who possess the stolen electronic documents.
This allows you to track and locate your computer, thus providing the potential for its
ultimate recovery as well as apprehension of the thief.
Other types of encryption, readily available to the general public, can be configured and
used to create encrypted data that goes beyond the ability of the professional
investigator to decrypt it using software.
The most popular encryption program is PGP, or Pretty Good Privacy. Invented
by Phil Zimmermann, it is a dual-key, algorithm-based code system that makes encrypted
data practically impossible to decipher.
The first step in defining a corporate Internet security policy is to draft a high-level
management policy statement establishing a framework and context for security within
an organization. This policy needs to define the adequate and appropriate Internet
security measures necessary to safeguard a company’s systems, networks, transactions,
and data.
Two keys exist, one public, the other private. The public key is freely distributed and is
used to encrypt the information to be sent. The private key is retained by the recipient
and is used to decrypt the received information.
To use public key encryption across the Internet, steps must be taken to ensure the
integrity of the public key and the identity of its owner. A trusted third party, called a
“certificate authority,” provides a unique “digital signature” for the public key, which
cannot be forged, and both identifies the owner of the key and certifies that the key has
not been altered.
Each party obtains the public key for the other from a certificate authority and performs
a special calculation with their own private keys.
The result of the algorithm will be the same for both parties and may be used as the new
secret shared key for secure communications between the two parties.
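The exchange described above, in which each side combines the other's public value with its own private key and both arrive at the same secret, is Diffie-Hellman key agreement. The following is an added example, not part of the original notes: the prime, generator and private values are constructed, toy-sized assumptions chosen so the arithmetic fits in 64-bit shell integers, and the last check shows why the public values must be certified.

```shell
#!/bin/sh
# Added example: toy Diffie-Hellman exchange in POSIX shell arithmetic.
# P and G are public parameters; all private values are constructed samples.
P=2147483647   # prime 2^31 - 1 (toy size: every product stays below 2^62)
G=7            # a primitive root modulo P

# modexp BASE EXP MOD: BASE^EXP mod MOD by square-and-multiply.
modexp() {
    b=$(( $1 % $3 ))
    e=$2
    m=$3
    r=1
    while [ "$e" -gt 0 ]; do
        if [ $(( e % 2 )) -eq 1 ]; then
            r=$(( r * b % m ))      # multiply in the current bit
        fi
        b=$(( b * b % m ))          # square for the next bit
        e=$(( e / 2 ))
    done
    echo "$r"
}

# public_key PRIV: the value a party publishes (and a CA would certify).
public_key() { modexp "$G" "$1" "$P"; }

# shared_key PEER_PUBLIC OWN_PRIV: the "special calculation" each side runs.
shared_key() { modexp "$1" "$2" "$P"; }

run_exchange() {
    a_priv=123456789            # constructed private key of party A
    b_priv=987654321            # constructed private key of party B
    a_pub=$(public_key "$a_priv")
    b_pub=$(public_key "$b_priv")

    a_key=$(shared_key "$b_pub" "$a_priv")
    b_key=$(shared_key "$a_pub" "$b_priv")
    echo "A derives: $a_key"
    echo "B derives: $b_key"
    [ "$a_key" = "$b_key" ] && echo "shared secret agreed"

    # If A is handed a public value that is not really B's (constructed
    # third-party key below), A's result no longer matches B's. Certifying
    # the public values is what rules this out.
    x_pub=$(public_key 555555555)
    bad_key=$(shared_key "$x_pub" "$a_priv")
    [ "$bad_key" != "$b_key" ] && echo "uncertified value: secrets differ"
}

run_exchange
```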
Purchasing online may seem to be quick and easy. For it to work correctly, merchants
must connect to a network of banks (both acquiring and issuing banks), processors, and
other financial institutions so that payment information provided by the customer can
be routed securely and reliably. The solution is a payment gateway that connects your
online store to these institutions and processors.
Because payment information is highly sensitive, trust and confidence are essential
elements of any payment transaction. This means the gateway should be provided by a
company with in-depth experience in payment processing and security.
Acquiring Bank: In the online payment processing world, an acquiring bank provides
internet merchant accounts. A merchant must open an internet merchant account with
an acquiring bank to enable online credit card authorization and payment processing.
Examples of acquiring banks include Merchant eSolutions and most major banks.
Authorization: The process by which it is verified that a customer’s credit card is active
and they have the credit available to make a transaction. In the online payment
processing world, an authorization also verifies that the billing information the
customer has provided matches up with the information on record with their credit
card company.
Credit Card Association: A financial institution that provides credit card services that
are branded and distributed by customer issuing banks. Examples include Visa® and
MasterCard®.
Customer: The holder of the payment instrument—such as credit card, debit card, or
electronic check.
Customer Issuing Bank: A financial institution that provides a customer with a credit
card or other payment instrument. Examples include Citibank and Suntrust.
Internet Merchant Account: A special account with an acquiring bank that allows the
merchant to accept credit cards over the Internet. The merchant typically pays a
processing fee for each transaction processed, also known as the discount rate.
Processor: A large data center that processes credit card transactions and settles funds
to merchants. The processor is connected to a merchant’s site on behalf of an acquiring
bank via a payment gateway.
Settlement: The process by which transactions with authorization codes are sent to the
processor for payment to the merchant.
Settlement is a sort of electronic bookkeeping procedure that causes all funds from
captured transactions to be routed to the merchant’s acquiring bank for deposit.
One aspect of implementing a security policy is being able to control which users have
access to particular systems and the data that they can access.
Within a company, card keys and security personnel can ensure that only employees are
accessing its systems, but for remote users, there is a much higher perceived security
risk. Many companies provide each of their remote users with a digital token card
(also called hard tokens) to increase their assurance of the identity of each remote
user.
Verisign is a commercial certification authority that issues digital certificates
providing assurance of the identity of an individual.
Many corporate networks used for electronic data interchange (EDI) and funds transfer
have been implemented using either private networks or costly services from
specialized telecommunications network providers. Significant reduction in internal
corporate networking costs can be achieved by using secure, encrypted, Internet
protocol (IP)-level network communications over less expensive public networks, called
secure virtual private networks (SVPN).
Smart cards can be read using conventional contact readers or interrogated remotely by
microwave or infrared signals.
Intrusion detection systems help computer systems prepare for and deal with attacks.
They accomplish this goal by collecting information from a variety of system and
network sources and then analyzing the information for symptoms of security
problems.
A firewall is a network security product that acts as a barrier between two or more
network segments.
The firewall is a system (which consists of one or more components) that provides an
access control mechanism between your network and the network(s) on the other
side(s) of the firewall. A firewall can also provide audit and alarm mechanisms that will
allow you to keep a record of all access attempts to and from your network, as well as a
real-time notification of things that you determine to be important.
SANs are a relatively new methodology for attaching storage, whereby a separate
network (separate from the traditional LAN) connects all storage and servers.
SANs promise the ability to make any-to-any connections among multiple servers and
storage devices. They can create a shared “pool” of storage that can be accessed by
multiple servers through multiple paths, resulting in higher availability—especially
during a network disaster recovery (NDR).
Benefits:
A SAN provides a perfect environment for clustering that can extend to dozens of
servers and storage devices—all the while having redundant links in a fibre channel
fabric. Servers will continue to function because their data is still available through the
SAN, even if storage devices fail during an NDR.
Centralized Management
Scalability
Reliability
Performance
NETWORK DISASTER RECOVERY SYSTEMS
Staff training is clearly the greatest missing link in disaster recovery preparations. The
next most important issue is backing up corporate data more frequently.
The person most frequently cited as being responsible for the management of an NDR
plan is the company’s chief information officer (CIO) or another IT manager.
A majority of companies indicate they review their NDR plans every quarter, but some
companies haven’t reviewed their plans at all.
The purpose of PKI is to provide an environment that addresses today’s business, legal,
network, and security demands for trust and confidentiality in data transmission and
storage.
PKI is a system for supporting digital signatures and document encryption for an
organization.
The banking services are the most popular usage of this technology, which is quickly
spreading over all the applications that need security to be fully operational.
A PKI enables users of an insecure public network such as the Internet to securely and
privately exchange data through the use of a public and a private cryptographic key pair
that is obtained and shared through a trusted authority. The PKI provides for digital
certificates that can identify individuals or organizations and directory services that can
store and, when necessary, revoke them. PKI is the underlying technology that provides
security for the secure sockets layer (SSL) and hyper text transfer protocol secure
sockets (HTTPS) protocols, which are used extensively to conduct secure e-business
over the Internet.
To date, most wireless attacks have happened outside the U.S., in markets where
wireless devices are more widely used. Nevertheless, one virus that did hit U.S.
handhelds was known as the liberty virus.
Some PDA users received what they thought was a program that would allow
them to play a certain game for free, but when they double-clicked on the link, it
launched a virus that erased all the data on the devices.
New types of malicious code have been written that force wireless devices to make
phone calls, because many of them also have telephony capabilities.
One incident in Japan caught the attention of wireless operators and software
companies around the globe. Users of NTT DoCoMo’s
(http://www.nttdocomo.com/) popular I-mode service received an email with
what looked like an embedded Web site link.
When customers clicked on the link, their phones automatically dialed Japan’s
emergency response number. Luckily, they could stop it before it got too bad, but
such code could shut down a 911 system and have serious consequences.
The more capabilities supported by devices, the greater the potential for viruses to
spread between PCs and mobile devices, which could enable viruses to spread very
quickly.
For the sake of public trust in the Internet, an infrastructure must be designed to
support the safe use of land-based communication links or ground stations.
One-way encounter,
Two-way encounter
A two-way transaction first involves some sort of a logon function, in which a user
connects to a service, and then an exchange of information between the user and the
service occurs.
First, the service wants assurance that the user is not an impostor but actually the
person claimed (authenticity). Then, once the service has accepted a user as legitimate
and authorized, both the user and the service may wish to ensure that all information
exchange between them is safe from eavesdropping (confidentiality).
With the public IM networks, the individual employee registers for service. If the
employee leaves a company, the firm has no (technology-based) way to prevent him
from continuing to use the account, or from continuing to represent himself as still
working for the company. Furthermore, without additional tools, the company has no
way of archiving IM messages for legal or regulatory purposes, or of monitoring and
controlling the content of messages to filter for inappropriate communications.
IM management and security systems act as proxies for IM traffic going into the
network, which imposes policies before letting traffic through. Besides addressing
security, this architecture puts the IM management and security vendors in a position to
deal with the pesky problem of the lack of interoperability among networks.
All types of organizations need to develop privacy policies that maximize the benefit of
reusing information in as many ways as possible while minimizing the risks associated
with potential privacy violations.
Business managers must develop and implement an enterprise-wide privacy plan. This
is important because organizations are becoming more dependent on information
systems to manage critical financial data as well as customer records and product data.
It is also important because of increasing regulatory and social pressures concerning the
protection of individual privacy and proprietary corporate information.
The goal here is to provide you with a process to manage privacy in your enterprise.
This is done by giving you basic building blocks to understand the process of
developing, implementing, and monitoring privacy plans, policies, and procedures.
Identity management will help organizations do business and get things done. By
authenticating and authorizing digital identities, an identity management system will
improve administrative productivity while keeping enterprise resources secure, as well
as streamline e-business transactions.
Users will enjoy a more convenient experience, and organizations will benefit from
more efficient processes and expanded business opportunities.
Silo
Closed Community
Federated
In a silo model, each business creates a unique relationship with its customers,
employees, and partners through Internet, intranet, and extranet sites, respectively.
A closed community is one in which a central business unit defines and brokers trust
to all member organizations in the community. An example would be any group of
companies, government agencies, or educational institutions that have banded together
to serve a common user group or to establish an online B2B exchange. From any
member Web site, a user can gain access to the Web sites of other partners.
Identity theft can still be done by such low-tech means as knowing someone else’s basic
identifying information and initiating personal transactions in that person’s name, but
today, identities can also be stolen using highly technical and sophisticated means of
obtaining the personal data of a stranger.
An identity thief who has enough information about you can open a new credit card
account in your name.
Law enforcement officers often find computers, smartphones, and other devices as
they are investigating crimes, gathering other evidence, or making arrests.
These devices can contain information that helps law enforcement officers
determine the chain of events leading to a crime or information providing evidence
that’s more likely to lead to a conviction.
An example case in which computers were involved in a crime:
The police raided a suspected drug dealer’s home and found a desktop computer,
several USB drives (also called “flash drives” or “thumb drives”), a tablet computer,
and a cell phone in a bedroom.
The computer was “bagged and tagged,” meaning it was placed in evidence bags
along with the storage media and then labeled with tags as part of the search and
seizure.
The lead detective on the case wants you to examine the computer and cell phone to
find and organize data that could be evidence of a crime, such as files containing
names of the drug dealer’s contacts, text messages, and photos.
The acquisitions officer gives you documentation of items the investigating officers
collected with the computer, including a list of other storage media, such as
removable disks and flash drives.
The acquisitions officer also notes that the computer is a Windows 8 system, and the
machine was running when it was discovered.
Before shutting down the computer, the acquisitions officer photographs all open
windows on the Windows desktop, including one showing File Explorer, and gives
you the photos. Before shutting down the computer, a live acquisition should be
done to capture RAM, too.
When preparing a case, the standard systems analysis steps are to be applied.
Make an initial assessment about the type of case under investigation—To
assess the type of case, talk to others involved in the case and ask questions about
the incident.
Determine the resources you need - Based on the OS of the computer you’re
investigating, list the software you plan to use for the investigation, noting any other
software, tools, or expert assistance you might need.
Obtain and copy an evidence drive—In some cases, you might be seizing multiple
computers along with CDs, DVDs, USB drives, mobile devices, and other removable
media. Make a forensic copy of the disk.
Identify the risks—List the problems that are normally expected in the case. This
list is known as a standard risk assessment.
Mitigate or minimize the risks — Identify how you can minimize the risks. Make
multiple copies of the original media before starting. Then if you destroy a copy
during the process of retrieving information from the disk, you have additional
copies.
Test the design—Review the decisions made and the steps that are completed.
Compare hash values to ensure that the data has been copied from the original
media correctly.
Analyze and recover the digital evidence—Using the software tools and other
resources examine the disk to find digital evidence.
Investigate the data you recover—View the information recovered from the disk,
including existing files, deleted files, e-mail, and Web history, and organize the files
to help find information relevant to the case.
Complete the case report—Write a complete report detailing what was done and
what was found.
Identifying case requirements involves determining the type of case that is being
investigated.
It requires outlining the case details systematically, including the nature of the case,
the type of evidence available, and the location of evidence.
Example :
Once the requirements of the case have been identified, plan the investigation.
A basic investigation plan should include the following activities:
Acquire the evidence
Complete an evidence form and establish a chain of custody
Transport the evidence to a computer forensics lab
Secure evidence in an approved secure container
Identify the specific steps to gather the evidence, establish a chain of custody, and
perform the forensic analysis.
Use an evidence custody form, also called a chain-of-evidence form, to document
evidence.
An evidence custody form usually contains the following information: ( REFER
PAGE:
Case number—The number your organization assigns when an
investigation is initiated.
Investigating organization—The name of your organization. In large
corporations with global facilities, several organizations might be conducting
investigations in different geographic areas.
Some evidence is small enough to fit into an evidence bag. Other items, such as CPU
cabinets, monitors, keyboards, and printers, are too large.
To secure and catalog the evidence contained in large computer components, use
large evidence bags, tape, tags, labels, and other products available from police
supply vendors or office supply stores.
When gathering products to secure your computer evidence, make sure they are
safe and effective to use on computer components.
Use computer safe products
Antistatic bags
Antistatic pads
Avoid damaging the component or coming into contact with static electricity, which
can destroy digital data.
Securing evidence often requires building secure containers.
Computer components require specific temperature and humidity ranges.
When collecting computer evidence, make sure you have a safe environment for
transporting and storing it until a secure evidence container is available.
Recommended steps
Use the standard forensic analysis techniques
Obtain an electronic copy of the suspect’s and victim’s e-mail
folder or data
For Web-based e-mail investigations, use tools such as FTK’s
Internet Keyword Search option to extract all related e-mail
address information
Examine header data of all messages of interest to the investigation
Staff needed
Computing investigator who is responsible for disk forensic examinations
Technology specialist who is knowledgeable of the suspected compromised
technical data
Network specialist who can perform log analysis and set up network
sniffers
Threat assessment specialist (typically an attorney)
Guidelines
Determine whether this investigation involves a possible industrial
espionage incident
Consult with corporate attorneys and upper management
Interview
Interrogation
Conducting an Investigation
Bit-stream copy
– Bit-by-bit copy of the original storage medium
– Exact copy of the original disk
– Different from a simple backup copy
Backup software only copies known files
Backup software cannot copy deleted files, e-mail messages or
recover file fragments
Bit-stream image
– File containing the bit-stream copy of all data on a disk or partition
– Also known as forensic copy
Copy image file to a target disk that matches the original disk’s manufacturer, size
and model
Click the Source Drive drop-down list, and select the thumb drive
Click the >> button next to the Destination text box
Type your name in the Technician Name text box
ProDiscover Basic then acquires an image of the USB thumb drive
Click OK in the completion message box
Steps
– Start ProDiscover Basic
– Create a new case
– Type the project number
– Add an Image File
DATA ACQUISITION
Digital acquisition is the process of copying data. For computer forensics, it is the task
of collecting digital evidence from electronic media.
Static Acquisitions,
Live Acquisitions.
The process of acquiring data from a USB drive and storing it in a data file. The
acquisition tool used, ProDiscover Basic, performed a bit-by-bit (or sector-by-sector)
copy of the USB drive and wrote it to an image file, which was an exact duplicate of the
source device (the USB drive). The data a forensics acquisition tool collects is stored as
an image file, typically in an open-source or proprietary format.
Raw format,
Proprietary formats, and
Advanced Forensic Format
1. Raw Format
This copy technique creates simple sequential flat files of a suspect drive or data
set. The output of these flat files is referred to as a raw format.
Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
– Validation check must be stored in a separate file
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA-1 or newer)
Cyclic Redundancy Check (CRC-32)
Proprietary formats
Features:
– The option to compress or not compress image files of a suspect drive, thus saving
space on the target drive
– The capability to split an image into smaller segmented files for archiving purposes,
such as to CDs or DVDs, with data integrity checks integrated into each segment
– The capability to integrate metadata into the image file, such as date and time of the
acquisition, hash value (for self-authentication) of the original disk or medium,
investigator or examiner name, and comments or case details
Disadvantages
To determine which acquisition method to use for an investigation, consider the size of
the source (suspect) disk, whether you can retain the source disk as evidence or must
return it to the owner, how much time you have to perform the acquisition, and where
the evidence is located.
The Linux OS has many features that are applicable to digital forensics, especially data
acquisitions.
One unique feature is that Linux can access a drive that isn’t mounted. Physical access
for the purpose of reading data can be done on a connected media device, such as a disk
drive, a USB drive, or other storage devices.
In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire,
external SATA, or even internal PATA or SATA controllers, both OSs automatically
mount and access the drive.
On Windows drives, an acquisition workstation can access and alter data in the Recycle
Bin; on Linux drives, the workstation most likely alters metadata, such as mount point
configurations for an Ext3 or Ext4 drive.
If you need to acquire a USB drive that doesn’t have a write-lock switch, use one of the
forensic Linux Live CDs to access the device.
Several Linux distributions, such as Ubuntu, openSUSE, Arch Linux, Fedora, and
Slackware, provide ISO images that can be burned to a CD or DVD. They’re called “Linux
Live CDs.” Most of these Linux distributions are for Linux OS recovery, not for digital
forensics acquisition and analysis.
The following are some well-designed Linux Live CDs for digital forensics:
Penguin Sleuth (www.linux-forensics.com)
F.I.R.E (http://fire.dmzs.com)
CAINE (www.caine-live.net)
Deft (www.deftlinux.net)
Kali Linux (www.kali.org), previously known as BackTrack
Knoppix (www.knopper.net/knoppix/index-en.html)
SANS Investigate Forensic Toolkit
Linux can read data from a physical device without having to mount it.
You can download these ISO images to any computer, including a Windows system,
and then burn them to CD/DVD with burner software, such as Roxio or Nero.
Creating a bootable image from an ISO file. After creating a Linux Live CD, test it
on your workstation.
To test the Live CD, simply place it in the CD or DVD drive and reboot your system. If
successful, Linux loads into your computer’s memory, and a common GUI for
Linux is displayed. If you have problems with the video display on your
workstation, try another computer with a different video card. No one Live CD
distribution has all video drivers. Linux Live CDs load the OS into a computer’s
RAM, so performance can be affected when you’re using GUI tools.
The dd command, available on all UNIX and Linux distributions, means “data
dump.”
This command, which has many functions and switches, can be used to read and
write data from a media device and a data file.
The dd command isn’t bound by a logical file system’s data structures, meaning the
drive doesn’t have to be mounted for dd to access it.
For example, if you list a physical device name, the dd command copies the entire
device—all data files, slack space, and free space (unallocated data) on the
device.
The dd command creates a raw format file that most forensics analysis tools can
read, which makes it useful for data acquisitions.
The dd command is intended as a data management tool; it’s not designed for
forensics acquisitions.
Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed
a tool that can be added to most UNIX/Linux OSs.
This tool, the dcfldd command, works similarly to the dd command but has many
features designed for forensics acquisitions.
The following are important functions of dcfldd:
o Specify hexadecimal patterns or text for clearing disk space.
o Log errors to an output file for analysis and review.
o Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with
logging and the option of specifying the number of bytes to hash, such as
specific blocks or sectors.
o Refer to a status display indicating the acquisition’s progress in bytes.
o Split data acquisitions into segmented volumes with numeric extensions
(unlike dd’s limit of 99).
o Verify the acquired data with the original disk or media data.
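The raw acquisition described above, with the validation hash kept in a separate file and the image split into segments, is shown here as an added example that is not part of the original notes. It assumes GNU coreutils (dd, split, sha256sum); the function names and the SOURCE file, a constructed stand-in for a write-blocked device node, are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: dd-style raw acquisition with a sidecar hash file.
# SOURCE is a constructed stand-in file; on a real case it would be the
# device node of the suspect drive behind a write-blocker.
set -eu

# Hash stdin and print only the hex digest.
sha256_of() { sha256sum | cut -d' ' -f1; }

# acquire_raw SRC OUTDIR NAME SEGMENT_BYTES
# Writes NAME.raw.aaa, NAME.raw.aab, ... plus NAME.sha256 and NAME.dd.log.
acquire_raw() {
    src=$1 outdir=$2 name=$3 seg=$4
    mkdir -p "$outdir"
    before=$(sha256_of < "$src")
    # conv=noerror,sync: keep going after a read error and pad the failed
    # block with zeros so every later sector stays at its original offset.
    # sync also pads a short final block, so bs must divide the source size
    # (true for whole devices when bs equals the sector size).
    dd if="$src" bs=512 conv=noerror,sync 2>"$outdir/$name.dd.log" |
        split -a 3 -b "$seg" - "$outdir/$name.raw."
    after=$(sha256_of < "$src")
    # The source must hash the same before and after imaging.
    [ "$before" = "$after" ] || { echo "source changed during acquisition" >&2; return 2; }
    # Raw format carries no metadata, so the digest goes in its own file.
    printf '%s\n' "$before" > "$outdir/$name.sha256"
}

# verify_image OUTDIR NAME
# Succeeds only if the reassembled segments hash to the recorded digest.
verify_image() {
    expected=$(cat "$1/$2.sha256")
    actual=$(cat "$1/$2".raw.* | sha256_of)
    [ "$expected" = "$actual" ]
}

# segment_count OUTDIR NAME: number of segment files written.
segment_count() { ls "$1/$2".raw.* | wc -l | tr -d ' '; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SOURCE="$WORK/suspect.dev"

# Constructed data: 300 "sectors" of exactly 512 bytes each (153600 bytes).
awk 'BEGIN { for (i = 0; i < 300; i++) printf "%-511s\n", "constructed sector " i }' > "$SOURCE"
chmod 0444 "$SOURCE"   # read-only, a software gesture toward a write-blocker

acquire_raw "$SOURCE" "$WORK/case" usb01 65536
verify_image "$WORK/case" usb01 && echo "image verified: $(cat "$WORK/case/usb01.sha256")"
echo "segments written: $(segment_count "$WORK/case" usb01)"
```

Any later change to a segment makes verify_image fail, which is the property the separate validation file exists to provide.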
The steps to perform the first task of connecting the suspect’s drive to your workstation:
Document the chain of evidence for the drive you plan to acquire.
Remove the drive from the suspect’s computer.
For IDE drives, configure the suspect drive’s jumpers as needed.
Connect the suspect drive to the USB or FireWire write-blocker device.
Create a storage folder on the target drive. For this activity, you use your work folder
ProDiscover can produce raw format acquisitions that many other forensics tools can
read.
To perform a raw format acquisition, the steps are:
In the Capture Image dialog box select the “UNIX style dd” format in the Image
Format list box.
When you select this option, the input fields at the bottom of the Capture Image
dialog box are grayed out.
To segment the image acquisition, click the Split button.
To initiate the raw acquisition, click OK, and then click Proceed in the warning box.
The raw format creates a log file (.pds extension) and segmented volume files, just like
the proprietary format acquisition.
Connect the target drive to a USB external drive, if you’re using a write-blocker.
Start FTK Imager Lite. If prompted by the User Account Control message box, click
Yes.
In the FTK Imager main window, click File, Create Disk Image from the menu.
In the Select Source dialog box, click the Physical Drive option button, if necessary,
and then click Next.
In the Select Drive dialog box, click the Source Drive Selection list arrow, click the
suspect drive, and then click Finish.
In the Create Image dialog box, click to select the Verify images after they are created
check box, if necessary, and then click Add. In the Select Image Type dialog box that
opens, click the Raw (dd) option button, if necessary, and then click Next.
In the Evidence Item Information dialog box, complete the case information and then
click Next.
In the Select Image Destination dialog box, click Browse, navigate to the location for
the image file (your work folder), and click to clear the Use AD Encryption check box, if
necessary.
In the Image Filename (Excluding Extension) text box, type InChp03-ftk, and then
click Finish.
Next, in the Create Image dialog box, click Start to initiate the acquisition.
When FTK Imager finishes the acquisition, review the information in the
Drive/Image Verify Results dialog box, and then click Close. Click Close again in the
Creating Image dialog box.
Exit FTK Imager Lite by clicking File, Exit from the menu.
Validation techniques
CRC-32, MD5, and SHA-1 to SHA-512
Raid 0
RAID 0 provides rapid access and increased data storage.
In RAID 0, two or more disk drives become one large volume, so the computer
views the disks as a single disk.
The tracks of data on this mode of storage cross over to each disk.
Advantage:
o Increased speed and data storage capability spread over two or more disks that
can be one large disk partition.
Disadvantage:
Lack of redundancy; if a disk fails, data isn’t continuously available.
Raid 1
It is made up of two disks for each volume and is designed for data recovery in the
event of a disk failure.
The contents of the two disks in RAID 1 are identical.
When data is written to a volume, the OS writes the data twice—once to each
disk at the same time.
If one drive fails, the OS switches to the other disk.
Advantages:
Data isn’t lost and helps prevent computer downtime.
Disadvantage:
It takes two disks for each volume, which doubles the cost of disk storage.
Raid 2
It provides rapid access and increased storage by configuring two or more disks
as one large volume.
The difference with RAID 2 is that data is written to disks on a bit level.
An error-correcting code (ECC) is used to verify whether the write is successful.
o RAID 2 has better data integrity checking than RAID 0.
o Because of the bit-level writes and the ECC, however, RAID 2 is slower than RAID 0.
Raid 3
RAID 3 uses data striping and dedicated parity and requires at least three disks.
o RAID 3 stripes tracks across all disks that make up one volume.
o RAID 3 also implements dedicated parity of data to ensure recovery if data is
corrupted.
o Dedicated parity is stored on one disk in the RAID 3 array.
Raid 4
RAID 4 uses data striping and dedicated parity (block writing), except data is
written in blocks rather than bytes.
Raid 5
RAID 5 is similar to RAID 0 and RAID 3 in that it uses distributed data and
distributed parity and stripes data tracks across all disks in the RAID array.
RAID 5 places parity data on each disk.
If a disk in a RAID array has a data failure, the parity on other disks rebuilds the
corrupt data automatically when the failed drive is replaced.
Raid 6
In RAID 6, distributed data and distributed parity (double parity) function the
same way as RAID 5, except each disk in the RAID array has redundant parity.
Advantage:
It recovers any two disks that fail because of the additional parity stored on each
disk.
Raid 10
RAID 10, or mirrored striping, also known as RAID 1 + 0, is a combination of RAID 1
and RAID 0.
It provides fast access and redundancy of data storage.
Raid 15
RAID 15, or mirrored striping with parity, also known as RAID 1+5, is a
combination of RAID 1 and RAID 5.
It offers the most robust data recovery capability and speed of access of all RAID
configurations and is also more costly.
Concerns
o How much data storage is needed?
o What type of RAID is used?
o Do you have the right acquisition tool?
o Can the tool read a forensically copied RAID image?
o Can the tool read split data saves of each RAID disk?
o Older hardware-firmware RAID systems can be a challenge when you’re making
an image.
Vendors offering RAID acquisition functions
o Technology Pathways ProDiscover
o Guidance Software EnCase
o X-Ways Forensics
o Runtime Software
o R-Tools Technologies
Occasionally, a RAID system is too large for a static acquisition
– Retrieve only the data relevant to the investigation with the sparse or logical
acquisition method
Password Protection
Encrypted communications
Secure Communication Protocol
Write Protected Trusted Binaries
Digital Signatures
Remote Acquisition with EnCase Enterprise
R-Tools R-Studio
WetStone LiveWire
F-Response
SnapBack DatArrest
NTI SafeBack
ASRData SMART
Linux forensics analysis tool that can make image files of a suspect drive
Capabilities
o Robust data reading of bad sectors on drives
o Mounting suspect drives in write-protected mode
o Mounting target drives in read/write mode
o Optional compression schemes
CS6004 CYBER FORENSICS UNIT IV
Processing Crime and Incident Scenes – Working with Windows and DOS Systems.
Current Computer Forensics Tools: Software/ Hardware Tools.
Digital evidence can be any information stored or transmitted in digital form. All
digital evidence be printed out to be presented in court.
Groups such as the Scientific Working Group on Digital Evidence (SWGDE) and the
International Organization on Computer Evidence (IOCE) set standards for
recovering, preserving, and examining digital evidence.
The general tasks investigators perform when working with digital evidence:
Identify digital information or artifacts that can be used as evidence.
Collect, preserve, and document evidence.
Analyze, identify, and organize evidence.
Rebuild evidence or repeat a situation to verify that the results can be
reproduced reliably.
Collecting computers and processing a criminal or incident scene must be done
systematically.
To minimize confusion, reduce the risk of losing evidence, and avoid damaging
evidence, only one person should collect and catalog digital evidence at a crime
scene or lab, if practical.
If there’s too much evidence or too many systems to make it practical for one
person to perform these tasks, all examiners must follow the same established
operating procedures, and a lead or managing examiner should control collecting
and cataloging evidence.
You should also use standardized forms for tracking evidence to ensure that you
consistently handle evidence in a safe, secure manner.
An important challenge investigators face today is establishing recognized
standards for digital evidence.
To process a crime scene properly, you must be familiar with criminal rules of
search and seizure.
You should also understand how a search warrant works and what to do when
you process one.
A law enforcement officer can search for and seize criminal evidence only with
probable cause.
A police officer can obtain a search warrant from a judge that authorizes a search
and the seizure of specific evidence related to the criminal complaint.
Without specific evidence and the description of a particular location, a warrant
might be weak and create problems later during prosecution.
Understanding Concepts and Terms Used in Warrants
Limiting Phrase - When you find commingled evidence, judges often issue a
limiting phrase to the warrant, which allows the police to separate innocent
information from evidence. The warrant must list which items can be seized.
The plain view doctrine states that objects falling in the direct sight of an
officer who has the right to be in a location are subject to seizure without a
warrant and can be introduced into evidence.
Preparing for a computer search and seizure is the most important step in
computing investigations.
When the data acquisition is completed, power down the computer and
then cut the IDE and power cables from the target drive.
If the temperature in the contaminated room is higher than 80 degrees,
measures should be taken to avoid damage to the drive from overheating. In
a dry desert region, cooling the target drive is done by using sealed ice packs
or double-wrapped bags of ice so that moisture doesn’t leak out and
damage the drive.
After you collect evidence data, determine whether you need specialized help to
process the incident or crime scene.
When working at high-end computing facilities, identify the applications the
suspect uses, such as Oracle databases.
Recruit an Oracle specialist or site support staff to help extract data for the
investigation.
Develop a training program to educate the specialist in proper investigative
techniques.
An untrained specialist can easily and unintentionally destroy evidence.
Number needed   Tools
1               Small computer toolkit
1               Large-capacity drive
1               IDE ribbon cable (ATA-33 or ATA-100)
1               SATA cable
1               Forensic boot media containing your preferred acquisition utility
1               Laptop IDE 40- to 44-pin adapter, other adapter cables
1               Laptop computer
1               FireWire or USB dual write-protect external bay
1               Flashlight
1               Digital or 35mm camera with film and flash
10              Evidence log forms
1               Notebook or dictation recorder
10              Computer evidence bags (antistatic bags)
20              Evidence labels, tape, and tags
1               Permanent ink marker
10              External USB devices or a portable hard drive
Tools in an initial-response toolkit
An extensive-response field kit should include all the tools you can afford to take
to the field.
Number needed   Tools
1               Initial-response field kit
1               Portable PC with SCSI card for DLT tape drive or suspect’s SCSI drive
2               Electrical power strips
1               Additional hand tools, including bolt cutters, pry bar, and hacksaw
1               Leather gloves and disposable latex gloves (assorted sizes)
1               Hand truck and luggage cart
10              Large garbage bags and large cardboard boxes with packaging tape
1               Rubber bands of assorted sizes
1               Magnifying glass
1               Ream of printer paper
1               Small brush for cleaning dust from suspect’s interior CPU cabinet
10              USB drives of varying sizes
2               External hard drives (200 GB or larger) with power cables
Assorted        Converter cables
5               Additional assorted hard drives for data acquisition
Tools in an extensive-response toolkit
Develop the skills to assess the facts quickly, make your plan, gather the needed
resources, and collect data from the incident or crime scene.
For incidents primarily involving computers, the computers can be a crime scene
within a crime scene, containing evidence to be processed.
The evidence is in the computer, but the courts consider it physical evidence.
Computers can also contain actual physical evidence, such as DNA evidence or
fingerprints on keyboards.
Crime labs can use special vacuums to extract DNA residue from a keyboard to
compare with other DNA samples. In a major crime scene, law enforcement
usually retains the keyboard.
Evidence is commonly lost or corrupted because of professional curiosity, which
involves police officers and other professionals who aren’t part of the crime scene
processing team.
Professional curiosity can destroy or corrupt evidence, including digital evidence.
When working at an incident or crime scene, be aware of what you’re doing and
what you have touched, physically or virtually.
When seizing computer evidence in criminal investigations, follow the U.S. DOJ
standards for seizing digital data.
For civil investigations, follow the same rules of evidence as for criminal
investigation.
In a criminal matter, investigators seize entire drives to preserve as much
information as possible and ensure that no evidence is overlooked. If you have any
questions, doubts, or concerns, consult with your attorney for additional guidance.
It involves:
Preparing to Acquire Digital Evidence
Processing an Incident or Crime Scene
Processing Data Centers with RAID Systems
Using a Technical Advisor
Documenting Evidence in the Lab
Processing and Handling Digital Evidence
Before you collect digital evidence, ask your supervisor or senior forensics
examiner in the organization the following questions:
Do you need to take the entire computer and all peripherals and media in
the immediate area?
How are you going to protect the computer and media while transporting
them to your lab?
Is the computer powered on when you arrive?
Is the suspect you’re investigating in the immediate area of the computer?
Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
Will you have to separate the suspect from the computer?
o Keep a journal
o Secure the scene
o Be professional and courteous with onlookers
o Remove people who are not part of the investigation
o Video record the computer area
o Pay attention to details
o Sketch the incident or crime scene
o Check computers as soon as possible
o Save data from current applications as safely as possible
o Make notes of everything you do when copying data from a live suspect computer
The technique for extracting evidence from large systems is called sparse
acquisition.
This technique extracts only data related to evidence for your case from
allocated files and minimizes how much data you need to analyze.
Drawback: It doesn’t recover data in free or slack space.
Recruit a technical advisor who can help you list the tools you need to process
the incident or crime scene.
At large data centers, the technical advisor is the person guiding you about where
to locate data and helping you extract log records or other evidence from large
RAID servers.
In law enforcement cases, the technical advisor can help create the search
warrant by itemizing what you need for the warrant.
If you use a technical advisor for this purpose, you should list his or her name in the
warrant.
At the scene, a technical advisor can help direct other investigators to collect
evidence correctly.
Technical advisors have the following responsibilities:
Know all aspects of the system being seized and searched.
Direct investigators on how to handle sensitive media and systems to
prevent damage.
Help ensure security of the scene.
Help document the planning strategy for the search and seizure.
Conduct ad hoc training for investigators on the technologies and
components being seized and searched.
Document activities during the search and seizure.
Help conduct the search and seizure.
After you collect digital evidence at the scene, you transport it to a forensics lab,
which should be a controlled environment that ensures the security and integrity
of digital evidence.
In any investigative work, be sure to record your activities and findings as you
work.
Maintain a journal to record the steps you take as you process evidence.
With digital evidence, you need to consider how and on what type of media to
save it and what type of storage device is recommended to secure it.
The media you use to store digital evidence usually depends on how long you need
to keep it.
The ideal media on which to store digital data are CD-Rs or DVDs.
You can also use magnetic tape to preserve evidence data.
The 4-mm DAT magnetic tapes store between 40 and 72 GB or more of data.
DLT systems have been used with mainframe computers for several decades and
are reliable data-archiving systems.
Evidence Retention and Media Storage Needs
To help maintain the chain of custody for digital evidence, restrict access to your
lab and evidence storage area.
When the lab is open for operations, authorized personnel must keep these areas
under constant supervision.
When the lab is closed, at least two security workers should guard evidence
storage cabinets and lab facilities.
The lab should have a sign-in roster for all visitors.
Most labs use a manual log system that an authorized technician maintains when
an evidence storage container is opened and closed.
These logs should be maintained for a period based on legal requirements,
including the statute of limitations, the maximum sentence, and expiration of
appeal periods.
The evidence custody form should contain an entry for every person who handles
the evidence.
Documenting Evidence
An evidence custody form serves the following functions:
Identifies the evidence
Identifies who has handled the evidence
Lists dates and times the evidence was handled
To verify data integrity, different methods of obtaining a unique identity for file
data have been developed.
Methods:
Steps to use the MD5 function in FTK Imager to obtain the digital signature of a
file or an entire drive.
Power on your forensic workstation, booting it to Windows.
Insert a blank, formatted USB drive into your computer.
Next, start Notepad. In a new text file, type This is a test to see how an
MD5 digital hash works.
Click File, Save As from the menu.
Exit Notepad.
Steps to use FTK Imager to determine the MD5 and SHA-1 hash values:
Start FTK Imager.
Click File, Add Evidence Item from the menu. In the Select Source dialog
box, click the Logical Drive option button, and then click Next.
In the Select Drive dialog box, click the Drive Selection list arrow, click your
USB drive in the drop-down list, and then click Finish.
Right-click the USB drive at the upper left and click Verify Drive/Image. Copy
the MD5 and SHA-1 hash values for this file to a text file in Notepad, and
then click Close. Save the text file and then exit Notepad.
In FTK Imager, click File, Remove Evidence Item from the menu.
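The same integrity check outside the GUI, as an added Python example that is not part of the original notes or of FTK Imager: one pass over a stream produces both MD5 and SHA-1, and a copy is accepted only if every digest and the byte count match. The function names, the 1 MiB chunk size and the sample volume (the Notepad sentence from the steps above, padded with zero bytes) are assumptions made for illustration.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole drive image never sits in memory


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=CHUNK):
    """Hash a binary stream once, feeding every chunk to all requested digests."""
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        total += len(block)
        for digest in digests.values():
            digest.update(block)
    result = {name: digest.hexdigest() for name, digest in digests.items()}
    result["bytes"] = total
    return result


def verify_copy(original, copy, **options):
    """Return (match, original hashes, copy hashes, fields that differ)."""
    first = hash_stream(original, **options)
    second = hash_stream(copy, **options)
    differing = [field for field in first if first[field] != second[field]]
    return not differing, first, second, differing


def flip_bit(data, byte_index, bit=0):
    """Return a copy of data with a single bit changed (simulated alteration)."""
    changed = bytearray(data)
    changed[byte_index] ^= 1 << bit
    return bytes(changed)


# Constructed sample: the sentence typed into Notepad in the steps above,
# padded with zero bytes to stand in for the rest of a small volume.
SAMPLE_VOLUME = b"This is a test to see how an MD5 digital hash works." + bytes(4096)

if __name__ == "__main__":
    ok, first, _, _ = verify_copy(io.BytesIO(SAMPLE_VOLUME), io.BytesIO(SAMPLE_VOLUME))
    print("identical copy:", ok, first)
    altered = flip_bit(SAMPLE_VOLUME, 3000)
    ok, _, second, differing = verify_copy(io.BytesIO(SAMPLE_VOLUME), io.BytesIO(altered))
    print("one bit changed:", ok, differing, second)
```
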
REVIEWING A CASE
The following are the general tasks you perform in any computer forensics case:
Identify the case requirements.
Plan your investigation.
Conduct the investigation.
1. Start FTK.
2. In the AccessData FTK Startup dialog box, click the Start a new case option
button, and then click OK.
3. In the New Case dialog box, enter your name as the investigator, case number,
and a suitable case name, and then click Next.
4. Fill out the information in the Forensic Examiner Information dialog box as you
want it to appear in your final report, and then click Next until you reach the
Evidence Processing Options dialog box.
5. In the Refine Case - Default dialog box, click the Include All Items button and then
click Next.
6. In the Refine Index - Default dialog box, accept the default settings, and then click
Next.
7. In the main Add Evidence to Case dialog box, click the Add Evidence button.
8. In the second Add Evidence to Case dialog box, click the Acquired Image of Drive
option button, and then click Continue.
9. In the Open dialog box, navigate to your work folder, click to select the file, and
then click Open.
10. In the Evidence Information dialog box, enter the additional information. Click the
Local Evidence Time Zone list arrow at the bottom, click the suspect’s time zone in
the drop-down list, and then click OK.
11. In the main Add Evidence to Case dialog box, accept the default settings, and then
click Next.
12. In the Case Summary dialog box, click Finish to initiate the analysis.
When FTK finishes cataloging and indexing, the FTK window opens to the Overview
tab. To analyze an image with FTK, click the Explore tab.
After you have selected all files of interest, click Tools, Create Bookmark from the
menu.
After you have bookmarked key files containing possible evidence, click File, Report
Wizard from the menu.
A file system gives an OS a road map to data on a disk. The type of file system an
OS uses determines how data is stored on the disk. A file system is usually directly
related to an OS.
Understanding the Boot Sequence
To ensure that you don’t contaminate or alter data on a suspect’s Windows or DOS
PC, you must know how to access and modify a PC’s Complementary Metal Oxide
Semiconductor (CMOS) and Basic Input/output System (BIOS) settings.
A computer stores system configuration and date and time information in the
CMOS when power to the system is off.
The system BIOS contains programs that perform input and output at the hardware
level.
When a subject’s computer starts, you must make sure it boots to a forensic floppy
disk or CD because booting to the hard disk overwrites and changes evidentiary
data.
To do this, you access the CMOS setup by monitoring the subject’s computer
during the initial bootstrap process to identify the correct key or keys to use.
The bootstrap process is contained in ROM and tells the computer how to
proceed.
As the computer starts, the screen usually displays the key or keys, such as the
Delete key, you press to open the CMOS setup screen.
In Microsoft file structures, sectors are grouped to form clusters, which are
storage allocation units of one or more sectors.
Clusters are typically 512, 1024, 2048, 4096, or more bytes each. Combining sectors
minimizes the overhead of writing or reading files to a disk.
The OS groups one or more sectors into a cluster. The number of sectors in a
cluster varies according to the disk size.
Clusters are numbered sequentially starting at 2 because the first sector of all disks
contains a system area, the boot record, and a file structure database. The
OS assigns these cluster numbers, which are referred to as logical addresses.
Sector numbers are referred to as physical addresses because they reside at the
hardware or firmware level and go from address 0 (the first sector on the disk) to
the last sector on the disk.
Disk Partitions
A partition is a logical drive.
FAT16 does not recognize disks larger than 2 MB, so these disks have to be
partitioned into smaller sections for FAT to recognize the additional space.
Someone who wants to hide data on a hard disk can create hidden partitions or
voids—large unused gaps between partitions on a disk drive. For example,
partitions containing unused space (voids) can be created between the primary
partition and the first logical partition. This unused space between partitions is
called the partition gap.
If data is hidden in a partition gap, a disk editor utility is used to alter information
in the disk’s partition table.
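One way an examiner can check a drive image for the partition gaps described above, as an added Python example that is not part of the original notes: it reads the four primary entries of an MBR partition table and lists every sector range that no partition claims. The sample MBR, its partition sizes and the 1 GiB disk size are constructed; logical partitions inside an extended partition are outside what this sketch covers.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446        # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
# Entry layout: boot flag, CHS start (skipped), type, CHS end (skipped),
# first sector (LBA) and sector count, both little-endian 32-bit values.
ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector0):
    """Return the used primary partition entries, sorted by starting sector."""
    if len(sector0) < SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for slot in range(4):
        raw = sector0[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        boot_flag, ptype, first, count = ENTRY.unpack(raw)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "type": ptype, "active": boot_flag == 0x80,
                      "start": first, "end": first + count - 1})
    return sorted(parts, key=lambda p: p["start"])


def find_gaps(parts, disk_sectors, min_gap=1):
    """List (first, last) sector ranges not covered by any partition."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for part in parts:
        if part["start"] - cursor >= min_gap:
            gaps.append((cursor, part["start"] - 1))
        cursor = max(cursor, part["end"] + 1)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed MBR: a FAT16 and an NTFS partition with a void between them."""
    entries = [
        ENTRY.pack(0x80, 0x06, 63, 409600),       # sectors 63 .. 409662
        ENTRY.pack(0x00, 0x07, 819200, 1228800),  # sectors 819200 .. 2047999
        bytes(16),
        bytes(16),
    ]
    return bytes(TABLE_OFFSET) + b"".join(entries) + SIGNATURE


DISK_SECTORS = 2097152  # constructed 1 GiB disk

if __name__ == "__main__":
    partitions = parse_mbr(build_sample_mbr())
    for first, last in find_gaps(partitions, DISK_SECTORS):
        size = (last - first + 1) * SECTOR
        print(f"unallocated sectors {first}-{last} ({size} bytes)")
```

Each reported range can then be opened in a disk editor at the given sector offsets to see whether it holds data rather than zeros.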
Steps to identify file headers to identify file types with or without an extension using
Hex Workshop:
To open a bitmap file on your computer, click File, Open from the HexWorkshop
menu.
Navigate to a folder containing a bitmap (.bmp) file, and then double-click the
.bmp file. For .bmp files, it shows “BM6,” “BM,” or “BMF.”
To open a Word document, click File, Open from the menu. Navigate to a folder
containing a Word document (.doc) file, and then double-click the .doc file.
Exit Hex Workshop.
In FAT32 file systems, cluster sizes are determined by the OS. Clusters can range from
1 sector consisting of 512 bytes to 128 sectors of 64 KB.
Microsoft OSs allocate disk space for files by clusters. This practice results in drive
slack, composed of the unused space in a cluster between the end of an active file
and the end of the cluster.
When you run out of room for an allocated cluster, the OS allocates another
cluster for your file, which creates more slack space on the disk.
As files grow and require more disk space, assigned clusters are chained together.
The chain can be broken or fragmented.
When the OS stores data in a FAT file system, it assigns a starting cluster position
to a file.
o Data for the file is written to the first sector of the first assigned cluster.
o When this first assigned cluster is filled and runs out of room, FAT assigns the
next available cluster to the file.
o If the next available cluster isn’t contiguous to the current cluster, the file
becomes fragmented.
When a file is deleted in Windows Explorer or with the MS-DOS Delete command,
the OS inserts a HEX E5 (0xE5), which many hex-editing programs reflect as the
lowercase Greek letter sigma (σ) in the filename’s first letter position in the FAT
database.
The sigma symbol tells the OS that the file is no longer available and a new file can
be written to the same cluster location.
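The deletion marker and the slack space described above, shown together in an added Python example that is not part of the original notes: it walks 32-byte FAT directory entries, flags those whose first name byte is 0xE5, and computes how many clusters each file occupies and how much slack is left in the last one. The directory contents, file names, sizes and the 2048-byte cluster size are constructed; in this sample only the first byte of a deleted entry is overwritten, and the missing first letter is printed as `?`.

```python
import struct

# 32-byte FAT directory entry: name, extension, attributes, high and low
# words of the starting cluster, and file size (timestamps are skipped).
ENTRY = struct.Struct("<8s3sB8xH4xHI")
DELETED = 0xE5       # first name byte of a deleted entry
END_OF_DIR = 0x00    # first name byte of a never-used entry
ATTR_LFN = 0x0F      # long-file-name fragment, not a file of its own


def make_entry(name, ext, size, cluster, deleted=False):
    """Build one constructed directory entry for the sample below."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode("ascii"),
                               ext.ljust(3).encode("ascii"),
                               0x20, cluster >> 16, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED  # what the OS does to the first letter on deletion
    return bytes(raw)


def parse_directory(raw, cluster_size):
    """Decode directory entries up to the end marker, including deleted ones."""
    records = []
    for offset in range(0, len(raw) - len(raw) % 32, 32):
        chunk = raw[offset:offset + 32]
        if chunk[0] == END_OF_DIR:
            break  # no entries were ever written past this point
        name, ext, attr, high, low, size = ENTRY.unpack(chunk)
        if attr & 0x3F == ATTR_LFN:
            continue
        deleted = chunk[0] == DELETED
        stem = name[1:] if deleted else name
        text = ("?" if deleted else "") + stem.decode("ascii", "replace").rstrip()
        extension = ext.decode("ascii", "replace").rstrip()
        clusters = -(-size // cluster_size)  # ceiling division
        records.append({
            "name": text + ("." + extension if extension else ""),
            "deleted": deleted,
            "start_cluster": (high << 16) | low,
            "size": size,
            "clusters": clusters,
            "slack": clusters * cluster_size - size,
        })
    return records


# Constructed directory: two live files, one deleted file, the end marker,
# and a stale entry after the marker that a parser must not report.
SAMPLE_DIR = b"".join([
    make_entry("REPORT", "DOC", 5000, 5),
    make_entry("LETTER", "TXT", 700, 9, deleted=True),
    make_entry("BUDGET", "XLS", 4096, 12),
    bytes(32),
    make_entry("STALE", "TMP", 10, 20),
])

if __name__ == "__main__":
    for record in parse_directory(SAMPLE_DIR, cluster_size=2048):
        state = "DELETED" if record["deleted"] else "active"
        print(f"{record['name']:<12} {state:<8} cluster {record['start_cluster']:<4}"
              f" size {record['size']:<6} slack {record['slack']}")
```
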
New Technology File System (NTFS) was introduced when Microsoft created
Windows NT and is the primary file system for Windows Vista.
Features :
NTFS provides more information about a file, including security features, file
ownership, and other file attributes.
NTFS is a journaling file system. The journaling feature records a
transaction before the system carries it out. That way, in a power failure or
other interruption, the system can complete the transaction or go back to
the last good setting.
In NTFS, everything written to the disk is considered a file. On an NTFS disk,
the first data set is the Partition Boot Sector, which starts at sector
of the disk and can expand to 16 sectors.
After the Partition Boot Sector is the Master File Table (MFT). The MFT is
the first file on the disk.
An MFT file is created at the same time a disk partition is formatted
as an NTFS volume and usually consumes about 12.5% of the disk
when it’s created. As data is added, the MFT can expand to take up
50 % of the disk.
Advantages:
Because everything on an NTFS disk is a file, the first file, the MFT, contains
information about all files on the disk, including the system files the OS uses.
In the MFT, the first 15 records are reserved for system files. Records in the MFT
are referred to as metadata.
In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes
each.
Each record contains file or folder information. This information is divided into
record fields containing metadata about the file or folder and the file’s data or links
to the file’s data.
A record field is referred to as an attribute ID.
File or folder information is typically stored in one of two ways in an MFT record:
resident and nonresident.
For very small files, about 512 bytes or less, all file metadata and data are stored
in the MFT record. These types of records are called resident files because all their
information is stored in the MFT record.
Files larger than 512 bytes are stored outside the MFT. The file or folder’s MFT
record provides cluster addresses where the file is stored on the drive’s partition.
These cluster addresses are referred to as data runs. This type of MFT record is
called nonresident because the file’s data is stored in its own separate file outside
the MFT.
When a disk is created as an NTFS file structure, the OS assigns logical clusters to
the entire disk partition. These assigned clusters, called logical cluster numbers
(LCNs), are sequentially numbered from the beginning of the disk partition, starting
with the value 0.
When data is initially written to nonresident files, an LCN address is assigned to
the MFT (attribute 0x80 field); it’s the first data run for a nonresident file. If the
file can’t be stored contiguously on the disk, another data run is added.
The second and all other data runs have a virtual cluster number (VCN) assigned.
o A VCN is the offset position from the previous LCN value in the data run.
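How a run list in the 0x80 attribute of a nonresident file decodes into cluster addresses, as an added Python example that is not part of the original notes: each run starts with a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the offset field, and every offset after the first is a signed value relative to the previous run's LCN. The run-list bytes are constructed for illustration, and the function names are hypothetical.

```python
def decode_data_runs(raw):
    """Decode an NTFS run list into runs with starting VCN, LCN and length."""
    runs = []
    pos = 0
    vcn = 0   # position of the run inside the file, in clusters
    lcn = 0   # position of the run on the volume, in clusters
    while pos < len(raw) and raw[pos] != 0x00:   # 0x00 ends the list
        header = raw[pos]
        length_size = header & 0x0F
        offset_size = header >> 4
        pos += 1
        if length_size == 0 or pos + length_size + offset_size > len(raw):
            raise ValueError("truncated or malformed data run")
        length = int.from_bytes(raw[pos:pos + length_size], "little")
        pos += length_size
        if offset_size == 0:
            start = None  # sparse run: part of the file, but no clusters on disk
        else:
            # Offsets are signed: a later run may sit earlier on the volume.
            lcn += int.from_bytes(raw[pos:pos + offset_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("data run points before the start of the volume")
            start = lcn
        pos += offset_size
        runs.append({"vcn": vcn, "lcn": start, "clusters": length})
        vcn += length
    return runs


def vcn_to_lcn(runs, vcn):
    """Map a cluster number inside the file to its cluster on the volume."""
    for run in runs:
        if run["vcn"] <= vcn < run["vcn"] + run["clusters"]:
            return None if run["lcn"] is None else run["lcn"] + (vcn - run["vcn"])
    raise ValueError("VCN is beyond the end of the file")


def byte_ranges(runs, cluster_size):
    """Volume byte ranges (offset, length) to read when carving the file."""
    return [(run["lcn"] * cluster_size, run["clusters"] * cluster_size)
            for run in runs if run["lcn"] is not None]


# Constructed run list for a fragmented file:
#   21 18 34 56   24 clusters at LCN 0x5634 (22068)
#   11 30 60      48 clusters, 96 clusters after the previous run's start
#   21 10 00 FF   16 clusters, 256 clusters before the previous run's start
#   01 08          8 sparse clusters (no offset field)
#   00            end of list
SAMPLE_RUNS = bytes.fromhex("21183456" "113060" "211000FF" "0108" "00")

if __name__ == "__main__":
    decoded = decode_data_runs(SAMPLE_RUNS)
    for run in decoded:
        print(run)
    print(byte_ranges(decoded, cluster_size=4096))
```
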
From a Windows NT and later command prompt, you can create a data stream
with this MS-DOS command:
C:\echo text_string > myfile.txt:stream_name
In the command, the data stream is defined in the MFT by the colon between
the file extension and the data stream label.
To display a data stream’s content as a simple text string, use this command:
C:\more < myfile.txt:stream1
NTFS Compressed Files
The current whole disk encryption tools offer the following features:
Preboot authentication
Full or partial disk encryption with secure hibernation
Advanced encryption algorithms
Key management function
A Trusted Platform Module (TPM) microchip to generate encryption keys
and authenticate logins
The whole disk encryption tools encrypt each sector of a drive separately.
o Many of these tools encrypt the drive’s boot sector to prevent any efforts to
bypass the secured drive’s partition.
o To examine an encrypted drive, decrypt it first
Run a vendor-specific program to decrypt the drive
Microsoft’s utility for protecting drive data is called BitLocker, available only with
Vista Enterprise and Ultimate editions.
It can be used on PCs, laptops, and removable media to secure an entire disk
volume. This tool works in Windows 2000, XP Professional (SP1 and SP2),
and Mac OS X 10.4 and can also encrypt FAT volumes.
Voltage SecureDisk
It is designed for an enterprise computing environment.
Utimaco SafeGuard Easy
Provides whole disk encryption for NTFS and FAT file systems.
Jetico BestCrypt Volume Encryption
Provides whole disk encryption for older MS-DOS and Windows NTFS
systems.
SoftWinter Sentry 2020 for Windows XP
It doesn’t encrypt the entire drive. To secure data, it creates a virtual drive
saved to a large data file.
Registry
A database that stores hardware and software configuration information,
network connections, user preferences, and setup information
Registry Terminologies
text box, type system.dat and user.dat. Under Select the Disk(s)/Image(s) you
want to search in, click the image file and then click OK.
In the search results, click the check box next to the SYSTEM.DAT file. When the
Add Comment dialog box opens, type Registry files to extract, click the Apply
to all items check box, and then click OK .
Click the check box next to the USER.DAT file, and then click Tools, Copy
Selected Files from the menu. In the Choose Destination dialog box, click
Browse. In the Browse for Folder dialog box, navigate to and click your work
folder, and then click OK. Click OK again in the Choose Destination dialog box.
Exit ProDiscover Basic.
All NTFS computers perform the following steps when the computer is turned on:
Power-on self test (POST)
Initial startup
Boot loader
Hardware detection and configuration
Kernel loading
User logon
The startup files for Windows XP are located in the root folder of the system
partition.
The NT Loader (Ntldr) file loads the OS.
When the system is powered on, Ntldr reads the Boot.ini file, which displays a
boot menu.
After you select the mode to boot to, Boot.ini runs Ntoskrnl.exe and reads
Bootvid.dll, Hal.dll, and startup device drivers.
Boot.ini specifies the Windows XP path installation and contains options for
selecting the Windows version.
If a system has multiple boot OSs, including older ones such as Windows 9x or
DOS, Ntldr reads BootSect.dos (a hidden file), which contains the address (boot
sector location) of each OS.
When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode
program that queries the system for device and configuration data, and then
passes its findings to Ntldr.
This program identifies components and values on the computer system, such as
the following:
CMOS time and date value
Buses attached to the motherboard, such as Industry Standard Architecture
(ISA) or Peripheral Component Interconnect (PCI)
Disk drives connected to the system
Mouse input devices connected to the system
Parallel ports connected to the system
NTBootdd.sys is the device driver that allows the OS to communicate with SCSI or
ATA drives that aren’t related to the BIOS.
Hal.dll is the Hardware Abstraction Layer (HAL) dynamic link library, located in the
%system-root%\Windows\System32 folder. The HAL allows the OS kernel to
communicate with the computer’s hardware.
Device drivers contain instructions for the OS for hardware devices, such as the
keyboard, mouse, and video card, and are stored in the
%system-root%\Windows\System32\Drivers folder.
Acquisition
Validation and discrimination
Extraction
Reconstruction
Reporting
1. Acquisition
Acquisition, the first task in computer forensics investigations, is making a
copy of the original drive.
This preserves the original drive and makes sure it doesn’t become corrupted, which
would damage the digital evidence.
Sub functions :
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
– Remote acquisition
– Verification
Two types of data-copying methods are used in software acquisitions:
– Physical copying of the entire drive and
– Logical copying of a disk partition.
Most software acquisition tools include the option of imaging an entire physical
drive or just a logical partition. One reason to choose a logical acquisition is drive
encryption.
All computer forensics acquisition tools have a method for verification of the data-
copying process that compares the original drive with the image.
Software computer forensics acquiring tools:
– AccessData FTK and
– EnCase
3. Extraction
4. Reconstruction
To re-create a suspect drive to show what happened during a crime or an incident.
Sub functions :
– Disk-to-disk copy
– Image-to-disk copy
– Partition-to-partition copy
– Image-to-partition copy
Disk-to-disk copy
– The simplest method of duplicating a drive is using a tool that makes a direct
disk-to-disk copy from the suspect drive to the target drive.
Example : UNIX/Linux dd command
– Disadvantage : The target drive being written to must be identical to the
original (suspect) drive, with the same cylinder, sector, and track count.
– For a disk-to-disk copy, both hardware and software duplicators are used.
– Hardware duplicators are the fastest way to copy data from one disk to
another.
Example :
Logicube Talon,
Logicube Forensic MD5, and
ImageMASSter Solo III Forensics Hard Drive Duplicator
– Software duplicators are slower than hardware duplicators.
Example :
SnapBack,
SafeBack,
EnCase, and
X-Ways Forensics.
Image-to-disk and Image-to-partition copies
– The following are some tools that perform an image-to-disk copy:
SafeBack
SnapBack
EnCase
FTK Imager
ProDiscover
X-Ways Forensics
5. Reporting
To complete a forensics disk analysis and examination, you need to create a report.
Sub functions:
– Log reports
– Report generator
The following tools offer report generators displaying bookmarked evidence:
– EnCase
– FTK
– ILook
– X-Ways Forensics
– ProDiscover
The log report can be added to your final report as additional documentation of the
steps you took during the examination, which can be useful if repeating the
examination is necessary.
For a case that requires peer review, log reports confirm what activities were
performed and what results were found in the original analysis and examination.
The first tools that analyzed and extracted data from floppy disks and hard disks
were MS-DOS tools for IBM PC file systems.
Example:
SMART,
BackTrack,
Autopsy with Sleuth Kit, and
Knoppix-STD.
SMART
SMART is designed to be installed on numerous Linux versions, including
Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more.
You can analyze a variety of file systems with SMART.
BackTrack
It includes a variety of tools and has an easy-to-use KDE interface.
Forensic Workstations
Using a Write-Blocker
Hardware write-blockers
You can connect the evidence drive to your workstation and start the OS as
usual.
Hardware write-blockers are ideal for GUI forensics tools.
They prevent Windows or Linux from writing data to the blocked drive.
Hardware write-blockers act as a bridge between the suspect drive and the
forensic workstation.
NIST has created criteria for testing computer forensics tools, which are included in
the article “General Test Methodology for Computer Forensic Tools”.
The criteria are:
Establish categories for computer forensics tools—Group computer
forensics software according to categories, such as forensics tools
designed to retrieve and trace e-mail.
Identify computer forensics category requirements—For each
category, describe the technical features or functions a forensics tool
must have.
Develop test assertions—Based on the requirements, create tests
that prove or disprove the tool’s capability to meet the requirements.
Identify test cases—Find or create types of cases to investigate with
the forensics tool, and identify information to retrieve from a sample
drive or other media.
Establish a test method—Considering the tool’s purpose and design,
specify how to test it.
Report test results—Describe the test results in a report that
complies with ISO 17025, which requires accurate, clear,
unambiguous, and objective test reports.
To satisfy the need for verification, you need at least two tools to validate software
or hardware upgrades. The tool you use to validate the results should be well
tested and documented.
First, conduct your investigation of the digital evidence with one GUI tool.
Then perform the same investigation with a disk editor to verify that the GUI tool is
seeing the same digital evidence in the same places on the test or suspect drive’s
image.
If a file is recovered, obtain the hash value with the GUI tool and the disk editor,
and then compare the results to verify whether the file has the same value in both
tools.
You should test all new releases and OS patches and upgrades to make sure they’re
reliable and don’t corrupt evidence data.
New releases and OS upgrades and patches can affect the way your forensics tools
perform.
If you determine that a patch or upgrade isn’t reliable, don’t use it on your forensic
workstation until the problem has been fixed.
If you have a problem, such as not being able to read old image files with the new
release or the disk editor generating errors after you apply the latest service pack, you
can file an error report with the vendor.
One of the best ways to test patches and upgrades is to build a test hard disk to store
data in unused space allocated for a file, also known as file slack.
You can then use a forensics tool to retrieve it. If you can retrieve the data with that
tool and verify your findings with a second tool, you know the tool is reliable.
files In criminal cyber stalking cases contact the ISP and email service
• Steps:
• Use a recently wiped target disk that has been reformatted and inspected for computer
viruses
• Remove the original disk and check date and time on CMOS
• ProDiscover’s .eve files contain metadata that includes the hash value
• When an image file is loaded in ProDiscover, it is hashed and then compared to the hash
value stored in the metadata.
• If the hashes don’t match, the acquisition cannot be considered reliable evidence.
• Raw format image files (.dd extension) don’t contain metadata, so validate them
manually to ensure integrity.
• Hash values can also be used to check if the image file has been corrupted.
• In AccessData FTK Imager, when .e01 or .s01 format files are selected, additional options for
validation are available.
• When the image file is loaded using any tool such as FTK, SMART, or X-Ways Forensics, the
MD5 value is compared and verified.
• A partition gap in Windows is created automatically, but a gap of larger size is cause for
investigation.
Example:
• The partition gap in Windows 2000/XP is 63 sectors, so 109.8 MB is too large to be a standard
partition gap. In Vista the gap is 128 sectors.
• Hidden partitions are shown as Unknown Partitions.
• The drive letters are nonconsecutive, which is another clue to a hidden partition.
• In ProDiscover hidden partition appears as the highest available drive letter set in the BIOS
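The gap check described above, as an added example that is not part of the original notes: it reads the four primary entries of an MBR, measures the unallocated sectors in front of each partition, and flags any gap larger than the 63- and 128-sector values given in the text. The sample MBR is constructed, with its second gap sized to the 109.8 MB case (taken here as MiB, an assumption).

```python
import struct

SECTOR_SIZE = 512
# Standard gaps quoted in the notes: 63 sectors (Windows 2000/XP), 128 (Vista).
STANDARD_GAPS = (63, 128)


def parse_mbr(sector0: bytes):
    """Return (type, start_lba, sector_count) for each used primary entry."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        offset = 446 + 16 * i                  # partition table starts at byte 446
        ptype = sector0[offset + 4]            # partition type byte
        start, count = struct.unpack_from("<II", sector0, offset + 8)
        if ptype != 0 and count != 0:          # type 0 marks an unused slot
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])


def partition_gaps(parts, threshold=max(STANDARD_GAPS)):
    """Measure the unallocated run in front of each partition."""
    findings, prev_end = [], 0
    for ptype, start, count in parts:
        gap = start - prev_end
        findings.append({
            "next_partition_type": hex(ptype),
            "gap_first_sector": prev_end,
            "gap_sectors": gap,
            "gap_mib": round(gap * SECTOR_SIZE / 2**20, 1),
            # Oversized gaps may hold a hidden partition; negative gaps mean overlap.
            "investigate": gap > threshold or gap < 0,
        })
        prev_end = start + count
    return findings


def build_sample_mbr(entries):
    """Constructed test input: an MBR sector holding only a partition table."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed layout: NTFS (0x07) at LBA 63, then a second NTFS partition
# placed 224,870 sectors (about 109.8 MiB) after the first one ends.
SAMPLE_MBR = build_sample_mbr([(0x07, 63, 1_000_000),
                               (0x07, 1_224_933, 500_000)])

if __name__ == "__main__":
    for finding in partition_gaps(parse_mbr(SAMPLE_MBR)):
        print(finding)
```

To run it against evidence, pass the first 512 bytes of a verified working copy of the image to `parse_mbr`.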
3. Bit-shifting
• Old technique, uses Assembly language to create a low level encryption program that
changes the order of binary data
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
Bit-shifting changes data from readable code to data that looks like binary executable code. Hex
Workshop includes a feature for shifting bits and altering byte patterns of entire files or specified data.
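From the examiner's side, a bit-shifted file can be tested by undoing each possible shift and checking whether the result becomes readable. The following is an added example, not from the original notes; it assumes the simplest variant, a circular shift (rotation) applied to every byte, and the sample data is constructed.

```python
import string

PRINTABLE = set(string.printable.encode())


def rotate_left(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (circular, so no bits are lost)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; text scores close to 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_rotation(data: bytes, min_ratio: float = 0.95):
    """Try the seven non-trivial rotations and keep the most readable result.

    Returns (rotation_applied, recovered_bytes), or None when no rotation
    yields text-like data (the file may be genuine binary, or hidden with
    a different method).
    """
    best = max(range(1, 8), key=lambda n: printable_ratio(rotate_left(data, n)))
    candidate = rotate_left(data, best)
    if printable_ratio(candidate) >= min_ratio:
        return best, candidate
    return None


# Constructed sample: readable text that was rotated left by 3 bits per byte.
SAMPLE_TEXT = b"Meeting at the warehouse, 10 pm. Bring the ledger.\n"
HIDDEN = rotate_left(SAMPLE_TEXT, 3)

if __name__ == "__main__":
    print("as found :", HIDDEN[:16].hex(), "ratio", round(printable_ratio(HIDDEN), 2))
    print("recovered:", recover_rotation(HIDDEN))
```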
4. Using Steganography
• Greek for “hidden writing”
• Steganography tools were created to protect copyrighted material
– By inserting digital watermarks into a file
• Suspect can hide information on image or text document files
– Most steganography programs can insert only small amounts of data into a file
• Very hard to spot without prior knowledge
• Tools: S-Tools, DPEnvelope, jpgx, and tte
• To help identify steganography files, use the following list as a guideline:
1. Locate the last modified date by checking the steganography tool’s timestamp.
2. Look for files that appear as both a .bmp and a .jpg file, which might indicate files that
started out in one format and then were modified (perhaps by a steganography tool) and
saved in another format.
3. Generate a list of all files with a date and time equal to or after the last modified date of
the steganography tool, and then examine each file in the generated listing.
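Steps 2 and 3 of this guideline can be scripted. This is an added example, not from the original notes: it lists files modified at or after the steganography tool's timestamp and finds names present as both .bmp and .jpg. The file listing and the tool path are constructed, and `list_files` assumes the image is mounted read-only.

```python
import os
from collections import defaultdict
from datetime import datetime


def list_files(root):
    """Walk a read-only mounted image and return (path, mtime) pairs."""
    listing = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            listing.append((path, datetime.fromtimestamp(os.stat(path).st_mtime)))
    return listing


def modified_since_tool(listing, tool_path):
    """Step 3: files dated at or after the tool's last-modified time."""
    tool_time = dict(listing)[tool_path]
    return sorted(p for p, t in listing if t >= tool_time and p != tool_path)


def dual_format_names(listing, exts=(".bmp", ".jpg")):
    """Step 2: base names that exist with every extension in exts."""
    seen = defaultdict(set)
    for path, _mtime in listing:
        stem, ext = os.path.splitext(os.path.basename(path))
        seen[stem.lower()].add(ext.lower())
    return sorted(stem for stem, found in seen.items() if set(exts) <= found)


# Constructed listing standing in for list_files("/mnt/evidence").
TOOL = "/mnt/evidence/tools/s-tools.exe"
SAMPLE_LISTING = [
    (TOOL,                              datetime(2010, 3, 1, 10, 0)),
    ("/mnt/evidence/docs/notes.txt",    datetime(2010, 1, 5, 9, 30)),
    ("/mnt/evidence/pics/beach.bmp",    datetime(2010, 2, 10, 14, 0)),
    ("/mnt/evidence/pics/beach.jpg",    datetime(2010, 3, 2, 8, 15)),
    ("/mnt/evidence/pics/boat.jpg",     datetime(2010, 3, 1, 10, 0)),
]

if __name__ == "__main__":
    print("examine:", modified_since_tool(SAMPLE_LISTING, TOOL))
    print("both formats:", dual_format_names(SAMPLE_LISTING))
```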
5. Recovering Passwords
• Password recovery is a fairly easy task in computer forensics analysis.
• Several password cracking tools are available, such
as AccessData PRTK,
NTI Advanced Password Recovery Software Toolkit, and
John the Ripper
• Techniques used are
– Dictionary attack
– Brute-force attack
– Password guessing based on suspect’s profile
• Using AccessData tools with passworded and encrypted files
– AccessData offers a tool called Password Recovery Toolkit (PRTK)
• Can create possible password lists from many sources
• Can create your own custom dictionary based on facts in the case
• Can create a suspect profile and use biographical information to generate
likely passwords
Remote acquisitions are useful for making an image of a drive when the computer is far away from
your location or when you don’t want a suspect to be aware of an ongoing investigation.
• In the Remote dialog box, type the suspect computer’s IP address in the IP of host text
box and then click the Connect button.
The Runtime tools don’t generate a hash for acquisitions; therefore, you need to use another tool,
such as Hex Workshop or FTK, to calculate a hash value for the validation.
1. Securing a Network
Steps must be taken to harden networks before a security breach occurs. Hardening includes a
range of tasks such as
Applying the latest patches
Using layered network defense strategy
Defense in depth (DID)
Patches - A patch is a piece of software designed to update a computer program or its
supporting data, to fix or improve it. This includes fixing security vulnerabilities.
Layered Network defense strategy sets up layers of protection to hide most valuable data at
the innermost part of the network.
Defense in Depth strategy approach was developed by NSA (National Security Agency) and
has three modes of protection.
1. People
2. Technology
3. Operations
If one mode fails, others can be used to thwart (prevent) the attack.
People: Organizations must hire well-qualified people and treat them well. Employees should be
trained adequately in security procedures and be familiar with the organization’s security policy.
Technology: It includes choosing strong network architecture and using tested tools such as
Intrusion Detection Systems
Firewalls
Operations: addresses day to day operations
Updating security patches
Antivirus software & OS
Assessment & Monitoring procedures
Disaster Recovery Plans
Order of Volatility (OOV) indicates how long a piece of information lasts on a system.
Data in RAM or in a running process lasts only a few
milliseconds. Data in files on the hard drive lasts for years.
Tcpdump: Program can be used to examine network traffic. The sample output is as below.
TCP log from 2016-08-20 15:06:33 to 2016-08-29-16:15:06:33
Sat Aug 20 15:06:33 2016, TCP, eth 0, 1296 bytes from 132.147.179.10:1916 to 132.149.83.16:126
The first line of the output is the header.
The remaining lines follow the format time, protocol, interface, size, source, and destination.
The output shows that data was transmitted on Aug 20th 2016, at 15:06:33. It was a TCP
packet of 1296 bytes sent via the Ethernet 0 interface. The packet was sent from
132.147.179.10:1916 to the destination 132.149.83.16:126, where the
number after the colon is the port number.
Port Numbers above 1024 should raise a flag.
Using a network analysis tool such as Ethereal, a list of the top 10 users or top 10 Web sites can
be generated, along with the bytes transferred.
These network logs can show patterns such as an employee transmitting data to or from a particular
IP address frequently. Further investigation of the IP address could show that the employee is
accessing an online shopping site during company time.
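The log format described above (time, protocol, interface, size, source, destination) can be parsed and summarized in a few lines. This is an added example, not from the original notes: it applies the port rule stated above and totals bytes per source address for a top-talkers list. The first record is the sample line from the text; the other three are constructed.

```python
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}), (?P<proto>\w+), "
    r"(?P<iface>[\w ]+?), (?P<size>\d+) bytes from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn each record line into a dict; the header line is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or anything not in record format
        records.append({
            "when": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
            "proto": m["proto"],
            "iface": m["iface"],
            "size": int(m["size"]),
            "src": m["src"], "src_port": int(m["sport"]),
            "dst": m["dst"], "dst_port": int(m["dport"]),
        })
    return records


def high_port_records(records, limit=1024):
    """Records where either port is above the limit named in the notes."""
    return [r for r in records if max(r["src_port"], r["dst_port"]) > limit]


def top_talkers(records, n=10):
    """Total bytes sent per source address, largest first."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["size"]
    return totals.most_common(n)


# Header and first record are from the text; the remaining lines are constructed.
SAMPLE_LOG = """\
TCP log from 2016-08-20 15:06:33 to 2016-08-29-16:15:06:33
Sat Aug 20 15:06:33 2016, TCP, eth 0, 1296 bytes from 132.147.179.10:1916 to 132.149.83.16:126
Sat Aug 20 15:06:41 2016, TCP, eth 0, 512 bytes from 132.147.179.22:80 to 132.149.83.16:443
Sat Aug 20 15:07:02 2016, TCP, eth 0, 4096 bytes from 132.147.179.10:1916 to 132.149.83.16:126
Sat Aug 20 15:07:15 2016, TCP, eth 0, 300 bytes from 132.147.179.31:25 to 132.149.83.40:6667
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(high_port_records(recs)), "records with a port above 1024")
    print(top_talkers(recs))
```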
• The Auditor
– Robust security tool whose logo is a Trojan warrior
– Based on Knoppix and contains more than 300 tools for network scanning, brute-force
attacks, Bluetooth and wireless networks, and more
– Includes forensics tools, such as Autopsy and Sleuth
– Easy to use and frequently updated
Other Tools:
Tcpslice is a good tool for extracting information from large Libpcap files; you simply specify
the time frame you want to examine. It’s also capable of combining files.
Tcpreplay is a suite of tools used to replay network traffic recorded in
Libpcap format; this information can be used to test network devices, such as IDSs, switches,
and routers.
Tcpdstat works close to real time to generate Libpcap statistics and break packets down by
protocol so that you can get a quick overall view of network traffic, including average and
maximum transfer rates.
Ngrep can be used to examine e-mail headers or IRC logs. It collects and hashes data for
verification.
Ethereal can be used in a real-time environment to open saved trace files from packet
captures and to rebuild sessions.
To use this feature, right click a frame in the upper pane and click Follow TCP
stream. Ethereal then traces the packets associated with an exploit.
5. After the trace has been loaded, scroll through the upper pane until you see a TCP frame.
6. Right-click the frame and click Follow TCP stream.
o Awareness - make people and organizations aware that threats exist and they might
be targets
Distributed denial-of-service (DDoS) attacks: A type of DoS attack in which other online
machines are used, without the owners’ knowledge, to launch an attack. In DDoS attacks,
hundreds or even thousands of machines can be used. These machines are known as
zombies because they have accidentally become part of the attack.
Zero day attacks - Attacks launched in the network or OS before vendors or network
administrators have discovered vulnerabilities and patches for them have been released.
A honeypot is a computer set up to look like any other machine on your network; its purpose
is to attract attackers to your network, but the computer contains no information of real value.
In this way, you can take the honeypot offline and not affect the running of your network.
Honeywalls are computers set up to monitor what’s happening to honeypots on your network
and record what attackers are doing.
The Manuka Project used the Honeynet Project’s principles to create a usable database for
students to examine compromised honeypots and determine what happened to them.
A software package retrieves a compromised drive’s image remotely over the network and
stores it on the server.
After the original machine is loaded with the standard software, a forensic image of it is
created. If the machine is compromised, it’s taken offline and another image of it is made.
The software then compares the two images to determine what method of attack was used
and what files were altered or added.
Email has become the primary means of communication and most computers have email
programs to receive, send and manage email. These programs differ in the way they store and track
email.
5.5.1. Exploring the role of email investigations
Email evidence has become an important part of many computing investigations.
With the increase in email scams and fraud attempts with phishing or spoofing, investigators
need to know how to examine and interpret the content of email messages.
Phishing emails are in HTML format, which allows creating links to web pages. Using this
technique a phishing message could redirect to a different web site.
Check whether redirection has been used in the HTML source code.
One of the most noteworthy e-mail scams was 419, or the Nigerian Scam.
Spoofing e-mail can be used to commit fraud.
5.5.2. Exploring the Roles of the Client and Server in E-mail
• Sending and receiving e-mail can be in two environments
– Internet
– Intranet : Controlled LAN, MAN, or WAN (private use)
• Messages are distributed from a central server to many connected client computers (client/server
architecture).
• The server OS and e-mail software differ from those on the client side. The server runs an email
server program such as Microsoft Exchange Server, Novell GroupWise or UNIX Sendmail to
provide email services.
• Client computers use email programs such as Novell Evolution or Microsoft Outlook.
• Users access their email based on the permissions the email server administrator grants -
Require usernames and passwords
• Name conventions
– Corporate: john.smith@somecompany.com
– Public: whatever@hotmail.com
– Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
– Because accounts use standard names the administrator establishes
5.5.3. Investigating E-mail Crimes and Violations
• Investigating crimes or policy violations involving e-mail is similar to investigating other types
of computer abuse and crimes.
• The goal is to
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
• Email crimes and violations depend on the city, state, or country
• Example: In Washington State sending unsolicited email is illegal, in other states, it isn’t
considered a crime
• Always consult with an attorney
• Committing crimes using email has become commonplace
• Examples of crimes involving e-mails
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography
5.5.4. Examining E-mail Messages
• Access victim’s computer to recover the evidence
• Using the victim’s e-mail client
• Find and copy evidence in the e-mail
• Access protected or encrypted material
• Print e-mails
• Guide victim on the phone
• Open and copy e-mail including headers. The header contains unique identifying numbers,
such as the IP address of the server that sent the message. This information helps you trace
the e-mail to the suspect.
• Sometimes deleted e-mails have to be recovered.
Novell Evolution
o Click View, All Message Headers
o Copy and paste the e-mail header
Pine (UNIX – command line email program)
o Type S->Type c->Check enable-full-headers
AOL headers
o Mail Tab, Settings, Click Action, View Message Source
o Copy and paste headers
Hotmail
o Click Options, and then click the Mail Display Settings
o Click the Advanced option button under Message Headers
o Copy and paste headers
Apple Mail
o Click View from the menu, point to Message, and then click Long Header
o Copy and paste headers
Yahoo
o Click Mail Options
o Click General Preferences and Show All headers on incoming
messages
o Copy and paste headers
Line 3 indicates the type of e-mail service that sent the e-mail, such as qmail (UNIX e-mail),
and includes an ID number, such as 12780 in Figure.
With these ID numbers, you can examine logs from the transmitting e-mail server to determine
whether the message was actually sent from it.
If the transmitting e-mail server doesn’t list this unique ID number, there’s a good chance the
message was spoofed.
Line 4 lists the IP address of the e-mail server that sent the message—192.152.64.20, in this
example. It also identifies the name of the server sending the message: in this case,
smtp.superiorbicycles.biz.
Line 5 contains the name of the e-mail server (or list of e-mail servers) that sent or passed the
message to the victim’s e-mail server.
Line 6 shows a unique ID number that the sending e-mail server assigned to the message. In
the figure above, it’s 20101212082330.40429. You can use this number to track the message on
the originating e-mail server in e-mail logs.
Line 7 shows the IP address of the server sending the e-mail and lists the date and time the
e-mail was sent. For example, 10.187.241.199 is the IP address of the sending server
web4009.mail0.myway.com, and Sun 12 Dec 2010 00:23:30 PST is the date the message
was sent. Line 7 might also identify the e-mail as being sent through an HTTP client.
Line 8 usually identifies attachments. An attachment can be any type of file, from a
program to a picture. If a message includes an attachment, investigate it as a supporting piece
of evidence.
E-mail logs generally identify the e-mail messages an account received, the IP address from
which they were sent, the time and date the e-mail server received them, the time and date
the client computer accessed the e-mail, the e-mail contents, system-specific information, and
any other information the e-mail administrator wants to track.
These e-mail logs are formatted in plain text and can be read with a basic text editor, such as
Notepad or vi.
Administrators usually set e-mail servers to continuous logging mode.
In addition to logging e-mail traffic, e-mail servers maintain copies of clients’ e-mail, even if the
users have deleted messages from their inboxes.
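The header walk-through and the log check above can be combined: pull the unique ID, the qmail ID and the relay IP addresses out of a header, then look for the unique ID in the sending server's log. This is an added example, not from the original notes. The header is constructed around the values the text cites (the figure is not reproduced here), and the recipient host name and the `msgid=` log layout are hypothetical.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
QMAIL_RE = re.compile(r"\(qmail (\d+) invoked")

# Constructed header built from the values quoted in the text.
SAMPLE_HEADER = """\
Received: (qmail 12780 invoked by uid 1010); 12 Dec 2010 08:23:31 -0000
Received: from unknown (HELO smtp.superiorbicycles.biz) (192.152.64.20)
\tby mail.recipient.example with SMTP; 12 Dec 2010 08:23:31 -0000
Message-ID: <20101212082330.40429.qmail@web4009.mail0.myway.com>
Received: from [10.187.241.199] by web4009.mail0.myway.com via HTTP;
\tSun, 12 Dec 2010 00:23:30 PST
Subject: constructed sample

body
"""

# Constructed log lines in a hypothetical plain-text layout.
SENDER_LOG = [
    "2010-12-12 00:23:30 PST msgid=20101212082330.40429 client=10.187.241.199 via=HTTP",
    "2010-12-12 00:25:02 PST msgid=20101212082502.40511 client=10.187.200.14 via=HTTP",
]


def parse_trace(raw_header: str) -> dict:
    """Extract the identifiers an examiner traces from a raw header."""
    msg = message_from_string(raw_header)
    # Unfold multi-line Received values into single lines.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    m = re.match(r"<?(\d+\.\d+)", msg.get("Message-ID", ""))
    return {
        "unique_id": m.group(1) if m else None,
        "qmail_ids": [q for r in received for q in QMAIL_RE.findall(r)],
        "ips": [ip for r in received for ip in IP_RE.findall(r)],
        "received": received,
    }


def id_in_server_log(unique_id, log_lines) -> bool:
    """True when the sending server's log lists this message ID."""
    if not unique_id:
        return False
    return any(f"msgid={unique_id}" in line.split() for line in log_lines)


def assess(raw_header, log_lines) -> dict:
    trace = parse_trace(raw_header)
    trace["logged_by_sender"] = id_in_server_log(trace["unique_id"], log_lines)
    trace["verdict"] = ("ID found in sender log" if trace["logged_by_sender"]
                        else "ID not in sender log: possible spoof")
    return trace


if __name__ == "__main__":
    forged = SAMPLE_HEADER.replace("20101212082330.40429", "20101212091500.11111")
    for header in (SAMPLE_HEADER, forged):
        result = assess(header, SENDER_LOG)
        print(result["unique_id"], result["ips"], result["verdict"])
```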
FTK can index data on a disk image or an entire drive for faster data retrieval.
Like FINALeMAIL, FTK can filter or find files specific to e-mail clients and servers.
You can configure these filters when you enter search parameters. In this section, you learn
how to use FTK and a hexadecimal editor to recover e-mails.
To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch into
FTK 1.x.
dtSearch builds a B*-tree index of all text data in a drive, an image file, or a group of files.
One unique feature is its capability to read .pst and .dbx files and index all text information,
including attached files.
For other e-mail applications that use the mbox format, a hexadecimal editor can be used to
carve messages manually.
This technique requires perseverance because it’s tedious and time consuming.
Cell phone and mobile device forensics is a rapidly changing field that poses challenges in trying to
retrieve information.
People store a wealth of information on cell phones, including calls, text messages, picture and music
files, address books, and more. These files can give you a lot of information when investigating
cases.
Depending on the phone’s model, the following items might be stored on it:
• Incoming, outgoing, and missed calls
• Text and Short Message Service (SMS) messages
• E-mail
• Instant messaging (IM) logs
• Web pages
• Pictures
• Personal calendars
• Address books
• Music files
• Voice recordings
Many people store more information on their cell phones than they do on their computers, and with
this variety of information, piecing together the facts of a case is possible. Cell phone data is used
increasingly in court as evidence.
Challenges in investigating cellphones and mobile devices in digital forensics.
• No single standard exists for how and where cell phones store messages, although many
phones use similar storage schemes.
• New phones come out about every six months, and they’re rarely compatible with previous
models. Therefore, the cables and accessories you have might become obsolete in a short
time.
• Also, cell phones are often combined with PDAs, which can make forensics investigations
more complex.
Orthogonal Frequency Division Multiplexing (OFDM) is expected to yield faster and higher quality
mobile communication.
Code Division Multiple Access (CDMA): One of the most common digital networks, it uses the full
radio frequency spectrum to define channels.
Time Division Multiple Access (TDMA): This digital network uses the technique of dividing a radio
frequency into time slots; GSM networks use this technique.
Integrated Digital Enhanced Network (iDEN): This Motorola protocol combines several services,
including data transmission, into one network.
In mobile communication, geographical areas are divided into cells resembling honeycombs.
Three main components are used for communication with these cells:
• Base transceiver station (BTS) —This component is made up of radio transceiver equipment
that defines cells and communicates with mobile phones; it’s sometimes referred to as a cell
phone tower, although the tower is only one part of the BTS equipment.
• Base station controller (BSC)—This combination of hardware and software manages BTSs and
assigns channels by connecting to the mobile switching center.
• Mobile switching center (MSC)—This component connects calls by routing digital packets for the
network and relies on a database to support subscribers. This central database contains account
data, location data, and other key information needed during an investigation. If you have to
retrieve information from a carrier’s central database, you usually need a warrant or
subpoena (summons).
• OS is stored in ROM
– Nonvolatile memory
• The drawback to using these isolating options is that the mobile device is put into roaming
mode which accelerates battery drainage
– Internal memory
– SIM card
– System server
• Volatile memory requires power to maintain its contents, but nonvolatile memory does not.
• The specific locations of data vary from one phone model to the next, volatile memory usually
contains data that changes frequently, such as missed calls, text messages, and sometimes
even user files.
• Nonvolatile memory, on the other hand, contains OS files and stored user data, such as a
personal information manager (PIM) and backed-up files.
iPhone Forensics
Attempts to hack the iPhone were unsuccessful because the device is practically
impenetrable. A more successful approach was hacking backup files.
The best method is acquiring a forensic image, which enables you to recover deleted text
messages and similar data.
iPhone acquisition procedures are, in general, similar to procedures for other mobile devices.
To acquire a forensic image, the following tools are used:
o MacLockPick II - This tool uses backup files, such as MDBackup, stored by iPhones.
So although it can recover quite a bit of data, it can’t recover deleted files.
o MDBackUp Extract - This tool, developed by Black Bag Technologies, analyzes the
iTunes mobile sync backup directory.
• Software tools differ in the items they display and the level of detail