Master Cyber Digital Forensics

The document discusses cyber forensics, including defining cyber forensics, the objectives and scientific process of forensics investigations. It covers knowledge requirements for cyber forensics professionals regarding hardware, operating systems, networks, files and file systems. The document also outlines fundamental principles of cyber forensics and relevant cyber forensic laws.


Our Group

The Mastering Core Essentials book series is part of the Defence Cyber School, an online training school based in the UK. Our mission is knowledge sharing, and our objective is to empower those who seek deep IT knowledge and expertise: professionals from the global IT and cyber security communities.

Book Structure
The Mastering Core Essentials books are a series of concise IT books written in a detailed but summarised format that covers all the essential elements of the relevant domain. They give you fast-track knowledge of the relevant topics and are highly suitable for experienced IT professionals, IT contractors and IT consultants who work in a project environment. Many of our books also support our Consultancy Level and Professional Training online learning courses, available from: https://defencecyberschool.thinkific.com/

Our Professional Reader

Our books are designed for fast-track readers who want to absorb a lot of information about the relevant topics in the shortest time possible. You could be a consultant, a contractor or a highly experienced business transformation professional who has secured a new project role or consultancy assignment and wants to grasp the fundamentals and essentials of the relevant domain on the fly and hit the ground running.

UK Series Founder
The Mastering Core Essentials series was established in 2016, and most of our books are written by the author, Mohsin Baig, a self-publisher based in the United Kingdom with a background in IT project consultancy and cyber security training.

Author Background
Mohsin Baig was born and raised in Glasgow, Scotland and currently resides in England. Mohsin is also the start-up founder of the UK Defence Cyber School, which started in 2019: https://www.defencecyberschool.com

Global Book Distribution


Our Kindle and paperback books are available from Amazon and within the
following Amazon based countries: UK, USA, France, India, Canada, Japan,
Australia, Mexico, Spain, Netherlands, Italy

Digital Training Courses

Our books support individual and corporate online training courses delivered by the Defence Cyber School in the UK. Currently we offer the following professional consulting global online training programmes to IT professionals:

1. Professional Consulting Certificate in Cyber Security and Digital Financial Services Transformation
2. Digital Transformation Consulting Certificate in Software System Architecture with Cyber Security
3. Digital Transformation Consulting Certificate in Enterprise Architecture Strategy with Cyber Security
4. Professional Consulting Certificate in Cyber Security Architecture with IT System Consultancy
5. Professional Consulting Certificate in Cyber Security Strategy with Cloud Architecture

For more information on individual and corporate training visit us at: https://defencecyberschool.thinkific.com/

Global Dawah Project


The mission of the Mastering Core Essentials Book series is to spread and
share professional knowledge equally amongst all global professional
communities and empower IT professionals from all global backgrounds.

"My Lord! Enrich me with knowledge." (Quran, 20:114)

Objectives
The scope of this book is to empower delegates with the following:
1. Develop an understanding of computer forensics and how to analyse the nature of evidence and its characteristics
2. Learn about the role of the forensic investigator
3. Learn how to analyse investigative processes and evidence management
4. Develop skills in how to analyse criminal investigations, civil investigations and administrative investigations
5. Forensic response to security incidents, electronic discovery and intellectual property investigations
6. Develop an understanding of the fundamental principles of forensic science with regards to forensic methods, report writing, quality assurance control management and accreditation procedures
7. Develop an understanding of digital forensics with regards to analysing media and file system forensics, computer and operating system forensics, network forensics, mobile device forensics, device forensics and virtual system forensics
8. Learn about forensic and anti-forensic techniques and tools
9. Learn how to apply software forensics, analyse web, email and message forensics, and develop malware forensics
10. Develop an understanding of cloud forensics, social networks, the big data paradigm, control systems, critical infrastructures and online gaming

Contents Page
Chapter 1: Introduction to Cyber Forensics
Chapter 2: Cyber Forensics Investigation Process
Chapter 3: Fundamentals of Evidence Management
Chapter 4: Forensic Science Principles and Methods
Chapter 5: Performing Forensic Analysis
Chapter 6: Hardware Forensic Analysis
Chapter 7: Hidden Files and Anti forensics
Chapter 8: Fundamentals of Network Forensics
Chapter 9: Virtual Systems
Chapter 10: Fundamentals of Mobile Forensics
Chapter 11: Fundamentals of Application Forensics
Chapter 12: Essentials of Malware Forensics
Chapter 13: Digital Forensics Technologies

Chapter 1: Introduction to Cyber Forensics

Cyber Forensics - Definition
• Cyber Forensics is defined by the CERT (Computer Emergency Response
Team) as:
“If you manage or administer information systems and networks, you should
understand cyber forensics. Forensics is the process of using scientific
knowledge for collecting, analyzing, and presenting evidence to the courts.
(The word forensics means “to bring to the court.”) Forensics deals primarily
with the recovery and analysis of latent evidence. Latent evidence can take
many forms, from fingerprints left on a window to DNA evidence recovered
from blood stains to the files on a hard drive”.

Objectives of Cyber Forensics

• Objective 1: to identify the scope and details of what has happened, which entails identifying the data impacted, the files impacted and the type of attack that has occurred. The initial intent here is to collate factual information and understand the root cause of the events that have taken place.

• Objective 2: to collate data in a manner that is plausible and, by and large, acceptable to legal institutions such as the courts.

Scientific Process of Forensics

• Forensics is by and large considered a science, and there are comprehensive, well-defined scientific principles which must be adopted by cyber forensic experts
• Scientific principles must be incorporated into a scientific investigation. The process of scientific investigation comprises the following: a hypothesis must be established, tests must be performed on that hypothesis, and the results must be documented.

Testing the Hypothesis

• Performed with plausible tools and techniques of computer science and engineering

Essential Characteristics of Crime

In order for a crime to have occurred, the following elements must be present:

• A law must have been broken
• There must be full intent to commit the crime
• The burden of proof as a principle must be incorporated
• Exculpatory evidence, where the accused is proven innocent

Knowledge Requirements for Cyber Forensics
Cyber forensics professionals should have knowledge of the following domains:

• Hardware
• Operating Systems
• Networks

Hardware & Software Knowledge
Cyber Forensic Investigators must have knowledge about the following:

• Motherboards
• Hard Drives: SCSI, IDE, SATA, Solid State
• RAM: EDO RAM, BEDO, DRAM, ADRAM, SGRAM, PSRAM,
RLDRAM
• Operating Systems: Windows, Linux, Macintosh, iOS, Android

Files and File System Knowledge

Cyber Forensic Investigators must have knowledge about the following:

• File Headers
• Executable and Linkable Format (ELF)
• Portable Executable (PE) for Windows
• Dynamic Linked Libraries (DLL) for Windows
• Globally Unique Identifier (GUID) for Windows
• Windows File Systems: FAT, FAT16, FAT32, NTFS, EXT, Reiser File System
• Linux File Systems: Reiser
• Unix File Systems: Berkeley

Networks Knowledge
Cyber Forensic Investigators must have knowledge about the following domains:

• Network Connection Types: physical connection, WiFi
• Network Components: hub, switch, router
• IP Addresses: IPv4, IPv6, MAC addresses
• Network Utilities: ipconfig, ping, tracert, netstat

Fundamental Principles of Cyber Forensics
Principle 1:
Secure the Crime Scene: this entails ensuring that the system is not accessible by anyone, and documenting current connections, running software, processes etc.

Principle 2:
Minimising Intervention with the Evidence: this entails ensuring that the evidence is touched as little as possible in order to prevent any contamination.

Principle 3:
Maintaining Chain of Custody: this entails ensuring that the forensic investigator maintains an audit and document trail with regards to the condition of the equipment and how the evidence is stored. Note: best practice recommends taking as many photographs as possible.

Cyber Forensic Laws
• US federal laws supersede state laws on computer crime
• Computer crime encompasses interstate commerce and financial institutions
• Law comprises two main branches: civil and criminal
• The scope of civil law addresses actions that may or may not be intentional, and the penalties do not involve incarceration. A civil wrong is referred to as a tort
• Cyber forensics cases can impact civil or criminal law

Legal Warrants
• Issued by the court, warrants can be used to seize property, computers, cell phones and other electronic devices

Cyber Forensics FBI Investigator Guidelines
FBI Computer Forensics Guidelines stipulate that forensic evidence comes in the following forms:

• Hard Drives
• System Logs
• Portable Storage
• Router Logs
• E-mails
• Chat Room Logs
• Cell Phones
• SIM Cards for cell phones
• Logs from Security devices - Firewalls / IDS
• Database and Database Logs


Cyber Forensics Secret Service Investigator Guidelines
The Secret Service provides the following guidelines:

• Ensure evidence is secure and safe
• Investigator safety
• Question yourself about the legal basis for securing the computer or items
• If the computer is switched off, leave it off
• Do not access any computer files if the computer is off
• Shut down the computer by pulling the main power cord if you suspect that the computer is eliminating evidence
• Take screenshots or pictures of the computer screen
• Evaluate whether any unique legal considerations are applicable


Additional References
1. American Heritage Dictionary. http://education.yahoo.com/reference/dictionary/entry/forensics
2. CERT Forensics Definition. http://www.us-cert.gov/reading_room/forensics.pdf
3. Cornell Law School, Daubert Standard. http://www.law.cornell.edu/wex/daubert_standard
4. http://www.law.cornell.edu/wex/tort
5. FBI Cybercrime website. http://www.fbi.gov/about-us/investigate/cyber/cyber
6. Secret Service, Cyber Forensics. http://www.ncfi.usss.gov/
7. First Responders Guide. http://www.forwardedge2.com/pdf/bestPractices.pdf

Chapter 2: Forensic Investigation Process

Chain of Custody
• Refers to the detailed documentation that captures and maintains all forensic evidence
• The Scientific Working Group on Digital Evidence Model Standard Operating Procedures for Computer Forensics state: "The chain of custody must include a description of the evidence and a documented history of each evidence transfer"
• All transfers of the evidence, from person to person or from location to location, must be recorded; failure to do so makes the evidence inadmissible
• All access to the evidence by different people must be recorded
• Evidence must be kept in a secure location at all times
• Evidence must be time and date stamped every time it is accessed and when it is taken to court


Securing the Scene

• All crime scene areas must be blocked off to prevent contamination of the crime scene
• The computer, network or target area must be secured
• All access to the system must be blocked and the network disconnected
• Hard drives must be kept in secure locations
• All analysis should be performed in a secure location with authorised access only


Forensic Documentation
• Rule of thumb: document everything in detail
• The documentation process kicks off when the cyber forensic investigator enters the crime scene
• All events that have taken place must be documented
• All devices installed in or attached to the computer must be documented
• All network connections, internet connections and the operating system must be documented
• The process undertaken to collate the evidence must be documented
• The method of transporting the evidence to the forensic lab must be documented
• All tools that have been utilised and all tests that have been performed must be documented
• The examiner performs the role of documenting and reporting all the results of the evidence

Examiner Report Structure

A forensic report must comprise the following when requested:

• Case identifier or submission number
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Description of examination
• Results/Conclusions/Items

Authority and Objectives

• The forensic investigator must have allocated authority in order to pursue investigation of given evidence.
• In criminal cases jurisdiction is one of the main concerns: is the case federal, state or local?
• In civil cases, the legal rules of the specific court (federal or state) must be followed

Examination
The SWGDE Model Standard Operating Procedures for Computer Forensics (www.swgde.org) stipulate the following requirements for an examination:
• Visual Inspection: entails physical verification of the evidence, and of the condition of the environment in which the examination is to be performed
• Forensic Duplication: entails creating a duplicate copy prior to the examination. Best practice is to work with the duplicated media copy and not the actual original
• Media Examination: involves forensic testing of the application, including any device which can contain digital data such as RAM or a SIM card
• Evidence Return: involves returning the evidence, which is then stored in a secure location

ISC Ethics
ISC Guidelines are the following:

• Perform and ensure the protection of the common good, public trust,
confidence and infrastructure
• Perform actions which are honourable, honest, just, responsible, and legal
• Engage in providing diligent and competent service to principals
• Advance and Protect the profession
American Academy of Forensic Sciences (AAFS) Ethics
Guidelines from the AAFS are the following:

• Every member and affiliate of the Academy shall refrain from exercising
professional or personal conduct adverse to the best interests and
objectives of the Academy. The objectives stated in the Preamble to these
bylaws include promoting education for and research in the forensic
sciences, encouraging the study, improving the practice, elevating the
standards and advancing the cause of the forensic sciences.
• No member or affiliate of the Academy shall materially misrepresent his
or her education, training, experience, area of expertise, or membership
status within the Academy.
• No member or affiliate of the Academy shall issue public statements that
appear to represent the position of the Academy without specific
authority first obtained from the Board of Directors.

Additional Information
1. Evidence E-Zine. http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=18
2. http://revealmedia.com/wp-content/uploads/2013/09/storage.pdf
3. http://www.accessdata.com/products/digital-forensics/ftk
4. http://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx
5. FBI Evidence Preservation. http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/august-2011/digital-evidence
6. http://www.tableau.com/index.php?pageid=products
7. http://www.cru-inc.com/products/wiebetech/
8. https://www.forensicsoft.com/
9. http://www.kanguru.com/storage-accessories/kanguru-ss3.shtml
10. https://support.imation.com/app/answers/detail/a_id/1583
11. http://www.faradaybag.com/
12. http://www.amazon.com/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0
13. http://inece.org/conference/8/proceedings/44_Lubieniecki.pdf
14. UL Labs. http://www.ul.com/global/eng/pages/offerings/services/architectural/faq/
15. http://www.apd.army.mil/pdffiles/r195_5.pdf

Chapter 3: Evidence Management

Evidence Collection
• The forensic investigator must rigorously collate and document all the details about the crime scene, including the location and the environment.

Evidence Documentation
• Forensic investigators can use video recording to document the scene
• Documentation should entail the following items: person's name, whether the person had access to the suspect equipment, time of arrival, time of departure.

Evidence Preservation
• Evidence must be preserved at all times
• The investigator must protect its integrity
• The investigator must ensure no evidence has been added or destroyed by any means.
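The integrity requirement above and the chain-of-custody record described in Chapter 2 can be kept as one structure: every hand-over is logged with the handlers, the location, the time and the SHA-256 of the image at that moment, so an unchanged hash across the record shows nothing was added or destroyed while the item moved. The following Python is an added example, not the book's own material; the case id, item id, names and the byte string standing in for a disk image are all constructed.

```python
"""Chain-of-custody record with integrity hashes for an evidence image.

Added example, not the book's own material. Each transfer is logged with
giver, receiver, location, timestamp and the SHA-256 of the image in hand,
and two checks are derived from the log: every hash still equals the hash
taken at acquisition, and every giver is the person who last received it.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-gigabyte image need not fit in RAM


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of the evidence bytes."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


class CustodyRecord:
    """Documented history of one evidence item: description plus every transfer."""

    def __init__(self, case_id, item_id, description, image, collected_by, location, when=None):
        self.case_id = case_id
        self.item_id = item_id
        self.description = description
        # The hash taken at acquisition is the reference every later check compares against.
        self.acquisition_hash = sha256_of(image)
        self.entries = []
        self._log("acquired", None, collected_by, location, self.acquisition_hash, when)

    def _log(self, action, giver, receiver, location, digest, when):
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.entries.append({
            "time": stamp, "action": action, "from": giver, "to": receiver,
            "location": location, "sha256": digest,
            "intact": digest == self.acquisition_hash,
        })

    def transfer(self, giver, receiver, location, image, when=None):
        """Record a hand-over; returns True if the image still matches the acquisition hash."""
        digest = sha256_of(image)
        self._log("transfer", giver, receiver, location, digest, when)
        return digest == self.acquisition_hash

    def integrity_ok(self):
        """True only if every logged hash equals the acquisition hash."""
        return all(e["intact"] for e in self.entries)

    def chain_unbroken(self):
        """True if each transfer's giver is the person who last received the item."""
        holder = self.entries[0]["to"]
        for e in self.entries[1:]:
            if e["from"] != holder:
                return False
            holder = e["to"]
        return True

    def to_json(self):
        """Serialised record suitable for attaching to the examiner's report."""
        return json.dumps({"case": self.case_id, "item": self.item_id,
                           "description": self.description,
                           "acquisition_sha256": self.acquisition_hash,
                           "history": self.entries}, indent=2)


def demo():
    """Constructed walk-through: one clean hand-over, then one with a tampered image."""
    image = bytes(range(256)) * 64  # constructed stand-in for a disk image
    rec = CustodyRecord("CASE-0001", "ITEM-01", "500 GB SATA drive, imaged",
                        image, "Investigator A", "Scene",
                        when=datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    ok1 = rec.transfer("Investigator A", "Lab Custodian B", "Evidence room", image,
                       when=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    tampered = bytearray(image)
    tampered[100] ^= 0x01  # a single flipped bit is enough to change the digest
    ok2 = rec.transfer("Lab Custodian B", "Examiner C", "Lab bench", bytes(tampered),
                       when=datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc))
    return ok1, ok2, rec.integrity_ok(), rec.chain_unbroken()
```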

AccessData Forensic Toolkit

• Forensic Toolkit (FTK) is an AccessData product which comes with a free disk imager utility
• The forensic investigator can utilise the toolkit by installing it on the forensic PC
• The toolkit can be used by attaching the suspect drive and creating an image from within the disk imager
• The forensic investigator should follow the wizard within the toolkit

Guidance Software EnCase

• EnCase provides disk imaging capabilities

Write Protected Storage Devices
• The forensic investigator must use write-protected storage devices as part of evidence preservation
• The suspect drive should immediately be write-protected before being imaged
• The media should be labelled with the following details: 1) investigator name, 2) date the image was created, 3) case name and number
• Write blockers are the most prominent way to secure a drive for forensic purposes
• Write blocker devices can be a hard drive disk controller or a hardware write blocker
• Devices such as the Kanguru USB drive or the Imation USB drive have write protection features on the drives themselves.

Evidence Transport
• All evidence must be sent to the forensic lab
• All evidence must be kept in a secure container
• Custody of evidence should be maintained when evidence is checked in and checked out

Evidence Tracking
• Log: a log of evidence should be maintained, which could be in the form of a spreadsheet or Word document
• Software Tracking: Evidence Tracker, ASAP Systems, Fusion RMS
• Barcode: this involves barcode tracking and scanning every time the evidence is accessed
• RFID: Radio Frequency ID (RFID) chips can be incorporated to track evidence

Evidence Storage
• Evidence must be kept in a secure location
• Evidence must be kept free from environmental hazards
• Evidence must only be accessed with approved authorisation
• Evidence must be secured from electromagnetic interference

Environmental Hazards
Typically comprise the following:

• Fire and smoke
• Extreme cold or heat
• Utility loss
• Water damage

US Army Digital Evidence Storage

The US Army has the following specific guidelines with regards to maintaining digital evidence:

• A person with digital media evidence should store such evidence in a dust-free, temperature- and humidity-controlled environment, whenever possible.
• A person with digital media evidence will not store it near batteries, generators, electro-magnets, magnets, induction coils, unshielded microwave sources, or any material that generates static. NOTE: Vacuum cleaner motors generate small electromagnetic fields that may alter, erase, and/or destroy digital media such as tapes.
• A person with digital media evidence should not store such evidence in the same container with electronic devices. Some electronic devices contain batteries with sufficient strength to erase digital data over extended periods.
• The evidence custodian should make periodic checks of digital media evidence in the evidence room to determine the battery life of the item(s). There is a very high risk that all evidence contained in digital storage could be lost, so the evidence must be connected to appropriate chargers that can remain connected to uninterrupted power.
• Where possible, the evidence custodian should store digital media evidence in a fire safe designed to safeguard items in heat in excess of 120 degrees Fahrenheit.
• Where possible, the evidence custodian should not store digital media or devices in areas with sprinkler fire protection systems. If this is not possible, the evidence custodian should cover the media with waterproof material. The media should not be completely wrapped in waterproof material, because condensation can build up and destroy the evidence.
• The evidence custodian should not store digital media and devices in the same confined area with caustic chemicals (for example, acids, solvents, industrial strength cleaners, flammables). Exposure to fumes from such materials may cause surface erosion of media and loss of data.
• A person with items of evidence that are classified or that contain classified information or material will store such evidence in accordance with AR 380-5.

Evidence Access Control

• All access to the evidence must be controlled, including when it is accessed
• All users accessing evidence must be documented
• All users wanting access to evidence must prove they have a need to access the evidence

Evidence Disposition
• Evidence must never be destroyed, for the purposes of appeal cases
• Archival storage must have the same security, environmental security and personnel access requirements as normal evidence storage

Chapter 4: Forensic Science: Principles and Methods

Scientific Approach to Forensics

• Forensics is a scientific process
• Comprehensively established scientific principles have been implemented in cyber forensics

Scientific Method
• An established hypothesis is essential
• The hypothesis must be testable, and once it is tested a fact is created
• Questions that cannot be tested are not scientific
• Multiple facts collated from a hypothesis must be explained using a rationale
• The explanation of these facts, based on the plausible facts, is known as a "theory"
• The process of establishing a hypothesis, testing the hypothesis and organising the facts into a cogent theory is known as the Scientific Method

Philosophy of Science
• Forensic examiners must have sufficient awareness of the philosophy of science
• The philosophy of science is based on two principles: verification and falsifiability
• Verification is largely performed by testing
• Falsifiability, established by Karl Popper (philosopher of science), maintains the notion that it must be possible to disprove something
• The philosophy of science should be applied to cyber forensics by first establishing a scientific mindset, then establishing a testable hypothesis and conducting that test

Peer Review
• Peer review is an essential part of the scientific community
• The scope of peer review entails other professionals reviewing, validating and approving the work
• Peer review is subject to multiple stages of review: 1) review by reviewers to evaluate whether the quality is sufficient, 2) review by professionals within the field to validate the quality

Locard's Principle of Transference

• Dr Edmond Locard was a forensic scientist who established the Locard Exchange Principle, or Locard's Principle of Transference
• The principle was initially applied to physical forensics and depicts the notion that one cannot enter any environment without leaving something behind
• Locard's Principle is of significant importance for the following reasons:
• Locard's Principle is applied to pursue trace evidence
• Trace evidence is known to occur when two objects contact each other
• Locard's Principle helps us understand that if the suspect interacted with the computer system or device, there should be some trace evidence
• Locard's Principle also reinforces the need to work with a copy of the storage media, and why all media should be write-protected

Inman-Rudin Paradigm
• In the paper "Origin of Evidence" the authors Inman and Rudin depicted the Inman-Rudin Paradigm, which outlines the concepts applicable to applied forensic analysis: 1) transfer, 2) identification, 3) individualization, 4) association between source and target, and 5) reconstruction

• Transfer: this depicts the Locard Exchange Principle
• Identification: this entails collating the type of evidence that has been traced
• Individualization: this entails elevating the identification step to the next level
• Association: this entails linking the evidence with the person
• Reconstruction: this entails reconstructing the entire scenario to identify what exactly happened

Identify and Classify Evidence

• Evidence has to be categorised in terms of what is actual evidence and what is not
• Digital evidence can be classified into the following categories: database, computer, network and mobile
• Database: this will comprise database evidence, which could relate to a relational database management system such as Microsoft SQL Server or Oracle, or file storage such as XML
• Computer: typically comprises evidence on a computer such as browser history, deleted files, the Windows registry, settings, computer logs etc.
• Network: comprises network traffic evidence, which can be elicited using a network protocol analyser or packet sniffer such as Wireshark
• Mobile: consists of evidence from a mobile device

The following factors can be adopted when evaluating where evidence data has come from:

• Source: this would consist of the computer, network and mobile device classifications
• Format: the format of the data held on the storage device, archived data, deleted data
• Type: typically encompasses video, pictures, cookies, bookmarks, trace evidence etc.

Evidence Location
Evidence can be found in the following locations:
1. Hard drives such as the following:

• IDE (Integrated Drive Electronics)
• EIDE (Extended Integrated Drive Electronics)
• PATA (Parallel Advanced Technology Attachment)
• SATA (Serial Advanced Technology Attachment)
• SCSI (Small Computer System Interface)

2. Magnetic and solid-state drives, in areas such as the following:

• Master boot record
• Unallocated space
• File slack
• Host-protected area

3. Hardware interfaces
4. USB
5. Serial ports
6. Parallel ports
7. Video
8. HDMI
9. Digital Visual Interface (DVI)
10. SCSI peripheral devices
11. File systems: FAT, EXT, Unix File System, Reiser file system
12. File formats: file headers, graphic file formats, Executable and Linkable Format, Portable Executable, Area Density, Windows Office files
13. File types: JPEG, GIF, TIFF, EXIF, PNG, the Advanced Forensic Format, EnCase format, GfZIP, compressed files, ISO, DLL, EXE, data files
14. Header analysis


Common Procedures
• All data about the hard drive in scope should be documented, including model, size, type etc.
• Digital photos should be taken if the drive has any visible damage
• Create an image of the drive and work with the image

Recovering Data
• Data recovery takes place in two scenarios: when the media is physically damaged, and when there is logical damage such as a corrupt file.

Physical Damage - Guidelines

• In order to recover data from a physically damaged hard drive the following measures should be implemented:
• Remove the drive from the current system and connect it as a secondary drive to a functioning test system
• The test system should be booted from its own primary drive or from a boot disk
• Evaluate whether the failed drive is recognised as a secondary drive on the test system. If the drive is recognised, copy all the relevant directories and files onto the test system

Logical Damage
• Occurs due to corrupt files and improper shutdown
• Errors in hardware controllers and drivers lead to logical damage
• Microsoft Windows has the chkdsk utility, Mac OS X provides Disk Utility, and Linux has the fsck utility; these can be used to repair logical damage
• Third-party products such as The Sleuth Kit (www.sleuthkit.org) and TestDisk (www.cgsecurity.org/wiki/TestDisk) can repair logical damage
File and Metadata Carving
• The process of extracting unique data from a larger set of data
• Used to recover data from a disk where the file is damaged or corrupt
• Carver recovery contains several utilities that can help recover files
• Scalpel, a command line tool, can also be used for file carving
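Header analysis and carving, as described here and in the file-header lists of Chapter 1 and the Evidence Location section, work from the magic bytes at the start of each format rather than from file names. The Python below is an added example, not the book's code or any tool's: the signatures are the standard leading bytes of each format, and the raw image it scans is constructed inline (a tiny JPEG, a minimal PNG with zeroed CRCs, a PE stub, and a stray "MZ" that must be rejected because two bytes alone are not enough to call something an executable).

```python
"""Header analysis and file carving over a raw image.

Added example, not the book's own code. The signatures are the standard
magic bytes of each format; the image is constructed inline.
"""
import struct

# Leading bytes that identify a file regardless of its name or extension.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"\x7fELF": "ELF (Linux executable)",
    b"MZ": "PE (Windows executable)",
}


def looks_like_pe(image, off):
    """'MZ' is only two bytes and collides easily, so confirm the DOS header's
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if off + 0x40 > len(image):
        return False
    e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
    return image[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def identify(blob):
    """Header analysis: name the type of a blob from its leading bytes."""
    for magic, name in SIGNATURES.items():
        if blob.startswith(magic) and (magic != b"MZ" or looks_like_pe(blob, 0)):
            return name
    return "unknown"


def find_headers(image):
    """Every (offset, type) at which a validated signature occurs, in offset order."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            if magic != b"MZ" or looks_like_pe(image, pos):
                hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve_jpeg(image, start):
    """JPEG has a fixed end-of-image marker, so carve from the header to FFD9."""
    end = image.find(b"\xff\xd9", start + 2)
    return None if end == -1 else image[start:end + 2]


def carve_png(image, start):
    """Walk PNG chunks (length, type, data, CRC) to IEND rather than searching for
    the bytes 'IEND', so pixel data containing that text cannot cut the carve short."""
    pos = start + 8                     # skip the 8-byte signature
    while pos + 8 <= len(image):
        length, ctype = struct.unpack_from(">I4s", image, pos)
        pos += 12 + length              # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return image[start:pos]
    return None                         # truncated: IEND never reached


CARVERS = {"JPEG": carve_jpeg, "PNG": carve_png}


def carve(image):
    """Carve every JPEG/PNG whose header is found; returns (offset, type, bytes) triples."""
    recovered = []
    for off, name in find_headers(image):
        carver = CARVERS.get(name)
        if carver:
            data = carver(image, off)
            if data:
                recovered.append((off, name, data))
    return recovered


def build_sample_image():
    """Constructed image: filler, a tiny JPEG, a minimal PNG (CRCs zeroed), a PE stub,
    then a stray 'MZ' that is not a PE header and must be rejected."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"JFIF-data" + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n"
           + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
           + struct.pack(">I", 0) + b"IEND" + b"\x00" * 4)
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    pe[0x3C:0x40] = struct.pack("<I", 0x40)     # e_lfanew: PE header right after it
    pe += b"PE\x00\x00" + b"\x00" * 20
    filler = b"\x00" * 64
    return filler + jpeg + filler + png + filler + bytes(pe) + filler + b"MZ" + filler
```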

Metadata
• Meta refers to data about data
• The Sleuth Kit and Autopsy can help perform analysis of metadata

Known File Filtering

• The process of filtering out files that are already known
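Known-file filtering and the metadata section above come together in one routine: hash every file under the examination directory, drop those whose hash appears in a known set (the role a reference hash set such as NSRL plays in FTK or EnCase), and report the remaining files with the timestamps a timeline needs. The Python below is an added example, not the book's code; the directory tree and the known set are constructed inside demo().

```python
"""Known-file filtering with a hash set, plus metadata for whatever remains.

Added example, not the book's own code. Matching is by content, so a known
file under a new name is still dropped and an unknown file that wears a
known name is still kept. The tree and known set are constructed in demo().
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha1_file(path):
    """SHA-1 of a file, read in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_metadata(path):
    """Size and timestamps. Note: st_ctime is inode change time on Unix but
    creation time on Windows, so label it by platform in a real report."""
    st = os.stat(path)

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {"size": st.st_size, "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "changed": iso(st.st_ctime)}


def filter_known(root, known_hashes):
    """Walk root; return (kept, dropped). kept entries carry hash and metadata,
    dropped is the list of relative paths whose content matched the known set."""
    kept, dropped = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha1_file(path)
            if digest in known_hashes:
                dropped.append(rel)
            else:
                kept.append({"path": rel, "sha1": digest, **file_metadata(path)})
    kept.sort(key=lambda e: e["path"])
    return kept, sorted(dropped)


def demo():
    """Constructed tree: two 'OS' files in the known set, one user document, and
    a file named like a known binary but with different content."""
    known = {hashlib.sha1(c).hexdigest() for c in (b"kernel32-bytes", b"notepad-bytes")}
    files = {
        "Windows/System32/kernel32.dll": b"kernel32-bytes",
        "Windows/notepad.exe": b"notepad-bytes",
        "Users/alice/notes.txt": b"meeting at 10",
        "Users/alice/notepad.exe": b"not-really-notepad",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        kept, dropped = filter_known(root, known)
    return [e["path"] for e in kept], dropped
```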

Media File Forensic Steps

The following steps can be adopted as best practice before shutting down a computer, in order to prevent loss of evidence:
1. In Windows press CTRL + ALT + DEL at the same time and select "Task Manager". Take a screenshot of all the processes which are running.
2. The netstat command can be used to check all network connections and network statistics.
3. net sessions depicts established network communication sessions.
4. openfiles depicts all currently open shared files.
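Step 2 produces text the examiner otherwise has to read through by hand. As an added example, not from the book, the Python below parses the output format of `netstat -ano` on Windows into records, groups the ESTABLISHED connections by owning process id so they can be matched against the Task Manager screenshot from step 1, and flags peers outside the private, loopback and link-local ranges. SAMPLE is constructed netstat output.

```python
"""Triage of volatile network state recorded before shutdown.

Added example, not the book's own code. SAMPLE is constructed `netstat -ano`
output; the addresses and process ids in it are made up.
"""
import ipaddress
from collections import defaultdict

SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.7:443        ESTABLISHED     5120
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     2212
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1084
"""

# Ranges treated as internal; anything else is a peer outside the local estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """'192.168.1.20:49712' -> ('192.168.1.20', 49712); '[::]:445' -> ('::', 445);
    '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host):
    """True for wildcards, unspecified addresses and the ranges in INTERNAL_NETS."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)   # version mismatch -> False


def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows have no State column, so state is None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["TCP"] and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[:1] == ["UDP"] and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = None
        else:
            continue                      # banner, column header or blank line
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign),
                     "state": state, "pid": int(pid)})
    return rows


def established_by_pid(rows):
    """{pid: [{'remote': 'host:port', 'external': bool}, ...]} for ESTABLISHED rows."""
    by_pid = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            host, port = r["foreign"]
            by_pid[r["pid"]].append({"remote": f"{host}:{port}",
                                     "external": not is_internal(host)})
    return dict(by_pid)


def external_pids(rows):
    """Process ids holding at least one connection to a non-internal peer."""
    return sorted(pid for pid, conns in established_by_pid(rows).items()
                  if any(c["external"] for c in conns))
```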

Additional Information
• https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.
• http://digital-forensics.sans.org/blog/2010/08/25/intro-report-
writing-digital-forensics/.
• http://www.rcfl.gov/.
• http://www.rcfl.gov/DSP_T_CoursesLE.cfm.
• http://www.rcfl.gov/Downloads/Documents/Benefits_of_Participation.pdf
• http://www.evidencemagazine.com/index.php?
option=com_content&task=view&id=1159&Itemid=217.
• http://www.ascld-lab.org/training/.
• http://www.ascld-lab.org/preparation-course-for-testing-labs/.
• http://www.umuc.edu/academic-programs/masters-
degrees/digital-forensics-and-cyber-investigations.cfm.
• http://www.amu.apus.edu/academic/programs/degree/1409/graduate-
certificate-in-digital-forensics.
• http://www.shsu.edu/programs/master-of-science-in-digital-forensics/.
• http://www.mssu.edu/academics/programs/computer-forensics.php.
• http://www.state.gov/m/ds/clearances/c10977.htm#14.

Performing Forensic Analysis
Chapter 5

Planning Cyber Forensics Investigation
• Planning and quality control are essential for any forensic investigation
• Forensic analysts must have the documentation and reporting skills that
are essential to conduct forensic investigations
• An investigation plan should address how the evidence will be collected,
how its integrity will be protected (hashing, chain of custody) and how it
will be analysed.

Analysis of Evidence
• What types of techniques will be implemented to analyze the evidence?

Validation of Findings
• How should the evidence be validated?
• Could errors have been introduced into the evidence?
• What tools will be used to validate the results?

Proper Evidence Handling


Completeness of Investigation
• All relevant evidence to the investigation must be collated
• All facts must be completed and gathered to depict a full picture of the
scenario

Case notes and Reports


• Case notes are informal documents in comparison to reports
• Are notes of the forensic investigator
• Are subject to quality review by other forensic analysts
• Not formal report findings
• Case notes can be subpoenaed for court

Guidelines for Case Notes


• File all conversations that have taken place
• Preserve copies of all relevant documents encompassing warrants,
requests to investigate, etc
• Documentation should be all-inclusive and entail method, tool, date, time,
results and all discrepancies

The Forensic Report


• Formal document which describes the tests that have been carried out and
their results
• Forensic labs require forensic investigators to produce a report of the
forensic process.
• Case notes can be incorporated into the forensic report
• The forensic report can be viewed as a summary of the case notes
• The SANS Institute recommends the following structure for the report:
1) Overview/Case Summary
2) Forensic Acquisition and Exam
3) Findings and Report
• The forensic tool EnCase contains report templates that can be utilised
to build an effective forensic report
• The free forensic tool Autopsy also generates reports

Quality Control
• Quality control is critical in forensic investigations especially for the
forensic lab itself
• FBI Regional Computer Forensics Laboratory is a “one stop, full-service
forensics laboratory and training center devoted entirely to the
examination of digital evidence in support of criminal investigations.
• American Society of Crime Laboratory Directors (ASCLD) provides
guidelines for forensic labs
• The standard ISO/IEC 17025:2005 (since superseded by ISO/IEC
17025:2017) covers "requirements for the competence of testing and
calibration laboratories." This standard is common to all forensic labs,
not just cyber forensics labs
• Quality tools which have been accepted within the Cyber Forensic
Community should be used

Fundamentals of Hardware Forensics
Chapter 6

Hard Drive Specifications


• Forensic investigators must understand how hard drives function in order
to effectively perform a forensic analysis
• Hard drives are platters which are stacked up like plates on a spindle. A
read/write head is used to read the data from the platters or to write data
to the platters.
• Platters are made from ferromagnetic material
• Dust on the platters can cause issues and problems with reading data
• Each platter surface is divided into tracks and sectors; a sector
traditionally holds 512 bytes of data (4096 bytes on Advanced Format
drives), and the sector is the smallest unit the drive reads or writes
Hard Drive Partitions
Hard drives using the classic MBR scheme can consist of the following types
of partitions:

• Primary Partition: can hold an operating system and be made bootable.
An MBR disk can have up to four primary partitions (or three primary
partitions plus one extended partition).
• Active Partition: the primary partition which is booted when a hard drive
has more than one primary partition. Only one partition can be marked
active at a time.
• Extended Partition: only one per physical disk. This is the space which
the user has chosen to divide into subspaces for usage.
• Logical Partition: the subspaces carved out of the extended partition

Non-Standard Partitions
The following are the non-standard partition types:
Encrypted Partitions: Tools such as TrueCrypt (now discontinued; VeraCrypt
is its successor) and BitLocker allow partitions or whole drives to be
encrypted
Hidden Partitions: In the process of creating partitions some partitions can
be hidden, which enables data to be hidden. These are of particular interest
to forensic investigators. Tools such as Raw Disk Viewer can be utilised to
identify hidden partitions; comparing the partition table against the disk's
total capacity also reveals unaccounted-for space

The following areas of a disk are also of interest:

Unallocated Space: Space which has not been allocated to any file, often
known as "free space"; the content of deleted files frequently survives here
Slack Space: Space between the end of a file's data and the end of the last
cluster allocated to it. Tools such as Autopsy from The Sleuth Kit can be
used to identify the data in the slack space.
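The partition facts above (several primary partitions, one active flag, gaps the table does not account for) can be checked directly from the first sector of a disk. The following Python is an added example for this page, not code from the book or from any forensic tool; the 512-byte MBR it parses is constructed in `build_sample_mbr()` with a deliberate gap between two partitions, and the partition-type table is a small subset of the real type IDs.

```python
import struct

SECTOR = 512
# Subset of the MBR partition type IDs (assumption: only the common ones)
PARTITION_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
                   0x83: "Linux", 0xEE: "GPT protective"}


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def parse_mbr(sector: bytes):
    """Parse the four 16-byte entries of the MBR partition table at offset 446."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR (bad 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:            # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,       # the 'active' flag
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, hex(ptype)),
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count - 1,
        })
    return parts


def unallocated_ranges(parts, total_sectors):
    """Sector ranges not covered by any partition (sector 0 is the MBR itself).

    Unexplained gaps are where hidden partitions and wiped volumes live."""
    ranges, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            ranges.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes between the end of a file and the end of its last cluster."""
    return (-file_size) % cluster_size


def build_sample_mbr() -> bytes:
    """Constructed MBR: bootable NTFS at LBA 2048 and a Linux partition at
    LBA 300000, leaving unaccounted-for space between and after them."""
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 300000, 100000)]
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries)
    table += b"\0" * 32                      # two empty slots
    return b"\0" * 446 + table + b"\x55\xaa"


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("unallocated:", unallocated_ranges(parts, 500000))
    print("slack for a 5000-byte file in 4096-byte clusters:", slack_bytes(5000, 4096))
```

On a real image, feed the first 512 bytes of the raw dd file to `parse_mbr` and the image size in sectors to `unallocated_ranges`; a type 0xEE entry means the disk is GPT-partitioned and the protective MBR says nothing about the real layout.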

Redundant Array of Independent Disks (RAID) Levels
The following RAID levels combine several physical disks into one logical
volume; all but RAID 0 allow the array to keep working when at least one
disk fails:
RAID 0: known as disk striping, distributes data across multiple disks,
which increases read and write speed but provides no redundancy.
RAID 1: mirrors the contents of the disks to establish an identical copy on
a second disk.
RAID 3 or 4: combine three or more disks in order to protect data against
loss of any one disk. Fault tolerance is achieved by adding an extra disk to
the array and dedicating it to storing parity information (RAID 3 stripes at
byte level, RAID 4 at block level). The storage capacity of the array is
reduced by one disk, the parity disk.
RAID 5: similar to RAID 4, combines three or more disks to protect data
against loss of any one disk, but the parity is distributed across all the
disks rather than stored on one dedicated drive.
RAID 6: combines four or more disks and stores two independent parity
blocks per stripe to protect data against loss of any two disks
RAID 1+0: mirrored data set (RAID 1) which is then striped (RAID 0)
• Forensic Toolkit (FTK) and EnCase provide built-in tools for acquiring
RAID arrays; to reassemble an array that was imaged disk by disk the
examiner must still know the disk order, stripe size and parity rotation.
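The parity mechanism behind RAID 4/5, and why a forensic examiner can rebuild a volume from all-but-one disk image, comes down to XOR. The following Python is an added example for this page (not the book's code, and not how FTK or EnCase implement RAID support): it splits data across three virtual "disks" with rotating parity using one assumed rotation order, loses one disk, rebuilds it, and shows that assembling the disks in the wrong order yields garbage.

```python
from functools import reduce


def xor_blocks(*blocks: bytes) -> bytes:
    """Byte-wise XOR of equal-length blocks; XOR-ing all but one block of a
    stripe with the parity block recovers the missing one."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk_for(stripe: int, n_disks: int) -> int:
    # Assumed rotation: parity walks backwards one disk per stripe. Real
    # controllers use several layouts (left/right, symmetric/asymmetric);
    # the examiner must determine which one the suspect array used.
    return (n_disks - 1 - stripe) % n_disks


def raid5_split(data: bytes, n_disks: int = 3, chunk: int = 4):
    """Write data onto n_disks as RAID 5: each stripe holds n_disks-1 data
    chunks plus one parity chunk, with the parity position rotating."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (n_disks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        stripe = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = parity_disk_for(s, n_disks)
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(*chunks) if d == parity_disk else next(data_iter))
    return disks


def raid5_assemble(disks) -> bytes:
    """Read a complete array back into a flat byte string (parity skipped)."""
    n, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        parity_disk = parity_disk_for(s, n)
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out)


def raid5_rebuild(disks, failed: int):
    """Reconstruct the missing disk (given as None) from the survivors."""
    n = len(disks)
    stripes = len(disks[(failed + 1) % n])
    rebuilt = [xor_blocks(*(disks[d][s] for d in range(n) if d != failed))
               for s in range(stripes)]
    return [rebuilt if d == failed else disks[d] for d in range(n)]


if __name__ == "__main__":
    data = b"forensic image of a RAID 5 volume"          # constructed sample content
    disks = raid5_split(data)
    degraded = [disks[0], None, disks[2]]                  # disk 1 failed or was not imaged
    print(raid5_assemble(raid5_rebuild(degraded, 1)).rstrip(b"\x00"))
```

The rebuild works for exactly one missing disk; losing two disks of a RAID 5 leaves the stripe under-determined, which is what the second parity block in RAID 6 addresses.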

EnCase: Acquiring RAID Arrays

RAID arrays can be acquired using the EnCase toolkit (a legacy DOS-based
procedure in which the suspect machine's own RAID controller presents the
array as a single drive) by implementing the following steps:

• Step 1: Document the RAID Setup by opening the cover of the suspect
PC
• Step 2: Download and create a network boot disk
• Step 3: For every hard drive unplug the power and data connectors
• Step 4: Boot the suspect computer and Configure BIOS to boot floppy
only
• Step 5: Save Settings
• Step 6: Shut down the computer
• Step 7: Reconnect the Hard drive
• Step 8: If performing DOS drive to drive acquisition connect your
partitioned and FAT-32 formatted storage drive to a spare hard drive
connector on the suspect computer
• Step 9: Insert boot floppy and boot the computer
• Step 10: If you are working with a SCSI RAID array, choose the options
to Auto Detect and load the SCSI drivers using the network boot disk.
• Step 11: If you intend to perform a network crossover acquisition, allow
the computer to detect and load drivers for the network card.
• Step 12: Launch EnCase for DOS. Remember, the BIOS sees the RAID
as one drive, so you will only see one large physical drive in EnCase.
• Step 13: Acquire the RAID array as you would acquire a single IDE hard
drive.
• Step 14: When the acquisition is finished, the RAID array will appear as
one physical disk in EnCase

Recovering From Damaged Media

Forensic investigators should implement the following steps when recovering
data from damaged media:

• Step 1: Remove the drive from the system
• Step 2: Connect the drive to a test system
• Step 3: Configure the damaged drive as a secondary drive
• Step 4: Connect to the secondary drive
• Step 5: If the system recognises the drive, image the drive
• Step 6: If the test system is unable to read the whole drive but does
recognise it, utilise open-source tools such as dcfldd or GNU ddrescue,
which log and skip (or retry) unreadable sectors, to establish an image
of it
• Step 7: If the drive is not identified, validate and ensure the hard drive
is spinning
• Step 8: If it is not spinning, send the drive to a data-recovery specialist
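What the Step 6 tools do with an unreadable sector matters for the image's evidential value: a failed read must not shift every later byte, and the hash must be computed over exactly what was written. The following Python is an added example for this page, not the book's code and not dcfldd or ddrescue themselves; it reproduces the behaviour of `dd conv=noerror,sync` plus on-the-fly hashing against a constructed stand-in for a failing drive.

```python
import hashlib

SECTOR = 512


class DamagedDevice:
    """Constructed stand-in for a failing drive: any read of a bad sector
    raises OSError, as the kernel does for an unrecoverable read error."""

    def __init__(self, data: bytes, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev):
    """Sector-by-sector acquisition in the manner of dd conv=noerror,sync.

    Unreadable sectors are logged and replaced by zeros so that every later
    sector keeps its original offset in the image, and the image is hashed as
    it is produced so the acquisition hash covers exactly the bytes written."""
    image, errors = bytearray(), []
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for n in range(dev.sectors):
        try:
            block = dev.read_sector(n)
        except OSError as exc:
            block = b"\x00" * SECTOR
            errors.append((n, str(exc)))
        image += block
        md5.update(block)
        sha256.update(block)
    report = {
        "sectors": dev.sectors,
        "bad_sectors": [n for n, _ in errors],
        "errors": errors,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }
    return bytes(image), report


def verify_image(image: bytes, report) -> bool:
    """Re-hash the stored image and compare with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == report["sha256"]


def build_sample_device() -> DamagedDevice:
    # Eight sectors, each filled with its own index, with sectors 3 and 6 unreadable.
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    return DamagedDevice(data, bad_sectors={3, 6})


if __name__ == "__main__":
    image, report = image_device(build_sample_device())
    print(report)
    print("verified:", verify_image(image, report))
```

The bad-sector list belongs in the case notes alongside the hashes, since the zero-filled sectors are the one place where the image is known not to match the drive.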

CMOS /BIOS

• Basic Input Output System (BIOS), known as the firmware, gives the
computer instructions between the time power is switched on until the
operating system is loaded.
• Complementary Metal Oxide Semiconductor (CMOS) stores the system
time and date and the system hardware settings for the computer during
start-up.
SWAP File
• Swap (page) files contain remnants of the programs and data the user had
been working on, because memory pages are written out to disk when
RAM is full
• Swap files are not erased when the computer shuts down
• Data held within the swap file therefore survives a reboot
• Windows sizes the page file automatically; a common rule of thumb is
1.5 times the size of RAM
• Swap file contents can be scrutinised using a hex editor or carved with
Scalpel
• On Windows NT-based systems (NT, 2000, XP and later) the swap file is
named pagefile.sys (Windows 9x used win386.swp); the hibernation file
hiberfil.sys, a compressed copy of RAM, is equally valuable

Operating System Specifics


• Operating system responsible for core computer functionality
• Perform tasks such as processing input from the keyboard or mouse,
managing memory, sending output to the display screen, maintaining and
accessing files, and controlling external devices such as printers and
scanners.
• Operating systems can be classified into four categories: multiuser,
multiprocessing, multitasking and multithreading
• Kernel is the core of all operating systems
• Two types of kernels: monolithic and micro-kernel.
• Important functions of the kernel is memory management

Extracting Deleted Files

• Deleted files are recoverable in Windows as long as the clusters they
occupied have not been overwritten: deletion only marks the directory
entry (FAT) or the MFT record (NTFS) as unused
• Older Windows versions use FAT16 or FAT32; from Windows 2000
onward NTFS is the default file system
• Windows tools that can be used to recover deleted files: DiskDigger,
WinUndelete, NTFS Undelete

Hidden Files and Anti-Forensics
Chapter 7

Cryptography
• Study of methods for encrypting and decrypting a message
• Cryptanalysis is the study of methods to break cryptography
• Cryptology includes both cryptography and cryptanalysis.
• An algorithm can be defined as a defined sequence of steps which are
required in order to achieve a certain technical task.
• In cryptography, another term for a cryptographic algorithm is a cipher.
• The text you intend to encrypt is referred to as plain text; the secret
input which is required to make the cipher work is called the key
• The output of a cryptographic algorithm is called cipher text

Caesar Cipher
• One of the oldest recorded ciphers is the Caesar cipher
• Based on the method: you choose some number by which to shift each
letter of a text.
• Caesar ciphers belong to a class of ciphers known as substitution ciphers.
• Single-alphabet (monoalphabetic) substitution cipher; with only 25
possible shifts it is broken by simply trying every key

Caeser Cipher-Example
For example, if the text is
A cat
And you choose to shift by three letters, then the
message becomes
D gdw
Or, if you choose to shift by one letter to the left, it becomes
Z bzs
ROT 13
• Single-alphabet substitution cipher
• It is very much like the Caesar cipher, except it has a fixed shift
• All characters are rotated 13 characters through the alphabet.

Example of ROT 13
The phrase
A CAT
becomes
N PNG
ROT 13 is a single-substitution cipher; because 13 is half of 26, applying
it twice restores the original text.

Atbash Cipher
• Used by ancient Hebrew scholars
• Entails substituting the first letter of the alphabet for the last and the
second letter for the second to the last, etc
• Reverses the alphabet.
• A becomes Z, B becomes Y, C becomes X, etc.
• Single-substitution cipher

Multialphabet Substitution
• You select multiple numbers by which to shift letters (i.e., multiple
substitution alphabets).
• For example, if you select three substitution alphabets (+1, –1, +2), this
means you shift the first letter right one, the second letter left one, then
the third letter right two, and then repeat. The fourth letter is shifted right
one, the fifth left one, and the sixth shifted right by two.

Vigenère Cipher
• One of the most widely known multialphabet ciphers is the Vigenère
cipher
• First described in 1553 by Giovan Battista Bellaso and later
misattributed to Blaise de Vigenère
• Method of encrypting text by using a series of different monoalphabet
ciphers selected based on the letters of a keyword

Modern Cryptography
• Modern cryptography is split into two main branches: symmetric
and asymmetric.
• Symmetric cryptography means that the same key is used to decrypt a
message as was used to encrypt it
• asymmetric cryptography, the key used to encrypt a message cannot
decrypt it; you need a second key.
• Symmetric cryptography can be further broken down into two subgroups
block ciphers and stream ciphers.
• Block ciphers, the plain text is divided into blocks (usually 64 or 128 bits)
and each block is encrypted.
• Stream ciphers, the plain text is encrypted in a stream, one bit at a time
• Modern block ciphers are built from simple binary operations (XOR, bit
shifts, substitution tables and permutations) repeated over many rounds.

Symmetric Encryption
• Refers to those methods where the same key is used to encrypt
and decrypt the plain text.

Data Encryption Standard (DES)

• Developed by IBM in the early 1970s and adopted as a US federal
standard in 1977
• Uses a symmetric key system
• Uses a short (56-bit) key and relies on a complex round structure to
protect its information; the key is now short enough to brute-force,
which is why Triple DES and later AES replaced it
The DES algorithm implements the following sequence:
1. Data is divided into 64-bit blocks
2. Each block is transposed by an initial permutation
3. The transposed block is processed by 16 rounds of a Feistel function,
each round using a 48-bit subkey derived from the key
4. The two halves of the block are swapped
5. The data is transposed again by the final (inverse initial) permutation

Feistel Ciphers
• DES is part of a class of ciphers called Feistel ciphers
• Central to a Feistel cipher is the round function F applied to one half
of the block; because each round only XORs the output of F into the
other half, decryption runs the same structure with the subkeys in
reverse order, and F itself never needs to be invertible
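The Feistel structure is easiest to believe once you see decryption reuse the encryption routine. The following Python is an added example for this page, not the book's code and not DES: the round function, key schedule and 8-byte ECB wrapper are toy constructions chosen only to show the structure (they provide no real security), but the encrypt/decrypt symmetry is exactly the property DES relies on.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_keys(key: bytes, rounds: int = 16):
    """Toy key schedule (assumption): one 32-bit subkey per round from SHA-256."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def round_function(right: int, subkey: int) -> int:
    """Toy F: mix the half-block with the subkey. It is deliberately NOT
    invertible; the Feistel structure never needs to invert F."""
    x = (right ^ subkey) * 0x9E3779B1 & MASK32
    return ((x << 7) | (x >> 25)) & MASK32


def feistel(block: int, keys) -> int:
    """Run the rounds over a 64-bit block split into two 32-bit halves."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so that the same routine, fed the keys in
    # reverse order, performs decryption.
    return (right << 32) | left


def encrypt_block(block: int, keys) -> int:
    return feistel(block, keys)


def decrypt_block(block: int, keys) -> int:
    return feistel(block, list(reversed(keys)))


def encrypt_bytes(data: bytes, key: bytes) -> bytes:
    """ECB over 8-byte blocks with PKCS#7-style padding. ECB keeps the demo
    short but leaks repeated blocks; it is unsuitable for real data."""
    keys = round_keys(key)
    pad = 8 - len(data) % 8
    data = data + bytes([pad]) * pad
    return b"".join(encrypt_block(int.from_bytes(data[i:i + 8], "big"), keys).to_bytes(8, "big")
                    for i in range(0, len(data), 8))


def decrypt_bytes(data: bytes, key: bytes) -> bytes:
    keys = round_keys(key)
    plain = b"".join(decrypt_block(int.from_bytes(data[i:i + 8], "big"), keys).to_bytes(8, "big")
                     for i in range(0, len(data), 8))
    return plain[:-plain[-1]]


if __name__ == "__main__":
    ct = encrypt_bytes(b"Feistel structure demo", b"demo-key")
    print(ct.hex())
    print(decrypt_bytes(ct, b"demo-key"))
```

The last assertion in the test shows the ECB weakness directly: two identical plaintext blocks produce two identical ciphertext blocks, a pattern an examiner can spot in a hex editor without any key.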

Blowfish
• Symmetric block cipher
• Implements a single key to both encrypt and decrypt the message
• Implements "blocks" of messages at a time
• Uses a variable-length key ranging from 32 to 448 bits

Advanced Encryption Standard


• Standard uses the Rijndael algorithm
• Specifies three key sizes: 128, 192, and 256 bits
• Implements a Block Cipher
• Algorithm is widely used and is considered very secure

IDEA Encryption
• Block cipher
• IDEA stands for International Data Encryption Algorithm.
• Algorithm works with 64-bit blocks of data
• Utilizes a 128-bit key
• The encryption scheme uses a total of 52 16-bit subkeys

GOST
• DES-like algorithm developed in the Soviet Union in the 1970s and
published as GOST 28147-89
• Uses a 64-bit block and a key of 256 bits
• 32-round Feistel cipher.

Serpent
• Block size of 128 bits
• Key size of 128, 192, or 256 bits
• Algorithm is also a substitution-permutation network like AES
• Uses 32 rounds working with a block of four 32-bit words

Skipjack
• Algorithm developed by the National Security Agency (NSA)
• Designed for the clipper chip
• Clipper chip has built-in encryption
• Uses an 80-bit key to encrypt or decrypt 64-bit data blocks.

RC4
• RC stands for Ron's Cipher (or Rivest Cipher)
• Widely used software stream cipher in its day (SSL/TLS, WEP, WPA-TKIP)
• The algorithm is used identically for encryption and decryption
• Uses a variable-length key, from 1 to 256 bytes
• Now considered broken: keystream biases allow plaintext recovery, and
its use in TLS has been prohibited (RFC 7465); treat any RC4-protected
data encountered in an investigation as potentially recoverable

Asymmetric Cryptography
• Also known as Public Key Cryptography
• Essentially opposite of single-key encryption
• In conjunction with public key encryption algorithm, one key (called the
public key) is used to encrypt a message and another (called the private
key) is used to decrypt the message
• You can freely distribute your public key so that anyone can encrypt a
message to send to you
• Only you have the private key and only you can decrypt the message

• The figure illustrating how asymmetric cryptography is performed is not
reproduced here.


RSA
• Widely known asymmetric algorithm
• The algorithm is based on the difficulty of factoring the product of two
large prime numbers
• Public key method developed in 1977 by three mathematicians: Ron
Rivest, Adi Shamir, and Leonard Adleman.

Digital Signature Algorithm (DSA)

• Invented by David W. Kravitz.
• Used for digital signatures
• Encryption algorithms protect confidentiality; digital signatures take
asymmetric cryptography and reverse it (the private key is applied to a
hash of the message and the public key verifies it) so that they protect
integrity and authenticity
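Both the RSA description and the "reverse it" remark about signatures can be checked with textbook RSA. The following Python is an added example for this page, not code from the book: it uses two constructed 30-bit primes (absurdly small for real use), no padding, and a hash reduced modulo n for signing, all of which real implementations replace with 1024-bit primes and OAEP/PSS padding. It needs Python 3.8 or later for `pow(e, -1, phi)`.

```python
import hashlib
from math import gcd

# Constructed demonstration primes, far too small for real use (RSA-2048
# uses 1024-bit primes). Both are known primes.
P, Q = 1000000007, 998244353


def keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, public_key) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    # Reduce the hash modulo n so it is a valid RSA input. Real signature
    # schemes (PKCS#1 v1.5, PSS) pad the hash instead of reducing it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing is encryption 'in reverse': the private key is applied to the hash."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def demo():
    public_key, private_key = keygen(P, Q)
    m = int.from_bytes(b"hi bob", "big")       # 6 bytes, comfortably below n
    c = encrypt(m, public_key)
    sig = sign(b"forensic report v1", private_key)
    return {
        "roundtrip": decrypt(c, private_key) == m,
        "verified": verify(b"forensic report v1", sig, public_key),
        "tampered": verify(b"forensic report v2", sig, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

The "tampered" entry is the integrity property in action: changing one character of the report changes its hash, so the stored signature no longer verifies.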

Cryptographic Hash
• Characterised by three properties:
• First: it is one way (preimage resistant), so the input cannot be
recovered from the hash
• Second: variable-length input produces a fixed-length output, so no
matter what size of input you have, you get the same size output
• Third: collision resistance; collisions must exist because there are more
possible inputs than outputs, but it should be computationally infeasible
to find two different inputs that hash to the same output

Secure Hash Algorithm (SHA)

• Widely used hash algorithm family comprising several versions
• SHA-1: 160-bit hash function designed by the NSA; practical collisions
were demonstrated in 2017, so it should no longer be relied on for
integrity, though it remains common in older hash sets
• SHA-2: a family of functions with different internal block sizes, of
which SHA-256 and SHA-512 are the most used (SHA-224 and SHA-384
are truncated variants)
• SHA-3: the latest version, standardised in 2015 and based on the
Keccak sponge construction

RipeMD
• RACE Integrity Primitives Evaluation Message Digest (RipeMD)
• 160-bit hash algorithm developed by Hans Dobbertin, Antoon Bosselaers,
and Bart Preneel.
• There exist 128-, 256- and 320-bit versions of this algorithm, called
RIPEMD-128, RIPEMD-256, and RIPEMD-320,

GOST
• Hash algorithm was initially defined in the Russian national standard
GOST R 34.11-94 Information Technology–Cryptographic Information
Security–Hash Function.
• Produces a fixed-length output of 256 bits.
• Input message is broken up into chunks of 256-bit blocks
• based on the GOST block cipher.

Windows Passwords
• Windows stores password hashes, not passwords
• The hashes are stored in the Security Accounts Manager (SAM) registry
hive (%SystemRoot%\System32\config\SAM), which is locked while
Windows is running and is therefore usually extracted from a disk image
• Modern Windows uses the NT hash (MD4 of the UTF-16LE password,
unsalted); older versions also stored the much weaker LM hash

Steganography
• Entails writing hidden messages
• Message is hidden in some other file, such as a digital picture or audio
file, so as to defy detection.
• Advantage of steganography over cryptography alone is that messages do
not attract attention to themselves

Basic Steganography Terms


• Payload: consists of the message you intend to hide
• The carrier: signal, stream, or data file into which the payload is hidden
• The channel: medium used such as photo, video and files

Methods and Tools

• Steganophony is a term for hiding messages in sound files
• The following tools can be used to implement steganography, including
steganophony:

Tool                 Features
Invisible Secrets    More robust
MP3Stego             Mainly used to hide the payload in MP3 files
Stealth Files 4      Works with sound, video and image files

Steganalysis
• Study of detecting messages hidden using steganography
• Goal of steganalysis is to identify suspected packages, determine whether
they have a payload encoded into them

Types of Attacks: Steganalyst
• Stego-only attack: Only the stego-object is available for analysis. For
example, only the stego-carrier and hidden information are available.
• Known cover attack: The original cover-object is compared with the
stego-object and pattern differences are detected. For example, the
original image and the image containing the hidden information are
available and can be compared.
• Known message attack: A known message attack is the analysis of
known patterns that correspond to hidden information, which may help
against attacks in the future. Even with the message, this may be very
difficult and may be considered the same as a stego-only attack.
• Chosen stego attack: The steganography tool (algorithm) and stego-
object are known. For example, the software and the stego-carrier and
hidden information are known.
• Chosen message attack: The steganalyst generates a stego-object from
some steganography tool or algorithm of a chosen message. The goal in
this attack is to determine corresponding patterns in the stego-object that
may point to the use of specific steganography tools or algorithms.
• Known stego attack: The steganography tool (algorithm) is known and
both the original and the stego-object are available.
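The simplest image steganography method, replacing the least significant bit of each pixel with one payload bit, makes the "known cover attack" above concrete: with the original carrier in hand, every altered pixel differs by exactly one. The following Python is an added example for this page, not code from the book or from any of the tools in the table: it works on raw grayscale pixel bytes (a constructed 64x64 gradient stands in for an image file) and uses an assumed 32-bit length prefix so the extractor knows where the payload ends.

```python
def _to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length prefix plus the payload into the LSB of each pixel."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(carrier):
        raise ValueError("payload too large for carrier")
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, then set it
    return bytes(stego)


def extract(stego: bytes):
    """Read the length prefix, then that many bytes; None if the prefix is implausible."""
    lsbs = [b & 1 for b in stego]
    length = int.from_bytes(_from_bits(lsbs[:32]), "big")
    if 32 + 8 * length > len(lsbs):
        return None
    return _from_bits(lsbs[32:32 + 8 * length])


def known_cover_diff(cover: bytes, stego: bytes):
    """Known cover attack: compare carrier and suspect object pixel by pixel.
    Pure LSB embedding shows up as differences of exactly 1 at the start of the file."""
    diffs = [(i, cover[i] ^ stego[i]) for i in range(len(cover)) if cover[i] != stego[i]]
    return {"changed_pixels": len(diffs),
            "only_lsb": all(d == 1 for _, d in diffs),
            "last_changed": diffs[-1][0] if diffs else None}


def build_sample_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed 8-bit grayscale gradient standing in for a real image's pixels."""
    return bytes((x * 7 + y * 3) & 0xFF for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = build_sample_cover()
    stego = embed(cover, b"meet at dawn")
    print(extract(stego))
    print(known_cover_diff(cover, stego))
```

Without the cover, an examiner is in the stego-only situation and has to fall back on statistics (LSB planes of natural images are not uniformly random, embedded data usually is); the comparison above is why seizing originals alongside suspect files matters.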

Cryptanalysis
• Involves using any method to decrypt the message that is more efficient
than trying every key
• Study of analysing information systems in order to discover the hidden
aspects of the systems
• Used to breach cryptographic security systems and gain access to the
contents of encrypted messages, even if the cryptographic key is
unknown.

Cryptanalysis Success Criteria

• Identifying any form of information about the target cipher is viewed as
a success.
Cryptanalysis success categories are considered the following:

• Total break: the attacker recovers the secret key
• Global deduction: the attacker finds a functionally equivalent algorithm
for encryption and decryption without learning the key
• Instance (local) deduction: the attacker recovers additional plaintexts
(or ciphertexts) that were not previously known
• Information deduction: the attacker gains some Shannon information
about plaintexts (or ciphertexts) not previously known
• Distinguishing algorithm: the attacker can distinguish the cipher from a
random permutation
Cryptanalysis Methods
• Brute force attack:
Brute force means exhausting every possible key until a match is found.
Even against classical ciphers it is time consuming; in modern
cryptography the cost of a brute force attack grows exponentially with
the key length, so against properly sized keys (for example 128-bit AES
keys) it is infeasible for all practical purposes. It remains effective
against short keys such as the 56-bit DES key and against weak
passwords.

• Chosen plaintext attack

The attacker chooses plaintexts, has them encrypted, and observes the
resulting ciphertexts. By examining many plaintext-ciphertext pairs the
attacker may recover information about the key. Differential
cryptanalysis of DES is the classic example of a chosen plaintext attack.

• Man in the middle attack

In this type of attack, Eve sits between Alice and Bob on a channel where
public keys are exchanged without authentication. Alice asks Bob for his
public key Kb; Eve intercepts the reply and sends Alice her own public
key Ke instead. Alice encrypts her message P with Ke, believing it to be
Bob's key. Eve decrypts P with her private key, reads it, re-encrypts it
with Bob's real key Kb and forwards it to Bob, who suspects nothing. Eve
can do the same in the other direction and so reads (or alters) the whole
conversation. The defence is to authenticate public keys, for example with
certificates or out-of-band fingerprint verification.

Web-based cryptanalysis tools


• CrypTool
CrypTool aims at making people understand network security threats
and the working of cryptology. It includes asymmetric ciphers such as
RSA and elliptic curve cryptography. CrypTool 1 (CT1) experiments with
different algorithms and runs on Windows. It was developed in C++.

• EverCrack
An open source GPL software, EverCrack deals chiefly with mono –
alphabetic substitution and transposition ciphers. The overall design goal
is to break down complex ciphers systematically into their simplex
components for cryptanalysis (by the kernel)
• Cryptol
Cryptol is a domain-specific language for specifying cryptographic
algorithms; it allows the cryptographer to watch how the stream-processing
functions in the program manipulate the ciphers or encryption algorithms.

• AlphaPeeler
AlphaPeeler is a freeware / non-commercial software product for
educational and personal use.

• Crypto Bench
Crypto Bench is a software that performs various cryptanalytic
functions. It can generate 14 cryptographic hashes and two checksums. It
can encrypt with 29 different secret key or symmetric schemes. It can
Encrypt, Decrypt, Sign, and Verify with six different public key or
asymmetric schemes

• Elcomsoft Distributed Password Recovery

Elcomsoft Distributed Password Recovery (EDPR) installs "agents" on
as many computers as possible. These agents use brute force (and
dictionary) attacks to recover the lost password. EDPR is useful for
recovering Office passwords (Office 97/2000/2003/XP) for Word and
Excel documents.

• Jipher
Cryptanalysis tool that can be used to attack old ciphers. It can
additionally be used to analyse cookies.

Advanced Archive Password Recovery


Advanced Archive Password Recovery supports the dictionary-based attacks,
plaintext attacks and the brute – force attacks. It has a multilingual interface
and strong AES encryption support. Passwords for .zip, .arj , .rar & .ace
extensions can be cracked.

Kismet
Kismet is an 802.11 wireless network sniffer and dissector rather than a
cryptanalysis tool; it is listed here because captured wireless traffic is
usually the input to attacks on WEP and WPA. It is capable of sniffing
using most wireless cards, automatic network IP block detection via UDP,
ARP and DHCP packets, Cisco equipment discovery via Cisco Discovery
Protocol, weak cryptographic packet logging, and packet dump files
compatible with Wireshark (formerly Ethereal) and tcpdump. It also
includes the ability to plot detected networks and estimated network
ranges on downloaded maps or user-supplied image files.

Differential Cryptanalysis
• Form of cryptanalysis applicable to symmetric key algorithms
• It is the examination of differences in an input and how that affects the
resultant difference in the output

Log Tampering
Technically skilled attackers can exercise the following methods to hide
evidence and cover their tracks:
• Log deletion: deleting or clearing the logs in Windows (for example with
wevtutil cl) or Linux; clearing the Windows Security log itself leaves
event 1102 as a trace
• auditpol: the Windows audit policy tool; an attacker with administrator
rights uses it to switch auditing categories off so that later actions are
never logged
• Winzapper: the most prominent tool that empowers an attacker to delete
individual log entries rather than the whole log
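Each of those three techniques leaves a detectable footprint if the right records are checked. The following Python is an added example for this page, not code from the book, Winzapper or Microsoft: it runs over a constructed list of Windows Security event records (the field names are an assumed simplified export, not the native EVTX schema) and flags the clear-log event 1102, the audit-policy-change event 4719, process-creation events (4688) for auditpol.exe or wevtutil.exe, and gaps in the record-ID sequence that selective deletion leaves behind.

```python
# Event IDs and their meaning (Windows Security / System logs)
SUSPICIOUS_EVENTS = {
    1102: "Security audit log cleared",
    104: "Event log cleared (System channel)",
    4719: "System audit policy changed",
}
CLEARING_TOOLS = ("auditpol.exe", "wevtutil.exe")


def detect_log_tampering(events):
    """Return (record_id, reason) for every indicator of log tampering.

    The record-ID gap check is a heuristic: IDs are normally consecutive, so a
    jump suggests entries were removed. Log roll-over also produces gaps, so
    treat it as a lead, not proof."""
    findings = []
    ordered = sorted(events, key=lambda e: e["RecordId"])
    previous = None
    for ev in ordered:
        if previous is not None and ev["RecordId"] != previous["RecordId"] + 1:
            findings.append((ev["RecordId"],
                             f"gap in record IDs after {previous['RecordId']} (possible selective deletion)"))
        if ev["EventId"] in SUSPICIOUS_EVENTS:
            findings.append((ev["RecordId"], SUSPICIOUS_EVENTS[ev["EventId"]]))
        if ev["EventId"] == 4688:
            process = ev.get("NewProcessName", "").lower()
            if process.endswith(CLEARING_TOOLS):
                findings.append((ev["RecordId"],
                                 f"audit/log tool launched: {process} {ev.get('CommandLine', '')}"))
        previous = ev
    return findings


# Constructed sample records (simplified export, not real EVTX data).
SAMPLE_EVENTS = [
    {"RecordId": 1001, "EventId": 4624, "Account": "alice"},
    {"RecordId": 1002, "EventId": 4688, "Account": "alice",
     "NewProcessName": "C:\\Windows\\System32\\auditpol.exe",
     "CommandLine": 'auditpol /set /category:"Logon/Logoff" /success:disable'},
    {"RecordId": 1003, "EventId": 4719, "Account": "alice"},
    {"RecordId": 1007, "EventId": 1102, "Account": "alice"},     # 1004-1006 are missing
    {"RecordId": 1008, "EventId": 4688, "Account": "alice",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]


if __name__ == "__main__":
    for record_id, reason in detect_log_tampering(SAMPLE_EVENTS):
        print(record_id, reason)
```

Because these events are written by the same log the attacker is attacking, forward logs to a separate collector in real time; the collector's copy is what survives a local clear.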

Onion Routing
• In this technique the sender wraps each packet in several layers of
encryption, one per relay (onion router) on the chosen path, innermost
layer first. Each layer carries only the address of the next relay. When
the packet arrives at a relay, that relay strips exactly one layer with its
own key, which reveals the next hop and nothing else; the payload is only
fully decrypted when the last layer is removed at the exit. Consequently
a packet intercepted en route reveals neither its origin nor its final
destination, and no single relay knows both.

• The figure illustrating this is not reproduced here.
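The layering can be simulated in a few lines. The following Python is an added example for this page, not code from the book and not Tor's protocol: the per-hop keys are constructed constants (a real network negotiates them with Diffie-Hellman), the "cipher" is a SHA-256 counter-mode keystream standing in for AES, and the 8-byte next-hop field is an assumed packet format. What it does show faithfully is that each relay learns only the next hop and that only the exit sees the payload.

```python
import hashlib

HOP_FIELD = 8    # assumed fixed-width next-hop field at the front of each layer


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 keystream in counter mode XORed with the
    data. Symmetric, so the same call encrypts and decrypts."""
    blocks = len(data) // 32 + 1
    keystream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_onion(payload: bytes, route, keys) -> bytes:
    """Wrap the payload for each relay on the route, innermost (exit) first."""
    onion, next_hop = payload, b"DEST"
    for hop in reversed(route):
        onion = stream_xor(keys[hop], next_hop.ljust(HOP_FIELD, b"\x00") + onion)
        next_hop = hop.encode()
    return onion                      # this is what gets sent to route[0]


def peel(hop: str, onion: bytes, keys):
    """What one relay does: strip its own layer, read the next hop, forward the rest."""
    plain = stream_xor(keys[hop], onion)
    return plain[:HOP_FIELD].rstrip(b"\x00").decode(), plain[HOP_FIELD:]


def route_packet(payload: bytes, route, keys):
    """Simulate forwarding and record what each relay could observe."""
    onion, hop, trace = build_onion(payload, route, keys), route[0], []
    while True:
        next_hop, onion = peel(hop, onion, keys)
        trace.append({"hop": hop, "next": next_hop, "sees_payload": payload in onion})
        if next_hop == "DEST":
            return onion, trace
        hop = next_hop


if __name__ == "__main__":
    keys = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}  # constructed
    delivered, trace = route_packet(b"GET / HTTP/1.1 secret query", ["guard", "middle", "exit"], keys)
    for step in trace:
        print(step)
    print(delivered)
```

The trace is the forensic takeaway: a capture at the guard relay shows encrypted bytes addressed to the middle relay, a capture at the exit shows the plaintext but not its origin, and only by correlating timing across several relays can the two ends be linked.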


Other Techniques
• Spoofing: in order to prevent their location being known criminals can
do this in the following ways: 1) IP spoofing, which involves sending
packets with a different source IP address 2) MAC spoofing, where the
machine is made to present a MAC address other than the one burned
into the network card.
• Wiping: criminals can overwrite data using the Linux command dd
(for example writing /dev/zero or /dev/urandom over a device) or expose
the hard drive to a strong magnetic field (degaussing), which destroys the
data on magnetic platters.
• Tunnelling: this involves encrypting network traffic, such as through a
Virtual Private Network (VPN), which hinders the traffic from being
analysed by packet sniffers, intrusion detection systems, etc.
Additional Reading References
1. http://en.wikipedia.org/wiki/RSA_(cryptosystem).
2. http://technet.microsoft.com/en-us/library/cc731451.aspx.
3. http://ntsecurity.nu/toolbox/winzapper/.

Fundamentals of Network Forensics
Chapter 8
Network Packet Analysis
• Data sent over wires is represented as 1s and 0s
• Data is divided into chunks called packets
• Packets must contain the following information: 1) information that
defines the destination of the packet 2) defined boundaries outlining the
start and end 3) a means of identifying errors that occurred during
transmission
• Packets are divided into the following parts: header, data and footer

Packet Header
• The header contains the addresses of the source and destination of the
packet
• The data section contains the data which is intended to be sent to the
destination
• The footer section provides error detection and marks the end of the
packet
• Packets come in different sizes; fixed-size packets (as used by ATM) are
known as cells, while most other packets vary in size.
• A packet handled at layer 2 of the Open Systems Interconnection (OSI)
model is called a frame.
• A packet handled at layer 4 is called a segment (TCP) or a datagram
(UDP).
• Datagrams are sent using connectionless, unreliable protocols
• Packets sent using connection-oriented protocols are acknowledged so the
sender knows they have been received
• Packet headers are a very effective source of information for a forensic
investigation
• The header provides insight into where the packet comes from and its
intended destination
• A TCP/IP packet on an Ethernet network carries three headers: an
Ethernet header, an IP header and a TCP header.
• TCP Header: contains information related to the transport layer of the
OSI model, including the source and destination ports for the
communication.
• TCP Header: contains the sequence and acknowledgement numbers, and
control bits (flags) which are utilised to establish, reset and terminate
communications.
TCP Header: contains the following control bits:

• URG (1 bit): the urgent pointer field is significant
• ACK (1 bit): the acknowledgement number field is valid; set on every
segment after the initial SYN
• PSH (1 bit): push the buffered data to the receiving application
• RST (1 bit): the connection must be reset, for example when errors are
experienced or nothing is listening on the port
• SYN (1 bit): synchronise sequence numbers; set only on the first two
segments of a connection
• FIN (1 bit): the sender has finished sending; used to close the connection

Diagram of the TCP Header

IP Header
• Contains the source IP address and destination IP address
• Contains the Time To Live (TTL) and Protocol fields; the Protocol field
identifies the layer 4 protocol carried (6 = TCP, 17 = UDP, 1 = ICMP)
• The TTL field gives the maximum number of hops (routers) a packet may
pass through before it is discarded; each router decrements it by one
• Contains a header checksum, which lets a parser detect a corrupted or
hand-modified header
Diagram of the IP Header
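The Ethernet, IP and TCP headers described above can be pulled apart with nothing more than `struct`. The following Python is an added example for this page, not code from the book, Wireshark or Scapy: it builds one constructed SYN frame (addresses and MACs are made up; the TCP checksum is left at zero), parses the three headers, verifies the IP header checksum and names the TCP flags, which is the minimum an examiner needs to read a raw capture by hand.

```python
import socket
import struct

TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080)]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header that already holds a
    correct checksum field the result is 0, which is how it is verified."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length incl. options
    header = {
        "version": ver_ihl >> 4, "id": ident, "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "dont_fragment": bool(flags_frag & 0x4000),
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
    }
    return header, data[ihl:total_len]


def parse_tcp(segment: bytes):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4                  # data offset in bytes
    flags = [name for name, bit in TCP_FLAGS if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}, segment[offset:]


def handshake_role(flags) -> str:
    """Classify a segment by its flags in terms of the connection life cycle."""
    s = set(flags)
    if s == {"SYN"}:
        return "connection request (handshake step 1)"
    if s == {"SYN", "ACK"}:
        return "handshake reply (step 2)"
    if "RST" in s:
        return "reset"
    if "FIN" in s:
        return "teardown"
    return "data or acknowledgement"


def dissect(frame: bytes):
    eth, rest = parse_ethernet(frame)
    ip, rest = parse_ipv4(rest)
    tcp, payload = parse_tcp(rest)
    return eth, ip, tcp, payload


def build_sample_frame() -> bytes:
    """Constructed SYN from 192.168.1.10:51234 to 10.0.0.5:80 (not a real capture)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)  # TCP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


if __name__ == "__main__":
    eth, ip, tcp, payload = dissect(build_sample_frame())
    print(eth, ip, tcp, handshake_role(tcp["flags"]), sep="\n")
```

A checksum that fails on a captured packet is itself evidence: either the capture is corrupt or the header was crafted by a tool that did not bother to recompute it.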

Basic Communications
• A packet from the source application is sent via the network with SYN
set
• The destination application responds with a packet with both SYN and
ACK set
• The source completes the three-way handshake with a packet with ACK
set, after which data can flow
• Either side ends the communication by sending a packet with FIN set,
which the other side acknowledges before sending its own FIN
• Network attacks can be carried out by sending malformed or spoofed
packets, for example SYN floods that never complete the handshake
• Ethernet headers contain the source and destination MAC addresses

Network Terminology
• Payload: Refers to the actual data which is being transmitted
• Trailer: depicts the end of the packet and contains error checking such as
Cyclic Redundancy Check (CRC).

Common Ports
• 20 and 21 - FTP (File Transfer Protocol): used for transferring,
uploading or downloading files between computers.
• 22 - SSH and SFTP: used for Secure Shell (SSH) remote login and for
the encrypted file transfer that runs over it
• 23 - Telnet: used to log in remotely (unencrypted)
• 25 - SMTP (Simple Mail Transfer Protocol): used to send e-mails.
• 43 - WHOIS: used to query registration data for domain names and IP
address blocks
• 53 - DNS (Domain Name System): used for translating host names into
IP addresses
• 80 - HTTP (Hypertext Transfer Protocol): used to communicate with a
web server and to display websites (443 for HTTPS, the TLS-encrypted
form).
• 110 - POP3 (Post Office Protocol Version 3): used to retrieve e-mails

Network Traffic Analysis

• Network traffic analysis is critical because it reveals who talked to
whom, when, and what was transferred
• Packet sniffer software should be used to examine network traffic;
capture from a mirror port or a network tap so that the capture host does
not alter the traffic it records
• Wireshark, the most prominent real-time network sniffer and protocol
analyser, can be downloaded free from www.wireshark.org (tcpdump is
the usual command-line alternative for headless capture)

Wireshark Tutorials
• http://www.wireshark.org/docs/wsug_html_chunked/
• https://www.youtube.com/watch?v=Lu05owzpSb8
• http://cs.gmu.edu/~astavrou/courses/ISA_674_F12/Wireshark-
Tutorial.pdf
Popular Network Tools
The following are some other popular tools for network analysis:

• NetIntercept (http://www.sandstorm.net/products/netintercept/)
• CommView (http://www.tamos.com/products/commview/)
• Softperfect Network Protocol Analyzer (http://www.softperfect.com)
• HTTP Sniffer (http://www.effetech.com/sniffer/)
• ngrep (http://sourceforge.net/projects/ngrep/)

Log Files
• Wireshark and similar tools only capture traffic while they are running
• Forensic investigations usually begin after the incident, so unless a
capture was already in place the investigator cannot collect the traffic
with Wireshark or similar tools; forensic investigators therefore rely on
logs to elicit evidence.
• Evidence can be elicited from routers, Virtual Private Network (VPN)
concentrators and any other devices that produce logs
• Network security devices such as Intrusion Detection Systems (IDS) and
firewalls also generate logs
• Device log files contain records of person or system activities, i.e.
authentication logs, date/time stamps, application identifiers, etc.
• Operating system logs record events such as device changes, errors and
boots
• Network device logs include firewall and router logs
• Time stamps from different devices should be normalised to one time
zone and checked against a trusted clock before events are correlated

Web Traffic
• Attacks based on websites
• Attacks comprise the following types: SQL Injection, Parameter Tampering, Cross-Site Scripting
• SQL Injection: attacks that enter SQL statements into the username and password text fields in order to communicate with the database
• Parameter Tampering: web-based hacking where the URL is modified in order to change the behaviour of the web application
• Cross-Site Scripting: the attacker implants JavaScript into a part of the website where users interact with each other, such as the product review section
• Tools like HTTP Sniffer can be employed to capture web traffic
• Web traffic consists of HTTP
• Web traffic operates on port 80
• Common messages are GET, HEAD, PUT and POST
• A web page can typically send the following types of HTTP messages:
• The following are the types of response codes and error messages associated with a web page, which are a critical part of forensics:
• Nmap: the most prominent port scanner, widely used by network administrators and hackers to scan networks
• Snort: used as a packet sniffer for network analysis; works in the following modes: sniffer, packet logger and network intrusion detection
• Snort Sniffer: useful for network administrators to identify the root of network problems
• Snort Packet Logger: useful for network administrators when scanning a large number of packets for a specific item
• Network Intrusion Detection: rule-based and heuristic approach used to trace anomalous traffic. Operates largely from the command line
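The HTTP methods and response codes above are the first things an examiner pulls out of a web server's access log, and the SQL injection and parameter tampering attacks described earlier leave their traces in the same log. The following Python script is an added example, not code from the book: it parses constructed Apache combined-format log lines, tallies methods and response-code classes, and flags requests whose URL-decoded query string carries SQL injection indicators. The log lines, IP addresses and indicator patterns are constructed for illustration and would be tuned for a real log.

```python
"""Triage of a web-server access log for forensic review.

Added example (not from the book). Parses Apache/Nginx "combined" format
lines, summarises HTTP methods and response-code classes, and flags
requests whose decoded path carries SQL-injection indicators. The sample
log lines and the indicator patterns are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection heuristics checked against the URL-decoded path (constructed
# for this example; real deployments use a maintained rule set).
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # ' or '1'='1
    re.compile(r"\bunion\b.+\bselect\b", re.I),          # union select ...
    re.compile(r"--|/\*|;\s*drop\b", re.I),              # comment / stacked query
]

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /product?id=42 HTTP/1.1" 200 912 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /product?id=42%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 1800 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["decoded_path"] = unquote_plus(e["path"])  # %27 -> ', %20 -> space
            entries.append(e)
    return entries


def summarise(entries):
    """Counts of HTTP methods and of response-code classes (2xx, 3xx, 4xx, 5xx)."""
    methods = Counter(e["method"] for e in entries)
    classes = Counter(f"{e['status'] // 100}xx" for e in entries)
    return methods, classes


def flag_suspicious(entries):
    """(ip, decoded path, status, pattern) for each request hitting an indicator."""
    hits = []
    for e in entries:
        for pat in SQLI_PATTERNS:
            if pat.search(e["decoded_path"]):
                hits.append((e["ip"], e["decoded_path"], e["status"], pat.pattern))
                break  # one hit per request is enough for triage
    return hits


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    methods, classes = summarise(rows)
    print("methods:", dict(methods))
    print("response classes:", dict(classes))
    for ip, path, status, pat in flag_suspicious(rows):
        print(f"SUSPICIOUS {ip} status={status} path={path!r}")
```

A 500 response following a request that carries a quote-and-OR pattern is a typical sign of an injection probe that broke the query; a 200 on the subsequent UNION request is the one to investigate first, because it suggests the probe succeeded.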

Wireless Network Standards

• Many crimes involve hacking of wireless networks
• Forensic investigators ought to be aware of the following types of WiFi standards:
• 802.11a: This standard was the first widely used WiFi standard, very slow and operated at 5 GHz
• 802.11b: This standard operated at 2.4 GHz with an indoor range of 125 ft and a bandwidth of 11 Mbps (megabits per second)
• 802.11g: This standard is backward compatible with 802.11b. 802.11g has an indoor range of 125 ft and a bandwidth of 54 Mbps
• 802.11n: This standard achieved a significant improvement; it can reach a bandwidth of 100 to 140 Mbps and largely operates at frequencies of 2.4 or 5.0 GHz with an indoor range of up to 230 ft
• IEEE 802.11n-2009: This standard supports speeds of up to 600 Mbps. It implements multiple-input multiple-output (MIMO), using numerous antennas to resolve more information than is possible by means of a single antenna

Wireless Network Attack Methods

Cybercriminals look for networks to attack in the following ways:
• War driving and war flying
• War driving: the attacker drives around, proactively seeking wireless networks with weak security to attack
• War flying: the attacker uses drone surveillance to discover wireless networks. The following types of tools can be utilized:

1. NetStumbler (www.NetStumbler.com)
2. MacStumbler (www.MacStumbler.com)
3. iStumbler (www.iStumbler.net)
Hackers can also use websites to discover router passwords, such as www.routerpasswords.com

Network Cyber Crimes

• Denial of Service: in this crime a given server is attacked, resulting in a large increase in traffic to the target network. Attackers typically pursue the following in a DoS attack: inflict logical damage to the router's ability to function, or overload it with many simultaneous connections. DoS attacks also include flooding the network with malicious packets, blocking legitimate traffic from the network.
DoS Attacks
The following are types of DoS attacks that can be pursued by cyber criminals:

• Ping of Death Attack: the attacker sends an Internet Control Message Protocol (ICMP) echo packet larger than the IP protocol can accept. This attack has the potential to crash the operating system.
• Teardrop Attack: the attacker sends out fragments of data packets which contain negative values, which results in the system crashing.
• SYN Flood Attack: the attacker sends an unlimited number of SYN packets to the target host, which overwhelms the target system as it responds to each one and waits for the ACK packets that complete the handshakes.
• Smurf Attack: this attack multiplies a single ICMP echo request into an unlimited number of ICMP echo requests and replies directed at the target. Consequently, this causes a traffic jam on the network.
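Both the SYN flood and the Smurf attack described above have a signature that can be spotted in a packet capture or flow export: many SYNs from one source that never complete the handshake, and echo replies arriving at one host from many senders it never pinged. The Python code below is an added example, not code from the book: it runs those two heuristics over a constructed list of packet summaries. The packet records, addresses and thresholds are constructed assumptions; on a real capture the summaries would come from a sniffer or NetFlow export.

```python
"""Detection heuristics for SYN-flood and Smurf-style traffic.

Added example (not from the book). Works over simplified packet summaries
of the kind a sniffer or flow export produces. Sample packets, addresses
and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "TCP" or "ICMP"
    flags: str = ""      # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    icmp_type: int = -1  # ICMP type: 8 = echo request, 0 = echo reply


def half_open_per_source(packets):
    """Count SYNs per source that were never followed by that client's ACK.

    A handshake is treated as completed when the same (client, server) pair
    later shows a bare ACK. Returns {src: half_open_count} for src with > 0.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for p in packets:
        if p.proto != "TCP":
            continue
        key = (p.src, p.dst)
        if p.flags == "S":
            syns[key] += 1
        elif p.flags == "A":
            acks[key] += 1
    result = defaultdict(int)
    for key, n in syns.items():
        pending = n - acks.get(key, 0)
        if pending > 0:
            result[key[0]] += pending
    return dict(result)


def syn_flood_sources(packets, threshold=50):
    """Sources whose half-open handshake count reaches the threshold (assumed)."""
    return sorted(src for src, n in half_open_per_source(packets).items() if n >= threshold)


def smurf_targets(packets, min_repliers=10):
    """Hosts receiving echo replies from many senders they never sent a request to."""
    requested = defaultdict(set)   # host -> destinations it sent echo requests to
    repliers = defaultdict(set)    # host -> sources sending it echo replies
    for p in packets:
        if p.proto != "ICMP":
            continue
        if p.icmp_type == 8:
            requested[p.src].add(p.dst)
        elif p.icmp_type == 0:
            repliers[p.dst].add(p.src)
    suspects = []
    for victim, srcs in repliers.items():
        unsolicited = {s for s in srcs if s not in requested.get(victim, set())}
        if len(unsolicited) >= min_repliers:
            suspects.append(victim)
    return sorted(suspects)


def build_sample():
    """Constructed traffic: a normal client, a SYN flooder, a real ping, a Smurf."""
    pkts = []
    for _ in range(3):                                    # three complete handshakes
        pkts.append(Pkt("192.0.2.10", "203.0.113.80", "TCP", "S"))
        pkts.append(Pkt("203.0.113.80", "192.0.2.10", "TCP", "SA"))
        pkts.append(Pkt("192.0.2.10", "203.0.113.80", "TCP", "A"))
    for _ in range(60):                                   # 60 SYNs, never acknowledged
        pkts.append(Pkt("198.51.100.66", "203.0.113.80", "TCP", "S"))
    pkts.append(Pkt("203.0.113.80", "192.0.2.1", "ICMP", icmp_type=8))   # legitimate ping
    pkts.append(Pkt("192.0.2.1", "203.0.113.80", "ICMP", icmp_type=0))
    for i in range(12):                                   # 12 unsolicited echo replies
        pkts.append(Pkt(f"10.0.0.{i + 1}", "203.0.113.80", "ICMP", icmp_type=0))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("SYN flood sources:", syn_flood_sources(sample))
    print("Smurf targets:", smurf_targets(sample))
```

The half-open count is the same quantity that a stateful firewall tracks when it decides to start dropping a source, which is why the firewall section later on credits stateful inspection with better defence against SYN floods.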

Router Forensics
• Router forensics can help identify the form of attack being launched
• Helps identify the source of the attack
• Routers can be hardware or software

Router Basics
Basic networking devices are the following types:

• Network Interface Card: used to connect to other networks; enables signal encoding and decoding, data buffering and transmission, Media Access Control and data encapsulation
• Hub: permits connectivity of computers on a network via an Ethernet card. Sends out data packets to the relevant destination ports.
• Switch: ensures data jams don't occur on the LAN; maintains a table of every MAC address it has seen in a packet.
• Router: like a switch, but with the capability of forwarding data packets between different logical networks or subnets. Uses the IP address to determine the destination and operates at the network layer of the OSI model.

Additional Information on Routers

• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_overview.html

Router Attacks
• Router Table Poisoning: the most common attack. The hacker modifies routing update packets, which results in incorrect entries being added to the routing table. Consequently this creates artificial congestion and chaos, and can enable the attacker to gain access to the data.
Collecting Evidence from Routers
The following steps outline a high-level description of how evidence can be collected from routers:

• Establish a connection with the router to perform certain commands
• HyperTerminal is a free tool that can be used to connect to and interact with your routers

Additional Useful Router Commands

• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
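The output of the commands above is text captured from a console session, and the value of `show ip route` in a router table poisoning case comes from comparing it with a known-good capture. The Python code below is an added example, not code from the book: it parses Cisco IOS `show ip route` output into route records and reports routes that were added, removed or whose next hop changed between two captures. Both captures are constructed samples; the codes, prefixes and next hops are invented for illustration.

```python
"""Comparing a router's routing table against a known-good baseline.

Added example (not from the book). Parses the text of Cisco IOS
"show ip route" output into {prefix: (code, next_hop, admin_distance)} and
diffs two captures. Both captures below are constructed samples.
"""
import re

# One route line: "O     10.20.0.0/16 [110/20] via 10.10.0.2, 02:11:09, Gi0/1"
# or               "C     192.0.2.0/24 is directly connected, Gi0/0"
ROUTE_RE = re.compile(
    r'^(?P<code>[A-Z*]{1,2})\s+'                       # source code: C, S, S*, O, B ...
    r'(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+'
    r'(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+)?'         # [admin distance/metric], absent for connected
    r'(?:via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)|is directly connected)'
)

BASELINE_CAPTURE = """\
Codes: C - connected, S - static, O - OSPF
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.0.2.1
C     192.0.2.0/24 is directly connected, GigabitEthernet0/0
C     10.10.0.0/16 is directly connected, GigabitEthernet0/1
O     10.20.0.0/16 [110/20] via 10.10.0.2, 02:11:09, GigabitEthernet0/1
"""

LATER_CAPTURE = """\
Codes: C - connected, S - static, O - OSPF
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.0.2.1
C     192.0.2.0/24 is directly connected, GigabitEthernet0/0
C     10.10.0.0/16 is directly connected, GigabitEthernet0/1
O     10.20.0.0/16 [110/20] via 10.10.0.99, 00:00:41, GigabitEthernet0/1
O     10.30.0.0/16 [110/30] via 10.10.0.99, 00:00:41, GigabitEthernet0/1
"""


def parse_routes(text):
    """Map each prefix to (code, next hop or 'connected', administrative distance)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            nexthop = m["nexthop"] or "connected"
            ad = int(m["ad"]) if m["ad"] else 0
            routes[m["prefix"]] = (m["code"], nexthop, ad)
    return routes


def diff_routes(baseline, current):
    """Prefixes added, removed, or whose next hop changed since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p][1] != baseline[p][1])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    base = parse_routes(BASELINE_CAPTURE)
    now = parse_routes(LATER_CAPTURE)
    for kind, prefixes in diff_routes(base, now).items():
        for p in prefixes:
            print(f"{kind:8} {p:18} now via {now.get(p, ('', 'gone', 0))[1]}")
```

A new OSPF route and a changed next hop that both point at a recently appeared neighbour, with uptimes of under a minute, is exactly the pattern the router table poisoning bullet describes, and the `show ip arp` and `show logging` output from the same session would be the next things to preserve.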

Firewall Forensics
• Firewalls act as the main barrier between a network and the external world
• Types of firewalls: Packet Filter, Stateful Packet Inspection
• Packet Filter firewall: basic; filters incoming packets based on defined rules and configuration. This type of firewall can also filter packets based on size, protocol and source IP address
• Stateful Packet Inspection: examines every packet and blocks packets based on the context of previous packets that have been sent. These firewalls offer greater defence against ping floods and SYN floods.

Logs to Examine
• Logs are maintained within operating systems, IDS, servers etc.
• Logs can be used as forensic evidence

Windows Logs
The following are the types of logs that can be checked by forensic investigators within Windows:
• Security Log: maintains all successful and unsuccessful login events
• Application Log: maintains all events logged by applications or programs
• System Log: maintains events logged by Windows system components
• Forwarded Events Log: maintains all events captured from remote computers
• Applications and Services Logs: maintain events from a single application or component, as opposed to events with system-wide impact
Linux Logs
• Forensic investigators can utilise the following logs to elicit information:
• /var/log/faillog: This log file contains failed user logins.
• /var/log/kern.log: This log file is used for messages from the operating system's kernel.
• /var/log/lpr.log: This is the printer log, and it can give you a record of any items that have been printed from this machine.
• /var/log/mail: This is the mail server log, and it can be very useful in any computer crime investigation.
• /var/log/mysql: This log records activities related to the MySQL database server.
• /var/log/apache2/: If this machine is running the Apache web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/lighttpd/: If this machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.
• /var/log/apport.log: This records application crashes. Sometimes these can reveal attempts to compromise the system or indicate the presence of a virus or spyware.
• /var/log/user.log: This contains user activity logs and can be very important to a criminal investigation.
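Before any of the logs listed above are analysed they have to be collected in a way that later proves the copies are unchanged. The Python code below is an added example, not code from the book: it copies the listed log files from a system root into an evidence directory, writes a manifest with size, modification time and SHA-256 for each, and re-verifies the manifest so that any alteration of a collected copy is detected. The fake system root, the log contents and the `manifest.json` name are constructed assumptions for the demonstration.

```python
"""Preserving log files as evidence with a hash manifest.

Added example (not from the book). Copies the listed log files into an
evidence directory, records a SHA-256 manifest, and verifies the copies
against it later. The sample system root and log contents are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Paths of interest relative to the examined system's root (from the list above).
LOG_PATHS = [
    "var/log/faillog",
    "var/log/kern.log",
    "var/log/apache2/access.log",
    "var/log/user.log",
]


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_logs(system_root, evidence_dir, rel_paths=LOG_PATHS):
    """Copy each existing log into evidence_dir; return and save the manifest."""
    manifest = []
    for rel in rel_paths:
        src = os.path.join(system_root, rel)
        if not os.path.isfile(src):
            continue  # absent on this host: record nothing rather than guess
        dst = os.path.join(evidence_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        st = os.stat(src)
        manifest.append({
            "path": rel,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(dst),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir, manifest):
    """Paths whose evidence copy is missing or no longer matches its recorded hash."""
    bad = []
    for entry in manifest:
        p = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(p) or sha256_file(p) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def make_sample_system():
    """Throwaway fake system root with constructed log contents (no faillog)."""
    root = tempfile.mkdtemp(prefix="fakesys_")
    samples = {
        "var/log/kern.log": "Oct 10 13:55:36 host kernel: usb 1-1: new high-speed USB device\n",
        "var/log/apache2/access.log": '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512\n',
        "var/log/user.log": "Oct 10 13:57:01 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n",
    }
    for rel, content in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(content)
    return root


def demo():
    """Collect, verify, tamper with one evidence copy, verify again."""
    root = make_sample_system()
    evidence = tempfile.mkdtemp(prefix="evidence_")
    manifest = collect_logs(root, evidence)
    clean = verify_evidence(evidence, manifest)
    with open(os.path.join(evidence, "var/log/user.log"), "a") as f:
        f.write("tampered\n")
    tampered = verify_evidence(evidence, manifest)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before tampering:", clean)
    print("mismatches after tampering:", tampered)
```

The manifest is what goes into the chain-of-custody record: a reviewer can recompute the hashes of the evidence copies at any later date and show they match what was collected.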

Operating System Utilities

• Operating systems include utilities that can be utilised to elicit forensic data
• The following commands are highly effective on a live system for detecting attacks that are in progress
NETSTAT Command
• Utilised to identify ongoing attacks
• Shows details of all live network connections

NET SESSIONS Command
• Depicts all active sessions connected to the computer
• Essential command if an attack is live and ongoing
OPENFILES Command
• Highly effective for detecting live, ongoing attacks
• Depicts shared files which are open
Network Structure
Networks can be constructed in the following types:

• Peer to Peer: this type of network lacks a dedicated server, and each computer performs the role of both client and server. Less security is maintained.
• Client/Server: constructed to provision a large number of users and largely depends on dedicated servers. Stronger levels of security. In this model the client logs into the server to run applications or obtain files.
• Centralized: similar to a client/server model and largely found in mainframe environments.
• Mixed Mode: a combination of Centralised, Client/Server and Peer to Peer networks.

Network Topology
• Network topology depicts how the network is constructed physically or logically
• Consists of the following types of models: Bus, Star, Mesh, Point to Point, Point to Multipoint, Tree
• Bus: computers connected in parallel
• Star: based on twisted pair (10BaseT or 100BaseT) where all devices are connected to a hub
• Mesh: every node has a connection to the other nodes
• Point to Point: one point remotely connected to another
• Point to Multipoint: a single central location is connected to branches, such as a company head office remotely connected to its branches
• Tree: this type of topology connects the networks in a tree-like model
Social Networks
• Forensic investigators can capture a wealth of data
• Evidence can be elicited from social networks such as Facebook, Twitter, YouTube, LinkedIn etc.

VIRTUAL SYSTEMS
Chapter 9
Virtual Systems
• Virtual systems comprise a wide array of disparate technologies
• Virtual systems range from virtual machines to the clouds implemented by large-scale global enterprises

Virtual Machines
• The core feature of virtual machines is that they allocate a distinct portion of the computer's hard disk and RAM to run in isolation from the rest of the operating system
• They perform as an independent virtual computer, with the exception of sharing host resources
• Multiple operating systems can be maintained on a single computer
• Categories of virtual machines: System Virtual Machine and Process Virtual Machine
• The role of a System Virtual Machine is to perform end-to-end emulation of a whole functioning system with a complete operating system
• The role of a Process Virtual Machine is to run a single application in order to isolate it from the rest of the operating system
• Physical machines that host virtual machines are known as "Host Machines"
• The operating system on the host machine is known as the "Host Operating System"
• The virtual machine is also known as the "Guest Machine"
• Hypervisor software provisions the "Guest Machine" with a virtual operating system
• Hypervisor software manages the execution of the virtual operating systems
• The hypervisor is a crucial element of the virtual machine architecture
• Virtual machines require virtualisation software in order to interface with the hardware
• The virtualisation process entails defining and mapping the virtual hard drive and memory to the actual disk and memory
• Popular virtual machine products: Oracle VirtualBox, Microsoft Virtual PC, VMware

Service Based Systems

1. Software as a Service (SaaS)
• Software as a Service: based on a software licensing and delivery model
• Software is typically licensed on a subscription basis and centrally hosted
• Users access SaaS with a thin client via an HTTP web browser
• Popular delivery model for the following applications: messaging software, office applications, gaming, virtualization, Enterprise Resource Planning (ERP) etc.
• Based on a multi-tenant architecture
• Common characteristics: configuration and customization, accelerated feature delivery, open integration protocols, collaborative and social functionality
• Presents forensic challenges regarding the actual location of data and metadata; co-ordination with the service provider is essential

2. Platform as a Service (PaaS)
• Platform-based service which largely encompasses cloud computing services that provision a platform enabling customers to run and manage applications
• Customers are freed from the complexity of building and maintaining the underlying infrastructure and networks when adopting the PaaS model
• Delivered in the following types of models: public cloud service, private service, and software deployed on public infrastructure as a service
• Presents forensic challenges in how to recover deleted files; co-ordination with the service provider is essential

3. Infrastructure as a Service (IaaS)
• Model founded on providing the entire infrastructure as a service
• Servers are virtual servers, client machines are virtual machines etc.
• Incorporates cloud orchestration technology such as OpenStack, Apache CloudStack or OpenNebula
• Hypervisor software such as Xen, Oracle VirtualBox, Oracle VM or Hyper-V runs the virtual machines as guests

The Cloud
• Defined by the National Institute of Standards and Technology (NIST) as a "pool of virtualized resources"
• The functionality of services inside the cloud is principally maintained by specific servers that handle scheduling and routing
• Forensic challenges arise from the lack of localization of data, since data can reside across multiple servers

Cloud Basics
Cloud systems classically comprise the following components, which forensic investigators can recognize and recover evidence from:

• Virtual Storage: consists of virtual servers whose hard drive space and RAM are partitioned and stored on one or more physical servers
• Audit Monitor: performs the role of monitoring virtual usage from the resource pool
• Hypervisor: the software components which provide virtual servers with the relevant resources
• Logical Network Perimeter: provides logical partitioning of virtual servers and isolation of the resource pool

Example of Cloud Architecture (diagram not reproduced)

Cloud Types
Clouds come in the following categories, which forensic investigators should be aware of:

• Public Clouds: offer infrastructure or services to the public at large
• Private Clouds: used by organizations; largely comprise private cloud services with limited public access
• Community Clouds: used by organizations; largely comprise private and public access, often used for specific community needs

VMware Forensic Issues

• Most virtual environments present forensic challenges
• Evidence from a virtualized environment can comprise files, database files and registry files
The following files are essential for forensic examination in VMware virtual machines:

• .log files: maintain a log of all activities on the virtual machine
• .vmdk: the actual virtual hard drive
• .vmem: critical for forensic investigations; maintains a backup of the virtual machine's paging file/swap file
• .vmsn: the VMware snapshot file; captures the state of the virtual machine when the snapshot is taken
• .vmsd: maintains all the metadata regarding the snapshot
• .nvram: captures the BIOS information for the virtual machine
• .vmx: text file that is the configuration file for the virtual machine
• .vmss: maintains the state of a suspended virtual machine
Oracle VirtualBox
The following files can be used as part of a forensic investigation with Oracle VirtualBox:

• .vdi: VirtualBox disk images, called virtual disk images
• .config/VirtualBox: a hidden file that contains configuration data
• .vbox: the machine settings file extension

Microsoft Virtual PC
The following are the types of files which should be examined for forensic investigation purposes:

• .vhd: the actual hard disks, which are essential to examine
• .bin files: comprise the memory of the virtual machine
• .xml files: comprise the virtual machine configuration data
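The VMware file list above is the one to apply first when a VM directory is recovered, and the `.vmx` file, being plain text, tells the examiner which `.vmdk` files belong to the machine before any disk image is mounted. The Python code below is an added example, not code from the book: it classifies the files in a VM directory by the extensions listed above and parses the `.vmx` key/value format to extract the display name, guest OS, memory size, disk files and BIOS UUID. The sample directory, the `.vmx` contents and the role descriptions in the lookup table are constructed for the demonstration.

```python
"""Inventory of a VMware virtual machine directory for forensic triage.

Added example (not from the book). Classifies files by the extensions in
the list above and parses the text .vmx configuration. The sample VM
directory and .vmx contents are constructed.
"""
import os
import re
import tempfile

# Forensic role of each extension, following the list above.
VMWARE_ROLES = {
    ".vmx": "configuration (text)",
    ".vmdk": "virtual hard drive",
    ".vmem": "memory backing / paging file",
    ".vmsn": "snapshot state",
    ".vmsd": "snapshot metadata",
    ".vmss": "suspended state",
    ".nvram": "BIOS settings",
    ".log": "activity log",
}

# A .vmx line looks like:   scsi0:0.fileName = "Disk.vmdk"
VMX_LINE = re.compile(r'^\s*(?P<key>[\w.:]+)\s*=\s*"(?P<value>[^"]*)"\s*$')

SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "Suspect-Workstation"
guestOS = "windows9-64"
memsize = "4096"
scsi0:0.fileName = "Suspect-Workstation.vmdk"
scsi0:1.fileName = "Evidence-Drive.vmdk"
ide1:0.fileName = "auto detect"
uuid.bios = "56 4d 00 11 22 33 44 55-66 77 88 99 aa bb cc dd"
# comment line
"""


def parse_vmx(text):
    """Key/value pairs of a .vmx file as a dict; comments and blank lines skipped."""
    cfg = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m["key"]] = m["value"]
    return cfg


def vmx_summary(cfg):
    """The settings an examiner looks at first: name, OS, memory, disks, UUID."""
    disks = sorted(v for k, v in cfg.items()
                   if k.endswith(".fileName") and v.lower().endswith(".vmdk"))
    return {
        "name": cfg.get("displayName", "?"),
        "guest_os": cfg.get("guestOS", "?"),
        "memory_mb": int(cfg.get("memsize", "0")),
        "disks": disks,
        "uuid": cfg.get("uuid.bios", "?"),
    }


def inventory(vm_dir):
    """Map each forensic role to the (sorted) file names found in the directory."""
    found = {}
    for name in sorted(os.listdir(vm_dir)):
        ext = os.path.splitext(name)[1].lower()
        role = VMWARE_ROLES.get(ext, "other")
        found.setdefault(role, []).append(name)
    return found


def make_sample_vm_dir():
    """Throwaway directory shaped like a VMware VM folder (constructed)."""
    d = tempfile.mkdtemp(prefix="vm_")
    for fname in ["Suspect-Workstation.vmx", "Suspect-Workstation.vmdk",
                  "Evidence-Drive.vmdk", "Suspect-Workstation.vmem",
                  "Suspect-Workstation-Snapshot1.vmsn", "Suspect-Workstation.vmsd",
                  "Suspect-Workstation.nvram", "vmware.log", "vmware-0.log", "notes.txt"]:
        with open(os.path.join(d, fname), "w") as f:
            f.write(SAMPLE_VMX if fname.endswith(".vmx") else "")
    return d


if __name__ == "__main__":
    vm_dir = make_sample_vm_dir()
    for role, files in inventory(vm_dir).items():
        print(f"{role:30} {files}")
    with open(os.path.join(vm_dir, "Suspect-Workstation.vmx")) as f:
        print(vmx_summary(parse_vmx(f.read())))
```

The presence of a `.vmem` or `.vmss` file alongside the disks is worth noting at this stage, because it means the machine's memory at suspend or snapshot time is available for the memory analysis described in the next chapter.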

Fundamentals of Mobile Forensics
Chapter 10

Mobile Device Concepts (Foundation)

• This unit develops understanding of the basic mobile (cellular) concepts which are essential for understanding all the following units

• SIM: International Mobile Subscriber Identity (IMSI)
• Entails a 15-digit number
• Initial three digits define the mobile country code (MCC) in North America
• Initial two digits define the mobile country code (MCC) in Europe
• The remaining digits are the mobile subscription identifier number (MSIN), which identifies the phone for the allocated network

Electronic Serial Number (ESN)

• Used by CDMA phones
• Modern phones utilise the International Mobile Equipment Identity (IMEI) number instead
• The initial 8 bits of the ESN identify the manufacturer
• The remaining 24 bits identify the phone
• IMEI is utilised by GSM and LTE

International Mobile Equipment Identity (IMEI)
• Unique number utilised to identify GSM, UMTS, LTE and relevant satellite phones
• Printed on the phone
• The number can be used to "blacklist" a phone, i.e. block it from connecting to certain networks
Personal Unlock Number (PUK)
• Code utilised to reset a forgotten PIN
• Restores the phone to default factory settings
• The device becomes permanently blocked after 10 failed attempts
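An examiner who records an IMSI or IMEI from a SIM or a handset label usually wants to split it into its fields and check that it was transcribed correctly. The Python code below is an added example, not code from the book: it splits an IMSI into MCC, MNC and MSIN, and validates the last digit of a 15-digit IMEI using the Luhn algorithm, which is how that check digit is defined. It follows the ITU-T E.212 layout, in which the MCC is always three digits and it is the MNC that is two digits in Europe and three in North America; the small MCC lookup table and the identifier values are constructed for the demonstration.

```python
"""Decoding mobile subscriber (IMSI) and equipment (IMEI) identifiers.

Added example (not from the book). Splits an IMSI into MCC / MNC / MSIN
and validates an IMEI's Luhn check digit. The MCC lookup is a constructed
fragment of the ITU table; the identifier values are constructed samples.
"""
import re

# Constructed, deliberately small set of MCCs that use 3-digit MNCs (North
# America). Real tooling would carry the full ITU-T E.212 table.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "316", "334"}


def split_imsi(imsi):
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3) and MSIN."""
    if not re.fullmatch(r"\d{15}", imsi):
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def luhn_check_digit(payload):
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei):
    """True when imei is 15 digits and its last digit is the Luhn check digit."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei):
    """Type Allocation Code (8 digits), serial number (6 digits), check digit (1)."""
    if not imei_is_valid(imei):
        raise ValueError("invalid IMEI (length or check digit)")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or handsets.
    print(split_imsi("310150123456789"))
    print(split_imsi("262011234567890"))
    print(split_imei("490154203237518"))
    print(imei_is_valid("490154203237519"))   # transposed/typo digit fails the check
```

A failed check digit on an IMEI copied from a label or a carrier record is far more often a transcription error than a forged number, so the validation is worth running before the value goes into a report or a blacklist query.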

Public Switched Telephone Network (PSTN)
• Refers to the landline telephone network

Mobile Switching Centre (MSC)

• Refers to the switching centre of the network for cell phones in 3G or GSM networks
• Performs the role of processing all connections for mobile devices and landlines, and routing calls amongst base stations and the PSTN

Base Transceiver Station (BTS)

• Essential part of the cell network
• Responsible for sustaining communication between the phone and the network switching system (MSC)
• The Base Station System (BSS) comprises the radio transceiver equipment that interconnects with cellular devices
• Acts as the central controller co-ordinating all components of the base station system (BSS)

Home Location Register (HLR)

• Acts as the database for the MSC, provisioning subscriber data and service information
• Related to the Visitor Location Register (VLR), used for roaming phones

Visitor Location Register (VLR)

• Acts as a database containing information about subscribers roaming in the MSC location area
• The HLR maintains a comprehensive list of all subscribers within the relevant home area, and the VLR maintains listings of all phones which are roaming in the MSC location area

Short Message Service (SMS)

• Referred to as "texting"
• Functionality is based on the Mobile Application Part (MAP) of the SS7 protocol
• Maximum message size is 160, 140 or 70 characters, depending on the character encoding used
• Multimedia Messaging Service (MMS) is an extension of SMS

Cellular Networks
The following are the different types of networks which exist:

1. Global System for Mobile Communication (GSM)
• Known as 2G
• Developed by the European Telecommunications Standards Institute (ETSI)
• Supports digital voice and data
• Operates within the 900 MHz and 1800 MHz frequencies

2. Enhanced Data Rates for GSM Evolution (EDGE)
• Designed to deliver media such as television over the cellular network
• Viewed as an intermediate between 2G and 3G

3. Universal Mobile Telecommunications System (UMTS)
• Known as 3G
• Upgrade from GSM (2G)
• Supports text, voice, video and multimedia at data rates of up to 2 megabits per second

4. Long-Term Evolution (LTE)
• Known as 4G
• Provides broadband internet, multimedia and voice
• Supports up to 300 Mbps
• Based on IP

5. WiFi
• Permits connectivity of all cellular phones and mobile devices to WiFi networks
6. Integrated Digitally Enhanced Network (iDEN)
• Based on the GSM architecture
• Operates at 800 MHz, 900 MHz or 1.5 GHz frequencies

Operating Systems
Forensic investigators should be aware of the following types of operating systems:

1. iOS
• Apple iPhone and iPad all operate on the iOS operating system
• Based on a touch interface
• Divided into four layers: 1) Core OS layer, the heart of the operating system; 2) Core Services layer, with which applications interact directly; 3) Media layer, responsible for music, video etc.; 4) Touch layer, which responds to all user gestures
• The HFS+ file system is implemented within iOS

iOS segments data into the following clusters:

• Calendar entries
• Contact entries
• Note entries
• iPod_control directory
• iTunes configuration
• iTunes music
2. Android
• Alternative to Apple iOS
• Based on Linux
• First released in 2003
• Acquired by Google in 2005
• Permits downloading of any app; not as restrictive as the iPhone

3. Windows
• Windows CE was the first mobile operating system released by Microsoft
• Windows Phone released in 2008
• Windows Phone 7 released in 2010
• All Microsoft devices will move to Windows 8

Mobile Device Evidence

The following types of evidence can be elicited from cell phones:

• Cell phone records
• Photos and videos
• GPS records
• App evidence

Guidelines for Mobile Evidence

Investigators should aim to elicit the following types of related evidence:
• Details of the phone itself
• Call history
• Photos and video
• GPS information
• Network information

Mobile Device Status

Mobile devices can be in one of four states when extracting data:

• Nascent State/Factory Default State: no user data exists and the device is in its factory configuration settings
• Active State: data exists in the file systems and the device is powered on
• Quiescent State: user data exists, and the device is in dormant mode but performing background functions
• Semi-Active State: data exists, and the device is in a state between active and quiescent

Capturing Evidence Guidelines – Mobile Phone
The following steps should be performed when eliciting evidence from a mobile phone:

• Step 1: Plug the phone into the PC, ensuring that no auto-synchronization with the PC takes place
• Step 2: Document everything about the device and refrain from touching the evidence
• Step 3: Create an image of the phone (SIM card)
• Step 4: Place the phone in an evidence bag which prevents electromagnetic transmissions
• Step 5: Document the chain of custody

Imaging a Phone
• Two main techniques for data acquisition: Logical Acquisition and Physical Acquisition

1. Logical Acquisition
• Process of copying the active file system from the original device into another file
• The first technique used by forensic analysts in the pursuit of retrieving evidence
• Efficient technique for collating data
• Logical mobile forensic tools provide reporting capabilities which depict files commonly viewed by the user

2. Physical Acquisition
• Newer concept within the mobile device environment for eliciting evidence
• Performs a physical bit-by-bit copy of the file system
• Most effective process for retrieving the largest amount of data from files

Forensic Tools
• Paraben: www.paraben.com/
• EnCase: https://www.guidancesoftware.com/encase-forensic
• Data Recovery Software: www.datarecoverysoftware.com
• Oxygen: www.oxygen-forensic.com/en/
• XRY: can be used to break the iPhone passcode: http://news.cnet.com/8301-1023_3-57405580-93/iphone-passcode-cracking-is-easier-than-you-think/

iPhone Analysis
The following are the types of iPhone analysis that can be conducted:

• Manual extraction: basically viewing the phone and seeing all the data it contains
• Logical extraction: copying all files in the file structure using relevant software
• Physical extraction: making a bit-by-bit copy of the whole phone's data storage

Deleted Files – iPhone
• Files on an iPhone, iPad or iPod, when deleted, are all migrated to the .Trashes\501 folder
• All deleted files, unless they have been overwritten, can be effectively retrieved

Android Forensics
• The techniques and concepts used for phone forensics are universal and do not depend on the model or brand
• The following list depicts essential Android directories:
• /data: user data partition
• /data/data: data used by the various apps
• /mnt/asec: encrypted apps
• /proc: process information
• /cache: contains useful information, including app cache
Additional Information
• https://www.virtualbox.org/
• http://www.microsoft.com/en-us/download/details.aspx?id=3702
• http://www.ijcit.com/archives/volume1/issue2/Paper010225.pdf
• Chapter 7, Cloud Architecture and Datacenter, in Distributed Computing: Clusters, Grids and Clouds, by Kai Hwang, Geoffrey Fox and Jack Dongarra, May 2, 2010
• Cloud Tree: A Hierarchical Organization as a Platform for Cloud Computing, by Khaled A. Nagaty, p. 1, Cloud Computing Using Hierarchical Organization
• http://www.ijarcsse.com/docs/papers/Volume_3/3_March2013/V3I3-0320.pdf
• http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Zawoad.pdf
• http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf

1. http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/
2. http://www.9news.com/news/article/351966/222/Cell-phone-pics-leads-to-arrest-in-Jewelry-heist
3. http://www.utsandiego.com/news/2014/Feb/12/selfie-photo-burglary-arrest-chula-vista/
4. http://www.wxii12.com/news/cell-phone-photo-leads-to-nc-child-sex-arrest/24978636
5. http://www.wafb.com/story/24610756/gps-tracking-leads-to-arrest-in-br-shooting-armed-robbery
6. http://www.timescall.com/longmont-local-news/ci_25303558/longmont-police-cell-phone-app-leads-arrest
7. http://www.forbes.com/sites/ericbasu/2013/08/03/hacking-insulin-pumps-and-other-medical-devices-reality-not-fiction/
Fundamentals of Application Forensics
Chapter 11

File Formats
• The Windows Registry maintains all the settings, files, desktop settings, network information etc. within Windows
• The Registry is established on a hierarchical model, comprising five hives
• The Windows Registry is an essential component of any forensic investigation

Windows Registry
The following hives are useful for all forensic investigations:

• HKEY_CLASSES_ROOT (HKCR): stores and maintains information about system rules, program shortcuts, user interface etc.
• HKEY_CURRENT_USER (HKCU): stores and maintains information about the currently logged-in user, desktop settings, user folder etc.
• HKEY_LOCAL_MACHINE (HKLM): contains settings related to the entire machine
• HKEY_USERS (HKU): contains and stores user profiles and settings
• HKEY_CURRENT_CONFIG (HKCC): contains the current system configuration
Example of Registry Hives (screenshot not reproduced)

USB Information
• Forensic investigations can disclose what USB devices have been used to store information
• HKEY_LOCAL_MACHINE\System\ControlSet\Enum\USBSTOR is the key which depicts what USB devices have been connected to the device
• A forensic investigation could reveal additional devices which need to be investigated

AutoStart Locations
• Keys largely used by malware in order to remain persistent on the target system
• Depict programs which start automatically when Windows starts
• Forensic investigators must be aware of programs which are not legitimate during start-up

Last Visited
• Forensic investigators should be aware that the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisited will show recent sites that have been visited

Recent Documents
• Forensic analysts should be aware that recent documents can be discovered from the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Uninstalled Software
• Forensic investigators must be aware of the following key, which displays all the applications that have been uninstalled from the machine: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. You can see the key in

Network Adapters
• Forensic investigators must be aware of the following key, which displays all the network adapters on the machine: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID

Wireless Networks
• Forensic investigators should be aware of the following key, which depicts the WiFi network, SSID and passphrase: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
• All passwords are encrypted; however, tools such as Protected Storage PassView (NirSoft) or the Helix incident response tools can decrypt the values

Passwords
• Forensic investigators must be aware that all user passwords stored by Internet Explorer are held in the following key: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
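The registry keys above are usually preserved by exporting them to a `.reg` text file (with regedit or `reg export`) from the live machine or an offline hive, and that text is easy to analyse on the examiner's workstation. The Python code below is an added example, not code from the book: it parses the `.reg` export format (key paths in square brackets, `"name"=value` lines with string, `dword:` and `hex:` values, and backslash-continued hex data) and lists the USB storage devices recorded under the USBSTOR key, taking vendor, product and serial number from the subkey path. The export below is a constructed sample of the real `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` layout; the device names and serials are invented.

```python
"""Reading USB device history from an exported Windows registry key.

Added example (not from the book). Parses a .reg text export of the
USBSTOR key and lists the devices that have been attached. The export is a
constructed sample; device names and serial numbers are invented.
"""
import re

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<raw>.*)$')

# Instance subkey: ...\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
USBSTOR_RE = re.compile(
    r'\\Enum\\USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_(?P<rev>[^\\]+)'
    r'\\(?P<serial>[^\\&]+)&?\d*$'
)

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230809113141&0]
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"
"FriendlyName"="SanDisk Cruzer Glide USB Device"
"Capabilities"=dword:00000010
"HardwareID"=hex(7):55,00,53,00,42,00,53,00,54,00,4f,00,52,00,5c,00,44,00,69,00,\
  73,00,6b,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230809113141&0\Device Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890AB&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"
"Capabilities"=dword:00000010
"""


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    return raw  # other typed data (hex(2), hex(7), ...) kept as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys = {}
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            raw = m["raw"]
            while raw.endswith("\\"):           # hex data continued on the next line
                raw = raw[:-1] + next(lines).strip()
            current[m["name"].replace('\\"', '"')] = decode_value(raw)
    return keys


def usb_devices(keys):
    """One record per USBSTOR device instance, sorted by serial number."""
    devices = []
    for path, values in keys.items():
        m = USBSTOR_RE.search(path)
        if m:
            devices.append({
                "vendor": m["vendor"], "product": m["product"], "revision": m["rev"],
                "serial": m["serial"], "friendly_name": values.get("FriendlyName", ""),
            })
    return sorted(devices, key=lambda d: d["serial"])


if __name__ == "__main__":
    for dev in usb_devices(parse_reg_export(SAMPLE_EXPORT)):
        print(dev)
```

The serial number from the subkey name is the value to carry forward: it is what links this machine's USBSTOR entry to the same device seen on another system, or to a physical drive seized later. The same parser works unchanged on exports of the RecentDocs, Uninstall and NetworkList keys listed above, since they use the same file format.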

Windows Swap File

• File that stores data on a temporary basis
• Data is swapped between this file and RAM
• File ends in a .swp extension, or is named pagefile.sys (Windows XP)
• Resides in the Windows root directory
• Binary file which can be used for forensic analysis

Index.dat
• Forensic investigators must know about this file
• Contains cookies, websites visited, files opened, files deleted, history erased etc., i.e. all actions performed by the user
• The following tools can be used to retrieve and review the file:
1. http://www.eusing.com/Window_Washer/Index_dat.htm
2. http://www.acesoft.net/index.dat%20viewer/index.dat_viewer.htm
3. http://download.cnet.com/Index-dat-Analyzer/3000-2144_4-10564321.html

Memory Analysis
• Can be used for forensic analysis to elicit evidence that never reaches disk:
running processes, open network connections, loaded drivers, decrypted data and
encryption keys
• Volatile, so it is acquired first on a live system, before the machine is powered off
• Analysis is performed on a physical dump of the memory
• A dump is a complete copy of every page of physical memory, written to a dump file
• Forensic tools such as RamCapture64 from Belkasoft can be used:
http://forensic.belkasoft.com/en/ram/download.asp
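
One of the first passes over such a dump is string extraction, because it needs no knowledge of the operating system's internal structures. The example below is added here and is not taken from the book: it pulls ASCII and UTF-16LE (Windows wide-character) strings out of a constructed sample dump and then scans them for indicators (IPv4 addresses, URLs and credential-looking strings). The sample bytes are constructed inline; a real dump would be read from the capture file in chunks.

```python
import re

# Constructed sample "dump" (not a real capture): ASCII and UTF-16LE strings
# mixed with binary noise, the way they appear in a Windows memory image.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"http://evil.example/payload.exe" + b"\x00\x00\xff"
    + "C:\\Users\\user1\\Desktop\\notes.txt".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x03\x05\x06" + b"192.168.1.77" + b"\x00\xff"
    + "password=Hunter2".encode("utf-16-le") + b"\x13\x37"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
CRED_RE = re.compile(r"\bpass(?:word|wd)?\s*[=:]", re.IGNORECASE)


def extract_strings(dump: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in both 8-bit ASCII and UTF-16LE (what `strings -a -el` does)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # a wide string is a run of printable ASCII bytes each followed by a zero byte
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(dump)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(dump)]
    return sorted(found)


def find_iocs(strings: list) -> dict:
    """Pull indicators out of the extracted strings for triage before full analysis."""
    iocs = {"ipv4": [], "url": [], "credential": []}
    for _, _, text in strings:
        iocs["ipv4"] += IPV4_RE.findall(text)
        iocs["url"] += URL_RE.findall(text)
        if CRED_RE.search(text):
            iocs["credential"].append(text)
    return iocs


if __name__ == "__main__":
    found = extract_strings(SAMPLE_DUMP)
    for offset, encoding, text in found:
        print("0x%08x %-8s %s" % (offset, encoding, text))
    print(find_iocs(found))
```

Wide strings matter on Windows because paths, registry keys and command lines live in memory as UTF-16LE and are invisible to an ASCII-only search; the offsets let a hit be traced back to the owning process once a proper memory-analysis framework has mapped the dump.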

Types of Memory
• Stack: each function call gets a frame holding its parameters, local variables and
the return address; frames are pushed and popped in Last In, First Out (LIFO) order,
which is why an overflowed local buffer can overwrite the return address
• Heap: region that serves dynamic memory requested at run time (malloc/new); the
memory allocator satisfies allocation and free requests, and data persists there until
freed, so heap contents often outlive the function that created them

Windows File Copying

Forensic investigators must be aware of how NTFS permissions behave when objects are
created, copied and moved:

• A new object inherits its permissions from the parent folder at creation
• Copying (copy/paste, to the same or another volume) creates a new object, so the copy
inherits the permissions of the destination folder and loses any explicit permissions
set on the original
• Moving (cut/paste) within the same NTFS volume keeps the object's original explicit
permissions, because only the directory entry changes
• Moving to a different volume is a copy followed by a delete, so the object inherits
the destination folder's permissions
• Copying to a FAT volume or removable media discards the ACL entirely, as FAT has no
permissions
Web Forensics: Web Applications
• Websites are built from HTML, JavaScript and CSS on the client and server-side code
in languages such as Perl, Java and ASP.NET
• Web applications are a popular target for attackers
• SQL Injection: popular web attack in which the attacker types SQL syntax into input
fields (classically the username and password fields of a login page) that the
application concatenates into a query, so the input changes the query instead of
being treated as data
• Cross-Site Scripting (XSS): similar in mechanism to SQL injection, but the attacker
injects client-side script into website fields that are later rendered in other
users' browsers
• Cookie Manipulation: attackers steal or alter session cookies (from cookie files or
in transit) to take over a logged-in user's session
• XML Injection / XPath Injection: attackers supply crafted XML values to change the
XPath queries an application runs against XML data
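
The login-form injection described above, as an added example (not code from the book): a vulnerable query built by string concatenation beside its parameterised replacement, run against a constructed in-memory SQLite table, plus a small detection pass over constructed web-log lines of the kind an investigator reviews afterwards. Passwords are stored in plain text only to keep the demonstration short. SQLite's Python binding refuses stacked statements, so the stacked-query form that adds an account ('; INSERT INTO users ...--) appears only in the log sample; on a server that allows multiple statements per call it would run.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (a real application stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct-horse", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Input is pasted into the query text, so quotes and comment markers in the
    username become SQL syntax: the username "alice' --" comments out the
    password check and logs in as alice."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameter binding sends the input as data; the query shape cannot change."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Patterns an investigator looks for in web server / application logs of a
# suspected injection: quote-then-boolean, comment markers, UNION, stacked statements.
INJECTION_RE = re.compile(
    r"'\s*(?:or|and)\s+\S+\s*=\s*\S+"
    r"|--"
    r"|\bunion\s+(?:all\s+)?select\b"
    r"|;\s*(?:insert|update|delete|drop|create)\b",
    re.IGNORECASE,
)

# Constructed log lines (not from a real server) for the detection pass.
SAMPLE_LOG = [
    "10.0.0.5 POST /login user=alice",
    "198.51.100.23 POST /login user=alice' --",
    "198.51.100.23 POST /login user=' OR '1'='1",
    "198.51.100.23 POST /login user=x'; INSERT INTO users (username,password,is_admin)"
    " VALUES ('evil','pw',1)--",
]


def suspicious_requests(log_lines: list) -> list:
    """Return the log lines whose parameters carry injection syntax."""
    return [line for line in log_lines if INJECTION_RE.search(line)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    print("safe:      ", login_safe(db, "alice' --", "wrong"))
    for line in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", line)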

E-mail Forensics
• Forensic investigators must be aware E-mail evidence can be found on
the sender’s computer, sender e-mail server, recipient e-mail server and
the recipient computer.
• Spoofed E-mail communication is often used by criminals
• Spoofed E-mail: scope of this attack entails creating an email message to
come from someone or somewhere other than real sender or location.

• The following websites can be used for this purpose:


1. http://sendanonymousemail.net/
2. http://theanonymousemail.com/
3. http://send-email.org/

E-mail Protocols
• Simple Mail Transfer Protocol (SMTP) is used to send e-mail
• SMTP operates on port 25
• SMTP can be encrypted with SSL or TLS
• POP3 has been improved by the Internet Message Access Protocol on
port 143

E-mail Headers
• E-mail Headers reveal important information
• Request for Comments (RFC) 22 is the standard for Email format and
Headers
• Headers maintain information on the journey of the message within the
network such as the IP addresses, the device, and the network location
address
• Forensic investigator can use e-mail headers to identify who sent the
message

E-mail Files
• E-mail clients store all e-mails on the local machine
• File within the Computer holds all the data from the entire mailbox
• File extension largely is dependent on the e-mail client which is
implemented
The following prominent e-mail file extensions
• .pst (Outlook)
• .ost (Offline Outlook Storage)
• .mbx or .dbx (Outlook Express)
• .mbx (Eudora)
• .emi (common to several e-mail clients)

E-mail Server Forensics


• E-mail servers contain all copies of the e-mails sent and received
The following are the file formats that are used with common e-mail
software:
• Exchange Server (.edb)
• Exchange Public Folders (pub.edb)
• Exchange Private Folders (priv.edb)
• Streaming Data (priv.stm)
• Lotus Notes (.nsf)
• GroupWise (.db)
• GroupWise Post Office Database (wphost.db)
• GroupWise User databases (userxxx.db)
• Linux E-Mail Server Logs/var/log/mail.*

Database Forensics
Forensic Investigators must be aware about the following Relational
Database technologies:

• Microsoft SQL Server


• Oracle
• Microsoft Access
• MySQL
• PostGres T
• NoSQL database
• Forensic investigators should look at the transaction logs, malware,
restoring deleted files etc when examining database servers
• Examination of the Transaction log is critical for Database forensic
investigation as they capture every insert, delete, update, select etc
• Reviewing User Accounts can also provide a detailed insight since user
accounts can be added via SQL injection techniques
• Data that has been deleted can also be retrieved from Database backups,
also an important source of forensic evidence
• Databases are the targets for financially motivated cybercrimes

Record Carving and Database


Reconstruction
• Process of recovering data which has been corrupted or deleted from the
database
• Similar to File carving, records carved from a disk image in order to
restore data
• T0ols for Record Carving: wdsCarve

Additional Information
• http://support.microsoft.com/kb/310316.
• http://www.mongodb.org/.
• http://codex.cs.yale.edu/avi/db-book/db6/appendices-dir/e.pdf.
• https://www.sans.org/reading-room/whitepapers/application/forensic-
analysis-sql-server-2005-database-server-1906.
Essentials of
Malware Forensics
Chapter 12

Virus Fundamentals
Virus can be defined as a software which has the functional capability of self-
replicating itself and compromise of the following types:
• Armoured Virus: this type of virus uses techniques by creating code
confusion or compressing the code. The intent is to make the code
difficult to follow.
• Sparse Infection Virus: this type of virus is typically active for short
periods making it difficult to detect by virus scanners.
• Macro Virus: this type of virus is defined into a macro in a business
application such as Microsoft office which utilises macros to streamline
certain tasks

• Multipartite Virus: this type of virus launches a attack in several ways


to the boot sector and other components of the system. This virus
infects files and the virus spreads throughout the system as the
user runs the infected file.
• Polymorphic: this type of virus changes form and encrypts itself to hide
from the antivirus software.

Developing Modern Viruses


• Programming skills are no longer required to develop complex viruses
• Tools such as Terabit Virus Maker exist which can create viruses
allowing novices to create viruses

Example of Virus Creating Tool

Trojan Horses
• Trojan Horse Programs have malicious intent
• Can be created by writing a program from scratch or by using a program
that implements a component of malware to an innocuous program, hence
making two programs appear as the one
• Tools such as EliteWrap using the command line and enables person to
bundle two programs into the one.

Example of Elite Wrap


Spyware
• Software which accomplishes monitoring of all computer activities
• Spyware can be software which logs keystrokes or records all websites
visited
• Monitoring activities comprise of phone, e-mail, or web traffic etc
• searchprotocolhost.exe within Windows indexing is a spyware

Buffer Overflow
• Buffer Overflow is an attack which uniquely takes place due to much
information overload within the buffer than it was designed for.
• Program which communicate via the internet or private network have
data memory stores known as a buffer
• To design Buffer Overflow attacks knowledge of C or C++ programming
language is essential

RootKit
• Collection of Hacker tools used by Hackers
• Hacker installs rootkit by cracking the user password
• Rootkit collates user IDs and Passwords
• Rootkits available for most operating systems and not just Sun and Linux
operating systems

Logic Bombs
• Programs or pieces of code which perform when a predefine event occurs
• Designed for specific purpose and extremely difficult for antivirus
software to detect
• Designed by highly skilled programmers typically within the enterprise
• Can be detected through software testing and code reviews

Ransomeware
• Delivered via a Trojan
• Takes control of a system and demands third party to be paid before
control is released
• Control achieved by encrypting hard drive, changing user password and
information.

Example of Ransomeware
Malware Analysis
• Examines malware to understand its behaviours and functionality
• Used by major antivirus vendors, updates are typically released due to
performing Malware Analysis
• Static and Dynamic Analysis techniques can be employed

Malware Analysis
• Static Analysis: involves decomposing the malware and studying
without performing the execution, can be effectively utilised on the
source code of the malware
• Dynamic Analysis: involves executing the malware and employing a
wide array of malware tools and techniques such as function call analysis
to perform analysis on the source code.
• Virtual Machines are very suitable for performing Dynamic Analysis
• Tools such as Windows Sysinternals are very effective in providing
malware analysis of a live windows system
• Tools such as Procmon (Graphical User Interface tool) Provides view of
all running processes within a system
• Tools such as Rammap provide a detailed analysis of all the activities
within the memory.

Additional Information
• http://www.macworld.com/article/1160098/macdefender.html
• http://www.neuber.com/taskmanager/process/searchprotocolhost.exe.html
• http://answers.microsoft.com/en-us/windows/forum/windows_xp-
performance/searchprotocolhostexe-consumes-95-of-cpu/1651e73e-fa99-
4761-9c82-e4778e068207
• http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.
• htps://iseclab.org/papers/malware_survey.pdf
• http://technet.microsoft.com/en-US/SysInternals

Digital Forensic Technologies


Chapter 13
Social Networks
• Most common types of social network websites: Twitter, Facebook,
YouTube, LinkedIn etc
• Jurisdiction is an important issue when pursuing forensic examination on
social networks
• Criminals in the past have posted crimes online via social network
websites!
• Social media is also largely used by Cyber stalkers, paedophiles and
financial scammers.

New Devices
The following are the types of new devices which significantly impact cyber
security and forensics:
Google Class: Linux based has functional capability of recording videos and
images important from a forensic investigation viewpoint
Cars with GPS devices: GPS data can be utilised to establish if the car was
within the parameters of the crime scene.
Medical Devices with Data: Wireless insulin pumps send data over wireless
communication and could be vulnerable to being hacked if foul play is
involved in a crime scene.

Online Gaming
• Very popular with online cheating become a major issue for many online
gaming vendors
• Can potentially lead to issues such as threats, cyberstalking, and other
crimes.
• Gaming companies are utilising cyber forensic practices to identify
fraudsters and cheaters.
Electronic Discovery
• Refers to the process of manufacturing evidence electronically and where
evidence is stored electronically
• Electronically Stored Information (ESI) encompasses the following: e-
mails, word processing documents, spreadsheets, web pages, etc.
• ESI viewed as extension of traditional civil discovery rules

Types of Electronic Discovery


Investigation
Civil Litigation encompassing the following

• Copyright infringement,
• Patent Infringement
• Discrimination
• Divorce
Administrative Investigation encompassing the following:

• Internal investigations
• Discrimination
• Employee Termination
• forensic investigation of organisation internally

Criminal Investigations encompassing the following:

• Civil proceedings leading to criminal charges


• Financial Embezzlement
• Malware Investigation
Big Data –Cyber Forensics
• Referred to data that is exceptionally large and cannot be maintained by
standard tools and techniques.
• Largely stored on the Storage Area Network (SAN)
• SAN incorporate redundant storage and typically comprise of multiple
servers and network storage devices supported by high speed cabling and
switches
• Forensic Investigators can perform forensic investigation on SANs
bearing in mind that data is spread across diverse storage devices when
collating evidence

Electronic Data Discovery Process


Steps
Forensic Investigators should be aware about the following guidelines when
collating evidence and pursuing a cyber forensic investigation:

• Identify: this entails defining what is in scope and relevant, transaction


logs? Server logs? Social Networks? Cars with GPS?
• Collect: this entails referring to the chain of custody and defining the
approach
• Reduce: this entails process of elimination, reducing unwanted and
irrelevant data
• Review: this entails summarizing all the collated evidence and
identifying the relevant conclusions based on the data collected.
• Produce: this entails populating the relevant report containing all-
encompassing evidence
Additional Information
1. https://www.facebook.com/about/privacy/other.
2.http://happyplace.someecards.com/2013/07/26/facebook/people-
accidentally-confessing-to-criminal-activity-on-facebook/.
3. http://www.cbsnews.com/pictures/facebook-related-crimes/.
4. http://theweek.com/article/index/227257/7-suspected-criminals-who-got-
themselves-caught-via-facebook.
5.http://fusion.net/modern_life/entertainment/story/criminals-caught-social-
media-7700.
6.http://www.theguardian.com/technology/2009/oct/14/mexico-fugitive-
facebook-arrest.
7. http://www.dailymail.co.uk/news/article-2154624/A-Facebook-crime-40-
minutes-12-300-cases-linked-site.html.
8. http://caveon.com/df_blog/forensics-analysis-moves-to-online-games.
9. http://www.law.cornell.edu/rules/frcp/rule_26.

You might also like