ITS455–Computer Forensics & Investigations

The document provides an overview of computer forensics, detailing the processes involved in collecting, analyzing, and presenting digital evidence in legal contexts. It emphasizes the importance of maintaining the integrity of evidence, following proper procedures, and adhering to legal standards while conducting forensic investigations. Additionally, it outlines the roles of various entities in utilizing computer forensics and the challenges faced in the field, including data volume and complexity.

Uploaded by

Ambar Castillo

ITS455 – Computer Forensics & Investigations

Chapter 1 Notes

– Forensics –
the use of science to process evidence to establish the facts of a case

– Computer/Digital Forensics –
The use of analytical and investigative techniques to identify, collect, examine and preserve
evidence/information that’s magnetically stored or encoded.

Goal: to recover, analyze, and present computer-based materials in such a way that it can be used
as evidence in a court of law.
Emphasis: integrity & security of evidence
Must:
★​Apply scientific method and processes
★​Have knowledge of relevant scientific disciplines (hardware, OS, computer networks, etc)
Subjects: any device that can store data
Applies to: all domains of IT infrastructure
Forensic Process:
1.​Collect the Evidence
Follow appropriate procedures to the letter (see Page __)
★​How you collect the evidence determines if it’s admissible in court
2.​Analyze the Evidence
Most time-consuming part of forensic investigation
Put together the data you have found by looking at every detail to reach one or several data-based
conclusions
(See Page __)
3.​Present the Evidence
Goal: interpret the technical information in plain English and paint an accurate picture for the court – do NOT
use jargon
There are two basic forms to present evidence:
1.​Expert Report
2.​Expert Testimony

Expert Report:
Formal doc that lists:
​Your curriculum vitae (CV) specific to your work experience as a forensic investigator
​Every test you’ve conducted
​Everything you found
​Your conclusions

Is thorough
➔​If you don’t put a specific subject in your report you cannot testify about it at trial.
➔​For best results: include items peripheral to the main case in your report so you can talk about
them at trial

MUST Backup your conclusions


​Use minimum 2-3 reputable references other than the reputation/experience/academics of the
expert (you).
​References should either agree with your conclusion or provide support for how you came to
that conclusion

Ex of Sources: US-CERT, FBI, US Secret Service, Cornell University Law School


Typical length & level of detail varies:
◆​ Criminal Court:
Usually don’t require a formal expert report, but rather a report of your forensic examination

Usually a statement from an attorney of who you are and what topics you intend to testify about is
given instead of a full expert report
◆​ Civil Court:
Expert report is detailed and commonly 100-200 pages long but can be longer (1,500 pages)
The lengthier reports are typical in IP cases

Guidelines for writing reports:


1. Start with the expert's qualifications
a.​Complete CV detailing education, work history, publications, & elements of expert’s history that
are related to the case
2. Detail what analysis was used – how the expert conducted their exam and analysis
a.​The tools used
b.​The results
c.​ The conditions the tests were conducted in
★​Include enough detail so that any competent forensic analyst can replicate your test
3.​Conclusions
a. All claims should be supported by intrinsic reputable sources because at trial creative attorneys
can extract nontraditional meanings from even commonly understood terms
4.​Completeness
a.​Report must cover every item the expert wishes to opine on in detail
b.​Nothing can be assumed
c.​ Must be error free & proofread
Expert Testimony:
US Federal RULE 702 – Defines Expert Testimony
A witness who is qualified as an expert by knowledge, skill, experience, training or education may
testify in the form of an opinion or otherwise if:
A. The expert's scientific, technical, or other specialized knowledge will help the trier of fact understand
the evidence or determine a fact in issue;
B.​The testimony is based on sufficient facts or data;
C.​The testimony is a product of reliable principles and methods; and
D.​The expert has reliably applied the principles and methods to the facts of the case.

Scenarios in which you give EXPERT TESTIMONY:


1.​Deposition
2.​Trial

Deposition -
Sworn testimony taken from a witness or party to a case before trial, typically held in an attorney's office
and is less formal than trial.
★​Other side’s lawyer asks the expert questions, even ones that would likely not be allowed by a trial
judge.
★​ Lying under oath is perjury – a felony
Goal: present scientifically valid evidence in a court acceptable manner

If you find evidence that would undermine the case of whoever hired you, your duty is to let them know
ASAP.
Do NOT color your testimony to hide the facts

Trial Testimony -
Related US Federal Rules:
★​ Rule 703 – Bases of an expert
Experts may base an opinion on facts or data that the expert has been made aware of or
personally observed if other experts in the field would reasonably rely on the kind of facts &
data in question to form an opinion on the subject.
➔​the facts/data need not be admissible for the opinion to be admitted
If the facts/data would otherwise be inadmissible, the proponent of the opinion can disclose
them to the jury only if their probative value in helping the jury evaluate the opinion
substantially outweighs their prejudicial effect.
➔​Probative Value –
The weight they carry in helping reach a valid judgment
★​ Rule 704 – Opinion on an ultimate issue
An opinion is not objectionable just because it embraces an ultimate issue.
★​An expert witness can offer an opinion as to the ultimate issue in a case.

★​ Rule 705 – Disclosing the facts or data underlying an expert


Unless the court orders otherwise, an expert may state their opinion and give the reasons for it
without first testifying to the underlying facts/data.
➔ The expert may be required to reveal these facts/data in cross-examination

★​ Rule 706 – Court-appointed expert witness


Covers the appointment of neutral experts used to advise the court and who work for the
court.

★​ Rule 401 – Test for relevant evidence


Evidence is relevant if:
a.​It has any tendency to make a fact more or less probable than it would be without the
evidence, and
b. The fact is of consequence in determining the action.

To give good testimony & decrease your stress levels:


➔​Do a thorough & complete job in your data collection & forensic analysis
➔​Keep calm
➔​Tell the truth
➔​Answer questions directly
➔​Be prepared
◆​Make sure your forensic process is done correctly and is well documented
◆​Use charts, diagrams, and other graphics
◆​Go over your report and notes again before you testify
➔​Look objectively at your own report
◆​Are there alternative ways to interpret the evidence? If so, why did you reject these
alternative interpretations?

Questions that should guide your forensic work:


★​Are you basing your conclusions on sufficient data and facts?
★​Did you apply reliable scientific principles and methods in forming your conclusions?
Goals of opposing counsel (other side’s lawyers) during deposition:
1.​To find out as much as possible about your position, methods, conclusions, and
your side’s legal strategy
★​Answer honestly, but don’t volunteer information unasked
2.​To get forensic expert to commit to a position they may not be able to defend
later
★ Listen carefully to the specific words the opposing counsel uses when questioning you.
★ If you don't fully understand the question, say so and ask for clarification.
★ Do not guess; admit what you don't know
★​If you are not 100% certain of an answer say something like: “to the best of my current
recollection”
★​Review the documents being referred to whenever possible and refer to them if they are
available – DO NOT testify from memory.
Entities who actively use computer forensics:
★ Military – Use DF to gather intelligence from computers captured during military actions.
★ Gov. Agencies – Use DF to investigate crimes involving computers.
US Agencies:
➔ FBI
➔ US Postal Inspection Service
➔ Federal Trade Commission
➔ FDA
➔ Secret Service
➔ DOJ National Institute of Justice
➔ National Institute of Standards and Technology
➔ Office of Law Enforcement Standards
➔ Department of Homeland Security
★ Law Firms – Hire forensic analysts to conduct investigations and testify as expert witnesses
★ Criminal Prosecutors – Use digital evidence when working with incriminating documents & try to link such documents to crimes
★ Academia – Research and educate on computer forensics
★ Data Recovery Firms – Use DF techniques to recover data after hardware/software failures and when data has been lost.
★ Corporations – Use forensics to assist in employee termination and prosecution (in cases related to theft of IP/trade secrets, fraud, embezzlement, sexual harassment, and network/computer intrusions) and find evidence of unauthorized use of equipment.
★ Insurance Companies – Use digital evidence of possible fraud in accident, arson, and workers' compensation cases
★ Individuals – Hire forensic specialists to support possible claims (wrongful termination, sexual harassment, age discrimination, etc)
Digital Evidence –
Information that has been processed and assembled so that it is relevant to an investigation and
supports a specific finding or determination
★​Not all raw information is evidence
★​Data MUST be relevant to the case to be considered/used as evidence

Investigators must show an unbroken chain of custody to demonstrate that evidence has been protected
from tampering.
Chain of Custody –
The continuity of control of evidence that makes it possible to account for all that has happened to
evidence between its original collection and its appearance in court
★​Evidence should preferably be unaltered
★​If the chain of custody is broken at any point the court may consider all conclusions forensics
specialists derived invalid.

Types of Evidence Courts Deal With:


1.​Real Evidence
Physical objects that can be touched, held, or directly observed
Examples:
​Laptop with suspect’s fingerprints on the keyboard
​Hard drive
​USB drive
​Handwritten note

2.​Documentary Evidence
Data stored as written matter on paper or electronically
★​Must be authenticated by investigators
Demonstrate that the data is genuine
Demonstrate that the data was not created after the fact
Examples:
 Memory-resident data and computer files
​Email messages
​Logs
​Databases
​Photographs
​Telephone call-detail records

3.​Testimonial Evidence
Information forensic specialists use to support or interpret real or documentary evidence
Example:
​Used to demonstrate that fingerprints found on keyboard are those of a specific individual
​System access controls may show a particular user stored specific photographs on a desktop
4.​Demonstrative Evidence
Information that helps explain any other evidence
★​MUST show that the specialist protected the evidence used to make a determination from
tampering
★​MUST show the testifier based their conclusion on a reasonable interpretation of the
information
★​MUST present testimony without jargon and complex technical discussions
Example:
​Chart, graph, picture that explains a technical concept to a judge/jury
​Testimony from forensic specialist to support the conclusion of their analysis
Scope-Related Challenges to Computer Forensics:
➔​Volume of data to be analyzed
➔​Complexity of the computer system
➔​Size and character of the crime scene
➔​Size of the caseload and resource limitation

The scope of a forensic effort often presents an analytical and psychological challenge to forensic
specialists.

Volume of Data
Examining all areas of potential data storage and all potential representations generates extremely large
volumes of information to analyze, store, and control for the full duration of an investigation and analysis.
➔​Ex: Hard drives in excess of 1 terabyte are common and inexpensive
Specialists must also work within the forensic budget.
➔​Manipulating & controlling large volumes of information is expensive
Resource limitations increase potential for error and may compromise the analysis

Best Practices: when working with large volumes of data


1.​Ensure all equipment is capable of manipulating large volumes of information quickly
2.​Provide for duplicate storage so that original media and its resident info are preserved and
protected against tampering and other corruption
3.​Create backups early and often to avoid losing actual info and its associated metadata
4.​Document everything that is done in an investigation and maintain the chain of custody

Complexity of Computer Systems


There is a wide array of data and formats and the law protects specific items but not others.
Example:
​PDF
​DOC/DOCX
​XLS
​MP4, AVI, MOV, …
​JPEG, GIF, BMP, PNG, …
​VoIP
​IM
​SMS/MMS
​Real-time two-way video conferencing
Systems like video conferencing & VoIP connect & share data with systems that can be located anywhere
in the world.
★​No single forensic software can deal with all the complexity.
Forensic specialists:
​Must understand all the digital information and its associated technology,
​Use a set of software & hardware tools and supporting manual procedures to analyze the
data/evidence,
​Build a case to support their interpretation of the story told by the information being analyzed, and
​Should be able to show corroboration that meets the traditional legal evidence tests.

Basic Legal Evidence Tests That Apply Everywhere:


1.​Chain of Custody
2.​Daubert Standard

To reach a conclusion and turn raw information into supportable, actionable evidence forensic analysts
must identify and analyze corroborating information by examining and correlating multiple individual
pieces of information.
Common Practice:
Use >1 tool to conduct the same test to make sure both tools yield the same result. If so, the
information gathered is likely accurate and reliable.

Distribution of the Crime Scene


Crime scenes may be geographically dispersed because the network in use is dispersed.
★​Creates jurisdictional problems that criminals take advantage of
Networks and centralized storage also present problems because items of interest may not be stored on
the target computer.

Size of caseload and resource limitation


# of specialists is too small to analyze every cybercrime
Trends:
➔​Caseloads are growing
➔​Resources to analyze those caseloads are relatively becoming more limited.
➔​Criminals use tech to commit crimes and hide evidence
➔​Forensic tools can be used to locate, analyze, and catalog evidence as well as to eradicate it.
Types of Digital System Forensics Analysis:
★ Disk Forensics – Process of acquiring and analyzing information stored on physical storage media; includes both the recovery of hidden and deleted information and the process of identifying who created a file/message.
Including:
➔ Hard drives
➔ Smartphones
➔ GPS
➔ Removable media
★ Email Forensics – Study of the source and content of email as evidence
Includes:
➔ Process of identifying sender, recipient, date, time, origin location
Used to identify:
➔ Harassment
➔ Discrimination
➔ Unauthorized activities
★ Network Forensics – Process of examining network traffic
Includes:
➔ Transaction logs
➔ Real-time monitoring using sniffers and tracing
★ Internet Forensics – Process of piecing together where and when a user has been on the internet
★ Software Forensics – Also called Malware Forensics; the process of examining malicious code
★ Live System Forensics – Process of searching memory in real time.
Usually done when working with compromised hosts or identifying system abuse.
★ Requires special skills and training
★ Cell Phone Forensics – Process of searching the contents of cell phones
Includes:
➔ VoIP
➔ Traditional phones
➔ Mobile phones
Overlaps with:
➔ Foreign Intelligence Surveillance Act of 1978 (FISA)
➔ USA PATRIOT Act
➔ Communications Assistance for Law Enforcement Act (CALEA)

General Guidelines for Forensic Work/Best Practices:


1.​Maintain the chain of custody
2.​Touch suspect drives as little as possible
Make forensic copies of the suspect systems and work on/analyze the copies
Tools for creating forensic copies:
➔​AccessData – Forensic Toolkit
➔​Guidance – EnCase
➔​PassMark – OSForensics
3.​Document everything
➔​Who was present when the device was seized?
➔​What was connected to the device?
➔​What was showing on the screen when the device was seized?
➔​What specific tools and techniques did you use?
4.​Secure the evidence
Put evidence in locked rooms or safes, with access given only to those who MUST enter.
Take all reasonable precautions to ensure that no one can tamper with the evidence.
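Added example (not from the course notes): a small Python model of guidelines 1–3 above. The "image" is a constructed byte string standing in for an acquired disk image; the evidence id, custodian names and timestamps are made up. Two independent hash algorithms are used so that a copy is corroborated by more than one tool, and the custody log is append-only.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Constructed stand-in for a disk image acquired from the suspect drive. A real
# image would be the raw bytes read through a write blocker, not an inline string.
SUSPECT_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + b"constructed sector data " * 64


def image_digests(data: bytes) -> dict:
    """Hash the image with two independent algorithms (the course's '>1 tool' rule):
    a tampered copy would have to collide under both to go unnoticed."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


@dataclass
class CustodyEvent:
    when: str          # ISO-8601 timestamp supplied by the custodian
    custodian: str     # who handled the evidence
    action: str        # what was done to it
    digests: dict      # hashes observed at that moment


@dataclass
class ChainOfCustody:
    evidence_id: str
    events: list = field(default_factory=list)

    def record(self, when: str, custodian: str, action: str, data: bytes) -> None:
        """Append an event; the log is append-only, nothing is ever edited."""
        self.events.append(CustodyEvent(when, custodian, action, image_digests(data)))

    def unbroken(self) -> bool:
        """The chain holds only if every event saw the same digests as acquisition."""
        if not self.events:
            return False
        baseline = self.events[0].digests
        return all(e.digests == baseline for e in self.events)

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def make_forensic_copy(original: bytes) -> bytes:
    """Bit-for-bit working copy; all analysis happens on this, never on the original."""
    return bytes(original)


def verify_copy(original: bytes, copy: bytes) -> bool:
    return image_digests(original) == image_digests(copy)


def intact_chain() -> ChainOfCustody:
    """Normal handling: acquisition, verification of the working copy, hand-over."""
    chain = ChainOfCustody("EV-0001")  # constructed evidence id
    chain.record("2024-03-01T09:00:00Z", "A. Examiner", "imaged drive via write blocker", SUSPECT_IMAGE)
    copy = make_forensic_copy(SUSPECT_IMAGE)
    chain.record("2024-03-01T09:30:00Z", "A. Examiner", "verified working copy", copy)
    chain.record("2024-03-02T08:00:00Z", "B. Analyst", "received copy, re-hashed before analysis", copy)
    return chain


def broken_chain() -> ChainOfCustody:
    """Same steps, but one byte of the copy changes between hand-over and analysis."""
    chain = ChainOfCustody("EV-0002")
    chain.record("2024-03-01T09:00:00Z", "A. Examiner", "imaged drive via write blocker", SUSPECT_IMAGE)
    copy = bytearray(make_forensic_copy(SUSPECT_IMAGE))
    copy[100] ^= 0xFF  # constructed tampering / corruption
    chain.record("2024-03-02T08:00:00Z", "B. Analyst", "re-hashed before analysis", bytes(copy))
    return chain


if __name__ == "__main__":
    print(intact_chain().to_json())
    print("intact:", intact_chain().unbroken(), " broken:", broken_chain().unbroken())
```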

Knowledge Needed For Forensic Analysis:


★​ Hardware
Types of RAM by the way info is written to and read from
Types of RAM by their volatility
Types of Hard Drives by their speed and efficiency of data retrieval
How data is stored in Hard Drives
Terms Common to all Hard Drives
★​ Software
Windows
Linux
macOS
Files & File Systems
★​ Networks
Network topographies
Network Components
Protocols
OSI model
Internet Engineering Task Force (IETF) model
★​ Addresses
Physical Ports
MAC Addressing
IP Addressing
Logical Port Numbers
URLs
Basic Network Utilities
★​ Obscured Information & Anti-Forensics
Obscured information
Anti-forensic techniques
-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Memory: Short-term Memory
RAM –
Random Access Memory
Volatile memory that stores the program and data you currently have open and that gets
deleted/destroyed when the computer loses power.

Types of RAM by the way info is written to and read from


★​ Extended Data Out (EDO) Dynamic RAM (DRAM)
Has the ability to carry out a complete memory transaction in one clock cycle
★​ Burst EDO (BEDO) DRAM
An evolution of EDO that can process four memory addresses in one burst
★​ Asynchronous DRAM (ADRAM)
Is not synchronized to the CPU clock
★​ Synchronous DRAM (SDRAM)
A replacement for EDO
★​ Double Data Rate (DDR) SDRAM
A later iteration of SDRAM of which there are currently four versions: DDR2, DDR3, DDR4, and
DDR5
★​DDR3 & DDR4 are the most common forms of RAM found in PCs and laptops

-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Volatility –
How easily the data can be changed (intentionally/unintentionally)
Types of RAM by their volatility
★​ RAM - Random Access Memory
Easy to read from and write to
Very volatile, data is erased when power is discontinued
★​ ROM - Read-Only Memory
Not volatile, CANNOT be changed
Most often used for firmware embedded in chips that controls how devices and peripherals operate
★​ PROM - Programmable Read-Only Memory
Can be programmed only once
Data is not lost when power is removed
★​ EPROM - Erasable Programmable Read-Only Memory
Data is not lost when power is removed
Another technique for storing instructions on chips
★ EEPROM - Electrically Erasable Programmable Read-Only Memory
Stores the firmware for most computers' basic input/output system (BIOS)
Memory: Hard Drives
Types of Hard Drives by their speed and efficiency of data retrieval:
All the following refer to how the hard drive connects to the motherboard to transfer data and
do NOT define how info is stored on the disk.
★​ SCSI - Small Computer System Interface
Popular in high-end servers
Standard was established in 1986
Such devices must have a terminator at the end of the chain of devices to work and are limited to
16 chained devices
★​ IDE - Integrated Drive Electronics
An older standard that’s been used in PCs for many years
★ If you encounter a 40-pin connector you're dealing with an IDE or EIDE drive.
★​ EIDE - Enhanced IDE
An extension/enhancement of IDE
★​ PATA - Parallel Advanced Technology Attachment
Another enhancement of IDE
Uses either a 40-pin or 80-pin connector
★​ SATA - Serial Advanced Technology Attachment
Common in workstations and servers
Internals of hard drive are similar to IDE and EIDE, but the connectivity to the computer’s
motherboard is different
Difference from IDE/EIDE: has no jumpers to set the drive
★​ Serial SCSI
An enhancement of SCSI
Supports up to 65,537 devices and does NOT require termination
★​ SSD
Becoming more common
Have a different construction & storage method from hard drives:
➔​Use microchips that retain data in non-volatile memory chips
➔​Contain no moving parts
➔​Use NAND-based (Negated AND gate) flash memory
Other Differences:
➔​Do not benefit (experience detrimental effects to their life cycle) from defragmentation
High performance flash-based SSDs require ½ - ⅓ the power of HDDs.
High performance DRAM SSDs require as much power as HDDs & consume power when the rest
of the system is shut down.
★​NAND-based flash memory – Retains memory without power
-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - -
How data is stored in Hard Drives (HDDs):
Data is recorded by magnetizing ferromagnetic material directionally to represent either a 0 or a 1 binary
digit.
➔​Magnetic data is stored on platters
◆​Platters are organized on a Spindle with a read/write head reading and writing data to and
from the platters
Data is organized as follows:
★​ Sector –
The basic unit of data storage on a hard disk
Usually 512 bytes, but is often 4096 bytes on newer systems
★​ Cluster –
A logical grouping of sectors
Can be 1-128 sectors in size, i.e. 512 bytes to 64 kilobytes
The minimum size a file can use is 1 cluster; if the file is smaller, the extra space remains unused
★​ Tracks –
Organized sectors
★​ Drive Geometry –
The functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per
track

-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Terms Common to all Hard Drives (HDDs):
Slack Space –
The space between the end of a file and the end of the cluster, assuming the file does not occupy the
entire cluster
★​ Space can be used to hide data
Not particularly useful on SSDs due to:
★​Wear Leveling –
A technique used with SSDs to extend the life of the drive by spreading out the use of the SSD
to prevent individual segments (SSD version of Sectors) from becoming unreliable due to too
many erase cycles impacting a segment.
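Added example (not from the course notes): Python helpers for the arithmetic behind the sector, cluster, slack space and drive geometry definitions above. The 512-byte sector, 8-sectors-per-cluster volume and the "cluster run" with something tucked into the slack are all constructed sample values.

```python
SECTOR_BYTES = 512  # the notes' usual sector size; newer drives use 4096


def cluster_bytes(sectors_per_cluster: int, sector_bytes: int = SECTOR_BYTES) -> int:
    """Cluster size in bytes; the notes give a range of 1-128 sectors per cluster."""
    if not 1 <= sectors_per_cluster <= 128:
        raise ValueError("clusters are 1-128 sectors")
    return sectors_per_cluster * sector_bytes


def allocation(file_size: int, sectors_per_cluster: int, sector_bytes: int = SECTOR_BYTES):
    """Return (clusters_used, slack_bytes) for a file of file_size bytes.
    A file always consumes at least one whole cluster; the unused tail is slack."""
    if file_size < 0:
        raise ValueError("negative file size")
    size = cluster_bytes(sectors_per_cluster, sector_bytes)
    clusters = max(1, -(-file_size // size))  # ceiling division, minimum 1 cluster
    return clusters, clusters * size - file_size


def slack_bytes(cluster_run: bytes, file_size: int) -> bytes:
    """Carve the slack region out of the raw clusters a file occupies: everything
    after the logical end of the file up to the end of its last cluster."""
    return cluster_run[file_size:]


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int, sectors_per_track: int) -> int:
    """Drive geometry -> linear sector number (CHS sectors are numbered from 1)."""
    if not 0 <= head < heads or not 1 <= sector <= sectors_per_track:
        raise ValueError("head/sector outside drive geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba: int, heads: int, sectors_per_track: int):
    """Inverse of chs_to_lba for the same geometry."""
    cylinder, rest = divmod(lba, heads * sectors_per_track)
    head, sector = divmod(rest, sectors_per_track)
    return cylinder, head, sector + 1


def capacity_bytes(cylinders: int, heads: int, sectors_per_track: int,
                   sector_bytes: int = SECTOR_BYTES) -> int:
    """Raw capacity implied by a drive's geometry."""
    return cylinders * heads * sectors_per_track * sector_bytes


# Constructed cluster run: a 10,000-byte file on a volume with 8 sectors (4 KiB) per
# cluster occupies 3 clusters (12,288 bytes); something was written into its slack.
_PREFIX = b"A" * 10_000 + b"\x00" * 500 + b"constructed hidden note"
CLUSTER_RUN = _PREFIX.ljust(3 * cluster_bytes(8), b"\x00")

if __name__ == "__main__":
    print(allocation(10_000, 8))                                 # (3, 2288)
    print(slack_bytes(CLUSTER_RUN, 10_000).strip(b"\x00"))       # b'constructed hidden note'
    print(chs_to_lba(0, 1, 1, heads=16, sectors_per_track=63))   # 63
    print(capacity_bytes(1024, 16, 63))                          # 528482304
```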
Low-level Format –
Creates a structure of sectors, tracks, and clusters
High-level Format –
The process of setting up an empty file system on the disk and installing a boot sector
★​Also referred to as Quick Format

★ SSDs are more common than HDDs


-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Operating Systems
➔​Windows
➔​Linux
➔​macOS

Windows –
Windows Registry –
A repository of all settings, software, and parameters for Windows
Information you can get from the Windows Registry:
➔ Passwords for wireless networks
➔​The serial numbers for all USB devices that have been connected to the computer
★​ Is the most important part of Windows from an IT Support and Forensic POV.

Other interesting places to look for forensic evidence:


➔​index.dat File
➔​Browser cookies
➔​Browser history

Linux –
Offers a lot of free forensic tools
Is a favorite of the security and forensics community
Kali Linux – a distribution of Linux – has an extensive collection of forensic, security, and hacking tools

macOS –
Many forensic techniques that can be used on Linux can be used on macOS from the shell prompt because
macOS (as of 2013 - OS X) is based on FreeBSD (a UNIX-clone)
★ The GUI on macOS is only an interface; the backend is UNIX-like
-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Files:
Store discrete sets of related information in files
★ It is easy to change the extension of a file to make it look like a different file type – this, however, does
not change the file structure itself
★​There are tools that allow viewing of the actual file structure and the file header
Basic File Header Facts:
★ File headers give an accurate understanding of the file regardless of whether the extension has been
changed.
★​File headers start at the first byte of a file.
Basic File Facts:
★​In graphics file formats, headers may give info about an image’s size, resolution, number of colors
and the like.
★​ELF (Executable & Linkable Format) files are a common standard file format for executables, object
code, and shared libraries in UNIX-based systems.
★​PE (Portable Executable) files are used in Windows for executables and dynamic-link libraries
(DLLs). They are derived from the earlier Common Object File Format (COFF) found on VAX/VMS,
a common OS for mainframe computers.
★ Areal Density – the data per area of disk
★​Windows Office files have Globally Unique IDentifiers (GUID) to identify them.
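Added example (not from the course notes): a Python header identifier for the formats the notes list (PNG, JPEG, GIF, BMP, PDF, ELF, PE and the OLE2/ZIP containers behind DOC/XLS and DOCX/XLSX). It classifies a file by its first bytes, flags a name whose extension disagrees with the header, and reads the image size from a PNG header. The sample headers are constructed and are not real files.

```python
import struct
from pathlib import PurePath

# Known header signatures: (magic bytes at offset 0, type name, extensions that
# legitimately carry that header). DOCX/XLSX are ZIP containers; DOC/XLS are OLE2.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png",  {"png"}),
    (b"\xff\xd8\xff",      "jpeg", {"jpg", "jpeg"}),
    (b"GIF87a",            "gif",  {"gif"}),
    (b"GIF89a",            "gif",  {"gif"}),
    (b"BM",                "bmp",  {"bmp"}),
    (b"%PDF",              "pdf",  {"pdf"}),
    (b"\x7fELF",           "elf",  {"", "so", "o"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt"}),
    (b"PK\x03\x04",        "zip",  {"zip", "docx", "xlsx", "pptx", "jar"}),
]
PE_EXTENSIONS = {"exe", "dll", "sys"}


def identify(data: bytes) -> str:
    """Classify a file by its header bytes, ignoring the file name entirely."""
    # PE: "MZ" DOS stub whose DWORD at 0x3C points at the "PE\0\0" signature
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    for magic, name, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """False when the extension claims a type the header does not support."""
    kind = identify(data)
    ext = PurePath(filename).suffix.lstrip(".").lower()
    if kind == "pe":
        return ext in PE_EXTENSIONS
    for _, name, exts in SIGNATURES:
        if name == kind:
            return ext in exts
    return False


def png_dimensions(data: bytes):
    """Width/height from the IHDR chunk that immediately follows the PNG signature."""
    if identify(data) != "png" or data[12:16] != b"IHDR":
        return None
    return struct.unpack_from(">II", data, 16)


def triage(files):
    """files: (name, bytes) pairs. Return {name: real_type} for every file whose
    extension disagrees with its header; these are the ones to look at first."""
    return {name: identify(data) for name, data in files if not extension_matches(name, data)}


# Constructed sample headers (not real files)
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">IIBBBBB", 640, 480, 8, 6, 0, 0, 0) + b"\x00" * 4)
PE_SAMPLE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + b"\x00" * 20)
PDF_SAMPLE = b"%PDF-1.7\n%constructed\n"

if __name__ == "__main__":
    print(triage([("holiday.png", PNG_SAMPLE), ("invoice.pdf", PE_SAMPLE),
                  ("notes.docx", PNG_SAMPLE), ("report.pdf", PDF_SAMPLE)]))
    # {'invoice.pdf': 'pe', 'notes.docx': 'png'}
    print(png_dimensions(PNG_SAMPLE))  # (640, 480)
```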

File Systems:
Can be divided into 2 categories:
★​ Journaling File Systems –
File system that keeps a record of what file transactions take place so that files can be recovered in
the event of a hard drive crash.
Are fault tolerant because the file system logs all changes to files, directories, or file structures.
The log where all changes are recorded is called the Journal.
Types of Journaling:
➔​Physical –
System logs a copy of every block that is about to be written to the storage device before it is
written.
Log includes a checksum of those blocks to make sure there is no error in writing the block.
➔​Logical –
Only changes to the file metadata are stored in the journal
★​ Log-Structured File Systems -
Types of File Systems:
★​ File Allocation Table (FAT)
An older system popular in Microsoft OSs
First implemented in Microsoft Standalone Disk BASIC
Stores file locations by sector in a file called the file allocation table
➔​Contains info about which clusters are being used by which files and which clusters are free
FAT extensions are: FAT16 & FAT32 [they differ in the # of bits available for filenames]
★​ New Technology File System (NTFS)
Introduced by Microsoft in 1993 as a new file system to replace FAT
Used by Windows NT 4, 2000, XP, Vista, 7, Server 2003, and Server 2008
Improvement: increased volume size is 2^64 − 1 clusters
See Page __ for more details
★​ ReFS or Resilient File System
New Microsoft file system
Available on Windows Server 2019
Uses checksums for both metadata and file data and proactive error correction to be more resilient
★​ Apple File System (APFS)
Default file system for Apple computers using macOS 10.13
Supports encryption, snapshots, and other features
Optimized for use with SSDs, but can also be used with HDDs
★​ Extended (EXT) File System
First file system for Linux
★​ Did not support journaling until version 3
Current version: EXT4
➔​Can support volumes with sizes of up to 1 exabyte and files with sizes up to 16 terabytes
➔​Is backwards compatible with EXT2 & EXT3 which makes it possible to mount drives that use
those earlier versions of EXT.
★​ ReiserFS
Popular journaling system used primarily with Linux
First file system to be included in standard Linux kernel (version 2.4.1)
Supported journaling from its inception
Open-source
★​ Berkeley Fast File System
Also called the UNIX file system
Developed at University of California, Berkeley for UNIX
Is very similar to EXT file system
➔​Uses bitmap to track free clusters
➔​Includes FSCK utility
-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Networks
Network Protocols necessary for transmission:

Open Systems Interconnection (OSI) Reference Model:
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Layer 2
Layer 1

Internet Engineering Task Force (IETF) Model:

-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Addresses
Be aware of the way computer info is addressed and the proper vocab for discussing different types of
addresses and units of information transfer.

Physical Ports:
➔​Operates at OSI Layer 1 (Data Link/Physical Layer)
➔​Units of information transfer are 1 & 0 bits grouped into fixed-length units called Layer 1 frames

Media Access Control (MAC) Addresses:


➔​Can be referred to as a computer’s physical address
➔​6-byte (48-bit) addresses used to identify network interface cards
➔​First 3 bytes identify vendor
➔​Second 3 bytes identify the specific network card
➔​Is supposed to be unique and tied to only 1 physical port
★​ Duplication can occur due to bad quality control or intentionally for malicious reasons
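Added example (not from the course notes): Python helpers that normalise a MAC address from the common notations, split it into the vendor (OUI) and card halves described above, decode the two flag bits of the first byte, and report any address seen on more than one physical port. The switch-port observations are constructed sample data.

```python
import re
from collections import defaultdict

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or Cisco 001a.2b3c.4d5e; return
    the canonical lower-case colon form. Raises ValueError for anything else."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()   # drop separators only
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_mac(text: str) -> dict:
    """Split into the vendor (OUI) and card-specific halves and decode the two flag
    bits of the first byte that say whether the address is what it claims to be."""
    mac = normalize_mac(text)
    first = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                                # first 3 bytes: vendor
        "nic": mac[9:],                                # second 3 bytes: the specific card
        "multicast": bool(first & 0x01),               # I/G bit: group address, not a card
        "locally_administered": bool(first & 0x02),    # U/L bit: set by software, not the factory
    }


def find_duplicates(observations):
    """observations: (port, mac) pairs from a switch MAC table. Return {mac: [ports]}
    for any address seen on more than one physical port, which the notes say should
    not happen and is worth investigating."""
    ports_by_mac = defaultdict(list)
    for port, mac in observations:
        ports_by_mac[normalize_mac(mac)].append(port)
    return {mac: ports for mac, ports in ports_by_mac.items() if len(ports) > 1}


# Constructed switch MAC-table observations
OBSERVATIONS = [
    ("Gi1/0/1", "00:1A:2B:3C:4D:5E"),
    ("Gi1/0/2", "00-1a-2b-3c-4d-5f"),
    ("Gi1/0/7", "001a.2b3c.4d5e"),      # same address as port 1, different notation
    ("Gi1/0/9", "02:00:00:aa:bb:cc"),   # locally administered: not a factory address
]

if __name__ == "__main__":
    print(find_duplicates(OBSERVATIONS))   # {'00:1a:2b:3c:4d:5e': ['Gi1/0/1', 'Gi1/0/7']}
    print(split_mac("02:00:00:aa:bb:cc"))
```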

IP Address:
Also called logical addresses
Are assigned to computers when they connect to a network
Can be easily changed
Majority of computers use IPv4, some use IPv6

Logical Port Numbers:


➔​Are like channels through which information flows.
➔​The type of information that flows through a port depends on the port #
Common Ports:
➔ 20, 21 [ FTP – File Transfer Protocol ] – Used for transferring files between computers (20 for data, 21 for control)
➔ 22 [ SSH & SFTP – Secure Shell & Secure FTP ] – Secure communications and file transfer
➔ 23 [ Telnet ] – To remotely log into a system and execute commands via cmd or shell. Is less secure than SSH. Popular with network admins.
➔ 25 [ SMTP – Simple Mail Transfer Protocol ] – For sending mail
➔ 43 [ WhoIS ] – Queries target IP address for info
➔ 53 [ DNS – Domain Name Service ] – Translates URLs into web addresses
➔ 69 [ TFTP ] – UDP-based file transfer
➔ 80 [ HTTP – HyperText Transfer Protocol ] – Displays web pages
➔ 88 [ Kerberos Auth ] – Authenticates in environments using Kerberos Auth
➔ 109 [ POP2 ] – Old email protocol
➔ 110 [ POP3 – Post Office Protocol v3 ] – To retrieve email
➔ 137, 138, 139 [ NetBIOS ] – Used in Windows networks for boot activities
➔ 161, 162 [ SNMP ] – Simple Network Management Protocol
➔ 179 [ BGP – Border Gateway Protocol ] – Used by gateway routers exchanging routing data
➔ 194 [ IRC ] – Used in chat rooms
➔ 220 [ IMAP ] – Email protocol
➔ 389 [ LDAP ] – Lightweight Directory Access Protocol
➔ 443 [ HTTPS ] – Encrypted HTTP
➔ 445 [ Active Directory, SMB ] – Used in Windows networks for access control lists
➔ 464 [ Kerberos ] – To change passwords
➔ 465 [ SMTP over SSL ] – Encrypted email
➔ 636 [ LDAPS – LDAP over SSL/TLS ] – Encrypted LDAP


Uniform Resource Locators (URLs):


DNS allows users to type in a URL instead of an IP address to access web pages
Potential issues:
➔​Changing the mapping of a website name -> IP address permanently/temporarily can be used to
redirect browsers incorrectly and confuse forensic efforts

Basic Network Utilities:


★​ Working with ipconfig
Helps you get information about the system you are on
Windows Steps:
1.​Go to the cmd/powershell
2. Enter ipconfig or ipconfig /all, then press ENTER
Linux Steps:
1.​Go to terminal
2.​Enter ifconfig, then press ENTER
Resulting output is the info about your connection to a network or the internet (network
configuration). Tells you:
➔​Your IP address
➔​Your default gateway
➔​Other details
★​ Using ping
Used to send test/echo packets to a machine to find out if it is reachable and how long the packet
takes to reach the machine.
★​Is a useful diagnostic tool that can be used in elementary hacking techniques.
Steps:
1.​Enter ping [www.url.com] or ping [IPAddress] of the machine you want to
find
— or —
1.​ping -? to find what other output ping can give you.
★​ Working with tracert (Windows)/ traceroute (Linux)
Can be useful for live network troubleshooting
Gives similar info as ping and follows same format for use
Not trustworthy or useful for forensic examination
-​ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Obscured Information:
Information that is scrambled by either encryption, hidden using steganographic software, compressed, or
in a proprietary format making it difficult to collect and analyze.
Done to:
★​Deter forensic examination
★​Protect business-sensitive information
How to recover obscured information:
★​Convert it with the right tools and detective work.
★​Get the encryption key and algorithm from the data owner.
★​Collect evidence via live extraction process if evidence is in use on a live system.

Anti-Forensics:
The actions perpetrators take to conceal their locations, activities, or identities.
Anti-forensic techniques:
Data destruction
➔​Wiping memory buffers used by program
➔​Repeatedly overwriting a cluster of data with patterns of 1s & 0s
➔​Attaching a hard disk or USB modifies file system timestamps
➔​Starting a computer updates timestamps and modifies files
➔​Turning off a machine destroys RAM
➔​Deleting/shredding files
➔​Defragmenting hard drives
Data hiding
➔​Via reserved disk sectors/logical partitions within public partitions
➔​Change filenames and extensions
Data transformation
➔​Use encryption to scramble a message based on an algorithm
➔​Use steganography to hide message inside larger message
File system alteration
➔​Via corrupting data structures and files
Daubert Standard –
Standard used by a trial judge to make preliminary assessment of whether an expert’s scientific testimony
is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at
issue.
The factors that may be considered in determining whether the methodology is valid are:
1.​Whether the theory/technique can be and has been tested,
2.​Whether it has been subjected to peer review and publication,
3.​Its known or potential error rate,
4.​The existence and maintenance of standards controlling its operation, and
5.​Whether it has attracted widespread acceptance within the scientific community.

Any scientific evidence presented in a trial has to have been peer reviewed and tested by the relevant
scientific community.
★​Tools, techniques, or processes used in investigation should be widely accepted in the computer
forensics community.

How do new techniques become widely accepted:
1. Provide a copy of the tool/technique to professors of forensics and allow them to experiment with it.
2. Publish an article describing the tool.
3. The tool is usable after it has been tested by the forensics community & articles have been read and
rebutted.

How it affects the forensic approach:
★ Make sure that techniques and tools you use are widely used/accepted
★ Make sure that you are qualified to use said tools and techniques
★ Fully document your methodology
★ Maintain the chain of custody

Daubert Challenge:
A motion to exclude all or part of your testimony due to it failing to meet the Daubert standard
★​Common in civil cases, but not in criminal court
US Laws Affecting Digital Forensics:
Federal Privacy Act (1974) – Establishes a code of information-handling practices that governs the:
➔ Collection
➔ Maintenance
➔ Use, and
➔ Dissemination
of information about individuals that is maintained in systems of records by U.S. federal agencies.
Privacy Protection Act (1980) – Protects journalists from being required to turn over to law enforcement
any work product and documentary materials, including sources, before it is disseminated to the public.
Communications Assistance to Law Enforcement Act (1994) – A federal wiretap law for traditional wired
telephony. Expanded in 2004 to include:
➔ Wireless,
➔ Voice over packets, and
other forms of electronic communications, including:
➔ Signaling traffic and
➔ Metadata.
Unlawful Access to Stored Communications: 18 USC § 2701 – Covers access to a facility through which
electronic communication is provided, or exceeding the facility access that was authorized.
Broad; applies to a range of offenses.
Punishment ranges from 5 years in prison to fines for the first offense.
“Whoever—intentionally accesses without authorization a facility through which an electronic
communication service is provided; or intentionally exceeds an authorization to access that facility; and
thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in
electronic storage in such system shall be punished as provided in subsection (b) of this section.”
Used less frequently than the Computer Fraud and Abuse Act.
Example: applies when employees leave a company and seek to take information that they can use in
competition with the company.
Electronic Communications Privacy Act (1986) – Governs privacy & disclosure, access, and interception of
content and traffic data related to electronic communications.
Computer Security Act (1987) – Improves the security and privacy of sensitive info on federal computer
systems. Requires the establishment of minimum acceptable security practices, creation of computer
security plans, and training of system users or owners of facilities that house sensitive info.
Foreign Intelligence Surveillance Act (1978) – Allows for collection of foreign intelligence info between
foreign powers using physical and electronic surveillance. A warrant must be issued by the FISA court for
actions under FISA.
Child Protection and Sexual Predator Punishment Act (1998) – Requires service providers that become
aware of the storage or transmission of child pornography to report it to law enforcement.
Children’s Online Privacy Protection Act (1998) – Protects children 13 and under from the collection and
use of their personal info by websites. Replaces the Child Online Protection Act of 1988 that was deemed
unconstitutional.
Communications Decency Act (1996) – Designed to protect those 18 and under from downloading or viewing
material considered indecent. The Act has been subject to court cases that changed some definitions and
penalties.
Telecommunications Act (1996) – Includes provisions relative to the privacy and disclosure of information
in motion through and across telephony and computer networks.
Wireless Communications and Public Safety Act (1999) – Allows for collection and use of empty (nonverbal
and nontext) communications. Example: GPS.
USA PATRIOT Act – Primary law under which a wide variety of internet and communications information
content and metadata is currently collected.
Sarbanes-Oxley Act (2002) – Contains provisions about recordkeeping and destruction of electronic records
relating to the management and operation of publicly held companies.
18 USC 1030 Fraud & Related Activity in Connection with Computers – Most widely used law in hacking
cases. Covers a wide range of crimes involving illicit access of computers.
18 USC 1020 Fraud & Related Activity in Connection with Access Devices – Related to 18 USC 1030 but
covers access devices. Example: routers.
Digital Millennium Copyright Act (DMCA) – Makes it a crime to publish methods/techniques to circumvent
copyright protection. Controversial because it has been used against legitimate researchers publishing
research papers.
18 USC § 1028A Identity Theft and Aggravated Identity Theft – Targets any crime related to identity theft.
Often applied in stolen credit card cases.
18 USC § 2251 Sexual Exploitation of Children – Covers a range of child exploitation crimes. Often seen in
child pornography cases.
Related Laws:
➔ 18 USC 2260 — production of sexually explicit depictions of a minor for importation into the US
➔ 18 USC 2252 — certain activities relating to material involving the sexual exploitation of minors
(possession, distribution, and receipt of child porn)
➔ 18 USC 2252A — certain activities relating to material constituting or containing child porn
Warrants:
Are given by the court to LEOs to seize property or interfere with an individual’s access to their property.
Example:
➔​Enter premises of individual’s home, vehicle, storage unit, etc
➔​Intercept communications
Are not needed when LEO conduct does not violate a person’s “reasonable expectation of privacy,” because
in these cases it would not be considered a 4th Amendment search.
Examples:
➔​Evidence is in plain sight
➔​Someone who is authorized to provide consent gives LEOs consent to conduct a search
➔​Border crossing
➔​Imminent danger that evidence will be destroyed

Seizure of Property –
Occurs when there is some meaningful interference with an individual’s possessory interests in that
property (US v. Jacobsen, 466 US 109, 113 [1984]) or the interception of intangible communications
(Berger v. New York, 388 US 41, 59-60 [1967]).
★​LEOs need not take property for it to be considered seizure, interfering with a person’s access to
their property also constitutes seizure.

Context matters when arguing for/against reasonable expectation of privacy.
Example:
➔ Message in electronic diary → reasonable expectation of privacy
➔ Message in public bulletin board → no expectation of privacy

Consent issues in computer cases:
1. When does a search exceed the scope of consent?
2. Who is the proper party to consent to a search?
The court has ruled that only the:
➔ Actual owner of a property or
➔ Someone who has legal guardianship of the owner
can grant consent to search.

Exceeding the scope of a warrant happens when methods are applied to investigate a suspect
device for reasons/crimes beyond those explicitly listed in the warrant.
Federal Guidelines for Forensics:
➔​ FBI
➔​ Secret Service
➔​ Regional Computer Forensic Laboratory Program (RCFLP)

FBI –
First Responders:
MUST preserve the state of the computer at the time of the incident by making a backup copy of any:
➔​Logs,
➔​Damaged or altered files, and
➔​Any other files
Modified, viewed, or left by the intruder.

Incident in Progress:
Activate any auditing or recording software you have available to collect as much data as you can about
the incident so you can analyze the attack in progress.

Secure evidence, especially:
➔ Hard drives
➔ System logs
➔ Portable storage (USB/external drives)
➔ Router logs
➔ Emails
➔ Chat room logs
➔ Cell phones
➔ SIM cards
➔ Logs from security devices (firewalls, IDSs)
➔ Database and database logs

Work with copies, not originals.
Useful FBI resources: FBI cyber crimes web page
Secret Service (SS) –
Premier federal agency tasked with combating cyber crimes.
Useful resources:
★ Website devoted to computer forensics that includes forensics courses (usually for law enforcement
personnel)

Secret Service cybercrime task force centers:
➔​Atlanta
➔​Baltimore
➔​Birmingham
➔​Boston
➔​Buffalo
➔​Chicago
➔​Dallas
➔​Houston
➔​San Francisco

Golden Rules for First Responders to Computer Crime:
★​Officer Safety: secure scene and make it safe
★​Take steps to preserve evidence if you reasonably believe the computer is involved in a crime you’re
investigating
★​Determine whether you have legal basis for seizing the computer (plain view, search warrant, or
consent)
★​Do not access any computer files, if the computer is off, leave it off.
★​If the computer is on, properly shut it off and prepare it for transport as evidence.
★​If you reasonably believe the computer is destroying evidence, immediately shut it down by pulling the
power cord from the back of the computer.
★​If a camera is available and the computer is on, take pictures of the computer screen otherwise take
pictures of the computer, location of the computer, and any electronic media attached.
★​Determine whether special legal or privacy considerations apply (ex: doctor, attorney, clergy,
psychiatrist, newspaper, or publisher privileges)
Regional Computer Forensic Laboratory Program –
A national network of forensic labs and training centers.
➔ FBI provides startup and operational funding, training, staff, and equipment to the program.
➔​State, local, and federal law enforcement agencies assign personnel to staff RCFL facilities.
➔​Each of the 16 RCFLs examines digital evidence in support of criminal and national security
investigations
➔​Provides LE at all levels with forensic expertise
➔​Work on wide variety of investigations
➔​Conduct digital forensic training
See www.rcfl.gov for more info.
Quiz Chapter 1 — 8/8
In a computer forensic investigation, this describes the route evidence takes from the time you find it until
the case is closed or goes to court.
➔ Rules of evidence
➔ Law of probability
➔ Chain of custody
➔ Policy of separation

If the computer is turned on when you arrive, what does the Secret Service recommend you do?
➔ Begin investigating immediately
➔ Shut the computer down according to recommended SS procedure
➔ Transport the computer with the power on
➔ Unplug the machine immediately

Why should you note all the cable connections for a computer you want to seize as evidence?
➔ To know what outside connections existed
➔ In case other devices were connected
➔ To know what peripheral devices existed
➔ To know what hardware existed

What is the essence of the Daubert Standard?
➔ That only experts can testify
➔ That an expert must affirm that a tool or technique is valid
➔ That only tools/techniques that have been accepted by the scientific community are admissible at trial
➔ That the chain of custody must be preserved

When cataloging digital evidence, the primary goal is to do what?
➔ Make bitstream images of all hard drives
➔ Preserve evidence integrity
➔ Keep evidence from being removed from the scene
➔ Keep computer from being turned off

Which of the following is important to the investigator regarding logging?
➔ Logging methods
➔ Log retention
➔ Location of stored logs
➔ All of the above

Your roommate can give consent to search your computer.
➔ True
➔ False

Evidence need not be locked if it is at a police station.
➔ True
➔ False
Chapter 2: Overview of Computer Crime Notes
How Computer Crime Affects Forensics
Roles Computers can play in Computer Crimes:
➔​Target of a crime
➔​Instrument of a crime
➔​Evidence repository that stores information about the crime

Applying information about how a computer was used in a crime helps narrow down the evidence
collection process.

How computers have changed crime:
➔ Makes targets more accessible to criminals and lowers the risks involved

The nature of the crime changes the type of evidence you look for during the forensic process:
Example:
➔​Identity theft → look for phishing emails
➔​Hacking → look at firewall and IDS logs

In computer forensics, attacks are categorized based on the type of crime being done NOT the
nature/type of the attack.
Example:
➔​Identity theft
➔​Hacking for data
➔​Cyberstalking/harassment
➔​Internet fraud
➔​Non-access computer crimes
➔​Cyberterrorism
Details of Identity Theft
Identity Theft –
The use of another person’s identity.
“Refers to all types of crimes in which someone wrongfully obtains and uses another person’s personal data
in some way that involves fraud or deception, typically for economic gain.”
★​Mostly done to commit financial fraud

The crime: The act of wrongfully obtaining another person’s personal data.

Methods of perpetrating identity theft:
➔​Phishing
➔​Spyware
➔​Discarded Information

1.​Phishing –
An attempt to trick a victim into giving up personal info.
Usually done via email to a large general group of recipients.

Spear Phishing –
A targeted phishing attack that attacks a specific group with specific emails.

Whale Phishing/ Whaling –
Phishing attack targeted at a high-value individual
Example: C-suite executive

2.​Spyware –
Any software that can monitor your activity on a computer.
Example:
➔​Screenshots
➔​Logging keystrokes
➔​Cookies

Situations that allow a person to legally monitor another person’s computer usage:
➔​Parents monitoring minor children (under 18)
➔​Workplace - monitoring company-owned equipment
Spyware products:
➔​Teen Safe – www.teensafe.net
➔​Web Watcher – www.webwatcher.com
➔​ICU – www.softpedia.com/get/Security/Security-Related/ICU-Child-Monitoring-Software.shtml
➔​WorkTime – https://www.nestersoft.com/

Criminals using spyware will typically get it onto the victim’s machine via:
➔​Trojan Horse
➔​Manual installation
➔​Email attachment

3.​Discarded Information –
Gathered from documents that are thrown out without being shredded.
➔​If this is done, the identity thief is likely a local able to dumpster dive.

What the Forensic Investigator should look for:
1.​Presence of spyware on victim’s machine
2.​Where is the spyware sending its data
➔​Periodic email attachment — OR —
➔​Stream of packets to a server
Hacking
Definition 1:
Experimenting with a system, learning its rules or processes to better understand it or fix its flaws

Definition 2:
Circumventing a system’s security

How to Break Into A System Remotely:
➔​SQL Injection
➔​Cross Site (X-Site) Scripting
➔​Ophcrack
➔​Tricking Tech Support

SQL Injection
Most common web app attack
Based on inserting SQL commands into text boxes (ex: username & password fields)

Possible if:
➔ Textbox expects text &
➔ Textbox is not protected against SQL commands

SQL Injections Work By:
1. Inputting statements that are always true into textboxes
2. This causes the application to process the query
3. Before the true statement is considered, the entered text escapes (closes) the quoting that would make
the application read it as text
4. Instead the application processes it as an instruction

Example of an Always True statement:
SELECT * FROM tblUsers WHERE USERNAME = '' or 1 = 1 AND PASSWORD = '' or 1 = 1
SQL injections can be more sophisticated than the example (such as cross-site scripting)

SQL injection techniques are only limited by your knowledge of SQL.

Tools that make the process of executing SQL Injection Attacks/ or testing your website against this
vulnerability easier:
➔ Database Security Tools – ___
➔ Sqlmap – https://sqlmap.org
➔ SQL Ninja – https://sqlninja.sourceforge.net/

SQL injection attacks leave forensic evidence in firewall logs and database logs.
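The concatenated login query beside its parameterized form, plus a check over database log lines for the tautology signature the notes describe; this is an added example, not code from the course notes. The user table and log lines are constructed, and the injected username is the notes' tautology followed by a SQL comment marker (`--`) so the rest of the concatenated statement is ignored.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the notes' tblUsers (in-memory, sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenating textbox input into the SQL.
    Whatever the user types is parsed as part of the query, so a tautology
    such as  ' or 1 = 1  rewrites the WHERE clause instead of being compared
    as a literal username.  Returns (matched usernames, the SQL that ran)."""
    sql = ("SELECT USERNAME FROM tblUsers WHERE USERNAME = '" + username
           + "' AND PASSWORD = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return [r[0] for r in rows], sql


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values apart
    from the statement text, so the input is only ever treated as data."""
    sql = "SELECT USERNAME FROM tblUsers WHERE USERNAME = ? AND PASSWORD = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return [r[0] for r in rows], sql


# The notes' always-true input, plus a comment marker that drops the rest
# of the concatenated statement (the closing quote and PASSWORD check).
INJECTED_USERNAME = "' or 1 = 1 --"

# Signatures worth flagging in a database query log: an OR'd tautology
# (1 = 1, 'a' = 'a') or a quote immediately followed by a comment marker.
TAUTOLOGY = re.compile(
    r"\bor\s+(\d+)\s*=\s*\1\b|\bor\s+'([^']*)'\s*=\s*'\2'|'\s*(--|#|/\*)",
    re.IGNORECASE,
)


def suspicious_log_lines(log_lines):
    """Return the log lines that carry an injection signature.  Assumes the
    log records the executed SQL text, as in the constructed lines below."""
    return [line for line in log_lines if TAUTOLOGY.search(line)]


# Constructed database log excerpt (not a real log).
SAMPLE_DB_LOG = [
    "2024-03-01 10:00:01 app SELECT USERNAME FROM tblUsers WHERE USERNAME = 'alice' AND PASSWORD = 's3cret'",
    "2024-03-01 10:00:07 app SELECT USERNAME FROM tblUsers WHERE USERNAME = '' or 1 = 1 --' AND PASSWORD = 'x'",
    "2024-03-01 10:00:09 app SELECT USERNAME FROM tblUsers WHERE USERNAME = 'bob' AND PASSWORD = 'hunter2'",
    "2024-03-01 10:00:12 app SELECT USERNAME FROM tblUsers WHERE USERNAME = '' or 'a' = 'a' AND PASSWORD = ''",
]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, INJECTED_USERNAME, "anything")[0])     # every user matches
    print(login_parameterized(db, INJECTED_USERNAME, "anything")[0])  # nobody matches
    for line in suspicious_log_lines(SAMPLE_DB_LOG):
        print("FLAG:", line)
```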
Cross Site (X-Site) Scripting
Common type of attack where legitimate websites allow malicious scripts to act (and deliver content) as if
it comes from the legit website.

How it works:
Attacker looks for a place on the target website that allows malicious script to wait for end users to fall
victim to it
1.​May put JavaScript into post text such as product reviews
2.​Site will then execute the script
➔​Redirecting user to a phishing/pharming site that looks near identical to the legitimate site
3.​Prompt user to enter information
4.​Fake site will capture the information
5.​Send the user back to the legitimate site

A complex crime to investigate.

How to Identify/Investigate Cross-Site Scripting:
1. Look for any malicious scripts on the website via the browser’s developer tools (tedious)
— OR —
1. Search the affected web server’s logs for any redirect messages (HTTP messages in the 300 range)
2. Determine if any redirects cannot be accounted for via legitimate web coding
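The log review in steps 1 and 2 above, as an added example rather than the notes' own procedure: it assumes an access log in Apache combined format with the response's Location header appended as a final quoted field (`%{Location}o`), and the log lines, host allow-list and known-redirect paths are all constructed.

```python
import re
from urllib.parse import urlparse

# Assumed log layout: Apache "combined" format with the response's Location
# header appended as a final quoted field (LogFormat ... "%{Location}o").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<location>[^"]*)"$'
)


def parse_line(line):
    """Return the fields as a dict, or None when the line does not fit the layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def unaccounted_redirects(lines, legit_hosts, known_redirect_paths):
    """Step 1: keep only 3xx responses.  Step 2: flag the ones the site's own
    code does not explain: a Location on a host outside the allow-list, or a
    redirect issued from a path that is not supposed to redirect at all."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 300 <= rec["status"] <= 399:
            continue
        host = urlparse(rec["location"]).netloc.lower()   # "" for relative Locations
        if host and host not in legit_hosts:
            reason = "external host"
        elif rec["path"] not in known_redirect_paths:
            reason = "unexpected redirecting path"
        else:
            continue
        findings.append({"path": rec["path"], "status": rec["status"],
                         "location": rec["location"], "client": rec["ip"],
                         "reason": reason})
    return findings


# Constructed log excerpt; hosts and addresses use documentation ranges only.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "/account"',
    '203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "GET /product/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "GET /reviews/42 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "http://shop-example.invalid/login"',
    '203.0.113.9 - - [01/Mar/2024:10:00:11 +0000] "GET /old-catalog HTTP/1.1" 301 0 "-" "Mozilla/5.0" "https://www.shop.example/catalog"',
    '203.0.113.4 - - [01/Mar/2024:10:00:15 +0000] "GET /reviews/17 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "/login"',
    'malformed line that the parser must skip',
]
LEGIT_HOSTS = {"shop.example", "www.shop.example"}       # hosts the site may send users to
KNOWN_REDIRECT_PATHS = {"/login", "/old-catalog"}        # paths the developers say redirect


if __name__ == "__main__":
    for f in unaccounted_redirects(SAMPLE_ACCESS_LOG, LEGIT_HOSTS, KNOWN_REDIRECT_PATHS):
        print(f)
```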
Ophcrack (and similar tools)
One of the most basic tools for getting into a Windows machine you have physical access to
It’s a free Windows password cracker based on rainbow tables that runs on a variety of systems and is
usually effective in 10 minutes or less.
Available for download at: https://ophcrack.sourceforge.io/

How Ophcrack works:
1. Put the Ophcrack CD into the system and restart it
2. During the restart hit the key to enter the system’s BIOS to change the boot order
3. Choose the “Boot from CD” option
4. Ophcrack boots to a Linux Live CD and scans its rainbow table searching for matches, then displays
all the passwords in an easy-to-understand GUI
5. Once the attacker has a valid login account they can log into that computer, even remotely.

This is a problem in corporate networks where:
➔ Physical security is lax
➔ It’s possible to find an unoccupied desk in the building
➔ The network’s focus is on domain accounts (not local accounts)

How to detect Ophcrack and similar software:
1. Look for an account logged on at a time when the actual user was not present
2. Examine physical security using traditional forensic methods (security cameras, fingerprints)
3. On Windows Server 2003, 2008, & 2012 machines:
➔ Likely used if you see: restart/reboot → successful login with an account like Administrator
Tricking Tech Support
May be done as a follow-up to using Ophcrack to break local accounts

Commands used to get domain admin privileges:
1. Write the following 2-line script:
net user /domain /add local_account_name password
net group /domain "Domain Admins" /add local_account_name
2. Save this script in the All Users startup folder
3. Get a domain admin to log into the machine (for example by rendering the machine not fully operational
so that tech support is called) so the script runs in the background and makes the local account a
domain admin

How to detect this attack:
➔ Search the system for unrecognized scripts (especially in startup folders)
➔ Search the usage of the compromised account for instances of the network admin account being used
when the admin is away
➔ Check physical security
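The two log-based checks from the Ophcrack and tech-support detection lists above (reboot followed by a local Administrator logon, and an admin account logged on while the admin was away), as an added example that is not part of the notes. It assumes the Windows System and Security events have already been exported to records carrying a timestamp, event ID, account and logon type; event IDs 6005 (Event Log service started, once per boot) and 4624 (successful logon, type 2 = interactive) are the standard ones on Server 2008 and later, and the event records and absence list are constructed.

```python
from datetime import datetime, timedelta

BOOT_EVENT = 6005          # System log: Event Log service started (one per boot)
LOGON_EVENT = 4624         # Security log: successful logon (Server 2008 and later)
INTERACTIVE = 2            # logon type 2 = at the console
LOCAL_ADMIN_ACCOUNTS = {"administrator"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_local_admin(account):
    """A local account carries no DOMAIN\\ prefix; compare the bare name."""
    return "\\" not in account and account.lower() in LOCAL_ADMIN_ACCOUNTS


def event(time, event_id, account=None, logon_type=None):
    return {"time": time, "id": event_id, "account": account, "logon_type": logon_type}


# Constructed event export (not from a real server).
SAMPLE_EVENTS = [
    event("2024-03-04 02:10:00", BOOT_EVENT),
    event("2024-03-04 02:12:30", LOGON_EVENT, "Administrator", INTERACTIVE),  # reboot -> local admin
    event("2024-03-04 09:01:00", LOGON_EVENT, "CORP\\jsmith", INTERACTIVE),
    event("2024-03-04 13:30:00", LOGON_EVENT, "CORP\\itadmin", INTERACTIVE),  # admin is on leave
    event("2024-03-05 08:00:00", BOOT_EVENT),
    event("2024-03-05 08:45:00", LOGON_EVENT, "CORP\\jsmith", INTERACTIVE),
    event("2024-03-05 11:00:00", LOGON_EVENT, "Administrator", INTERACTIVE),  # 3 h after boot: not flagged
]

# Documented absences per account, (start, end) inclusive; constructed.
SAMPLE_ABSENCES = {"CORP\\itadmin": [("2024-03-04 00:00:00", "2024-03-08 23:59:59")]}


def reboot_then_local_admin(events, window=timedelta(minutes=15)):
    """Ophcrack-style pattern: a boot followed within `window` by an interactive
    logon with a local built-in admin account.  Returns (boot time, logon) pairs."""
    ordered = sorted(events, key=lambda e: parse_ts(e["time"]))
    hits, last_boot = [], None
    for e in ordered:
        t = parse_ts(e["time"])
        if e["id"] == BOOT_EVENT:
            last_boot = t
        elif (e["id"] == LOGON_EVENT and e["logon_type"] == INTERACTIVE
              and last_boot is not None and t - last_boot <= window
              and is_local_admin(e["account"])):
            hits.append((last_boot, e))
    return hits


def logons_while_away(events, absences):
    """Tech-support follow-up: logons by an account during a period its owner
    was documented as away, which the owner cannot have performed in person."""
    hits = []
    for e in events:
        if e["id"] != LOGON_EVENT:
            continue
        t = parse_ts(e["time"])
        for start, end in absences.get(e["account"], []):
            if parse_ts(start) <= t <= parse_ts(end):
                hits.append(e)
                break
    return hits


if __name__ == "__main__":
    for boot, logon in reboot_then_local_admin(SAMPLE_EVENTS):
        print("boot at", boot, "then", logon["account"], "logon at", logon["time"])
    for logon in logons_while_away(SAMPLE_EVENTS, SAMPLE_ABSENCES):
        print(logon["account"], "logged on while away at", logon["time"])
```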
Cyberstalking & Harassment
Using electronic communications to harass or threaten another person

US DoJ Definition:
The use of the internet, email, or other electronic communications devices to stalk another person.
Stalking generally involves:
➔​Harassing and threatening behavior that an individual engages in repeatedly, such as:
​Following a person
​Appearing at a person’s home/place of business
​Making harassing phone calls
​Leaving written messages/objects
​Vandalizing a person’s property
Most stalking laws require that the perpetrator make a credible threat of violence against the victim or
victim’s family.
Other stalking laws require only that the stalker’s course of conduct constitutes an implied threat

Criteria LEOs use when considering cyberstalking and harassment cases (only some
need be present):
1.​Is it possible/likely? Is the threat credible?
2.​How frequently is it happening?
3.​How serious is it?

How to detect:
1.​Trace emails and text messages
2. Examine any electronic device in the suspect’s possession for evidence
Fraud on the Internet
A broad category of crime where attempts are made to gain financial reward through deception
Subclasses of fraud:
➔​Investment offers
➔​Data piracy

Investment offers:
Not necessarily illegal, but can be used to artificially & fraudulently inflate the value of target stock
Scams are easier to carry out with the internet via fake blogs, emails, etc.

“Pump and Dump” —
1. Perps buy large amounts of stock in a company relatively cheap
2. Then fuel false rumors to increase the value of the stock significantly
3. Perps sell the stock at the inflated price when rumors have raised it as high as the perps think it will go

Examples:
➔ Nigerian Prince
➔ Legal fees to receive big inheritance
➔ Processing fee to receive lottery winnings

Resources to learn more about fraud schemes:
https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes

How to detect:
1.​Trace communications
2.​Follow the money

Data piracy:
The illegal copying of IP
Typically addressed in civil court, not criminal court
Usually better for the victim to sue the perp than press charges

Warez –
Sites that have copies of activation codes for software or illegal copies of software

How to detect:
1.​Track the website distributing IP
2.​Trace the owners of the website that is distributing the IP
➔​Find who registered the domain by performing WHOIS search on the domain
Non-access Computer Crimes
Crimes that don't involve an attempt to access the target
Examples:
➔​DoS
➔​Virus
➔​Logic bomb

DoS Attacks:
Attempt to prevent legit users from being able to access a given computer resource
➔​The cyber equivalent of vandalism
➔​Require minimal skill
There are freely available, easy-to-use tools that will create a DoS attack:
➔ Low Orbit Ion Cannon
➔ Tribal Flood Network (TFN)
➔ TFN2K – launches DDoS
➔ Trin00 – sends a client to machines via trojan to launch a DDoS
DoS attacks cause economic damage
Common targets: websites

★​Do not directly compromise data or seek to steal personal info

Resources about TFN & TFN2K:
➔ Washington University at http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
➔ Packetstorm Security at http://packetstormsecurity.com/distributed/TFN2k_Analysis-1.3.txt
➔ The Computer Emergency Response Team (CERT) at
http://www.cert.org/advisories/CA-1999-17.html

Smurf Attack:
A DoS attack that uses a combination of IP spoofing and ICMP to saturate a target network with
traffic

Elements:
1.​Source site (attacker sends modified ping to broadcast address of a large network)
2.​Bounce site (large network – everyone at the bounce site replies to the target site due to the
modified packet containing the source address of the target site)
3.​Target site

Fraggle Attack:
Variation of the Smurf Attack where the attacker sends a large amount of UDP traffic to port 7 (echo) and 19
(chargen) at a broadcast address, spoofing the intended victim’s source IP address
DHCP Starvation:
A type of DoS attack where a flood of DHCP requests exhausts the address space allocated by the DHCP
servers (which dynamically assign IP addresses to computers) for an indefinite period of time

Tools available:
➔ Gobbler
HTTP post:
DoS attack that targets web servers by sending a legit HTTP post message body at an extremely slow
rate. The server is then “hung” waiting for the message to complete.

Permanent DoS (PDoS) / phlashing:
Attack that damages the system so badly that the victim machine needs an operating system reinstall or
new hardware
★ Usually involves a DoS attack on the device’s firmware

Telephony DoS (TDoS):
Done to traditional phone systems by using an automatic dialer to tie up target phone lines
Flourishing with VoIP tools that make automated TDoS attacks against traditional and IP-based VoIP
easy to carry out

How it works:
1.​Call center/business receives so many inbound calls that the equipment and staff are overwhelmed
and unable to do business
2.​A call is placed to a supervisor/manager to demand a sum of money to be sent or an eradication
service be purchased to stop the attack

Other methods:
1.​Attacker creates/uses a program that submits registration forms repeatedly adding a large number
of false users to the app.
2.​Attacker overloads the login process by continually sending login requests that require the
presentation tier to access the authentication mechanism rendering it unavailable and slow to
respond

How to detect DoS:
1. From a single machine: (DoS)
➔​Trace packets coming from that machine for MAC address
2.​From several machines: (DDoS)
➔​Trace back the packets to get a group of infected machines
➔​Seek out commonalities on those machines (similar downloads or frequent traffic to a site)
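The DoS vs. DDoS triage above, as an added example that is not from the notes: it runs over constructed packet summaries (source IP, source MAC, destination, protocol, info) such as a capture or flow export would yield, separates the single-source case (follow the MAC) from the multi-source case (collect the source set for the commonality search), and adds the Smurf bounce-site signature from the earlier section.

```python
from collections import Counter
import ipaddress


def make_sample_capture():
    """Constructed packet summaries (src_ip, src_mac, dst_ip, proto, info)
    standing in for a capture or flow export; not real traffic."""
    pkts = []
    # Smurf pattern: every host on the bounce network answers the spoofed
    # echo request, so the target sees echo replies from one whole /24.
    for host in range(1, 41):
        pkts.append(("198.51.100.%d" % host, "00:00:5e:00:53:%02x" % host,
                     "203.0.113.10", "icmp", "echo-reply"))
    # Single-machine flood: a SYN stream from one host to a web server.
    for _ in range(60):
        pkts.append(("192.0.2.7", "00:00:5e:00:53:aa", "203.0.113.20", "tcp", "syn"))
    # Ordinary traffic to an uninvolved host.
    pkts.append(("192.0.2.8", "00:00:5e:00:53:bb", "203.0.113.30", "tcp", "ack"))
    return pkts


def classify_flood(pkts, target, min_packets=20):
    """Triage traffic aimed at `target`: one source (DoS: the MAC is the lead
    for locating the machine), many sources (DDoS: keep the source set for the
    commonality search), or the Smurf signature (echo replies from nearly all
    of one /24, which names the bounce site)."""
    to_target = [p for p in pkts if p[2] == target]
    if len(to_target) < min_packets:
        return {"target": target, "kind": "none", "packets": len(to_target)}
    by_src = Counter(p[0] for p in to_target)
    macs = {src: sorted({p[1] for p in to_target if p[0] == src}) for src in by_src}
    result = {"target": target, "packets": len(to_target),
              "sources": dict(by_src), "macs": macs}
    if len(by_src) == 1:
        result["kind"] = "DoS"
        return result
    result["kind"] = "DDoS"
    nets = Counter(str(ipaddress.ip_network(src + "/24", strict=False)) for src in by_src)
    net, in_net = nets.most_common(1)[0]
    echo_replies = sum(1 for p in to_target if p[3] == "icmp" and p[4] == "echo-reply")
    if echo_replies >= 0.9 * len(to_target) and in_net >= 0.9 * len(by_src):
        result["kind"] = "smurf"
        result["bounce_network"] = net
    return result


if __name__ == "__main__":
    capture = make_sample_capture()
    for victim in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        r = classify_flood(capture, victim)
        print(victim, r["kind"], r.get("bounce_network", ""))
```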
Viruses
Any software that self-replicates
Recent Viruses:
FakeAV.86 – Appeared in July 2012
➔ A fake antivirus that claims it’s a free antivirus scanner but is a trojan
➔ Affected Windows systems from Windows 95 → Windows 7 and Windows Server 2003
Flame – Discovered in May 2012 at several locations including Iranian gov. sites
➔ Virus that targeted Windows OS for spy purposes
➔ Can monitor network traffic and take screenshots of the infected system
➔ Stores data in a local database that is heavily encrypted
➔ Able to change its behavior based on the specific antivirus software running on the target machine
➔ Signed with a fraudulent Microsoft certificate so Windows would trust the software
Gameover ZeuS – Began to show up in 2015
➔ Virus that creates a peer-to-peer botnet with encrypted communication between infected computers and
the command computer, allowing the attacker to control the various infected computers
WannaCry – Began to show up in March 2017
➔ Virus that exploited a vulnerability for which a patch had been available for weeks
Emotet – Began to show up in 2019
➔ Malware that pretended to be a scanned copy of Edward Snowden’s memoir
➔ When the attachment was clicked, a Word window would pop up with the message “Word hasn’t been
activated”, prompting the user to click the “Enable content” button; PowerShell would then be launched to
download the botnet malware from 1 of 3 URLs embedded in the app
Ryuk – Began to show up in 2019
➔ Ransomware that affected millions
➔ Targeted state, local, and territorial gov. entities and demanded ransom in Bitcoin
Rombertik – Began to show up in 2015
➔ Uses the browser to read user credentials to websites
➔ Often sent as an attachment to an email
➔ Can also overwrite the master boot record on the hard drive, making the machine unbootable, or encrypt
files in the user’s home directory
Locky – Began to show up in 2016
➔ Ransomware virus that encrypts sensitive files on the victim’s computer, including data on unmapped
network shares

Virus Categories:
Macro – Infects the macros (mini-programs users can write using office products) in office docs
➔ Can also be written as a virus
➔ Common due to the ease of writing such a virus
Memory-resident – Installs itself and remains in RAM from the time the computer is booted to when it is
shut down
Multi-partite – Attacks the computer in multiple ways:
➔ Infecting the boot sector of the hard disk and 1 or more files
Armored – Uses techniques that make it hard to analyze. Techniques:
➔ Compressing code
➔ Encrypting code with a weak encryption method
Sparse infector – Tries to elude detection by performing its malicious activities sporadically.
➔ Users will see symptoms for a short period, then no symptoms for a while.
➔ May target specific programs but only execute every 10th or 20th time that the program runs.
Polymorphic – Changes its form from time to time to avoid detection by antivirus software
➔ Advanced version: metamorphic virus (can completely rewrite itself)

Viruses are easy to locate but difficult to trace back to the creator. (slow and tedious process but
possible.)

How to detect:
1.​Document particulars of virus
2.​See if there are commonalities among infected computers
3.​Check information sources from software publishers and virus researchers online

Logic Bombs:
Malware designed to harm a system when some logical condition is reached.
Usual triggers: Date & time
Usual medium: trojan horse
Usual perp: disgruntled employees
How to detect:
1.​Investigate nature of logic bomb for clues about the creator
➔​Has access to system
➔​Has programming background
➔​Motive
2.​Method/pattern of distribution
Cyberterrorism/Cyberespionage
Uses the same techniques as other cybercrimes – the differences here are motive, scope, and target
Can be committed against governments or individuals associated with the government
Goals:
➔ Stealing classified data
➔ Surveilling targets for a later physical attack against them or their family (espionage)
➔ Attacking important infrastructure to spread terror (water, heat, electricity, sewage)

Cyberattacks on power grids involve exploiting vulnerabilities in firewall firmware

China Eagle Union:
Thousands of Chinese hackers whose goal is to infiltrate Western computer systems

How is the investigation of Cyberterrorism/Cyberespionage different from other cyber crimes:
➔ Jurisdiction: such crimes are referred to the FBI
Quiz Chapter 2 — 5/8
When investigating a virus, what is the first step?
➔ Check firewall logs
➔ Check IDS logs
➔ Document the virus
➔ Trace the origin of the virus

Which of the following crimes is most likely to leave email evidence?
➔ Cyberstalking
➔ DoS
➔ Logic Bomb
➔ Fraud

Where would you seek evidence that Ophcrack had been used on a Windows Server 2008 machine?
➔ In the logs of the server; look for the reboot of the system
➔ In the logs of the server; look for the loading of a CD
➔ In the firewall logs
➔ In the IDS logs

Logic bombs are often perpetrated by _____.
➔ Identity thieves
➔ Disgruntled employees
➔ Terrorists
➔ Hackers

Spyware is legal.
➔ True
➔ False

It is legal for employers to monitor work computers.
➔ True
➔ False

What is the primary reason to take cyberstalking seriously?
➔ It can damage your system
➔ It can be annoying and distracting
➔ It can be a prelude to real-world violence
➔ It can be part of identity theft

What is the starting point for investigating DoS attacks?
➔ Firewall logs
➔ Email headers
➔ System logs
➔ Tracing the packets
Chapter 3 Notes
Methodologies Used in Forensic Investigations
1.​Make at least two copies of suspected storage devices and hard drives
Use tools like: EnCase, Forensic Toolkit, and OSForensics or Linux commands
2. Handle original information as little as possible to avoid altering the evidence (Locard’s
Principle)
Exceptions: Live Forensics when extracting evidence from the cloud (imaging the cloud is impractical)
3.​Comply with Rules of Evidence
Chain of Custody
Daubert Standard
Federal Rules of Evidence (FRE)
Federal Rules 702, 703, 705
4.​Do not exceed your current level of knowledge and skill – your reputation depends
on it
5.​Create an analysis plan before beginning the forensic examination
Include:
➔​How will you gather evidence?
➔​Are there concerns about evidence being changed/destroyed?
➔​What tools are appropriate for this specific investigation?
➔​Is the case federal or state?
➔​Will what you are doing/plan to do affect the admissibility of the evidence?
★​Have a standard data analysis plan that you customize to specific situations
6.​Collect the most volatile evidence first in the following order:
➔​Registers & cache
➔​Routing tables
➔​ARP cache
➔​Process table
➔​Kernel stats and modules
➔​Main memory
➔​Temporary file systems
➔​Secondary memory
➔​Router configuration
➔​Network topology
Or following the order outlined in the RFC 3227 standards document:
➔​Volatile data
➔​File slack
➔​File system
➔​Registry
➔​Memory dumps
➔​System state backups
➔​Internet traces
7.​Keep in mind the lifespan of information (how long information is valid for)
8.​Information must be collected quickly
9.​Collect bit-level information

Locard’s Principle of Transference –
Forensics principle that states you cannot interact with an environment without leaving some trace.

Federal Rules of Evidence (FRE) –
A code of evidence law that governs the admission of facts by which parties in the US federal court
system may prove their cases.
Provides guidelines for the authentication and identification of evidence for admissibility under Rules 901
& 902.
States:
To satisfy the requirement of authenticating/identifying an item of evidence the proponent must
produce sufficient evidence to support a finding that the item is what the proponent claims it is.
Sufficient evidence could be:
★​testimony from a witness with knowledge, (Expert Testimony)
★​comparison by an expert witness or the trier of fact, or (comparison between a given specimen
and another item)
★​evidence describing a process or system and showing that it produces an accurate result (you
MUST understand how the tool works in detail so you can authenticate the process if
necessary).

Federal Rule 702 –
defines what constitutes an EXPERT WITNESS

Federal Rule 703 –
discusses the bases of an EXPERT OPINION

Federal Rule 705 –
Unless the court orders otherwise, experts may state an opinion and give their reasons for it without first
testifying to the underlying facts/data, though they may be required to disclose those facts/data on
cross-examination.

Information Lifespan –
How long information is valid
Is determined by the nature of the information + org policies and practices (ex: network/firewall/log rules)
Typically:
More volatile info → shorter lifespan
Org policies for data retention → Longer lifespan
Formal Forensic Approaches
➔​DoD Forensic Standards
➔​DFRWS Framework
➔​SWGDE Framework
➔​EBDFI Framework

DoD Forensic Standards –
Set by the DoD Cyber Crime Center (DC3) to process, analyze, and diagnose digital evidence

DoD Cyber Crime Center (DC3) –
Provides computer investigation training for forensic examiners, investigators, system admins, etc
Ensures defense info is secure
More info at: www.dc3.mil

DFRWS Framework (Digital Forensic Research Workshop) –
Framework for digital investigation created by the Digital Forensic Research Workshop forensics
non-profit
Has a matrix with 6 classes:
➔​Identification
➔​Preservation
➔​Collection
➔​Examination
➔​Analysis
➔​Presentation

Digital Forensic Research Workshop –
Non-profit volunteer org with goal of enhancing the sharing of knowledge and ideas about digital forensics
Sponsors annual conferences, technical working groups, and challenges to drive R&D

SWGDE Framework –
Has 4 stages:
➔​Collect
➔​Preserve
➔​Examine
➔​Transfer

Scientific Working Group on Digital Evidence (SWGDE) –


Event-Based Digital Forensics Investigation (EBDFI) Framework –
Proposed by Brian Carrier & Eugene Spafford (CERIAS at Purdue University) in 2004 as a more intuitive
and flexible framework than DFRWS
Has 5 primary phases which each contain 2 subphases:
★​Readiness
➔​Operations readiness
Training people and testing investigation tools
➔​Infrastructure readiness
Configuring equipment
★​Deployment
➔​Detection & Notification
Someone detects an incident and alerts investigators
➔​Confirmation & Authorization
Investigators receive authorization to conduct the investigation
★​Physical Crime Scene Investigation

★​Digital Crime Scene Investigation


★​Presentation
Proper Documentation of Methodologies and Findings
System forensics specialists should have a good understanding of how:
➔ Computer hard disks
➔ Flash drives
➔ Compact disks (CDs)
are structured, and understand the techniques and automated tools used to capture and evaluate file slack.

Also know how to find data hidden in obscure places on CDs and hard disk drives

Hard disks/CDs are segmented into clusters of a particular size; each cluster holds only 1 file or part of a
file. If the file does not use all the space in the cluster, the remainder typically goes unused/wasted.

File Slack/Slack Space – the cluster space that goes unused; presents a potential security leak
Pieces of a file may remain after they are deleted and not overwritten when a new file is created
Evidence-handling tasks
1.​Find Evidence
2.​Preserve Evidence
3.​Prepare Evidence for Trial (Document everything)

Evidence-Gathering Measures:
1.​Avoid changing the evidence
2.​Determine when evidence was created
3.​Trust only physical evidence
4.​Search throughout a device
5.​Present the evidence well

Complete an Expert Report

How to set up a forensics lab
Equipment –
★​Adequate data storage equipment
Server with as much storage as possible & minimum redundancy of RAID 1 but the
recommended redundancy is RAID 5 with backup once a day
★​Computers capable of attaching various types of drives (USBs, SCSIs, EIDEs, and SATA)
★​Power connectors for all types of smartphones, laptops, routers, and devices

Security –
​Machines being examined should not be connected to the internet
​Lab network should be separate from working network
​Lab in a room shielded from Electromagnetic Interference (cell & wi-fi signals cannot penetrate the
lab)
​Limit access to the lab
​Record who enters and exits the lab via swipe-card access or similar
​Room should be difficult to forcibly enter
​Have a fire-resistant safe to secure evidence in when it’s not being examined

Relevant Security Standards:
ISO/IEC 27037:2012 – Information Technology – Security Techniques
Common standard for digital forensics about forensic practices and processes for capturing forensic
evidence.
Guidelines for:
➔​Identification,
➔​Collection,
➔​Acquisition and
➔​Preservation
Of digital evidence.

ISO/IEC 27041:2015 – Information Technology – Security Techniques
Guidance on assuring suitability and adequacy of incident investigative method.
This standard is about forensics methods and tools.
ISO/IEC 27042:2015 – Information Technology – Security Techniques
Guidelines for the analysis and interpretation of digital evidence.
This standard provides guidance on processing and analyzing digital evidence.

National Institute of Standards and Technology (NIST) has a Computer Forensics Tool Testing Program
that is used to test forensic tools.

American Society of Crime Laboratory Directors (ASCLD):
Provides:
➔​Guidelines for managing a forensics lab
➔​Guidelines for acquiring crime lab and forensics lab certifications.
➔​Voluntary accreditation to public and private crime laboratories in the United States and around
the world.

TEMPEST –
Certifies equipment that is built with shielding that prevents EMR release.
TEMPEST can be applied to an entire lab, but this is extremely costly and involves:
★​Lining the walls, ceiling, floor, and doors with specially grounded, conductive metal sheets
★​Installing filters that prevent power cables from transmitting computer emanations
★​Installing special baffles in heating and ventilation ducts to trap emanations
★​Installing line filters on telephone lines
★​Installing special features at entrances and exits that prevent the facility from being open to the
outside at all times
TEMPEST-certified labs must be inspected and tested regularly.
Only large, regional computer forensics labs that demand absolute security from eavesdropping should
consider complete TEMPEST protection.
For smaller facilities, use of TEMPEST-certified equipment is often a more effective approach.
★ More about TEMPEST at http://www.gao.gov/products/NSIAD-86-132.
Common forensics software programs
EnCase –
A very widely used forensic toolkit from Guidance Software that allows examiners to connect an Ethernet
cable or null modem cable to a suspect machine and to view the data on that machine.
★​Prevents the examiner from making any accidental changes to the suspect machine.
Organizes information into “cases,” a structure that matches the way examiners normally examine
computers.

The EnCase concept is based on the evidence file. This file contains:
➔​Header
➔​Checksum
done to ensure there is no error in the copying of that data and that the information is not
subsequently modified.
★​Any subsequent modification causes the new checksum to not match the original checksum.
➔​Data blocks
the actual data copied from the suspect machine

Process of Evidence Analysis with EnCase:
1. Evidence file is added to a case
2.​EnCase begins to verify the integrity of the entire disk image.
The evidence file is an exact copy of the hard drive.
3.​EnCase calculates an MD5 hash when the drive is acquired.
This hash is used to check for changes, alterations, or errors.
When the investigator adds the evidence file to the case, it recalculates the hash; this shows
that nothing has changed since the drive was acquired.

Methods to acquire the data from the suspect computer using EnCase:
★​ EnCase boot disk
Boots the system to EnCase using DOS mode rather than GUI mode.
The suspect drive can then be copied to a new drive to examine it.

★ EnCase network boot disk
Very similar to the EnCase boot disk, but it allows you to perform the process over a crossover cable
between the investigator’s computer and the computer being investigated.

★ LinEn boot disk
Is specifically for acquiring the contents of a Linux machine.
Operates much like the boot disk method, but it is for target machines that are running Linux.
Tree Pane (on left):
Functions like Windows Explorer
Lists all folders and can expand any folder in the tree
Table Pane (on right):
Allows you to select items and displays the content of selected items on the View Pane at the bottom.
View Pane (bottom):
Displays the content of the selected file or property details about the selected file

Filter Pane: allows examiner to filter what is viewed to specific items of interest & to search data
Forensic Toolkit
Widely used forensic analysis tool from AccessData
Popular with law enforcement
Available for: Windows & macOS
Download at: www.exterro.com/forensic-toolkit

Allows you to select:
➔ Which hash to use to verify the drive when you copy it
➔​Which features you want to use on the suspect drive
➔​How to search

Useful for:
➔​Cracking passwords
➔​Analyzing the Windows Registry for the presence of certain programs
➔​Examining email
★​Allows you to see email timeline
➔​Distributed processing
★​Allows you to distribute the hard drive scanning, registry search, and complete forensic
analysis processing and analysis to up to 3 computers
★​3 computers perform the 3 parts of the analysis in parallel → speeding up the forensic
process
➔​Detecting pornographic images
★​Has Explicit Image Detection add-on that automatically detects pornographic images

OSForensics
Widely used forensic tool since 2010 from company PassMark Software (Australia)
Why it’s popular:
★​Full product cost = $899, a fraction of the cost of other tools
★​Fully functional 30-day trial version
★​Easy to use
★​Will do most of what EnCase & FTK do – lacks specialized features
Ex: does NOT have Known File Filter (FTK)

Helix
Customized Linux Live CD used for computer forensics
How it works:
1.​Suspect system is booted into Linux using the Helix CDs
2.​Tools provided with Helix are used to perform the analysis
Offers a lot of features, but has not become as popular as AccessData’s FTK & Guidance Software’s EnCase
Learn more at: www.e-fense.com/products.php
Kali Linux
Formerly BackTrack
A Linux Live CD used to boot a system and then use the tools

Kali
A free Linux distro used for forensics, general security, and hacking
Attractive to schools teaching forensics & labs on a strict budget
★​ Most widely used collection of security tools available

AnaDisk Disk Analysis Tool
From New Technologies Incorporated (NTI)
Turns a PC into a sophisticated disk analysis tool
Originally created to meet the needs of the US Treasury Department in 1991
Scans for anomalies that identify odd formats, extra tracks, and extra sectors
★​ Can be used to uncover sophisticated data-hiding techniques
Supports all DOS formats & many non-DOS formats (Apple MacOS & UNIX TAR)

CopyQM Plus Disk Duplication Software
From NTI
Turns PC into disk duplicator
Formats, copies, and verifies a disk in a single pass
Useful for:
➔​System forensic specialists who need to preconfigure CDs for specific uses and duplicate them
➔​Creating self-extracting executable programs that can be used to duplicate specific disks
➔​Security reviews
★​Anyone can use it to make preconfigured risk-assessment disks once a CopyQM creation
program has been preconfigured
➔​When security is a concern
★​Disk images can also be password-protected when they’re converted to self-extracting
programs.
➔​Creating computer incident response toolkit disks

Disk image of the original disk can be restored on multiple disks automatically once the resulting program
is run.

Sleuth Kit
Collection of command line tools available for free download at: www.sleuthkit.org/sleuthkit/
A good option for budget-conscious agencies
Not as rich or easy to use as EnCase, FTK, or OSForensics
Useful for:
➔​Searching for a given file
➔​Searching for deleted versions of a given file

Autopsy
The GUI for Sleuth Kit
Is a good second tool for validating results derived from your primary tool
Can be downloaded at: www.sleuthkit.org/autopsy/download.php

Disk Investigator
Free utility that comes with a GUI
For use with Windows OSs
Can be downloaded at: www.theabsolute.net/sware/dskinv.html
Is NOT a full-featured product, but IS easy to use
Allows you to view:
➔ A cluster-by-cluster view of your hard drive in hexadecimal form
➔​Directories and root from the View menu
Useful for:
➔​Searching for specific files
➔​Recovering deleted files
Common forensics certifications
General IT Certifications:
CompTIA A+ shows a baseline of competence in PC hardware

CompTIA Network+ shows baseline competence in basic networking

Cisco Certified Network Associate (CCNA) shows baseline competence in basic networking

CISSP shows baseline knowledge of security

CompTIA Security+ shows baseline knowledge of security

Offensive Security’s test shows baseline competence in hacking

Certified Ethical Hacker shows baseline competence in hacking

GIAC Penetration Tester (GPEN) shows baseline competence in hacking

Forensic Certifications:
EnCase Certified Examiner Cert –
Open to public & private sector
Focuses on use and mastery of system forensic analysis using EnCase

AccessData Certified Examiner –
Open to public & private sector
Specific to use and mastery of FTK
Requirements for certification:
➔ Completing AccessData boot camp
➔ Completing Windows forensics courses

OSForensics Certification Test –
Covers basic forensic methodology
Focuses on the use of the OSForensics tool
Certification does NOT have specific educational requirements

Certified Hacking Forensic Investigator (CHFI) –
https://www.eccouncil.org/train-certify/computer-hacking-forensic-investigator-chfi/
General forensics certification
Covers general principles and techniques of forensics
Good starting point to learn forensics

GIAC Certifications (for security, hacking, & forensics) –
Several levels of certifications
From GIAC Certified Forensic Analyst → GIAC Certified Forensic Examiner
Chapter 3 Quiz — 6/7
To preserve digital evidence, an investigator should ____.
➔ Make 2 copies of each evidence item using a single imaging tool
➔ Make a single copy of each evidence item using an approved imaging tool
➔ Make 2 copies of each evidence item using different imaging tools
➔ Store only the original evidence item

Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all
the files on the system. What would be the primary reason for you to recommend for or against using a
disk-imaging tool?
➔ A disk-imaging tool would check for internal self-checking and validation and have an MD5 checksum.
➔ The evidence file format will contain case data entered by the examiner and encrypted at the beginning of
the evidence file
➔ A simple DOS copy will not include deleted files, file slack, and other info.
➔ There is no case for an imaging tool because it will use a closed, proprietary format that if compared
with the original will not match up sector for sector.

It takes ___ occurrence(s) of overextending yourself during testimony to ruin your reputation.
➔ Only one (if it’s a major case)
➔ Several
➔ Only one
➔ At least two

The MD5 message-digest algorithm is used to ____.
➔ Wipe magnetic media before recycling it
➔ Make directories on an evidence disk
➔ View graphic files on an evidence drive
➔ Hash a disk to verify that a disk is not altered when you examine it

You should make at least 2 bitstream copies of a suspect drive.
➔ True
➔ False

What is the purpose of hashing a copy of a suspect drive?
➔ To make it secure
➔ To remove viruses
➔ To check for changes
➔ To render it read-only

What is the most important reason that you do not touch the actual original evidence any more than you
have to?
➔ Each time you touch digital data, there is some chance of altering it
➔ You might be accused of planting evidence
➔ You might accidentally decrypt files
➔ It can lead to data degradation
Chapter 4 Notes
Using Proper Forensic Procedure
1.​Shut Down the Computer
2.​Transport the Computer System to a Secure Location
3.​Prepare the System
4.​Document the Hardware Configuration of the System
5.​Mathematically Authenticate Data on All Storage Devices

Shut Down the Computer
Before shutting down the computer:
1.​Check for running processes
1.​Press CTRL+ALT+DELETE simultaneously then select “Task Manager”
2.​Click the “Processes” tab in the new window
3.​Take a picture of the screen (with a separate device) to have record of all the running
processes
2. Check for live connections
1.​Use the netstat, net sessions, and openfiles commands
2.​Take pictures of the screen after you receive output from each command
3.​Document the time at which the commands were run, when they started, and what the
results were
3. Capture the RAM memory
➔​Insert a USB drive with OSForensics preinstalled to capture the memory – OR –
➔​Use RAM Capture and/or DumpIt to capture memory – OR –
➔​Use AccessData’s FTK to capture memory
4.​Document the surroundings of the device and whether there were other devices or wires
connected
Remove the machine’s power source to interrupt normal operations

netstat
Shows network stats and current connections, even the meaningless/obvious ones (ex: computer opening a
web browser)
★​ Look for external connections especially ones from outside the local network

net sessions
More helpful version of netstat
Shows only established network communication sessions (ex: someone logging into the system)

openfiles
Tells you if any shared files/folders are open and who has opened them
RAM Capture & DumpIt
Free tools that help capture memory
Can be found online

Transport the Computer System to a Secure Location
Treat suspect computers as evidence and store them out of reach of curious computer users
Transport the computer in a locked vehicle that is driven directly to the lab
Any period of time where you cannot account for the evidence is a break in the chain of custody

Prepare the System
Either:
1.​Remove the drives from suspect machines
2.​Create a chain of custody form for each drive & device
3.​Take photos of all drive connections, cable connections, and general work area
Or:
1.​Use forensically safe boot disks, CD-ROMs, or USB drives to acquire the data contained on drives
connected to a system

In case of phones, either:
Remove SIM cards from phones
Or:
Use modern phone forensics software to dock the phone into the device

Document the Hardware Configuration of the System
Take pictures of the computer from all angles
Label each wire
Remove all drives
Record BIOS/UEFI information [ system time & date ] & the actual time
Eject all media contained on drives that cannot be operated w/o power & remove them
Fill out chain of custody forms for all you’ve found

Mathematically Authenticate Data on All Storage Devices
1. Create a hash of the original and the copy to prove no data was altered
2.​Compare the hashes → identical hashes == data is genuine
3.​Document the hashing algorithm used
(usually SHA1 or SHA2)
How hashes are created:
Linux – has built-in tools for hashing
Command:
md5sum /dev/hda1
Hashes a partition called hda1

Command:
md5sum /dev/hda1 | nc 192.168.0.2 8888 -w 3
Creates a hash of the partition hda1, then uses netcat to send it to a target machine
that has IP address = 192.168.0.2 through port 8888

EnCase & Forensic Toolkit – hash suspect drives after imaging them to check for copy errors

OSForensics – hash suspect drives post-imaging
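As an added example (not code from the course, from EnCase or from FTK), the acquisition-hash step described here and the evidence-file idea from the EnCase notes (header, checksum, data blocks) modelled in Python on a constructed in-memory drive: the container layout, case fields and 512-byte block size are assumptions, and SHA-256 stands in for the MD5 the notes mention. The verify step shows that one altered byte in a block after acquisition is caught by both the block checksum and the acquisition hash.

```python
"""Acquisition hashing and integrity verification, modelled on the evidence-file idea
in the notes (header + checksums + data blocks) and on the 'hash the original,
hash the copy, compare' step. Added example, not EnCase's real format; the drive
below is a constructed byte string and the case fields are placeholders."""

import hashlib
import zlib
from dataclasses import dataclass, field

BLOCK_SIZE = 512  # constructed: one 512-byte "sector" per data block


@dataclass
class EvidenceFile:
    header: dict                 # case data: who, which algorithm, how many blocks, size
    block_crcs: list             # CRC32 per data block (the notes' "checksum" part)
    blocks: list = field(default_factory=list)   # the bit-for-bit copied data
    acquisition_hash: str = ""   # hash of the whole image taken at acquisition time


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; the notes use MD5 / SHA-1 / SHA-2, SHA-256 is the default here."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def acquire(source: bytes, case_id: str, examiner: str, algo: str = "sha256") -> EvidenceFile:
    """Image 'source' into an evidence container and record the acquisition hash."""
    blocks = [source[i:i + BLOCK_SIZE] for i in range(0, len(source), BLOCK_SIZE)]
    crcs = [zlib.crc32(b) & 0xFFFFFFFF for b in blocks]
    header = {"case_id": case_id, "examiner": examiner, "algo": algo,
              "block_size": BLOCK_SIZE, "block_count": len(blocks), "size": len(source)}
    return EvidenceFile(header, crcs, blocks, hash_bytes(source, algo))


def verify(ev: EvidenceFile) -> dict:
    """Recompute the hash and every block CRC, as is done when the file is added to a case.
    A copy error or later modification shows as a hash mismatch plus the block(s) affected."""
    bad_blocks = [i for i, (b, c) in enumerate(zip(ev.blocks, ev.block_crcs))
                  if (zlib.crc32(b) & 0xFFFFFFFF) != c]
    current = hash_bytes(b"".join(ev.blocks), ev.header["algo"])
    return {"hash_matches": current == ev.acquisition_hash,
            "bad_blocks": bad_blocks, "current_hash": current}


def compare_original_and_copy(original: bytes, copy: bytes, algo: str = "sha256") -> bool:
    """Steps 1-2 of 'Mathematically Authenticate Data': identical hashes == copy is genuine."""
    return hash_bytes(original, algo) == hash_bytes(copy, algo)


# Constructed sample "drive": three full blocks plus a short final block (1636 bytes).
SAMPLE_DRIVE = b"MBR-like header " + b"\x00" * 496 + b"A" * 512 + b"B" * 512 + b"C" * 100


def demo():
    """Clean verification, then one byte altered in block 2 of the image."""
    ev = acquire(SAMPLE_DRIVE, "CASE-0001 (placeholder)", "examiner (placeholder)")
    clean = verify(ev)
    ev.blocks[2] = b"B" * 511 + b"X"          # simulate a copy error / later modification
    tampered = verify(ev)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image:", clean["hash_matches"], clean["bad_blocks"])
    print("after change:", tampered["hash_matches"], tampered["bad_blocks"])
```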


Handling Evidence Appropriately
Collecting Data
1.​Secure physical evidence
2.​Collect volatile data
Examples:
Swap File / pagefile.sys – used to optimize the use of RAM, often contains important data
State & Network Connections – via net session/netcat commands on Windows
& Linux; must be captured before system is shut down
State of Running Processes – via Task Manager on Windows; must be captured before
system is shut down
3.​Collect temporary data
Data that an OS creates and overwrites w/o the computer taking a direct action to save the data
★​Likelihood of corruption of temporary data is < that of volatile data
4.​Collect persistent data

Documenting Filenames, Dates, & Times
1. Catalog all allocated and “erased” files’:
➔​Filenames
➔​Creation dates, and
➔​Last-modified dates & times
2.​Sort the files based on:
➔​Filename
➔​File size
➔​File content
➔​Creation date
➔​Last-modified date & time
This documentation provides a timeline of computer usage.
The output should be in a word-processing-compatible file to help document computer evidence issues tied to
specific files.

Identifying File, Program, & Storage Anomalies
1. Manually evaluate encrypted, compressed, and graphics files…
…Since search programs cannot identify text data stored in these file formats
2.​Depending on the type of file, view and evaluate the content as potential evidence
3.​Review the partitioning on seized hard disks for hidden partitions
4.​Document hidden partitions & the data they contain
5.​Evaluate the files contained in the Recycle Bin
If relevant files are found in the Recycle Bin, document:
1. How the files were found
2. What condition the files were in (was all of the file or only part of it recovered)
3. When the file was originally saved

Evidence-Gathering Measures
1.​Avoid changing the evidence
Prior to transport:
➔​Photograph equipment in place
➔​Label wires & sockets
In transport avoid:
➔​Heat damage
➔​Jostling
➔​Touching original computer hard disks and CDs
In analysis:
1.​Make exact bit-by-bit copies
2.​Store copies on an unalterable medium (ex: DVD-ROM)
2.​Determine when evidence was created
a.​Before logs disappear capture:
➔​The time a document was created
➔​The last time a document was opened
➔​The last time a document was changed
b.​Calibrate / recalibrate evidence based on a time standard
c.​ Work around log tampering
3.​Search throughout a device
a.​Search at bit level through:
➔​Email
➔​Temporary files
➔​Swap files
➔​Logical file structures
➔​Slack & free space
➔​Web browser data caches
➔​Bookmarks
➔​History
➔​Session logs
b.​Correlate evidence to activities and sources
Forensic tools automate a lot of this
4.​Determine information about encrypted and steganized files
a.​Do not attempt to decode encrypted files
b.​Look for evidence in a computer that indicates what the encrypted files contain
c.​ Compare steganized files to identical non-steganized files to identify differences
5.​Present evidence well
➔​Create a step-by-step reconstruction of actions with documented dates and times
➔​Prepare charts, graphs, and exhibits that explain what was done and how
➔​Explain in regular English

What to Examine
Swap File
Called pagefile.sys in modern Windows systems.
Most important type of ambient data used by Windows OS to write data when additional RAM is needed.
★​ Size of Swap file = 1.5 times size of physical RAM
Can contain remnants of word processing docs, emails, internet browsing activity, database entries, etc.

Files can be temporary or permanent depending on the version of Windows installed and the setting
selected by the user.
➔​Permanent Swap Files are of great forensic value because they hold larger amounts of info for longer
periods of time.
➔​Temporary/Dynamic Swap Files are more common – they shrink and expand as needed.
➔​When Swap shrinks to near zero it sometimes releases the file’s content to unallocated space.

Unallocated (Free) Space
Can be the area of the hard drive that has not been allocated to a file for storage — OR — the leftover
area that the computer regards as unallocated after file deletion.

What Happens when a file is Deleted?
Only the header or reference point is deleted – the file remains.
Space taken by the file is now considered unallocated space and is available to be overwritten by new data.
If no data is written over the entirety of the space the “deleted” file occupies then fragments of the
“deleted” file will remain.

How to clean unallocated space?
Use Scrubbers/Sweepers
These are cleansing devices that overwrite the unallocated old fragments to remove evidence.

Where can you find evidence in free space?
Evidence tends to be found next to partition headers, file allocation tables (FAT), and the last sectors of
clusters BUT can be anywhere on the disk or in a separate partition.
Techniques of Forensic Analysis
1.​Live Analysis
The recording of any ongoing network processes.
2.​Physical Analysis

Physical Imaging
Making a physical bit-by-bit copy of a disk.
Is standard but it is sometimes not possible to perform on phones.

3.​Logical Analysis

Logical Imaging
Uses the target system's file system to copy data to an image for analysis.
➔ Not an ideal method b/c it can miss deleted files, files no longer in the file system but still on the
drive, and similar data.

Easiest Things to Extract & Analyze:
➔ List of all Website URLs visited
➔​ List of all Email Addresses on the computer
Can be reconstructed from various places on the hard drive

Steps:
1.​Image a system
2.​Reconstruct a list of all website URLs & email addresses
3.​Index the different kinds of file formats based on the type of case:
Graphic files — indexed first in porn cases
Document formats — indexed first in forgery cases
Multimedia
Archive
Binary
Database
Font
Game
Internet-related
4.​Reconstruct the events that led to the corruption of a system by creating a timeline
Challenges that create confusion:
➔​Clock drift
★​Record drift and time zone in use
★ NEVER change the clock on a suspect system
➔​Delayed reporting
➔​Different time zones
Common timeline format syntax used: (called TLN Pipe-delimited format)
Time | Source | System | User | Description
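An added example (not course code) that builds the TLN pipe-delimited timeline from the notes while handling the clock-drift and time-zone problems listed above: every event is interpreted in its own source's zone, a recorded drift for one system is removed, and the rows are sorted on corrected UTC time. It assumes the common TLN convention of writing Time as Unix epoch seconds in UTC; the events, offsets and the 120-second drift figure are constructed sample data.

```python
"""Timeline normalization into the TLN format from the notes
(Time|Source|System|User|Description). Added example, not course code. Assumes
the usual TLN convention of Time as Unix epoch seconds in UTC; all events, time
zones and the drift figure are constructed."""

from datetime import datetime, timedelta, timezone

# Constructed: seconds each system's clock was measured to run FAST against a time
# standard at seizure. The correction is applied to the records, never to the suspect clock.
CLOCK_DRIFT_SECONDS = {"WS01": 120}

# Constructed sample events, each in the local time and UTC offset of its own source.
SAMPLE_EVENTS = [
    {"time": "2024-03-01 09:00:00", "utc_offset": -5, "source": "FS", "system": "WS01",
     "user": "jdoe", "description": "payroll.csv last modified"},
    {"time": "2024-03-01 13:59:30", "utc_offset": 0, "source": "FW", "system": "FW01",
     "user": "-", "description": "outbound connection from WS01 to external host"},
    {"time": "2024-03-01 14:57:00", "utc_offset": 1, "source": "MAIL", "system": "MAIL01",
     "user": "jdoe", "description": "message with attachment sent to external address"},
]


def to_utc(event, drift=CLOCK_DRIFT_SECONDS):
    """Read the local timestamp in its zone, remove known drift, convert to UTC."""
    tz = timezone(timedelta(hours=event["utc_offset"]))
    local = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    corrected = local - timedelta(seconds=drift.get(event["system"], 0))
    return corrected.astimezone(timezone.utc)


def tln_line(event, drift=CLOCK_DRIFT_SECONDS):
    """One TLN row: epoch|source|system|user|description."""
    epoch = int(to_utc(event, drift).timestamp())
    # The delimiter must not appear inside a field, so neutralize it in free text.
    desc = event["description"].replace("|", "/")
    return f"{epoch}|{event['source']}|{event['system']}|{event['user']}|{desc}"


def build_timeline(events, drift=CLOCK_DRIFT_SECONDS):
    """TLN rows sorted by corrected UTC time, the order the raw local timestamps hide
    (locally the events read 09:00, 13:59, 14:57; corrected they are MAIL, FS, FW)."""
    return sorted((tln_line(e, drift) for e in events),
                  key=lambda row: int(row.split("|", 1)[0]))


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(row)
```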

Metadata
Data about the data
Ex: creation time/date, size, date last modified, file header info
Different Storage Formats
Magnetic Media
Used by most computers
Examples: hard drives, floppy disks
Characteristics:
★​Data is organized by sectors and clusters which are further organized in tracks around the platter.
Sector is usually = 512 bytes
Newer drives use sectors = 4096 bytes
Clusters = 1 → 128 sectors
★​Have moving parts
★​Are susceptible to physical damage
★​Data is stored magnetically
★​Are susceptible to magnetic interference
Data on demagnetized drives CANNOT be recovered.

Drives should be transported in special transit bags that reduce electrostatic interference to reduce the
chance of inadvertent loss of data.

Types of Drive Connections:
➔ Integrated Drive Electronics (IDE)
➔​Extended Integrated Drive Electronics (EIDE)
➔​Parallel Advanced Technology Attachment (PATA)
➔​Serial Advanced Technology Attachment (SATA) – The current norm
➔​Serial SCSI
Drive connections refer to the connection between the drive and the motherboard and the total capacity
of the drive.

Solid-State Drives (SSDs)
Characteristics:
★​Use microchips, which retain data in non-volatile memory chips and contain no moving parts
★​Most SSDs use NAND gate-based flash memory which retains memory when there is no power
★​Are less susceptible to physical damage than magnetic drives
★​Are standard for many internal drives and all external drives
★​Internal SSDs can use the same interfaces/connections magnetic drives use (SCSI & SATA)
★​External SSDs commonly have USB connection

Popular because:
➔​They require only ½ – ⅓ the power of HDDs
➔​Startup time is faster than magnetic drives
Common Features Shared By SSDs and Magnetic Drives Important for Forensics:
1.​Host Protected Area (HPA)
Designed as an area where computer vendors could store data protected from user activities and OS
utilities.
★​Data can be hidden here if the user writes a program to access the HPA and write data to it.
2.​Master Boot Record (MBR)
Requires only 1 sector and leaves 62 sectors of MBR space empty
★​Data can be written/hidden in the empty sectors
3.​Volume Slack
Space that remains on a hard drive if the partitions do not use all the available space.
★​Example:
Deleting a filled partition does not delete the data within it; it just leaves the data hidden/somewhat inaccessible.
4.​Unallocated Space
The OS cannot access unallocated space within a partition
★​This space may contain hidden data
5.​Good Blocks Marked As Bad
Happens when someone manipulates the file system metadata to mark unused blocks as bad.
★​OS will not access these blocks → blocks can be used to hide data
6.​File Slack
Unused space created between the end of a file and the last data cluster assigned to a file

Digital Audio Tape (DAT) Drives


Sometimes used to contain archived/backup data. (A legacy mechanism)
★​ Look very similar to audio tape
Uses 4-mm magnetic tape enclosed in protective plastic shell to record info digitally.

Remember:
★​ DAT tapes wear out & must be replaced periodically

To analyze a DAT tape:


1.​Forensically wipe the target drive you’re going to image the DAT tape to
2.​Restore the DAT tape to the target drive to analyze the data it contains

Digital Linear Tape (DLT) & Super DLT


Another type of relatively uncommon magnetic tape storage
Characteristics:
➔​Relies on a linear recording method
➔​Has either 128 or 208 total tracks
➔​Used to store archived data

★​Follow the same method as for DAT tapes to analyze DLT.

Optical Media
Store bits as microscopic pits and lands (flat areas) along a spiral track; a laser reads the change in reflected light between them
Examples:​
CD-ROMs
DVDs
Blu-Ray

CDs
Pits scatter the laser light and lands reflect it. Strictly, a transition between pit and land is read as a 1 and the unchanged stretch in between as a run of 0s; the notes simplify this to "pit = 0, no pit = 1".
Susceptible to scratches due to the mechanism used to read data from them.
★​A 780-nm wavelength laser diode is used; the reader senses the change in reflected light to detect the presence or absence of a pit.

DVDs
Use a 650-nm wavelength laser diode light
Smaller wavelength allows DVDs to use smaller pits thus increasing the storage capacity
Can hold:
4.7 GB for a 1-sided DVD
9.4 GB for a 2-sided DVD

Blu-Rays
Use a 405-nm (blue-violet) laser, allowing still smaller pits and tighter tracks
Usually used to store movies
Can also store backup data cheaply, which makes them attractive to small orgs.
Store up to:
25 GB for a 1-layer Blu-Ray
50 GB for a 2-layer Blu-Ray
100 GB for a 3-layer BDXL (Blu-Ray Disc XL)
128 GB for a 4-layer BDXL

★​Follow the same method as for DAT tapes to analyze CDs, DVDs, and Blu-Rays.
USB Drives
USB is a connectivity technology NOT a storage technology.

USB flash drives/thumb drives are the storage technology.


Most widely used USB standards are USB 3.2 & USB 2.0
USB standard 4.0 was released in August 2019
Differences in USB standards/specs relate mostly to the speed of data transfer.

Characteristics:
★​ Can be overwritten/erased easily
Important to copy the data from the USB drive to the target forensic drive for analysis as soon as
possible, through a USB write blocker.

★​ Have no moving parts

★​ Use the same NAND flash technology as SSDs
★​ Are resilient to shock damage (they'll survive being dropped)
★​ Some come with a small physical switch that puts them into READ-ONLY mode; most do not, and the switch is honoured by the drive's own firmware, so a hardware write blocker remains the control to rely on

File Formats
Advanced Forensic Format (AFF)
Developed by Simson Garfinkel with Basis Technology

An open file standard with 3 variations:

AFF
Stores all data and metadata in a single file
AFF file format is part of the AFF Library & Toolkit, a set of open-source forensics programs.
Sleuth Kit & Autopsy both support AFF.

AFM
Stores data and metadata in separate files

AFD
Stores data and metadata in multiple small files

EnCase
A proprietary format (the .E01 "Expert Witness" format) defined by Guidance Software (now OpenText) for use in its EnCase tool to store hard drive
images and individual files.
★​Includes a CRC for each chunk of data and an MD5 (optionally also SHA-1) hash of the whole image, so any change after acquisition is detectable.
Generic Forensic Zip
An open-source file format used to store evidence from a forensic examination.

Process of Forensically Imaging a Drive


Imaging with Linux
Steps:
1.​Forensically wipe the target device (the drive the suspect drive's content will be copied to)

2.​Set up the forensic server to listen on a network port (nc) and write whatever arrives to the wiped target

3.​Connect the suspect drive through a write blocker and read it sector by sector (dd), piping the output to the listening port; nothing is ever written to the suspect drive

4.​Hash the suspect drive and the image (md5sum/sha256sum) and record both; matching hashes prove the copy is complete and unaltered

Forensic Wipe ⇒ overwriting every single bit of the target with a known pattern (zeros or a random pattern) to ensure that no residual data
from a previous case remains. Wiping with zeros has a further benefit: anything non-zero found on the target afterwards must have come from the suspect drive.
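The following is an added example, not part of the course notes and not any tool's own code. It is a small Python model of what the dd step does: read the suspect drive sector by sector, zero-fill any sector that cannot be read (the behaviour of dd's conv=noerror,sync) so every later sector keeps its original offset, and hash the image as it is produced; wipe_target is the forensic wipe of step 1. BadSectorDrive is a constructed stand-in for a block device; its contents and the bad sector number are made up for the example.

```python
"""Added example: sector-by-sector acquisition with bad-sector padding and
hash verification. Not the course notes' or any tool's own code."""
import hashlib
import os
import tempfile

SECTOR = 512


class BadSectorDrive:
    """Constructed stand-in for a block device with unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR == 0, "block devices are whole sectors"
        self.data = data
        self.bad = set(bad_sectors)

    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(drive):
    """Return (image_bytes, sha256_hex, log_lines) for every sector of drive."""
    digest = hashlib.sha256()
    image = bytearray()
    log = []
    for n in range(drive.sector_count()):
        try:
            chunk = drive.read_sector(n)
        except OSError as err:
            # Pad, never skip: a skipped sector would shift every later offset.
            chunk = b"\x00" * SECTOR
            log.append(f"sector {n}: {err.strerror}; zero-filled")
        image += chunk
        digest.update(chunk)
    return bytes(image), digest.hexdigest(), log


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def wipe_target(path: str, size: int) -> bool:
    """Overwrite the target with zeros, then read it back to prove the wipe."""
    with open(path, "wb") as fh:
        remaining = size
        while remaining > 0:
            n = min(remaining, 1 << 20)
            fh.write(b"\x00" * n)
            remaining -= n
    with open(path, "rb") as fh:
        return fh.read() == b"\x00" * size


def image_to_disk(drive, out_path: str) -> dict:
    """Wipe the target, acquire, write the image, re-hash the file and return
    the record that belongs in the chain-of-custody log."""
    wiped = wipe_target(out_path, drive.sector_count() * SECTOR)
    image, acquired_hash, log = acquire(drive)
    with open(out_path, "wb") as fh:
        fh.write(image)
    file_hash = sha256_file(out_path)
    return {
        "wiped": wiped,
        "sectors": drive.sector_count(),
        "bad_sectors": log,
        "hash_at_acquisition": acquired_hash,
        "hash_of_image_file": file_hash,
        "verified": acquired_hash == file_hash,
    }


def run_demo() -> dict:
    data = bytes(range(256)) * 16                 # 8 constructed sectors
    drive = BadSectorDrive(data, bad_sectors={3})  # sector 3 is unreadable
    with tempfile.TemporaryDirectory() as tmp:
        return image_to_disk(drive, os.path.join(tmp, "suspect.dd"))


if __name__ == "__main__":
    record = run_demo()
    for key, value in record.items():
        print(f"{key}: {value}")
```

The log line for the zero-filled sector is as important as the hash: the hash proves the image matches what was read, and the log records that one sector of it was not the drive's content.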

Imaging with EnCase


Steps:
1.​Disconnect hard drive from suspect machine
a.​Connect the suspect drive to the forensic computer through a hardware write blocker so that nothing can be written to it during acquisition (the notes mark this as optional; in practice it is expected)
Examples of such devices: FastBloc & Tableau
2.​Connect the drive to the forensic computer
3.​Select “New” at top left of EnCase window
4.​In “Case Options” dialogue, select the case name & examiner’s name
5.​Select the buttons to the right of the “Default Export Folder,” “Temporary Folder,” and “Index
Folder” text boxes to fill in the boxes with the absolute paths (typically fill automatically)
6.​Click the “Finish” button
7.​Click “Save” on the top left of the EnCase toolbar
8.​Select a path to the save location when asked
9.​Click “Add device” on the Encase toolbar
10.​ In the “Add device” pop-up window, choose which device to add from those listed under the
“Local” folder
11.​ Select “Add to Case”
12.​ Click “Finish”

Imaging with Forensic Toolkit


Forensic toolkit can be purchased or downloaded for free
Free download @: https://marketing.accessdata.com/imager4.3.1.1
Steps:
1.​Hover on “File” at top left corner
2.​Select “Create Disk Image” from “File” dropdown menu
3.​In the “Select Source” pop-up wizard, select what you want to image (usually “physical drive”)
4.​Select which physical drive to image
5.​In the “Create Image” pop-up wizard, select the “Image Destination(s)”
6.​Make sure the “Verify images after they are created” option is checked
7.​Click “Start” to start the imaging process

Imaging with OSForensics


OSForensics allows investigator to mount images created with other tools or create an image
Steps:
1.​Select “Forensic Imaging” from menu on left
2.​Select “Drive Imaging”
3.​Select the source of the drive you want to image & where the target image will be put
4.​Leave all default check marked options as they are
5.​Click “OK” to start imaging process

Acquiring RAID
RAID –
Redundant Array of Independent Disks
RAID Levels:
★​ RAID 0
Distributes data across multiple disks to give improved data retrieval speed; no redundancy, so the loss of any 1 disk destroys the whole array
Also called Disk Striping

★​ RAID 1
Mirrors the content of disks completely

★​ RAID 3 or 4
Combines 3 or more disks to protect data against loss of any 1 disk
Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity
information, BUT the storage capacity of the array is reduced by 1 disk
Also called Striped Disks with Dedicated Parity
★​ RAID 5
Combines 3 or more disks to protect data against loss of any 1 disk
Fault tolerant BUT parity is NOT stored in a dedicated drive but interspersed across the drive array
Storage capacity of the array is a function == # of drives – space needed to store parity
Also called Striped Disks with Distributed Parity
★​ RAID 6
Combines 4 or more disks to protect data against loss of any 2 disks
Also called Striped Disks with Dual Parity
★​ RAID 1+0 (10)
Mirrored pairs of disks (RAID 1) which are then striped together (RAID 0)
Requires a minimum of 4 drives: 2 mirrored pairs

Best way to acquire a RAID array is to make a forensic image of the entire array as the controller presents it (the logical volume). Imaging the member disks individually leaves you to reassemble the striping and parity layout yourself, which is error-prone without the controller's metadata.
Chapter 4 Quiz — 6/7
1.​What is the most commonly used hashing algorithm?
MD5 / Whirlpool / SHA1 / CRC
2.​What Linux command can be used to create a hash?
SHA / MD5 / MD5sum / Sha3sum
3.​What Linux command can be used to wipe a target drive?
Del / Delete / Nc / dd
4.​RAID 4 should be acquired as individual disks.
True / False
5.​Which of the following drives would be least susceptible to damage when dropped?
SCSI / SSD / IDE / SATA
6.​It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is locked.
True / False
7.​Which of the following might contain data that was live in memory and not stored on the hard drive?
Swap file / Registry hive / Backup file / Log file
Chapter 5 Notes
Techniques for Hiding & Scrambling Info

Understanding the Use & Detection of Steganography


Steganography
The art and science of writing hidden messages
Goal: to hide the existence of the message, so that an interceptor does not realize there is anything to look for (encryption, by contrast, hides only the content, and ciphertext is obviously ciphertext)
Most common carrier: pictures
Most common technique: the Least Significant Bit (LSB) method

Steganographic Terms:
★​ Payload
The info to be covertly communicated. The message you want to hide.

★​ Carrier
The signal, stream, or file in which the payload is hidden.

★​ Channel
The type of medium used.
Can be a passive channel (photos, video, or sound files)
Can be an active channel (Voice over IP call or video streaming connection)

Available Steganographic Tools:


QuickStego — easy to use but limited
Invisible Secrets — has free and commercial version, robust features
MP3Stego — hides a payload in MP3 files
Stealth Files 4 — works with sound, video, and image files
Deep Sound – hides data in sound files

Historical Steganography:
1.​The Chinese wrapped notes in wax and swallowed them for transport.
2.​Greek messengers' heads would be shaved, the message would be written on the scalp, and the hair would
be allowed to grow back. Upon arrival at the other camp, the messenger's head would be shaved
again to read the message.
3.​Johannes Trithemius (1462–1516) wrote a book on cryptography and described a technique where a
message was hidden by having each letter taken as a word from a specific column.
4.​The French resistance in WW2 sent messages written on the backs of couriers using invisible ink.
Technical Steganographic Techniques:
➔​ Least Significant Bit (LSB) Method
The last/least significant bit of each sample is overwritten with one bit of the payload
Most often used on the colour values of the pixels in an image; changing the last bit of a 0–255 channel value alters it by at most 1, which the eye cannot see.
★​Visually the image is unchanged. Only a bit-by-bit comparison with the original image, or the statistical tests described under Steganalysis below, reveals that the LSB plane has been replaced.
➔​ Echo method
Adds an extra sound to an echo inside an audio file. The extra sound contains info.
➔​ Bit-Plane Complexity Segmentation Steganography (BPCS)
Increases the storage area for the payload by replacing the complex areas on the bit planes with the
payload.
Bit plane → the set of bits that correspond to a given bit position in a discrete digital file.
★​There are 24 bit-planes in 24-bit files
★​Colors in images are most often stored in 24 bits.
Can be applied to signals as well as files.

Steganophony
Term for hiding messages in sound files
Can be done using the LSB method or the echo method.
Can be used with static (MP3) and dynamic files (VoIP) and LSB to imperceptibly change the sound being
transmitted.

Video Steganography
Info is hidden in video files
Can be done using the LSB method, …
★​Warning: Since video files are significantly larger than other file types they provide a greater
opportunity for hiding info.
Steganalysis
Process of analyzing a file or files for hidden content.
At best it can show the likelihood that a given file has additional info hidden in it.

Common Easy to Use Indicators:


★​ Examine metadata
Created Date — when the file was created on the device it's on
Last-Modified Date — when the file's content was last changed
Possibilities:
Last-Modified Date = Created Date [ file has not been modified since it arrived on the device ]
Last-Modified Date older than Created Date [ file was copied/downloaded onto this device after it was last modified elsewhere; normal for downloaded music ]
Last-Modified Date newer than Created Date [ file has been modified on this device since it was created/downloaded ]
A Last-Modified newer than Created discrepancy is not suspicious if the device user is known to
mix music and has such software installed, but suspic­ious if not.

★​ Unusually large/bloated file size

Common Technical Methods:


➔​Analyzing close-color pairs to detect Least Significant Bit (LSB) steganography
Close-color pairs [ 2 colors that have binary values that differ only in the LSB ] occurring too
frequently in a given file can indicate a steganographically hidden message may be hidden.

➔​Raw Quick Pair Method


Performs a quick analysis to determine if there are more close-color pairs than would be expected.

➔​Chi Square Method


Builds the histogram of sample values and compares the two values in each pair that differ only in their LSB (2k and 2k+1). Embedding a random-looking payload in the LSBs pushes the two counts in every pair toward equality, so a chi-square test of the observed pair frequencies against that "equal" expectation shows how closely the file matches an embedded one.
Measures the theoretical versus calculated population difference.

➔​Examine the noise distortion in the carrier file


Noise distortion could indicate the presence of a hidden signal
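The following is an added example, not part of the course notes and not any steganography tool's code. It covers the LSB method described under Technical Steganographic Techniques and two of the detection statistics above: close-colour pair counting and the chi-square test on value pairs. The "image" is a constructed 64x64 grayscale carrier built in-line (no image library needed); its LSB plane is deliberately left empty so the effect of embedding on the statistics is unmistakable, which is more extreme than a real photograph.

```python
"""Added example: LSB embedding/extraction and LSB steganalysis statistics.
Not the course notes' or any tool's own code."""
import random


def embed_lsb(carrier, payload: bytes):
    """Return a copy of carrier (list of 0-255 samples) with the payload,
    prefixed by its 4-byte length, written into the least significant bits."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload too large for carrier")
    stego = list(carrier)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # overwrite only the LSB
    return stego


def extract_lsb(stego) -> bytes:
    """Read the length prefix from the first 32 LSBs, then the payload."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def close_colour_pairs(samples) -> int:
    """Count value pairs (2k, 2k+1) where both values occur. LSB embedding
    creates the odd partner of even values it touches (and vice versa)."""
    present = set(samples)
    return sum(1 for k in range(128)
               if (2 * k) in present and (2 * k + 1) in present)


def chi_square_lsb(samples) -> float:
    """Chi-square of each pair's observed counts against their mean. A random
    payload drives h[2k] and h[2k+1] together, so a LOW value suggests
    embedding (Westfeld-Pfitzmann style test)."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi


def make_carrier(width=64, height=64, seed=1):
    """Constructed carrier: a noisy gradient quantised to even values, i.e. an
    empty LSB plane (assumption made so the statistics move deterministically)."""
    rng = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            v = (x * 3 + y * 2 + rng.randint(-6, 6)) % 256
            pixels.append(v & 0xFE)
    return pixels


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"meet at the old mill at midnight"
    stego = embed_lsb(carrier, secret)
    print("recovered:", extract_lsb(stego))
    print("close pairs:", close_colour_pairs(carrier), "->", close_colour_pairs(stego))
    print("chi-square :", round(chi_square_lsb(carrier), 1), "->", round(chi_square_lsb(stego), 1))
```

On a real image the LSB plane is never completely empty, so the statistics are compared between regions of the same file (the payload usually occupies only the beginning) or against the distribution expected for the camera or format, rather than against zero.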

Steganography Detection Tools:


★​ Forensic Toolkit (FTK)
Checks for steganography in images
https://accessdata.com/blog/image-detection-or-image-recognition-quin-c-does-both

★​ EnCase
Checks for steganography
★​ McAfee
online steganography detection tool
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/steganography.html

★​ Steg Secret
https://stegsecret.sourceforge.net/

★​ StegSpy
Fewer limitations than StegDetect
https://www.spy-hunter.com/stegspydown-load.htm

Effectiveness of Steg Tools Varies Based on the:


➔​Size of payload compared to the size of the carrier file
Ex: A 10 kilobyte message in a 2 megabyte image file will be harder to detect than a 1 megabyte
payload in a 4 megabyte image

➔​Steg tool in use


Some tools are more reliable, efficient, or effective than others

➔​Nature of the Steganography


Encrypted and steganized info may not be detected by tools

Invisible Secrets
Inexpensive, easy to use steg tool that has a trial version
For download @: https://www.east-tec.com/invisiblesecrets/download/
Steps:
Choose whether you want to hide a file or extract a hidden file.
If “Hide a file” is chosen:
1.​Click Next
2.​Select the image to use as the carrier file
3.​Select the file you want to hide (can be a text file or another image file)
4.​Select whether you want to encrypt as well as hide the file
5.​Select a password for the hidden file
6.​Pick a name for the resulting file that contains the hidden file
7.​Click Next and follow the prompts

MP3Stego
Free program used to hide data in MP3 files
Takes info [ usually text ] and combines it with a sound file to create a new sound file that contains the
hidden info.
Download @: https://www.petitcolas.net/steganography/mp3stego/
Steps:
Use the following command to hide data:
encode -E data.txt -P pass sound.wav sound.mp3
1.​Compresses sound.wav into sound.mp3 and hides data.txt inside it using the password "pass".
2.​The text in data.txt is compressed and encrypted with "pass" before it is embedded.
Use the following command to extract the data:
decode -X -P pass sound.mp3
1.​Uncompresses sound.mp3 into sound.mp3.pcm and extracts the hidden info using the
password "pass"
2.​Output: the hidden message is decrypted, uncompressed, and saved to sound.mp3.txt

Deep Sound
An easy to use free tool used to hide files in mp3, wav, cda, and other file formats.
Download @: http://jpinsoft.net/deepsound

Additional Resources
★​https://towardsdatascience.com/hiding-data-in-an-image-image-steganography-using-python-e491b68b1372
★​https://resources.infosecinstitute.com/topic/steganography-tools-to-perform-steganography/#gref
★​https://link.springer.com/article/10/1186/s42787-019-0061-6
★​ https://www.securityondemand.com/news-posts/detecting-steganography-in-your-soc/
Encryption
Cryptography — the study of encryption and decryption methods.
Cryptanalysis — the study of breaking ciphers
Cryptology — the combination of cryptography and cryptanalysis

Concept of Cryptography
Messages must be changed in such a way that they cannot be read easily by any party that intercepts
them but can be decoded easily by the intended recipient.

History of Encryption
Caesar Cipher
A mono-alphabet/single-alphabet substitution cipher: every letter of the plaintext is replaced by the letter a fixed number of places further along the alphabet, wrapping around at the end.
Was purported to have been used by the Roman Caesars
Can be overcome via:
➔​Brute force attack — due to the limited # of possible keys (only 25 useful shifts)
➔​Attacker's knowledge of language/alphabet — uses letter and word frequency
Example:
In a shift of +9 the letter A → J
In a shift of -3 the letter A → X

Key — the shift amount (+9/-3); the same key encrypts and decrypts (decrypt by shifting back)


Plaintext — text to be encrypted
Ciphertext — text after it has been subjected to the algorithm and key

Atbash Cipher
A single alphabet Hebrew substitution cipher that performs reverse substitution on the alphabet (Ex: A
→ Z & B → Y & so on)
Was used by Hebrew scribes to copy the book of Jeremiah
★​ Susceptible to the same issues as Caesar Cipher

ROT13 Cipher
A single-alphabet substitution cipher that ALWAYS uses a +13 key
Is the special case of the Caesar Cipher where all characters are rotated 13 places through the
alphabet; because 13 is half of 26, applying ROT13 twice restores the plaintext
★​ Susceptible to the same issues as Caesar Cipher (& is even easier to solve: there is only one key)

Scytale Cipher
Is attributed to the Spartans
A transposition cipher that depended on a baton/cylinder: a strip of leather or parchment was wound around the rod and the message written along its length; unwound, the strip carried the letters in scrambled order.
Turning to a cylinder of a different diameter produced a different (meaningless) reading.
Required: rods of the same diameter at both ends; the diameter is the key.
To decrypt:
1.​Recipient used a rod of the same diameter as the one used to create the message.
2.​Recipient wrapped the strip around the rod to read the message
To encrypt a reply:
1.​Recipient wrote across a strip wound around the same rod.

Playfair Cipher
Invented in 1854 by Charles Wheatstone and popularized by Lord Playfair
Used in WW1 and WW2
Works by encrypting pairs of letters at a time via a 5x5 table built from a keyword or key phrase.
Requirements: memorize the keyword and four rules

Steps:
1.​Draw a 5x5 table
2.​Fill in the keyword, skipping any repeated letters
3.​Add the letters that don't appear in the keyword in alphabetical order in the remaining cells.
4.​I/J share a single cell
5.​Remove punctuation and spaces and spell out numbers
6.​Divide the plaintext message into pairs of letters (digraphs)
7.​If both letters in a pair are the same, insert an X between them and re-pair from there (so "balloon" becomes BA LX LO ON)
8.​Pad a single letter left over at the end with a Z to make the final pair
9.​For each pair, find the two letters in the table and look at the rectangle they form, with the first
letter at one corner and the second letter at the opposite corner
10.​ Replace each letter with the letter in its own row at the other corner of the rectangle (i.e., the two letters swap columns)
11.​ If the two letters are in the same row, take the letter to the right of each (wrapping around); if in the same column, take the letter below each (wrapping around)
12.​ Repeat steps 9–11 for all pairs

Example: Encrypt “Attack at dawn” using Keyword == Falcon


F A L C O
N B D E G
H I/J K M P
Q R S T U
V W X Y Z

At ta ck at da wn
At → CR
A L C
B D E
I/J K M
R S T

At ta ck at da wn → CR RC LM CR BL VB → CRRCLMCRBLVB
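The following is an added example, not part of the course notes: a Playfair implementation that reproduces the "Attack at dawn"/FALCON example above and also handles the same-row and same-column cases, which that example does not exercise. Rules followed: I and J share a cell, a doubled letter inside a pair is split by inserting X (Q if the letter itself is X), and an odd trailing letter is padded with Z as the notes describe.

```python
"""Added example: Playfair encryption/decryption. Not the course notes' code."""
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, J merged into I


def build_square(keyword: str):
    """5x5 table: keyword letters first (no repeats), then the rest in order."""
    seen = []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def prepare(plaintext: str):
    """Strip non-letters, merge J into I, split into digraphs."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "Z"   # pad odd length
        if a == b:
            b = "X" if a != "X" else "Q"   # split the doubled letter
            i += 1                         # only one plaintext letter consumed
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def _transform(pairs, square, shift):
    """shift = +1 encrypts, -1 decrypts (row/column rules reverse direction;
    the rectangle rule is its own inverse)."""
    pos = {square[r][c]: (r, c) for r in range(5) for c in range(5)}
    out = []
    for a, b in pairs:
        ra, ca = pos[a]
        rb, cb = pos[b]
        if ra == rb:                                   # same row
            out.append(square[ra][(ca + shift) % 5] + square[rb][(cb + shift) % 5])
        elif ca == cb:                                 # same column
            out.append(square[(ra + shift) % 5][ca] + square[(rb + shift) % 5][cb])
        else:                                          # rectangle: swap columns
            out.append(square[ra][cb] + square[rb][ca])
    return "".join(out)


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    return _transform(prepare(plaintext), build_square(keyword), 1)


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return _transform(pairs, build_square(keyword), -1)


if __name__ == "__main__":
    for row in build_square("FALCON"):
        print(" ".join(row))
    ct = playfair_encrypt("Attack at dawn", "FALCON")
    print(ct, "->", playfair_decrypt(ct, "FALCON"))
```

Decryption returns the padded letters (the inserted X and trailing Z) along with the message; the reader removes them, which is why Playfair is a manual cipher and not a drop-in for machine use.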

Multi-Alphabet Substitution
An improvement on Caesar Cipher where multiple numbers by which the letters will be shifted are selected.
Alphabet shift is done by rotating the shift applied for each letter in the message.
Examples: +2, -2, +3 means 3 substitution alphabets have been selected
A CAT → C ADV where
A → +2 → C​ C → -2 → A​ A → +3 → D​ T → +2 → V

Vigenere Cipher
One of the most widely known multi-alphabet ciphers.
Invented in 1553 by Giovan Battista Bellaso; later misattributed to Blaise de Vigenère
Method of encrypting alphabetic text by using a series of Caesar shifts, each selected by a letter of a
repeating keyword (A = shift 0, B = shift 1, and so on).
A table such as the following (the tabula recta: 26 rows, each the alphabet shifted one place further) is used:

Steps:
1.​Write the keyword repeatedly above the plaintext so that every plaintext letter has a key letter, rotating the keyword when it ends
2.​For each position, find the row of the plaintext letter and the column of the key letter; the letter at the intersection is the ciphertext letter
Example: encrypting the word "cat" with the keyword "horse"

Enigma Machine
An electromechanical rotor-based cipher machine used by Germany in WW2
Pivotal to the history of cryptography
A multi-alphabet substitution cipher implemented in machinery: each rotor has 26 positions and the rotors step as the operator types, so the substitution alphabet changes with every letter.
★​ Mechanical implementation of multi-alphabet substitution

Operation:
1.​Each time the operator pressed a key, a lamp showed the ciphertext letter and the rotors advanced, so the same plaintext letter encrypted differently on the next press

Allied cipher machines were similar to Enigma but with some security improvements:
➔​TypeX (British)
➔​SIGABA (American)
Modern Cryptography
Substitution
Involves replacing some part of the plaintext with a matching part of the ciphertext.
A letter-by-letter (or bit-pattern by bit-pattern) 1-to-1 relationship
Examples:
Caesar Cipher​ Atbash Cipher​ Vigenere Cipher

Transposition
Rearranges the positions of the plaintext symbols without changing the symbols themselves
Example: reversing every 3-letter sequence, or writing the text into columns and reading it out by rows (as the Scytale does)

★​ All modern block cipher cryptographic algorithms use both substitution and transposition (permutation), repeated over several rounds

Block Ciphers
Encrypts data in blocks
Usual block size == 64-bits or 128-bits

General Truths About Block Ciphers: (assuming the algorithm is mathematically sound)
1.​Larger block sizes ⇒ increase security
2.​Larger key sizes ⇒ increase security (against brute force attacks)
3.​If round function is secure → more rounds increase security up to a point

Stream Ciphers
Encrypt data as a continuous stream, 1 bit or 1 byte at a time, usually by XORing the plaintext with a keystream generated from the key

Feistel Function/Network/Cipher
Is at the heart of many block ciphers (DES among them); one of the most influential developments in symmetric block
ciphers.
★​The difference between Feistel-based block ciphers comes down to what is done in the round function, how the subkeys are derived from the key, and how many rounds are run.
Steps:
1.​Splits the block of plaintext into 2 equal halves [ L0 & R0 ] (32 bits each for a 64-bit block)
2.​Round function is applied to 1 of the halves together with that round's subkey
3.​Output of the round function and the other half are then run through the
exclusive OR (XOR) function
4.​Halves are swapped
5.​Steps 2–4 are repeated a set number of times (rounds) to encrypt the data. Decryption runs the same steps with the subkeys in reverse order, which is why the round function itself never has to be invertible.
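The following is an added example, not part of the course notes and not DES: a 64-bit, 16-round Feistel network that shows the split/round-function/XOR/swap steps above and why the same routine decrypts when the subkeys are reversed. The round function and key schedule are toy mixers chosen only to make the structure visible; this cipher is not secure and the test key is merely the familiar DES test vector key.

```python
"""Added example: a toy Feistel network. Not the course notes' code and not DES."""
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(half: int, subkey: int) -> int:
    """Toy F: add the subkey, multiply by an odd constant, rotate. Not DES's F,
    and it does not need to be invertible: the network inverts itself via XOR."""
    x = (half + subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32        # 32-bit rotate left by 13


def key_schedule(key: int, rounds: int = 16):
    """One 32-bit subkey per round derived from a 64-bit key (toy schedule)."""
    return [((key >> (4 * r)) ^ (key >> 32) ^ (r * 0x01010101)) & MASK32
            for r in range(rounds)]


def feistel(block: int, subkeys) -> int:
    left, right = block >> 32, block & MASK32      # step 1: split into L0, R0
    for k in subkeys:
        # steps 2-4: F on one half, XOR into the other, swap halves
        left, right = right, left ^ round_function(right, k)
    # undo the last swap so decryption is this same function, keys reversed
    return ((right << 32) | left) & MASK64


def encrypt_block(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt_block(block: int, key: int) -> int:
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = 0x133457799BBCDFF1
    pt = 0x0123456789ABCDEF
    ct = encrypt_block(pt, key)
    print(f"plaintext  {pt:016x}")
    print(f"ciphertext {ct:016x}")
    print(f"decrypted  {decrypt_block(ct, key):016x}")
```

Because each round only XORs F's output into one half and then swaps, replaying the rounds backwards XORs the same values out again; that structural property, not any property of F, is what makes the cipher decryptable.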
Cryptographic Hashes
Hash
A one-way (non-reversible), collision-resistant cryptographic algorithm that generates a fixed-length
output (digest) from input of any length.
Collision
Happens when 2 different inputs to the same hashing algorithm produce the same output (hash/digest)
Hashing Algorithms
SHA-1 (160-bit digest; practical collisions have been demonstrated, so it is no longer acceptable where collision resistance matters)
SHA-256 (256-bit digest; the current standard choice)
MD5 (128-bit digest; collisions are easy to produce, so it is kept only for matching against legacy hash sets)

Encryption algorithms are separated into 2 distinct groups:


1.​Symmetric Cryptography
Uses the same key (or keys trivially derived from each other) to encrypt and decrypt the plaintext
➔​Usually 1 shared key per pair of parties
➔​Sometimes 2 keys — 1 for sender-to-receiver traffic & another for receiver-to-sender traffic
★​Separate directional keys limit the damage if one key is learned/disclosed
★​Is considered Symmetric b/c each key is used for both the encryption and the decryption of the traffic it
protects
Examples:

DES
One of the oldest encryption standards (Data Encryption Standard, 1977)
No longer considered secure b/c the 56-bit key is too short to prevent brute-force attacks from
modern computers
Steps:
1.​Data is divided into 64-bit blocks
2.​Each block is run through 16 rounds of a Feistel network, each round involving substitutions (S-boxes),
bit-shifting, and logical operations using a 48-bit subkey derived from the 56-bit key
3.​The halves are swapped after each round
4.​Data is transposed one last time (the final permutation)

Triple DES
Interim solution while a new encryption standard was found when DES was found to no longer
be secure enough.
Does DES 3 times with 3 different keys
Uses a key bundle with 3 DES keys (K1, K2, K3)
Steps:
1.​DES encrypts data with K1
2.​DES decrypts data with K2
3.​DES encrypts data with K3
Key Options:
1.​All 3 keys are independent & different (most secure option: 168 key bits, about 112 bits of effective strength)
2.​K1 & K3 are identical (112 key bits)
3.​All 3 keys are identical (equivalent to single DES, least secure; exists only for backward compatibility)

AES / Rijndael Block Cipher


Developed by Belgian cryptographers Joan Daemen & Vincent Rijmen
The replacement for DES, standardized in 2001 as Federal Information Processing Standard 197
(FIPS 197)
Operates on a block size of 128 bits, handled as a 4x4 column-major matrix of bytes (the state)
Is NOT based on a Feistel network: uses a substitution-permutation network
Can have 3 key sizes (with 10, 12 and 14 rounds respectively):
128 bits​ 192 bits​ 256 bits
Steps of AES:
1.​Key Expansion
2.​Initial Round
a.​AddRoundKey
3.​Rounds
a.​SubBytes
b.​ShiftRows
c.​ MixColumns
d.​AddRoundKey
4.​Final Round (no MixColumns)
a.​SubBytes
b.​ShiftRows
c.​ AddRoundKey

Blowfish

Serpent

Skipjack
2.​Asymmetric Cryptography
Uses 2 different keys to encrypt and decrypt the plaintext
Examples:

RSA
Most widely used public-key algorithm, based on the fact that multiplying 2 large primes is easy but
factoring the resulting integer back into its prime factors is hard.
Steps to Create A Key:
1.​2 large random prime numbers — P & Q — of approximately equal size are
generated, chosen so that their product has the desired key size (e.g., two 1024-bit primes for a 2048-bit key)
2.​P & Q are multiplied to get N (the modulus)
3.​M = (P - 1) x (Q - 1) is computed (Euler's totient of N; it must stay secret, like P and Q)
4.​Another number E — coprime to M — is selected (commonly 65537)
5.​A number D is calculated such that [D x E] mod (M) = 1 (D is the modular inverse of E)
6.​The public key is (E, N) and the private key is (D, N)
Steps to Encrypt:
1.​Take the message raised to the power of E, modulo N
C = M^E mod (N) (here M is the message, not the totient)
Steps to Decrypt:
1.​Take the ciphertext raised to the power of D, modulo N
P = C^D mod (N)
★​Anyone who can factor N recovers (P - 1)(Q - 1) and therefore D from the public key alone; that is why N must be far too large to factor.
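The following is an added example, not part of the course notes: RSA key generation with the symbols used above (P, Q, N, M, E, D), encryption and decryption, and the factoring attack that breaks it when N is small. The primes are textbook-sized (just under 2^20 each) so that plain trial division recovers them in well under a second; real keys use primes of 1024 bits or more, far beyond trial division, which is exactly the gap the quantum-computing section later says Shor's algorithm would close.

```python
"""Added example: textbook RSA and the factoring attack on a small modulus.
Not the course notes' code. No padding is used, so this is not a secure RSA."""
from math import gcd, isqrt


def rsa_keygen(P: int, Q: int, E: int = 65537):
    """Return ((E, N), (D, N)) following the key-creation steps in the notes."""
    N = P * Q                      # modulus, public
    M = (P - 1) * (Q - 1)          # Euler's totient of N, secret
    if gcd(E, M) != 1:
        raise ValueError("E must be coprime to (P-1)(Q-1)")
    D = pow(E, -1, M)              # D * E = 1 (mod M)
    return (E, N), (D, N)


def rsa_encrypt(message: int, public_key) -> int:
    E, N = public_key
    if not 0 <= message < N:
        raise ValueError("message must be an integer below N")
    return pow(message, E, N)      # C = M^E mod N


def rsa_decrypt(cipher: int, private_key) -> int:
    D, N = private_key
    return pow(cipher, D, N)       # P = C^D mod N


def factor_by_trial_division(N: int):
    """Recover P and Q. Feasible only because N is tiny (about 2^40 here)."""
    for p in range(2, isqrt(N) + 1):
        if N % p == 0:
            return p, N // p
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """The attack: factor N, rebuild the totient, recompute D."""
    E, N = public_key
    P, Q = factor_by_trial_division(N)
    return pow(E, -1, (P - 1) * (Q - 1)), N


if __name__ == "__main__":
    # Example primes (assumption for illustration): the largest prime below
    # one million and the smallest prime above it.
    public, private = rsa_keygen(999983, 1000003)
    msg = 0xC0FFEE
    ct = rsa_encrypt(msg, public)
    print("public key :", public)
    print("ciphertext :", ct)
    print("decrypted  :", hex(rsa_decrypt(ct, private)))
    print("recovered D:", recover_private_key(public) == private)
```

With a 2048-bit N the loop in factor_by_trial_division would need on the order of 2^1024 steps; the best classical algorithms are far better than trial division but still infeasible at that size, while Shor's algorithm on a large enough quantum computer would not be.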

Diffie-Hellman
Cryptographic protocol that allows 2 parties to establish a shared secret key over an insecure
channel without ever transmitting the key itself.
Used to allow parties who have no pre-established relationship to agree on a symmetric
key through an insecure medium; also used between parties that do have a pre-established relationship, to give each session a fresh key.
Developed by Whitfield Diffie & Martin Hellman in 1976
Pre-established relationship ⇒ e-banking
No relationship ⇒ e-commerce

MQV

Elliptic Curve

DSA
Breaking Encryption
Classical Methods of Breaking Encryption:
1.​Cryptanalysis
Using techniques other than brute force to attempt to uncover a key or the plaintext.
Knowledge-based/academic code breaking with no guarantee that any method will work, and
likely to be a long and tedious process.
Often used to:
➔​Test the efficacy of a cryptographic algorithm.
➔​Test hash algorithms for collisions

2.​Frequency Analysis
A basic tool used for breaking most classical ciphers.
Examines the frequency with which certain letters appear in ciphertext to derive information on the
key used to derive it and the natural language alphabet used.
Not effective against modern cryptographic methods

3.​Kasiski Examination
Developed by Friedrich Kasiski in 1863
Method of attacking polyalphabetic substitution ciphers (ex: Vigenere Cipher)
The longer the ciphertext, the more effective the Kasiski Examination is
Procedure:
1.​Find sequences of 3 or more letters that repeat in the ciphertext and measure the distances between the repeats; a repeated plaintext word encrypted under the same part of the keyword repeats in the ciphertext, so these distances are multiples of the keyword length (N)
2.​Deduce N from the common factors of those distances
3.​Line the ciphertext up in N columns, where N is the length of the keyword
4.​Each column is then a mono-alphabetic (Caesar) substitution cipher and can be cracked
with frequency analysis
Modern Methods of Breaking Encryption:


1.​Known Plaintext Attack
Required Materials: Sample of known plaintexts​ &​ Sample of resulting ciphertexts
Sample is used to figure out the key used to encrypt the plaintext.

2.​Chosen Plaintext Attack


Attacker obtains ciphertexts corresponding to a set of plaintexts they choose.
Can allow attacker to derive the encryption key and decrypt other messages encrypted with that key.

3.​Ciphertext-only
Attacker only has access to a sample of ciphertexts
Most difficult & most likely situation
Attacker will be most successful if they can deduce the corresponding plaintext or encryption key.
Attacker is also successful if they’re able to obtain ANY info about the underlying plaintext.

4.​Related-key Attack
Attacker can obtain ciphertexts encrypted under 2 or more different keys whose mathematical relationship (e.g., differing in a few bits) is known, even though the keys themselves are not.
Practical against ciphers with weak key schedules and against protocols that derive keys carelessly; the classic example is WEP, whose per-packet RC4 keys were related in a way that leaked the shared key.

5.​Differential Cryptanalysis (Advanced)


6.​Integral Cryptanalysis (Advanced)
7.​Social Engineering
Obtaining keys or copies of info before encryption is done via non-technical means
Examples:
➔​Dumpster diving
➔​Lying
➔​Getting a job at a target company & stealing desired info
➔​Shoulder surfing
➔​Phishing
8.​Rainbow Tables
Precomputed tables of password → hash chains. The attacker looks the captured hash up in the table instead of hashing guesses on the fly; if a match is found, the original text for the hash is found.
Defeated by salting, since every salt value would need its own table.
Example: Ophcrack — Windows password cracker that depends on rainbow tables (effective because LM/NTLM hashes are unsalted)

9.​John the Ripper


Command line-based password cracker popular with both network admins and attackers
Download @: http://www.openwall.com/john/
Allows users to supply word-list files to attempt cracking a password
Passwdqc — password-quality checker from the same authors (Openwall) that rejects passwords John the Ripper would crack easily

Quantum Computing & Cryptography

Situation:
Quantum computers are great at:
1.​Factoring large integers into their prime factors
2.​Solving discrete log problems

Challenge:
RSA security is based on the difficulty of (1) factoring large integers into their prime factors.
Diffie-Hellman, ElGamal, & MQV are based on the difficulty of (2) solving discrete log problems.
Most online encrypted communication currently uses these algorithms.

Conclusion:
Widespread effective quantum computing will make these algorithms insecure.
Chapter 5 Quiz — 10/12
1.​The Caesar Cipher is the oldest known encryption method.
True / False
2.​An improvement on the Caesar Cipher that uses more than one shift is called _________.
DES encryption / Multi-alphabet substitution / IDEA / Triple DES
3.​What type of encryption uses a different key to encrypt the message than it uses to decrypt the message?
Private key / Asymmetric / Symmetric / Secure
4.​Which of the following is an asymmetric cryptography algorithm invented by 3 mathematicians in the 1970's?
PGP / DES / DSA / RSA
5.​Which of the following encryption algorithms uses three key ciphers in a block system and uses the Rijndael algorithm?
DES / RSA / AES / NSA
6.​What is the key length used for DES?
56 / 64 / 128 / 256
7.​Which of the following is an example of a multi-alphabet cipher?
Caesar / Vigenere / Atbash / ROT13
8.​How many rounds does DES have?
64 / 56 / 16 / 4
9.​Hiding messages inside another medium is referred to as ___________.
Cryptography / Cryptology / Steganalysis / Steganography
10.​ In steganography, the __________ is the data to be covertly communicated. In other words, it is the message you want to hide.
Payload / Carrier / Signal / Channel
11.​ In steganography, the __________ is the stream or file into which the data is hidden.
Payload / Carrier / Signal / Channel
12.​ The most common way steganography is accomplished is via ______________.
MSB / ASB / RSB / LSB
Chapter 6 Notes
Retrieving deleted data (a fundamental task for forensic examiners)

Traditional Hard Drives


Use spinning platters to magnetically store data
Read and write data in sectors
Found in: PCs and servers
Increasingly uncommon in: laptops
Not found in: tablets
Sector
The smallest addressable unit on the disk: a short arc of one track on a platter
Sectors along a track are contiguous
Can be either 512 bytes or 4096 bytes

Modern Drives → Solid State Drives (SSD)
Have no platters but still present 512- or 4096-byte sectors to the OS

File Systems
View data in Clusters NOT Sectors
Clusters
A cluster is a fixed group of contiguous sectors (from 1 → 128 sectors, depending on the file system and volume size) and is the smallest unit the file system allocates to a file
The clusters that make up one file do NOT have to be contiguous (fragmentation)

How to Undelete Data (Windows)


Deleted files can be recovered from the Windows OS due to the structure of the file system.

Windows File Systems:


★​ FAT
Has 2 versions:
➔​FAT16
Used by MS-DOS, Windows 95, Windows 98, Windows NT, Windows 2000, & certain Unix
OS’s
➔​FAT32
Used by Windows 95 OSR2, Windows 98/ME and Windows 2000 onward (today mostly on removable media)
Uses a table called the File Allocation Table (FAT) to store cluster→file information
File Allocation Table (FAT)
A list of entries that map to each cluster on the disk partition.
Each entry records 5 things:
​Cluster # of the next cluster for the file
​End of Cluster (EOC) Chain entry if the the cluster is the end of a chain
​Bad clusters
​Reserved clusters
​Open/available clusters

When a file is deleted:


Data is NOT removed from the drive →
1.​The first byte of the file's directory entry is overwritten with 0xE5 to mark the entry free, and the FAT is updated to reflect that the clusters the file was using are no longer in use; the cluster chain is lost but the cluster contents stay in place.
2.​New info saved to the drive MAY be saved to those clusters overwriting some or all of
the old info but it MAY NOT
Forensically this means…
The more recently a file is deleted, the more likely it is that you can recover the file.
The longer since deletion, the more likely that you will only be able to recover portions of the
file.
★​ NTFS
New Technology File System
Used from Windows 2000 onward
Fundamental files:

➢​Master File Table / Meta File Table (MFT)


Describes all files on the volume including:
Filenames​ ​ time stamps​ security identifiers​ file attributes
Contains one base file record for each file and directory on an NTFS volume
Serves the same purpose as the FAT does in FAT16 & FAT32

➢​Cluster Bitmap
A map of all the clusters on the hard drive
An array of bit entries where each bit indicates whether its corresponding cluster is
allocated/used or free/unused.

When files are deleted:


Data is NOT removed from the drive →
1.​File is moved (renamed) into the Recycle Bin folder; its MFT record and clusters are untouched. (No Deletion Yet)
2.​User MUST empty the Recycle Bin. (No Deletion Yet)
3.​The file's MFT record is flagged as not in use and the Cluster Bitmap marks its clusters as free; the record, the filename and the cluster contents are all still there. (No Actual Deletion Yet – file can be recovered)
4.​New info saved to the drive MAY be saved to those clusters overwriting some or all of
the old info but it MAY NOT, and the freed MFT record may be reused for a new file (Some or Complete Deletion)
Forensically this means…
The more recently a file is deleted, the more likely it is that you can recover the file.
How Recycle Bin Works:
Windows 2000 & Earlier (FAT)
1. Deleted files were moved to a folder called:
\Recycler\%SID%\
%SID% ⇒ the security identifier of the current user
\Recycler\%SID%\ ⇒ was created for every user on a computer the first time they used the
Recycle Bin
2. A file called INFO2 was updated with an entry similar to the following:
D%DriveLetter%_%IndexNumber%_%FileExtension%
D → Drive
%DriveLetter% → drive that the file was on before deletion
%IndexNumber% → index # assigned to each file sent to the Recycle Bin that indicates the order of deletion
%FileExtension% → original file extension (NOT present if the deleted item is a folder)

INFO2
A hidden file, created for every user on a computer the first time they used the Recycle Bin.
Is meant to keep track of the:
➔ Original location of deleted files/folders
➔ File size, and
➔ Deletion time.
★ Allows deleted files to be related to specific users.

Windows 7 & Later (NTFS)


INFO2 file is not present & Recycle Bin is located in a hidden directory named:
\$Recycle.Bin\%SID%
%SID% ⇒ the security identifier of the user that performed the deletion
Steps:
1.​File is moved to Recycle Bin
2.​Original file is renamed:
$R[randomChars].ogFileExt
3.​A new file is created and named:
$I[randomChars].ogFileExt
$I files are 544 bytes long and contain:
Bytes 0-7 → file header: 01 00 00 00 00 00 00 00
Bytes 8-15 → original file size: stored in hex in little-endian format
Bytes 16-23 → date/time stamp of when the file was moved to the Recycle Bin:
in # of seconds since midnight Jan 1, 1601
Bytes 24-543 → original file path/name
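A decoder for the $I layout just described, as an added example that is not part of the course notes. The 8-byte timestamp at bytes 16-23 is a Windows FILETIME, i.e. 100-nanosecond ticks counted from midnight 1 Jan 1601 UTC, so the code divides by 10 to get microseconds. It also goes beyond the notes by accepting the Windows 10 version 2 layout (header 02, a 4-byte path character count at offset 24, then a variable-length UTF-16LE path). The sample records, the path and the file names are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not part of the course notes: decode a $I record from
# \$Recycle.Bin\<SID>\ and pair it with its $R data file.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_RECORD_LEN = 544           # fixed record length on Windows Vista/7/8


def filetime_to_datetime(filetime):
    # Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_dollar_i(data):
    """Return version, original size, deletion time and original path of a $I file."""
    if len(data) < 24:
        raise ValueError("record too short to hold the 24-byte fixed header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) != V1_RECORD_LEN:
            raise ValueError(f"version 1 record must be {V1_RECORD_LEN} bytes, got {len(data)}")
        raw_path = data[24:V1_RECORD_LEN]            # 520 bytes, NUL padded
    elif version == 2:
        # Windows 10 layout (goes beyond the notes): character count, then path.
        (path_chars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + 2 * path_chars]
        if len(raw_path) != 2 * path_chars:
            raise ValueError("record truncated: path shorter than declared length")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(filetime),
        "original_path": path,
    }


def matching_r_name(i_name):
    """$I<random>.ext describes $R<random>.ext, which holds the renamed file content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample_v1(size, filetime, path):
    """Constructed test record in the 544-byte version 1 layout."""
    body = (path + "\x00").encode("utf-16-le").ljust(V1_RECORD_LEN - 24, b"\x00")
    return struct.pack("<QQQ", 1, size, filetime) + body


def build_sample_v2(size, filetime, path):
    """Constructed test record in the Windows 10 version 2 layout."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + encoded


# FILETIME of the Unix epoch is 116444736000000000; 1500000000 s after it is 2017-07-14 02:40:00 UTC.
SAMPLE_FILETIME = 116444736000000000 + 1_500_000_000 * 10_000_000
SAMPLE_PATH = r"C:\Users\analyst\Documents\report.docx"   # constructed

if __name__ == "__main__":
    rec = parse_dollar_i(build_sample_v1(4660, SAMPLE_FILETIME, SAMPLE_PATH))
    print(rec, matching_r_name("$I3K9QZ1.docx"))
```

On a real image you would read every `$I*` file under `\$Recycle.Bin\<SID>\`, decode it this way, and then copy out the `$R` file with the same random suffix; the SID of the directory tells you which user emptied nothing yet, because the `$R` content is still present until the bin is emptied and the clusters are reused.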

★​ File systems view a cluster as entirely utilized if even 1 bit in the cluster is used.
Tools to Recover Deleted Files in Windows:
★​ DiskDigger
An easy to use tool to recover files on Windows machines
Has a free and commercial version:
Free version requires you to recover files one at a time
Commercial version allows you to recover many files at once
Download @: http://diskdigger.org/
★​ WinUndelete
Easy to use tool with GUI that allows users to recover drives.
Steps:
1.​Choose the drive to recover
2.​Select the file types to recover
3.​Select folder to place recovered files in
4.​Go to the folder containing the recovered files to view them
Download @: http://www.winundelete.com/download.asp
★​ FreeUndelete
Easy to use tool with GUI that allows users to view recoverable files from a selected drive before
recovery.
Versions:
Free for personal use
Fee for commercial use
Steps:
1.​Select the drive you want to recover files from
2.​Click “Scan”
3.​Any files that can be partially recovered will be listed.
Download @: http://www.officerecovery.com/freeundelete/
★​ OSForensics
Robust forensic tool that has an undelete function
Allows user to undelete from a mounted image or from the live system
Steps:
1.​Click on “Deleted Files Search” on the menu on the left hand side
2.​OSForensics will scan the drive and return a color coded list of files. The color coding indicates
how likely you are to be able to recover the deleted file.
3.​You can recover a file by selecting it and following further prompts
★​ Autopsy
A free open-source digital forensics tool that includes a deleted file recovery function.
★​ Automatically begins recovering deleted files when a disk image is loaded.
Download @: https://www.autopsy.com/
Forensically Scrubbing a File/Folder Depending on the Type of Media on Windows:
According to the 2001 DOD 5220.22-M ECE recommendations

Key:
A. Degauss with Type I degausser.
B. Degauss with Type II degausser.
C. Overwrite all addressable locations with a single character.
D. Overwrite all addressable locations with a character, its complement, then a random character,
then verify.
E. Overwrite all addressable locations with a character, its complement, then a random character.
F. Each overwrite must reside in memory for a period longer than the classified data resided.
G. Remove all power including battery power.
H. Overwrite all locations with a random pattern, all locations with binary zeros, and all locations with
binary ones.
I. Perform full chip erase as per the manufacturer's data sheets.
J. Perform full chip erase as per the manufacturer's data sheet, then overwrite all addressable
locations with a single character; repeat 3 times.
K. Perform an ultraviolet erase according to the manufacturer's recommendation.
L. Perform an ultraviolet erase according to the manufacturer's recommendation, increasing time by a
factor of 3.
M. Destroy — disintegrate, incinerate, pulverize, shred, or melt.
N. Destruction required only if classified info is contained.
O. Run five pages of unclassified text (font test acceptable).
P. Ribbons must be destroyed, platens must be cleaned.
Q. Inspect and/or test screen surface for evidence of burned-in info. If present, the cathode ray tube
must be destroyed.
Media                          | Clear      | Sanitize
Magnetic Tape                  |            |
  Type I                       | A or B     | A, B, or M
  Type II                      | A or B     | B or M
  Type III                     | A or B     | M
Magnetic Disk                  |            |
  Bernoullis                   | A, B, or C | M
  Floppies                     | A, B, or C | M
  Non-removable Rigid Disk     | C          | A, B, C, or M
  Removable Rigid Disk         | A, B, or C | A, B, C, or M
Optical Disk                   |            |
  Read Many, Write Many        | C          | M
  Read-Only                    |            | M or N
  Write Once, Read Many (WORM) |            | M or N
Memory                         |            |
  DRAM                         | C or G     | C, G, or M
  EAPROM                       | I          | J or M
  EEPROM                       | I          | H or M
  FEPROM                       | I          | C then I, or M
  PROM                         | C          | M
  Magnetic Core Memory         | C          | A, B, E, or M
  Magnetic Plated Wire         | C          | C & F, or M
  Magnetic Resistive Memory    | C          | M
  Non-Volatile RAM             | C or G     | C, G, or M
  Read-Only Memory (ROM)       |            | M
  SRAM                         | C or G     | C & F, G, or M
Equipment                      |            |
  Cathode Ray Tube (CRT)       | G          | Q
  Printers                     |            |
    Impact                     | G          | P then G
    Laser                      | G          | O then G
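The overwrite methods C, D, E and H from the key, applied to an in-memory buffer, as an added example that is not part of the course notes and not DoD tooling. The buffer stands in for "all addressable locations" of a medium so the example runs safely; the `sanitize` and `residue_remains` helper names, the sample payload and the choice of 0x55 as the character are constructed for illustration.

```python
import os

# Added example; not from the course notes and not DoD 5220.22-M's own tooling.
# A bytearray stands in for "all addressable locations" of a medium so the
# passes can be run and checked in memory. Method letters follow the key.


def _fixed(char, n):
    """One pass worth of a single repeated character."""
    return bytes([char]) * n


def sanitize(buf, method, char=0x00):
    """Apply overwrite method C, D, E or H from the key to a bytearray in place.

    Returns True when every pass completed and, for method D, every pass
    read back exactly as written. Methods without a verify step return
    True once all their passes are done."""
    n = len(buf)
    if method == "C":          # single character
        passes, verify = [_fixed(char, n)], False
    elif method == "E":        # character, its complement, then random
        passes, verify = [_fixed(char, n), _fixed(char ^ 0xFF, n), os.urandom(n)], False
    elif method == "D":        # same passes as E, then verify each one
        passes, verify = [_fixed(char, n), _fixed(char ^ 0xFF, n), os.urandom(n)], True
    elif method == "H":        # random pattern, then all zeros, then all ones
        passes, verify = [os.urandom(n), _fixed(0x00, n), _fixed(0xFF, n)], False
    else:
        raise ValueError(f"method {method!r} is not an overwrite method in the key")

    for data in passes:
        buf[:] = data                       # write the whole address range
        if verify and bytes(buf) != data:   # read back and compare with what was written
            return False
    return True


def residue_remains(buf, original):
    """Demo check: does any 8-byte window of the original content survive in buf?"""
    return any(bytes(original[i:i + 8]) in buf for i in range(0, len(original) - 7))


if __name__ == "__main__":
    payload = b"TOP SECRET PAYLOAD" * 4          # constructed sample content
    buf = bytearray(payload)
    ok = sanitize(buf, "D", 0x55)
    print("method D verified:", ok, "residue:", residue_remains(buf, payload))
```

The read-back compare is the only difference between D and E, and it is what turns an overwrite into evidence that the overwrite happened. Note that the matrix sends EEPROM-class and flash memory to a full chip erase (I) rather than to overwrite alone: on flash-based media the addressable range seen by the host does not cover wear-levelled or spare cells, so an overwrite pass can leave copies the host cannot address.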
How to Undelete Data (Linux)
Linux gives users the option to use either prepackaged tools or built-in Linux commands to recover files.

Linux File System: (Extended File System — Ext)


Linux can use multiple file systems but Ext is the most common.
Most recent version of Ext: Ext4 (Ext3 is still in use)

How files are stored:


Ext4 divides the file system into blocks of equal size.

Blocks
Are the fundamental unit of storage
Are similar to sectors in a hard drive or clusters in NTFS
Block size may be 1,024 bytes – OR – 2,048 bytes – OR – 4,096 bytes based on the size of the partition
and the commands used to create it.

Block Groups
Are made from grouping consecutive blocks
Makes it easier to refer to them.
Each group — EXCEPT the last – MUST have the same # of blocks.
The last group can have <= the same # of blocks
The last group contains the remaining blocks that have not already been grouped.
Each block group is identified by a number, starting from zero
For N block groups the numbering would be from 0 → (N-1)
Each block group contains the following elements:

➔ Superblock
Holds critical file system metadata
Examples: block size, # of blocks, location of other essential structures

➔​Group descriptor table


Resides after the Superblock
Provides details about each block group within the file system.
Each entry corresponds to a specific block group and stores information (ex: block and inode bitmap
locations) for that group.

➔​Block bitmap
Uses individual bits to represent the allocation status of each data block within the group.
A set bit [1] indicates a block is occupied, while a cleared bit [0] signifies it's free.

➔​Inode bitmap
Tracks the allocation state of inodes (file information structures) belonging to that group.
A set bit [1] represents an allocated inode, and a cleared bit [0] indicates it's available.
➔​Inode table
Stores crucial information about each file and directory in the file system, including its size,
permissions, timestamps, and data block locations.
★​Each file is uniquely identified by an inode number.
➔​Data area
Largest portion of the file system
Holds the actual data content of files and directories.
Data blocks pointed to by inodes in the inode table are stored here.
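The bit-per-unit allocation maps described here for ext4 (block bitmap and inode bitmap) and earlier for NTFS (the Cluster Bitmap) share one layout: bit 0 of byte 0 is unit 0, and a set bit means allocated. The following is an added example that is not part of the course notes; it reads such a bitmap and lists the free runs an undelete or carving tool would search, and shows that deleting a file on either file system is just clearing bits. The 20-unit bitmap and the `demo()` layout are constructed.

```python
# Added example (not from the notes): walk an allocation bitmap laid out the
# way the NTFS $Bitmap and the ext4 block/inode bitmaps are, one bit per
# unit, least significant bit of byte 0 being unit 0, set bit = allocated.


def unit_is_allocated(bitmap, index):
    byte, bit = divmod(index, 8)
    return (bitmap[byte] >> bit) & 1 == 1


def free_runs(bitmap, total_units):
    """Return [(start, length), ...] for maximal runs of unallocated units.

    total_units is required because the final byte usually carries padding
    bits past the end of the volume or block group."""
    if total_units > len(bitmap) * 8:
        raise ValueError("bitmap too short for the declared number of units")
    runs = []
    start = None
    for i in range(total_units):
        if not unit_is_allocated(bitmap, i):
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, total_units - start))
    return runs


def mark(bitmap, index, allocated):
    """Set or clear one unit's bit; deletion on NTFS/ext4 is a clear like this."""
    byte, bit = divmod(index, 8)
    if allocated:
        bitmap[byte] |= 1 << bit
    else:
        bitmap[byte] &= ~(1 << bit) & 0xFF


def demo():
    # Constructed 20-unit bitmap: units 0-3 and 8-9 allocated, everything else free.
    bm = bytearray([0b0000_1111, 0b0000_0011, 0b0000_0000])
    before = free_runs(bm, 20)                  # [(4, 4), (10, 10)]
    mark(bm, 8, False)                          # "delete" the 2-unit file at 8-9:
    mark(bm, 9, False)                          # only the bits change, data stays
    after = free_runs(bm, 20)                   # [(4, 16)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The runs returned after the delete now include units 8 and 9, whose contents are untouched; that is exactly the space a tool like extundelete or Scalpel reads when it looks for deleted files, and it is also why a later write landing in that run is what finally destroys the data.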

Manual File Recovery


Does NOT require external tools
Commands may not work due to variations between Linux versions
Steps:
1. Move the system to single-user mode
a. Execute the wall command (to notify network users of what you're going to be doing, if the
computer is networked)
b. Execute the init 1 command (to move into single-user mode)
2. Recover a file that starts with a specific word, e.g. 'forensics', ignoring case
a. Execute: grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
(-i ignores case, -a treats the raw partition as text, -B10/-A100 keep 10 lines before and 100 lines
after each match; /dev/sda2 is the partition being searched, and file.txt must be written to a different
partition so the output does not overwrite the very data being recovered)

Linux Recovery Tools


extundelete Utility
Shell utility that works to recover files from ext3 & ext4 partitions
Download @: http://extundelete.sourceforge.net/
To restore all deleted files from a partition (here /dev/sda4) execute:
extundelete /dev/sda4 --restore-all

Scalpel
Linux & MacOS tool that works best on Linux
Steps:
1. Install scalpel by executing:
sudo apt-get install scalpel
2. In the Scalpel configuration file, uncomment the specific file format(s) you want to recover
Scalpel config file ⇒ /etc/scalpel/scalpel.conf
3. Create an empty directory in which to store recovered files
4. Execute the following command to recover files:
sudo scalpel [device/directory/file name] -o [output directory]
How to Undelete Data (MacOS)
Is a Unix-like system based on FreeBSD, a Linux clone, but has its own file systems called HFS+ & APFS.
Many Unix commands work in the MacOS shell and can be used to recover files.

File Systems possible with MacOS:


➔​ HFS (Hierarchical File System)
Present in the earliest Macintosh/MacOS
Was replaced by HFS+
➔​ HFS+ (Hierarchical File System Plus)
File system that replaced HFS 20 years ago
Was replaced by APFS in 2017 @ release of MacOS High Sierra
➔​ APFS (Apple File System)

MacOS Recovery Tools


MacKeeper
Useful tool for recovering deleted files on Apple computer
Free trial version possible
Download @: http://mackeeper.zeobit.com/recover-deleted-files-on-mac
Steps:
1.​Open Files Recovery Tool
2.​Select the volume where your lost files were
3.​Start the scan
4.​Select undelete

What to Know About Recovering Info From Damaged Drives


Physical Damage Recovery Techniques:
Assume that unless the case is visibly damaged, the drive itself is still operable.
When data is deemed “Lost”:
1. Remove the printed circuit board and replace it with a matching circuit board from a known
healthy drive
2. Change the read/write head assembly with matching parts from a known healthy drive
3. Remove the hard disk platters from the original drive and install them into a known healthy drive.

Recovering Data After Logical Damage:


Logical Damage
More common than physical damage
May prevent host OS from mounting or using file systems

Can be caused by:


➔​Power outages
➔ Turning off the machine while it's booting/shutting down
➔​Errors in hardware controllers (especially RAID controllers)
➔​Errors in drivers
➔​System crashes

Can cause problems like:


➔​System crashes
➔​Data loss
➔​Intermittent failures
➔​Trigger strange behavior
◆​Infinitely recursing directories
◆​Drives reporting negative free space remaining

Solving Logical Damage:


Programs can correct inconsistencies that result from logical damage
➔​chkdsk (Windows)
A basic built in repair tool for Windows OS and native file systems
➔​fsck utility (Linux)
➔​Disk Utility (MacOS)
➔​SleuthKit
can solve logical file system errors
➔​TestDisk
3rd party product that can recover data even when the OS’s repair utility doesn’t recognize the disk.
Download @: http://www.cgsecurity.org/wiki/TestDisk
Preventing Logical Damage:
★​ The structure of the file system.
Journaling file systems help reduce the incidence of logical damage.
You are able to roll the system back to a consistent state in the event of damage
Examples: NTFS 5.0 & Ext3
★​ Use a consistency checker
Protects against file system software bugs and storage hardware design incompatibilities
★​ Use hardware that does not report data as written until it is actually written.
★​ Use disk controllers with battery backups.
Allows pending data to be written to disk after power is restored after an outage.
★​ Use a system battery backup to provide power long enough to shut down systems safely.

Logical Damage Recovery Techniques:


★​ Consistency Checking
Involves scanning a disk’s logical structure and ensuring that it is consistent with its specifications.
There should be a dot (.) entry and a dot-dot (..) entry.
Dot (.) entry – points to the directory itself
Dot-dot (..) entry – points to the parent directory
Examples: chkdsk & fsck

Issues with Consistency Checking:


1.​Check can fail if the file system is highly damaged causing the repair program to crash or
believe the drive has an invalid file system.
2.​chkdsk utility may automatically delete data files if the files are out of place or unexplainable.
❖​This is done to ensure the OS can run properly but it may delete irreplaceably important
user files in the process.
★​ Zero-Knowledge Analysis
File system is rebuilt from scratch using knowledge of an undamaged file system structure.
Steps:
1.​The drive of the affected computer is scanned
2.​The file system structures and boundaries are noted
3.​The results are matched to the specifications of a working file system
Tends to be much slower than consistency checking
Can be used to recover data even when the logical structures are almost completely destroyed
ZKA does not repair the damaged file system but does allow you to extract the data to another
storage device.
File Carving
A technique used to attempt to recover a file when a file is/can only be partially recovered
Instances when this might be true: damaged disk – OR – corrupted file – OR – file metadata is damaged
Purpose: to extract the data from a single file from the larger set of data (ex: partition or entire disk)
Tools: Scalpel (see above) & carver-recovery (see below)
Steps:
1.​Look at file headers/footers
2.​Pull out data found between header and footer boundaries

carver-recovery
Requires users to be familiar with file headers and footers to use the program effectively.
A free tool that includes its source code (allows tool modification) and contains several utilities:
Carver-recovery.exe – allows you to select a drive image to attempt to recover files from

Hexadecimal values for common files that are present in file headers are:
File type | Header bytes
JPEG      | FF D8
GIF       | 47 49
ZIP       | 50 4B
AVI       | 52 49
BMP       | 42 4D
MP3       | 49 44
PNG       | 89 50
EXE       | 4D 5A
PDF       | 25 50
WAV       | 52 49
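The two carving steps above (find header/footer boundaries, pull out what lies between), as an added example that is neither the carver-recovery tool nor Scalpel. It uses longer header strings than the two-byte values in the table to reduce false hits in filler, adds the footers those formats end with, and handles the partial case the notes mention: a header with no footer is reported as incomplete rather than silently dropped. The `SIGNATURES` table, the raw image and the fake files inside it are constructed.

```python
# Added example (not the carver-recovery tool or Scalpel): header/footer
# carving over a raw image held in memory.

SIGNATURES = {
    # name: (header, footer, maximum carve length in bytes)
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9", 20_000_000),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 20_000_000),
    "gif":  (b"GIF8", b"\x00\x3B", 20_000_000),
    "pdf":  (b"%PDF-", b"%%EOF", 50_000_000),
}


def carve(image, signatures=SIGNATURES):
    """Return records {type, offset, length, complete} for every header found.

    A header without a footer inside its size limit (damaged or truncated
    file) yields a record with complete=False whose length runs to the
    limit or the end of the image, so the partial data can still be
    extracted and examined."""
    results = []
    for name, (header, footer, max_len) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end_search = min(len(image), pos + max_len)
            foot = image.find(footer, pos + len(header), end_search)
            if foot == -1:
                results.append({"type": name, "offset": pos,
                                "length": end_search - pos, "complete": False})
                pos = image.find(header, pos + len(header))
            else:
                end = foot + len(footer)
                results.append({"type": name, "offset": pos,
                                "length": end - pos, "complete": True})
                pos = image.find(header, end)
    results.sort(key=lambda r: r["offset"])
    return results


def extract(image, record):
    """Step 2 of the notes: pull out the bytes between the boundaries."""
    return image[record["offset"]:record["offset"] + record["length"]]


def build_sample_image():
    """Constructed raw image: filler, a whole JPEG, filler, a whole PNG,
    filler, then a PDF cut off before its %%EOF trailer."""
    filler = bytes(range(256)) * 4            # contains none of the signatures
    fake_jpeg = b"\xFF\xD8\xFF\xE0" + b"J" * 100 + b"\xFF\xD9"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xAE\x42\x60\x82"
    truncated_pdf = b"%PDF-1.7\n" + b"%" * 30
    return filler + fake_jpeg + filler + fake_png + filler + truncated_pdf


if __name__ == "__main__":
    img = build_sample_image()
    for rec in carve(img):
        print(rec, len(extract(img, rec)))
```

Stopping at the first footer is the simplest rule and it is wrong for some inputs: a JPEG with an embedded thumbnail carries an inner FF D9, so the outer image is cut short, and a PNG's IEND can be validated against its chunk lengths instead of searched for. Production carvers add such format checks and size bounds, which is what the per-format entries in scalpel.conf express.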
Chapter 6 Quiz — 4/4
1. Which of the following is the linux equivalent of a shortcut?
a. Hard link
b. Symbolic link
c. Partial link
d. Faux link

2. What file system does Windows 10 use?
a. FAT
b. FAT32
c. NTFS
d. HPFS

3. What file system does MacOS use?
a. HPFS
b. HFS+
c. NTFS
d. EXT3

4. Why can you undelete files in Windows 7?
a. Nothing is deleted; it's just removed from MFT
b. Nothing is deleted; it's just removed from FAT
c. Fragments might exist, even though the file is deleted.
d. You cannot.
Chapter 7 Notes
Incident Response

Disaster Recovery

Preserving evidence

Adding forensics to disaster recovery plan


Chapter 7 Quiz


Chapter 8 Notes
Chapter 8 Quiz


Chapter 9 Notes
Chapter 9 Quiz


Chapter 10 Notes
Chapter 10 Quiz


Chapter 11 Notes
Chapter 11 Quiz


Chapter 12 Notes
Chapter 12 Quiz


Chapter 13 Notes
Chapter 13 Quiz


Chapter 14 Notes
Chapter 14 Quiz


Chapter 15 Notes
Technical, Legal, & Procedural Trends in Forensics

Technology Trends & Their Impact on Forensics


1.​Digital crimes are typically punished via probation & fines NOT prison.
2.​Moore’s Law

Moore’s Law:
“The number of components/transistors in integrated circuits doubles
every 18 - 24 months (2 years).”
Each doubling of capacity is done at ½ the cost:
“A component worth $100 today will have 2x the capacity and be ½ the
price ($50) 2 years from now.”
Is applicable to:
★​integrated circuits
★​storage capacity
★​processor speed
★​Capacity
★​Cost
★ fiber-optic communication
★ digital forensics
★ etc.
You can expect to conduct investigations requiring analysis of an increasing volume of data from an
increasing number of digital devices.
Requires forensic specialists to develop new techniques, software, and hardware to perform forensic
assessments.
New techniques should:
★​Simplify documentation of the chain of custody
★​Selectively evaluate data based on relevance

Effect of Moore’s Law on Forensics:


★​Need for more storage on forensics servers (MANY Terabytes)
★​Need for more bandwidth & time to transmit forensic images of suspect machines over the network
(especially when suspect machine has lots of storage capacity)
★​Forensic labs must use the highest capacity cabling available [optic cable is recommended]
★​SaaS (see below)
★​Cloud (see below)
★​Devices (cars, medical devices, GPS, IoT devices) (see below)
SaaS

Cloud

Devices

Legal & Procedural Changes in Forensics


Law Changes

Private Labs

International Issues

Techniques
Chapter 15 Quiz — 3/4
1. Which of the following is a main advantage of cloud computing?
a. Speed of accessing data
b. Fault tolerance
c. Both A & B
d. Ease of use

2. Moore's law concerns which of the following?
a. How to seize evidence
b. Who can seize evidence
c. How fast computing power improves
d. How long it takes new devices to be adopted

3. When performing forensic analysis on devices from diverse jurisdictions, the proper approach is to:
a. Adhere to the jurisdiction with the least restrictive requirements
b. Adhere to the jurisdiction with the most restrictive requirements
c. Adhere to the international requirements
d. Use your own best judgment

4. How would you connect to a smart TV with ADB?
a. Connect a USB device and use adb
b. Use adb connect ipaddress
c. Connect from the TV to the computer
d. Use the same approach as when connecting to a smartphone
