Cyber Forensics
PALLAVI ENGINEERING COLLEGE
CYBER FORENSICS [JNTUH – R18]
IV-II [Link]. CSE
SYLLABUS
UNIT – I
Introduction of Cybercrime: Types, The Internet spawns crime, Worms
versus viruses, Computers' roles in crimes, Introduction to digital forensics,
Introduction to Incident - Incident Response Methodology – Steps - Activities
in Initial Response, Phase after detection of an incident.
UNIT – II
Initial Response: Initial Response & Volatile Data Collection from Windows
system-Initial Response & Volatile Data Collection from Unix system.
Forensic Duplication: Forensic Duplicates as Admissible Evidence, Forensic
Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified
Forensic Duplicate of a Hard Drive.
UNIT – III
Forensics analysis and validation: Determining what data to collect and
analyze, validating forensic data, addressing data-hiding techniques,
performing remote acquisitions.
Network Forensics: Network forensics overview, performing live acquisitions,
developing standard procedures for network forensics, using network tools,
examining the honeynet project.
UNIT – IV
Current Forensic tools: Evaluating computer forensic tool needs, computer
forensics software tools, computer forensics hardware tools, validating and
testing forensics software.
E-Mail Investigations: Exploring the role of e-mail in investigation, exploring
the roles of the client and server in e-mail, investigating e-mail crimes and
violations, understanding e-mail servers, using specialized e-mail forensic
tools.
Cell phone and mobile device forensics: Understanding mobile device
forensics, understanding acquisition procedures for cell phones and mobile
devices.
UNIT – V
Working with Windows and DOS Systems: Understanding file systems,
exploring Microsoft File Structures, Examining NTFS disks, Understanding
whole disk encryption, windows registry, Microsoft startup tasks, MS-DOS
startup tasks, virtual machines.
*****
UNIT – II
INITIAL RESPONSE & FORENSIC DUPLICATION
INTRODUCTION
What is Volatile Data?
Volatile data is stored in system memory (e.g. system registers, cache, RAM)
and is lost if the machine loses power, is shut down, or is rebooted.
Why is volatile data collected first?
Volatile data is not permanent: it is lost when the machine loses power, is
shut down, or is rebooted. During an investigation, volatile data can contain
critical information that would be lost if it were not collected first.
Historically, there was a “pull the plug” mentality when responding to an
incident, but that is not the case anymore.
INITIAL RESPONSE & VOLATILE DATA COLLECTION FROM WINDOWS
SYSTEM
Volatile data is the data that is usually held in cache memory or RAM. It is
temporary rather than permanent, and it is lost when the power is lost, i.e.
when the computer loses its power connection.
When a cyber crime is investigated, data collection plays an important role in
the process, and if the data is volatile it must be collected immediately.
Volatile information can be collected remotely or on site. If there are many
systems to collect from, remote collection is preferred over on-site
collection.
It is very important for the forensic investigation that the immediate state
of the computer is recorded, because the volatile data will be lost quickly.
Volatile information disappears from the suspect's computer as soon as the
power is cut; on its own it is not always crucial, but it provides leads for
the rest of the investigation. To avoid losing it, the computer must be kept
continuously powered so that the data is preserved and the forensic expert can
examine it; the cache, for example, sometimes contains web mail.
This volatile data may contain crucial information, so it has to be collected
as soon as possible. This process is known as "Live Forensics". It includes
several steps:
1) Initially, create a response toolkit.
2) Store the information that is obtained during the initial response.
3) Then obtain the volatile data.
4) Then perform an in-depth live response.
Procedure of creating a response toolkit in a Windows system: Initial
response requires appropriate planning so that all the information is gathered
without critical evidence being affected. Evidence is at risk because the
investigator operates the victim's system as an administrator. A response
toolkit is produced to make safe collection possible.
In Windows-based systems, the incident response information is gathered
using a set of tools which are maintained on a CD or on two floppy disks. These
tools include the following:
i. [Link]: It is a built-in tool of windows operating system which offers
a command-based interface.
ii. psLoggedOn: It is a utility offered by [Link] that displays all
local and remote users of the system.
iii. rasusers: It is a command offered by the NT Resource Kit that displays the
list of users accessing the system remotely.
iv. netstat: It is a built-in system tool that manages all the listening ports
along with their current connections.
v. Fport: It is a system utility offered by [Link] for windows
NT/2000 systems. This utility helps in determining the process that
accessed a TCP/IP port.
vi. PsList: It is a system utility offered by [Link] that helps in
determining all the processes that are currently running on the system.
vii. ListDLLs: It is a system utility offered by [Link] that helps in
obtaining the list of all the running processes along with their command
line arguments. It also provides the list of Dynamically Linked Libraries
(DLLs) that are necessary for the running processes.
viii. nbtstat: It is a built-in tool of Windows which displays the last 10
minutes of NetBIOS connection history.
ix. Arp: It is a built-in tool of windows which displays the list of systems
that are in communication with the target system.
x. Kill: It is a command offered by NTRK for process termination.
xi. md5sum: It is a system utility offered by [Link] for generating
MD5 hashes of a file.
xii. rmtshare: It is a command offered by NTRK for displaying the shares
that can be accessed remotely.
xiii. Netcat: It is a system utility offered by [Link] for providing a
communication channel between two systems.
xiv. cryptcat: It is a system utility offered by [Link] for providing
an encrypted communication channel.
xv. PsLogList: It is a system utility offered by [Link] for
maintaining the event logs that are not in use.
xvi. ipconfig: It is a built-in system tool of windows which is used for
displaying information related to interface configuration.
xvii. PsInfo: It is a system utility offered by [Link] for collecting
the information regarding Local system build.
xviii. PsFile: It is a system utility offered by [Link] for displaying
the information regarding the files accessed remotely.
xix. PsService: It is a system utility offered by [Link] for
displaying the information regarding the current processes and
threads.
xx. auditpol: It is a system utility offered by NTRK for providing security
audit settings.
xxi. doskey: It is a built-in system tool of windows which is used for
displaying the list of commands used in [Link] shell.
Windows applications are of two types: Graphical User Interface (GUI) and
Console User Interface (CUI). GUI-based applications are avoided in an
investigation because, while they present a user-friendly interface, they
perform their operations and commands in the background, out of the
investigator's view.
Preparation of Toolkit: The following are the steps involved in the
preparation of the toolkit for the initial response.
Step-1: Labeling the Response Toolkit Media – In this first step, the
evidence collected is documented and labeled. The media can be CDs or
floppy disks, each individually labeled. Such labels record, for example,
the case number, the date and time, the investigator's name and the
output files associated with the response media.
Step-2: Checking for Dependencies with Filemon – The Filemon utility is
used for identifying the changes the tools make to files and DLLs. This
helps in deciding which tools should not be used on the target system.
Step-3: Creating a Checksum for the Response Toolkit – The CDs, USB
drives etc. maintained as the response kit carry a 'checksum' file listing
the checksums of all the commands. An example of such a checksum file is
the text file generated by the md5sum command.
Step-4: Making the Toolkit Disks Write-Protected – When the CD or floppy
has been created successfully, it needs to be write-protected to avoid
deletion or modification of the evidentiary files.
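The checksum file of Step-3 and the write-protection of Step-4 only pay off if the kit is actually re-verified before use. The following script is an added example, not part of these notes: it builds an md5sum manifest for a toolkit directory and later proves that no tool on the media has changed. The directory layout and the manifest name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the notes): build the Step-3 checksum file for a
# response toolkit and later prove the toolkit is unchanged, which is what a
# write-protected medium (Step-4) should guarantee. Paths are hypothetical.

# build_manifest TOOLKIT_DIR MANIFEST
# Writes one "md5  ./relative/path" line per file in the toolkit, sorted so
# that two manifests of the same kit are byte-for-byte comparable and the
# manifest itself can be hashed and written on the media label.
build_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2 ) >"$manifest"
}

# verify_toolkit TOOLKIT_DIR MANIFEST
# Returns 0 when every file still matches its recorded MD5 and 1 otherwise,
# printing the names that differ (md5sum -c also reports missing files).
verify_toolkit() {
    dir=$1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$dir" && md5sum -c --quiet "$manifest" )
}

# seal_toolkit TOOLKIT_DIR
# Software stand-in for write-protecting the media: drop all write bits so an
# accidental edit from the investigator's own session fails loudly.
seal_toolkit() { chmod -R a-w "$1"; }

# Stand-alone demonstration on a constructed kit in a temporary directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/kit/bin"
printf 'echo pslist\n' >"$demo_dir/kit/bin/pslist.sh"   # constructed stand-in tool
build_manifest "$demo_dir/kit" "$demo_dir/kit.md5"
seal_toolkit "$demo_dir/kit"
if verify_toolkit "$demo_dir/kit" "$demo_dir/kit.md5"; then
    echo "toolkit verified: $(grep -c . "$demo_dir/kit.md5") files intact"
fi
```

Keep the manifest outside the toolkit directory (or on the media label) so that it is not itself part of the tree it describes; verification is then a single `verify_toolkit` call before the kit touches a victim system.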
Process of storing Information Obtained During the Initial Response: The
initial response process gathers a large amount of information while
inspecting the live system. A live system here refers to the victim's system
under investigation, still running after the attack. Information from the live
system can be gathered in 4 ways:
i. The retrieved data can be stored on the local hard disk.
ii. The retrieved data can be noted down in a notebook.
iii. The retrieved data can be stored on removable media like floppy disks,
CDs etc.
iv. The retrieved data can be stored on a remote "forensic system" using
netcat or cryptcat.
The use of the local hard disk for data storage is not preferred because the
system under investigation gets modified. The second way is difficult because
the amount of information is too large to be noted down in a notebook. The
third way can be considered effective if the removable media has a large
enough capacity; however, the system under investigation needs to be
compatible with the media. One of the best alternatives is the use of
removable USB drives: these devices are small but offer storage capacity in
gigabytes, and the Windows operating system automatically installs the drivers
whenever such a drive is connected to the system.
Apart from offline storage, the data can also be stored over the network.
This can be done using the netcat tools, which deliver the data to a remote
forensic workstation.
Obtain volatile data: The volatile data that needs to be collected before
shutting down the Windows system includes the following:
i. Date and time of the system.
ii. The Users logged into the system.
iii. The time/date stamps of file system.
iv. The active processes.
v. The open sockets.
vi. The applications reading data from open sockets.
vii. The systems connected recently.
Process of obtaining Critical Data: The steps involved in obtaining the
critical data that is lost when the system is turned off are as follows:
1) Organization and Documentation of the Investigation: The investigation is
documented for the following reasons:
i. It provides protection to the organization.
ii. It gathers information that can be used as critical evidence against
the criminals.
Recording each step taken during the information retrieval process is
necessary to avoid misunderstandings and blame falling on someone who has
performed all the tasks accurately. For such recording, md5sum checksum files
of the collected data are required. Each record contains the following fields:
i. Start time of the command.
ii. Command line used.
iii. Whether the binaries involved are trusted or untrusted.
iv. The MD5 sum of the data generated.
v. Additional description.
2) Volatile Data Collection:
i. The execution of a trusted [Link]
ii. The recording of date and time.
iii. The identification of the users logged in.
iv. The recording of file creation, modification and access times.
v. The identification of open ports.
vi. The applications utilizing the open ports.
vii. The running processes.
viii. The recent and currently active connections.
ix. The recording of the system time and date again at the end.
x. The documentation of the commands used in the process of initial
response.
3) Initial Response Scripting: Scripting the initial response starts with
creating a text file of the commands and converting it to a batch file by
changing its extension to '.bat'. After this, netcat can be used to forward
the output to the forensic workstation.
The batch file can then be executed on the target systems to get the required
information. On the forensic workstation, the following command collects the
results of the script from a single netcat socket into one file:
[Link] -L -p 2222 >> [Link]
Here '-L' means 'listen harder', i.e. netcat keeps listening after a
connection closes, and '[Link]' is the output file carrying the results of all
the commands. These results constitute the volatile information.
Procedure of performing an in-depth live response: Forensic investigation
sometimes requires in-depth information from the target system before it is
shut down. This is necessary to obtain the evidence while eliminating the
rogue program. These tasks must be performed without disrupting services,
under constraints such as being unable to disable network connections, being
unable to shut the system down, or not being allowed to use the forensic
duplication tools SafeBack and EnCase.
Following are the steps involved in performing an in-depth live response:
1) Collecting the Most Volatile Data: The following steps are involved in
gathering the most volatile data:
i. The date and time commands are executed in order to record the system
time during collection and correlate it with network time. This helps in
organizing the system logs.
ii. The PsLoggedOn command is used to identify the users or systems
connected to the victim's system.
iii. The netstat command is used to identify the systems/users currently or
recently connected to the listening ports.
iv. The PsList command is used to identify the running processes.
v. The Fport command is used to identify the programs which are
currently active along with their associated ports. If any rogue process
is detected, it is submitted for tool analysis.
When the most volatile data has been collected, additional steps are
performed in order to reduce the problems that affect the operation of the
target system.
2) Creating an In-Depth Response Toolkit: There are some commonly used
tools each generating standard output for performing an in-depth live
response. These commands can be used with netcat for generating response
across network connection. These tools include the following:
i. auditpol: It is a command-line tool offered by NTRK for identifying the
audit policy.
ii. reg: It is a command-line tool offered by NTRK for dumping the
information in NT/2000 Registry.
iii. regdump: It is a command-line tool offered by NTRK for dumping
registry in text file.
iv. pwdump3e: It is a system utility offered by [Link] for dumping
the SAM database for cracking the passwords.
v. NTLast: It is a system utility offered by [Link] for identifying
successful and failed logons.
vi. Sfind: It is a system utility offered by [Link] for identifying
the files hidden in NTFS file streams.
vii. Afind: It is a system utility offered by [Link] for identifying
the files accessed during a time period.
viii. Dumpel: It is a command-line tool offered by NTRK for dumping the
event logs of NT/2000.
3) Collecting Live Response Data: The event log and the Registry on the target
machine are considered the most important sources of evidence on Windows
NT/2000 systems. For collecting live response data the following steps are
performed:
i. Reviewing the event logs.
ii. Reviewing the registry.
iii. Obtaining the system passwords.
iv. Dumping system RAM.
i. Reviewing the event logs: The following are the tools used for reviewing
the event logs of a live system:
a) Auditpol: It is an NTRK tool used for identifying the audit policies
present on the system. It tracks all the events when the security policy
changes and the auditing option is enabled. All these events are stored in
the security log.
b) NTLast: It is a system utility offered by [Link] for identifying
successful and failed attempts to log in to the system. This information is
available only when the system's logon and logoff auditing is enabled.
NTLast can be used with the following options:
ntlast -f -> identifies the unsuccessful logon attempts.
ntlast -r -> identifies the successful logins from remote systems.
ntlast -f -r -> identifies the unsuccessful remote logon attempts.
c) dumpel: It is an NTRK tool used for identifying the remote logins
recorded on Windows NT/2000. Dumpel can be used with the following
options:
dumpel -l security -t -> dumps the security log using tabs as the
delimiter.
dumpel -l application -t -> dumps the application log to standard output.
ii. Reviewing the Registry: The 'regdump' and 'regquery' tools can be used for
live retrieval of critical registry data. The former creates a text file of
the registry, whereas the latter obtains the values of given registry keys.
iii. Getting System Passwords: The "pwdump3e" utility can be used for
dumping the passwords from the Security Accounts Manager (SAM) database.
Various tools can then be used on the forensic workstation for cracking the
passwords; one such tool is L0phtCrack. These passwords are needed while
performing forensic duplication.
iv. Dumping System RAM: Forensic investigators prefer to collect two types
of memory, user-mode memory and full-system memory. The former can be
obtained using the user [Link] utility, whereas the latter can be obtained
using the GNU utility dd.
INITIAL RESPONSE & VOLATILE DATA COLLECTION FROM UNIX
SYSTEM
The process of creating a Unix response toolkit is more complex and also
takes more time. The reasons are that an individual toolkit is necessary for
each and every variant of Unix, and that the user has to compile the tools
from source on their own, because most of the suggested tools are not shipped
in the standard release of every Unix operating system.
Example: if the intruded system is a SPARC server running Solaris 2.8, the
team has to compile these tools on a clean copy of Solaris 2.8 on the same
architecture.
Moreover, making the process still more complex, several versions of Unix do
not interoperate properly and show forward or backward incompatibility, i.e.
a program that works on one version of the operating system may not work on
another. Therefore, the creation of a Unix response toolkit entails problems
such as the requirement of more resources and more time.
So it is very important to ensure that the response toolkit is created before
an incident occurs, because once an incident occurs the user may not have the
time to create it. In doing so, the user should adopt trusted commands
irrespective of the type of incident. To respond on Unix systems, users use
several CDs as well as floppy disks along with a set of trusted tools.
Process of storing the information obtained during the initial response
in Unix systems: It is essential for every user to save the information
obtained during the initial response phase. The various storage options are
given below:
i. Saving the data on the local hard drive.
ii. Saving the data on removable media like USB drives, floppy disks and tape
drives.
iii. Recording the data manually.
iv. Transferring the collected data across a network to a forensic
workstation using the netcat tool.
Among the four storage options, the first option of saving information on the
local hard drive is mostly not preferred. The reason is that, if the situation
later demands data recovery or forensic analysis, the information saved on the
local hard drive will have overwritten the deleted data present in
unallocated space. This could be harmful because the overwritten data might
have been needed for the investigation.
The second storage option is also not preferred because very few versions of
Unix support USB drives, and these are not suitable for retrieval of data
through a direct physical connection. This issue can be addressed by employing
the fourth option, wherein the stored data is transferred across the network
to a forensic workstation using the netcat or cryptcat tool. Here, the
forensic workstation is the system the USB drive is attached to. To get a quick
response, forensic workstations run the Linux operating system. This largely
solves the problem of limited storage space.
Once it is decided how data should be retrieved from the target system, the
user needs to decide the most suitable time for responding. Apart from this,
the user needs to identify whether the target system maintains network
connectivity, and if so, whether the network cable should be pulled out to
stop users and attackers from connecting to the system in the initial phase.
Once these issues are resolved, the user can respond at the target system
console.
Volatile data collected prior to forensic duplication in Unix systems:
When volatile data is gathered, the user should respond at the console of the
target system instead of accessing it over the network. This restricts the
intruder or attacker from monitoring the response. Apart from this, it gives
assurance that the user is running trusted commands. Once the forensic
duplication of the target system is done, the user must focus on gathering
the volatile system data such as running processes, open sockets, RAM
contents and the location of unlinked files. Moreover, this task must be
accomplished before the system is switched off.
Files which have been marked for deletion are referred to as unlinked files.
These files will be lost once the power is turned off. So in the initial
response, all types of volatile evidence along with those files marked for
deletion should be recovered. This reduces the later effort, because on a
Unix-based system the recovery of deleted files is a complex process.
The user must collect the information given below:
i. Collect the date and time of the system.
ii. Collect a list of the users who are currently logged in.
iii. Collect time and date stamps for the complete file system.
iv. Collect a list of the processes which are currently running on the
system.
v. Collect a list of the currently open sockets.
vi. Collect the applications listening on the open sockets.
vii. Collect a list of the systems which have recent connections to the
system.
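The collection list above, together with the command-log fields from the Windows section (start time, command line, trusted or untrusted binary, MD5 of the output, description), is a procedure rather than a set of facts, so here is an added example that is not a script from these notes or from the tools they cite. It collects each item into a case directory with one log line per command and can ship the result to a forensic workstation with netcat, as the notes describe. TRUSTED_BIN (the mounted response toolkit), FS_ROOT (the tree to timestamp), and FORENSIC_HOST/FORENSIC_PORT are names assumed for the example; ss, ps, who and last are whatever the toolkit or system provides, and GNU find is assumed for -printf.

```shell
#!/bin/sh
# Added example, not a script from these notes: a minimal Unix live-response
# collector. Every step logs the fields the notes ask for (start time, trusted
# or untrusted binary, MD5 of the output, description, command line) and the
# collected files can be shipped to a forensic workstation with netcat.
# Hypothetical names: TRUSTED_BIN (mounted response toolkit), FS_ROOT (tree to
# timestamp, "/" on a real case), FORENSIC_HOST/FORENSIC_PORT (workstation).

TRUSTED_BIN=${TRUSTED_BIN:-/mnt/toolkit/bin}
FS_ROOT=${FS_ROOT:-/}

# run_step CASEDIR NAME DESCRIPTION COMMAND [ARGS...]
# Runs one collection command, saves its output as CASEDIR/NAME.txt and
# appends one tab-separated line to CASEDIR/commands.log. The binary is
# "trusted" only when it comes from the response toolkit; a copy found on the
# compromised system itself is logged as "untrusted" because it may have been
# replaced by the intruder, and "missing" when neither exists.
run_step() {
    casedir=$1; name=$2; desc=$3; shift 3
    cmd=$1; shift
    cmdline="$cmd $*"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out="$casedir/$name.txt"
    if [ -x "$TRUSTED_BIN/$cmd" ]; then
        trust=trusted
        "$TRUSTED_BIN/$cmd" "$@" >"$out" 2>&1 || true
    elif command -v "$cmd" >/dev/null 2>&1; then
        trust=untrusted
        "$cmd" "$@" >"$out" 2>&1 || true
    else
        trust=missing
        printf 'command not available on this system: %s\n' "$cmd" >"$out"
    fi
    sum=$(md5sum "$out" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$start" "$trust" "$sum" "$desc" "$cmdline" \
        >>"$casedir/commands.log"
}

# collect_volatile CASEDIR
# The notes' list, most volatile first, bracketed by two time readings so
# the whole collection window can be correlated with network time.
collect_volatile() {
    casedir=$1
    mkdir -p "$casedir"
    run_step "$casedir" date      "system date and time (UTC) for log correlation" date -u
    run_step "$casedir" users     "users currently logged in" who
    run_step "$casedir" processes "running processes" ps -ef
    run_step "$casedir" sockets   "open sockets and the programs behind them" ss -anp
    run_step "$casedir" recent    "recent logins and connecting hosts" last -a
    run_step "$casedir" unlinked  "open files already deleted (unlinked), Linux /proc" \
        sh -c 'ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)"'
    run_step "$casedir" mtimes    "modify/access/change times of the file system" \
        find "$FS_ROOT" -xdev -printf '%TY-%Tm-%Td %TT\t%AY-%Am-%Ad %AT\t%CY-%Cm-%Cd %CT\t%p\n'
    run_step "$casedir" date_end  "system date and time at end of collection" date -u
    # Ship to the workstation (listener there: nc -l -p 2222 > case.tar).
    if [ -n "${FORENSIC_HOST:-}" ]; then
        tar -C "$casedir" -cf - . | nc "$FORENSIC_HOST" "${FORENSIC_PORT:-2222}"
    fi
}

# log_steps CASEDIR : number of commands recorded, for a quick sanity check.
log_steps() { grep -c . "$1/commands.log"; }
```

Usage on a case: `FS_ROOT=/ FORENSIC_HOST=10.0.0.5 sh collect.sh` with `collect_volatile /mnt/usb/case-0001` as the call at the bottom; commands.log is the record the notes ask for, and hashing it with md5sum once more seals the whole collection.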
FORENSIC DUPLICATION
Forensic duplication is the copying of the contents of a storage device
completely and without alteration. The technique is sometimes known as
bitwise duplication, sector copying, or physical imaging. Forensic duplication
is the primary method for collecting hard disk, floppy, CD/DVD, and flash-
based data for the purpose of evidence gathering.
Copying files from a suspect's device using standard techniques (Windows
Explorer, cutting and pasting, xcopy) or imaging logical drives (using Ghost
or DriveImage) provides some of the data for an investigation but is usually
insufficient for forensic imaging and may violate best evidence rules.
FORENSIC DUPLICATION TOOL REQUIREMENTS
The requirements of a forensic duplication tool include the following:
1) The tool must be capable of duplicating each bit of information on the
original storage medium.
2) The tool must be capable of generating a forensic duplicate or mirror
image of the source storage medium.
3) The tool must be capable of effectively handling read errors.
4) The tool must not modify the original storage medium.
5) The tool must be capable of withstanding scientific and peer review.
The tools are tested for their reliability before they are used in the process
of forensic duplication. It has been observed that business organizations have
also started developing and using forensic tools; however, the tools they use
are customized according to their own vision.
In the year 1923, a set of standards called the Frye test was set by a federal
court. These standards were later refined, as directed by the Supreme Court
of the United States, to govern the consideration of scientific evidence in
federal cases. As a result, the case of Daubert [Link] Dow Pharmaceuticals,
509 U.S. 579 (1993) shifted the standard from general acceptance to
reliability and relevance.
The factors applicable for determining the reliability of scientific
techniques include the following:
1) Has empirical testing been performed on the scientific theory or
technique?
2) Has the scientific theory or technique undergone peer review and
publication?
3) Are there any standards controlling the operation of the technique?
4) Is the technique generally accepted in the relevant scientific
community?
Later, the court identified insufficiencies in the Daubert test in the Kumho
Tire Co. et al. [Link] et al. case. This was because the technique in question
was not designed within a scientific framework. The court then decided to
consider certain additional tests that address the following questions:
1) Was the methodology developed for legal proceedings or for some other
purpose?
2) Is the expert capable of describing the crucial empirical data?
3) Was the methodology developed from qualitatively sufficient data?
4) Is there any way of measuring the consistency of the process or methods
associated with the technique as applied to the present case?
5) Is there any way of measuring the consistency of the process or methods
associated with the technique in general?
6) Is the technique represented in any literature?
7) Does the expert have sufficient credentials in the field?
8) In what ways does the methodology adopted differ from other techniques?
All these factors assist attorneys in establishing relevance and reliability.
DUPLICATE/QUALIFIED FORENSIC DUPLICATE OF A HARD DRIVE
Qualified Forensic Duplicate: A file containing a true copy of source
information but stored in an altered form is referred to as qualified forensic
duplicate. The best examples of altered forms are in-band hashes, empty
sector compression.
Tools that create qualified forensic duplicate output files:
SafeBack, EnCase, FTK Imager
Process of creating a forensic duplicate of a hard drive: If you have verified
that your system has been attacked or exploited, the first thing to do is take
immediate action to stop the attack or limit that machine's exposure. Ideally,
this would mean disconnecting the machine from the network to conduct
further analysis. If this is not possible, you will still want to disable any
suspect accounts, kill any rogue processes, and possibly block offending IP
addresses at the firewall while you figure out what is going on.
Once you have eliminated the immediate danger, you should make a copy of
any important data to look at offline per the tenet of good forensic analysis
described earlier. You don't want to use your tools on live data. To do this,
make a perfect copy of the data. This requires creating an image of the data
rather than just copying it. You don't want to use the operating system's built-
in copy functions because this might change file dates and insert other
unwanted information. There are special tools for making these mirror-image
copies. Unfortunately, there are not any good open source alternatives for the
Windows platform right now (anyone want to sign up for a good Windows open
source project?). The most popular program for Windows is Norton Ghost by
Symantec, which retails for about $50.00. Under UNIX, there is an excellent
open source program for doing this: dd, which stands for data dump.
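The dd-based duplication just mentioned is where the tool requirements listed earlier (every bit copied, read errors handled, the source never written, the result verifiable) become concrete. The following is an added example written for these notes, not code from the notes or from any of the products they name. It duplicates a source with dd, records the hashes of source and image in a log, and then produces a qualified duplicate in the notes' sense: the same content stored in an altered (compressed) form with the hash of the raw bytes kept beside it. On a real case SOURCE would be a device such as /dev/sdb behind a write blocker; the test constructs a small evidence file instead, and the log and .md5 sidecar names are conventions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the notes: dd duplication that checks the tool
# requirements (every bit copied, read errors handled, source opened read-only)
# and then derives a qualified duplicate (compressed image plus hash of the
# raw content). SOURCE is a device such as /dev/sdb behind a write blocker on
# a real case; here the test builds a small constructed evidence file instead.
# LOGFILE and the IMAGE.md5 sidecar are conventions chosen for this example.

# hash_bytes PATH : MD5 of the raw bytes, with the path opened read-only.
hash_bytes() { md5sum <"$1" | cut -d' ' -f1; }

# forensic_dd SOURCE IMAGE LOGFILE
# conv=noerror makes dd continue after a read error instead of stopping, and
# conv=sync pads the unreadable block with zeros so every later byte keeps
# its original offset (requirement 3). dd's own transfer summary and both
# hashes go to LOGFILE. Returns 0 only when the image reproduces the source
# bit for bit.
forensic_dd() {
    src=$1; img=$2; log=$3
    size=$(wc -c <"$src" | tr -d ' ')
    src_md5=$(hash_bytes "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log"
    # conv=sync pads a short final block, so hash exactly the source's length;
    # the padding bytes beyond it are zeros and carry no evidence.
    img_md5=$(head -c "$size" "$img" | md5sum | cut -d' ' -f1)
    printf '%s dd %s -> %s\nsource md5: %s\nimage  md5: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_md5" "$img_md5" >>"$log"
    [ "$src_md5" = "$img_md5" ]
}

# qualified_duplicate IMAGE
# Stores the image in an altered form (gzip) next to a sidecar IMAGE.md5
# holding the hash of the raw bytes; returns 0 when decompressing the archive
# gives back exactly the hashed content, which is the check an examiner
# repeats before relying on the compressed copy.
qualified_duplicate() {
    img=$1
    hash_bytes "$img" >"$img.md5"
    gzip -c "$img" >"$img.gz"
    [ "$(gzip -dc "$img.gz" | md5sum | cut -d' ' -f1)" = "$(cat "$img.md5")" ]
}
```

A real acquisition adds two things the script cannot show on a file: a hardware write blocker (or, as a software fallback on Linux, `blockdev --setro` on the device before any read) to satisfy requirement 4, and a second hash algorithm alongside MD5 so that a later challenge to MD5 does not undermine the chain of custody.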
Procedure of creating a qualified forensic duplicate of a hard drive: Creating
a forensic duplicate of a hard drive is a sensitive task because there are
many items on the evidence media that are easily changed. If the system is
booted from this drive, the data can be modified, because the BIOS executes
the boot block residing on the hard drive. Items such as file access
timestamps, the Registry, partition information, configuration files and
essential log files can be altered in a fraction of a second during the
initial boot.
Creating a drive image with an MS-DOS based application requires the creation
of an MS-DOS boot disk. Examples of such applications are SafeBack and
EnCase. The command used in MS-DOS 6.22 or Windows 95/98 for formatting a
floppy as well as copying the system files to it is:
C:\> format a: /s
The root directory of the floppy must contain four files. The code in these
files gathers information about the computer system and performs the minimal
operating system functions.
Directory of A:\
02/02/2020 19:02 222,390 [Link]
02/02/2020 19:02 68,871 [Link]
02/02/2020 19:02 93,880 [Link]
03/02/2020 20:01 9 [Link]
In the above directory, the [Link] file is processed first. Its code loads the
contents of [Link] and performs the following task: the [Link] file loads the
[Link] driver file if a disk attached to the computer system uses compression
software like DriveSpace or DoubleSpace at the time the drivers are loaded.
Loading such a driver is not acceptable during forensic duplication.
When booting is performed from the boot disk, it must be ensured that loading
the [Link] driver file does not succeed. To ensure this, the following
process is followed:
i. Load the [Link] file in a hex editor.
ii. Manually change the strings.
Editing of the file is usually carried out using Norton's Disk Editor.
It is also possible to prevent DOS from loading the [Link] file by changing
its name so that it is not found in the file system.
In the [Link] file, four instances of the string must be changed. After
completing these tasks, the following steps are performed:
i. Save the file.
ii. Exit the hex editor.
iii. Delete the [Link] file from the floppy.
*****