The document provides an introduction to the field of cyber forensics, covering topics such as digital forensic science, communities within the field, cyber forensic activities, principles of digital evidence collection and analysis, challenges related to small devices and non-traditional storage media, and considerations for dealing with multiple potential crime scenes.

5/8/2024

Cyber Forensics
The Fascinating World of Digital
Evidence

• Note: This lecture will not make you a certified digital forensics technician.
• This lecture is designed to provide an introduction to this field from both a theoretical and practical perspective.
• Digital forensics is a maturing scientific field with many sub-disciplines.


Digital Forensic Science

• Digital Forensic Science (DFS): "branch of forensic science that uses scientific understanding to acquire, evaluate, record, and present digital evidence related to computer crime in court."

Communities
There are at least 3 distinct communities within Digital Forensics:
• Law Enforcement
• Military
• Business & Industry
Possibly a 4th: Academia

Digital Forensic Science

Cyber Forensics
• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis


Cyber Forensics
The scientific examination and analysis of
digital evidence in such a way that the
information can be used as evidence in a
court of law.

Cyber Forensic Activities

Cyber forensics activities commonly include:
• the secure collection of computer data
• the identification of suspect data
• the examination of suspect data to determine details such as origin and content
• the presentation of computer-based information to courts of law
• the application of a country's laws to computer practice.

The 3 As
The basic methodology consists of the 3 As:
Acquire the evidence without altering or
damaging the original
Authenticate the image
Analyze the data without modifying it

Crime Scenes

Physical Crime Scenes vs. Cyber/Digital Crime Scenes
The basic mindset is the same across both physical and cyber/digital
Locard's Exchange Principle applies
• "When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived"

Digital Crime Scene

Digital Evidence
• The collection of digital artifacts contained on the target computer device, which can be used as evidence in court
Digital Crime Scene
• The electronic environment where digital evidence can potentially exist
Forensic Principles
Digital/electronic evidence is extremely volatile!
Once the evidence is contaminated it cannot be de-contaminated!
The court's acceptance is based on the best evidence principle
• With computer data, printouts or other output readable by sight, and bit-stream copies adhere to this principle.
Chain of Custody is crucial

Cyber Forensic Principles

The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Process/Phases
Identification
Collection
Bag & Tag
Preservation
Examination
Analysis
Presentation/Report

Identification
The first step is identifying evidence and
potential containers of evidence
More difficult than it sounds
Small scale devices
Non-traditional storage media
Multiple possible crime scenes


Small scale devices


Small-scale devices, such as Internet of Things
(IoT) devices, wearables, and embedded
systems, are increasingly prevalent in our daily
lives.
These devices collect and store data,
presenting opportunities and challenges for
digital forensics investigations.


Challenges
• Limited resources: Small-scale devices often have limited
processing power, memory, and storage capacity, making
forensic acquisition and analysis more challenging.
• Proprietary systems: Many small-scale devices run on
proprietary operating systems or firmware, which may require
specialized tools and techniques for forensic analysis.
• Connectivity issues: Some devices may have intermittent or
limited connectivity, requiring forensic examiners to consider
offline analysis methods.

Non-traditional storage media


• Non-traditional storage media refers to storage
solutions that deviate from conventional physical
storage devices like hard drives or USB drives.
• Examples include cloud storage, virtual
machines (VMs), network-attached storage
(NAS), and distributed file systems.


Challenges
• Data dispersion: Non-traditional storage solutions often
distribute data across multiple servers or locations, making
forensic acquisition and analysis more complex.
• Data volatility: Cloud storage and virtual environments may
exhibit data volatility, with data being dynamically allocated and
de-allocated, posing challenges for evidence preservation.
• Legal and jurisdictional issues: Data stored in the cloud may
be subject to different legal jurisdictions, raising questions about
jurisdictional authority and legal admissibility.

Considerations
• Legal considerations: Forensic examiners must be aware of
legal and regulatory requirements governing the acquisition and
analysis of data stored in non-traditional media, such as privacy
laws and data protection regulations.
• Access controls: Investigators may encounter access controls
and encryption mechanisms when accessing data in cloud
storage or virtual environments, requiring appropriate
authorization and decryption capabilities.
• Data integrity: Techniques for verifying the integrity of data
stored in non-traditional media, such as cryptographic hashes and
digital signatures, should be employed to ensure the reliability of
forensic findings.


Tools and Techniques


• Cloud forensics tools: Specialized tools and services are
available for acquiring and analyzing data from cloud storage
platforms, such as Amazon S3, Google Cloud Storage, and
Microsoft Azure.
• Virtual machine forensics: Virtualization-aware forensic tools
can be used to acquire and analyze data from virtual machines,
including snapshots, disk images, and memory dumps.
• Network forensics: Network analysis tools can be employed to
capture and analyze network traffic associated with non-
traditional storage solutions, such as NAS devices and
distributed file systems.

Multiple Possible Crime Scenes in Digital Forensics
• Investigators often encounter scenarios
involving multiple possible crime scenes, which
may include interconnected devices,
compromised networks, or distributed systems.
• Investigating multiple crime scenes requires
careful coordination, thorough documentation,
and forensic expertise to uncover evidence and
reconstruct the chain of events accurately.


Challenges
• Complexity: Investigating multiple crime scenes introduces
complexity due to the interconnected nature of digital systems
and the potential spread of evidence across diverse locations.
• Coordination: Coordinating investigations across multiple
crime scenes requires effective communication and
collaboration among forensic teams, law enforcement agencies,
and other stakeholders.
• Data synchronization: Ensuring the synchronization of data
and timelines across multiple crime scenes is crucial for
reconstructing events and establishing causality in digital
investigations.

Considerations
• Prioritization: Investigators must prioritize crime scenes based
on the severity of the incident, the potential impact on critical
systems or data, and the availability of resources.
• Legal jurisdiction: Consideration of legal jurisdiction and
jurisdictional boundaries is essential when investigating multiple
crime scenes across different geographic locations or
jurisdictions.
• Evidence correlation: Correlating evidence collected from
multiple crime scenes, such as log files, timestamps, and network
traffic, is necessary to reconstruct the sequence of events and
identify potential suspects or motives.


Strategies
• Parallel investigations: Conducting parallel investigations allows
forensic teams to focus on individual crime scenes while
maintaining communication and sharing relevant findings in real-
time.
• Centralized command: Establishing a centralized command
center or digital forensics lab can facilitate coordination, resource
allocation, and information sharing among investigative teams.
• Cross-disciplinary collaboration: Collaboration with experts in
related fields, such as network security, data analytics, and legal
counsel, can provide valuable insights and expertise for complex
multi-scene investigations.

Identification

Context of the investigation is very important
Do not operate in a vacuum!
Do not overlook non-electronic sources of evidence
• Manuals, papers, printouts, etc.

Devices Identification


Collection
Care must be taken to minimize contamination
Collect or seize the system(s)
Create forensic image
Live or Static?
Do you own the system?
What does your policy say?


Collection: Documentation


Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – DO
NOT ALTER THE SCENE


Collection: Documentation
Make sure to take photos and notes of all connections
to the computer/other devices


Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from the
original (as much as possible)
• A file copy does not recover all data areas of the device for
examination
• Working from a duplicate image
• Preserves the original evidence
• Prevents unintentional alteration of original evidence during
examination
• Allows recreation of the duplicate image if necessary


Collection: Imaging
•Digital evidence can be duplicated with no degradation
from copy to copy
• This is not the case with most other forms of evidence


Collection: Digital Data Replication

• When digital evidence is duplicated by forensic (bit-stream) imaging, the copy is an exact replica of the original: every sector, including slack space, unallocated space and deleted data, is reproduced, and the image hashes to the same value as the source media.
• A plain file copy is not a forensic duplicate. It reproduces only the allocated files the operating system exposes, may alter timestamps and other metadata, and leaves residual data behind. Verify every duplicate with a hash so that its integrity and authenticity can be demonstrated.
Collection: Benefits of Duplication


•Preservation of Original Evidence: Duplication allows
forensic examiners to create multiple copies of digital
evidence while preserving the original, ensuring its
integrity and chain of custody.
•Analysis and Examination: Duplicate copies enable
forensic investigators to conduct parallel analysis and
examination without altering or compromising the original
evidence.
•Collaboration and Sharing: Copies of digital evidence
can be shared with other forensic examiners, experts, or
stakeholders for review, analysis, and collaboration.

Collection: Imaging

Write blockers
• Software
• Hardware

Write blockers
• Write blockers are hardware or software
devices used in digital forensics to prevent
data alteration on storage devices during the
process of evidence acquisition.
• They ensure that the original data on the
storage device remains unchanged, preserving
its integrity for forensic analysis.


Functionality
• Write blockers intercept write commands from
the forensic examiner's computer to the
storage device, allowing read operations while
blocking write operations.
• They act as a transparent intermediary
between the storage device and the forensic
tool, ensuring that no data is written to the
device during the forensic process.

Purpose
• Prevents contamination: By blocking write access to
the storage device, write blockers prevent accidental or
intentional alteration of data, preserving the integrity of
the original evidence.
• Admissibility in court: The use of write blockers
ensures that the forensic examiner can demonstrate the
integrity of the evidence, increasing its admissibility in
legal proceedings.
• Protects against inadvertent writes: Operating systems routinely write to media the moment it is attached (file system journal replay, last-access timestamps, system volume folders, thumbnail caches). A write blocker stops those writes, and any that malware on the examination workstation might attempt, from reaching the evidence media.


Types of Write Blockers

• Hardware write blockers: Physical devices (e.g. SATA, IDE or USB bridges) placed between the forensic workstation and the storage device. They pass read commands through and discard or fail write commands, so the device is effectively read-only regardless of what the workstation's operating system tries to do.
• Software write blockers: Software installed on the forensic workstation (a driver, a registry/policy setting, or a read-only mount) that intercepts write commands from the operating system or forensic tools before they reach the device. Because they depend on the host operating system behaving correctly, they are generally considered less trustworthy than hardware blockers and must be validated on the exact host configuration in use.

Considerations
• Compatibility: Write blockers must be compatible with a
wide range of storage devices, including hard drives, solid-
state drives (SSDs), USB drives, and memory cards.
• Validation: Forensic examiners should validate the
effectiveness of write blockers through testing and
verification to ensure they function as intended and do not
introduce any unintended artifacts.
• Chain of custody: Write blockers play a crucial role in
maintaining the chain of custody by ensuring that the
original evidence remains intact and unaltered throughout
the forensic process.


Collection: Imaging
Forensic Copies (Bitstream)
Bit-for-bit copying captures all the data on the copied media, including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files, etc.)
Often the "smoking gun" is found in the residual data.
Imaging from a disk (drive) to a file (e.g., a raw/dd or E01 image) is becoming the norm
• Multiple cases can be stored on the same media
• No risk of residual data on the destination media leaking into the evidence, as can happen with disk-to-disk cloning
Remember: avoid working from the original
Use a write blocker even when examining a copy!

Smoking Gun
• Definite: A smoking gun provides clear and undeniable
evidence that supports the investigator's hypothesis or
conclusion without ambiguity.
• Decisive: It has a significant impact on the investigation,
often leading to breakthroughs, confessions, or
convictions.
• Contextual: The significance of a smoking gun may
depend on the context of the investigation and the
relevance of the evidence to the case.


Examples of Smoking Guns in Digital Forensics
• Incriminating Files: Discovering files containing explicit
evidence of illegal activity, such as financial fraud,
intellectual property theft, or cyberattacks.
• Deleted Data Recovery: Recovering deleted files,
messages, or logs that provide critical information about
the perpetrator's actions or intentions.
• Digital Signatures: Identifying digital signatures,
timestamps, or metadata that link a suspect to specific
digital artifacts or activities.

Impact of a Smoking Gun
• Case Resolution: A smoking gun often leads to the
resolution of the case, either through the prosecution of
the perpetrator or the exoneration of the accused.
• Legal Proceedings: It serves as compelling evidence in
legal proceedings, strengthening the prosecution's case
or providing grounds for defense arguments.
• Deterrence: The discovery of a smoking gun may deter
future criminal activity by demonstrating the effectiveness
of digital forensic investigations in uncovering
wrongdoing.


Challenges in Finding a Smoking Gun

• Data Overload: Sorting through vast amounts of digital data to identify relevant evidence can be challenging and time-consuming.
• Encryption and Obfuscation: Criminals may use encryption, obfuscation, camouflage (e.g., renamed files or altered extensions), or other anti-forensic techniques to conceal incriminating evidence, making it difficult to find a smoking gun.
• Legal and Ethical Considerations: Adhering to legal and ethical standards in digital forensic investigations is crucial to ensure the admissibility and reliability of evidence obtained.

Imaging: Authenticity & Integrity

• How do we demonstrate that the image is a true unaltered copy of the original?
  - Hashing (MD5, SHA-256)
• A mathematical algorithm that produces a fixed-length value (128-bit for MD5, 256-bit for SHA-256) that is, in practice, unique to the input
• Can be performed on various types of data (files, partitions, physical drive)
• The value can be used to demonstrate the integrity of your data
  - Any change to the data, even a single bit, will result in a different value
• The same process can be used to demonstrate the image has not changed from time-1 to time-n
• MD5 and SHA-1 have known collision attacks, so record a SHA-2 hash (SHA-256) alongside any MD5 that legacy tools produce. The hash of the source media taken through the write blocker before imaging should match the hash of the image file.

• Hash: A hash value (or simply hash) is a number generated from a string of data.
• The hash is substantially smaller than the data itself, and is generated by a formula in such a way that it is extremely unlikely that some other data will produce the same hash value.
• One-way hash function: An algorithm that turns data into a fixed string of digits, usually for security or data management purposes. The "one way" means that it is computationally infeasible to derive the original data from the string.
• Message Digest (MD): The representation of data in the form of a single string of digits, created using a formula called a one-way hash function.
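The following Python is an added example, not part of the lecture, that turns the time-1 to time-n check described above into code: it hashes an image in chunks with MD5 and SHA-256 in a single pass, records both digests in a sidecar manifest, and later re-verifies them, showing that a single changed byte is detected. The file names, the manifest layout and the 1 MiB chunk size are choices made for this example, not a standard.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-terabyte image never sits in RAM


def hash_stream(fobj):
    """Return {'md5': hex, 'sha256': hex} over everything readable from fobj.
    Both digests are computed in one pass; recording two algorithms guards
    against the known collision weaknesses of MD5 while keeping compatibility
    with tools that still report MD5."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_data(data):
    """Hash an in-memory byte string (convenience wrapper for small inputs)."""
    return hash_stream(io.BytesIO(data))


def write_manifest(path, digests):
    """Store the acquisition-time digests in a sidecar file (example layout:
    one 'algorithm  hexdigest' line per algorithm)."""
    with open(path, "w") as f:
        for algo, value in digests.items():
            f.write(f"{algo}  {value}\n")


def read_manifest(path):
    digests = {}
    with open(path) as f:
        for line in f:
            algo, value = line.split()
            digests[algo] = value
    return digests


def verify_image(image_path, manifest_path):
    """Re-hash the image now (time-n) and compare with the recorded digests
    (time-1). Returns {algorithm: True/False}; any False means the image is
    no longer the evidence that was acquired."""
    recorded = read_manifest(manifest_path)
    current = hash_file(image_path)
    return {algo: recorded[algo] == current[algo] for algo in recorded}


def demo():
    """Acquire -> record -> verify -> tamper -> verify again, on a constructed
    stand-in for an image. Returns the two verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        manifest = os.path.join(tmp, "evidence.dd.hashes")
        with open(image, "wb") as f:
            f.write(b"abc")  # constructed content, not a real bit-stream image
        write_manifest(manifest, hash_file(image))
        before = verify_image(image, manifest)
        with open(image, "r+b") as f:  # flip one byte: every digest must now differ
            f.seek(1)
            f.write(b"X")
        after = verify_image(image, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())  # ({'md5': True, 'sha256': True}, {'md5': False, 'sha256': False})
```

In practice the manifest is also hashed or signed and stored with the chain-of-custody record, so that the recorded digests themselves cannot be quietly replaced.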

Examination
Higher-level look at the file system representation of the data on the media
Verify integrity of image
• MD5, SHA-1, SHA-256 etc.
Recover deleted files & folders
Determine keyword list
• What are you searching for
Determine timelines
• What is the time zone setting of the suspect system
• What time frame is of importance
• Graphical representation is very useful
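The time zone point matters because every source stamps events in its own clock setting, so ordering raw timestamps from different systems produces a false sequence; this is also the "data synchronization" problem raised earlier for multiple crime scenes. The following added example (not from the lecture) normalizes constructed events from three sources into UTC before sorting and contrasts the result with the naive order. The offsets (workstation set to UTC-4, proxy logging in UTC, firewall in UTC+2) and the events themselves are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the lecture). Each source stamps events in
# its own clock setting; the offsets are assumptions for this example:
# the suspect workstation is set to UTC-4, the proxy logs in UTC, the firewall in UTC+2.
SOURCE_ZONES = {
    "workstation": timezone(timedelta(hours=-4)),
    "proxy": timezone.utc,
    "firewall": timezone(timedelta(hours=2)),
}

RAW_EVENTS = [
    ("workstation", "2024-05-08 10:17:30", "scheduled task 'Updater' created by jdoe"),
    ("proxy", "2024-05-08 14:16:40", "GET http://files.example.test/tool.zip from 192.168.1.100"),
    ("firewall", "2024-05-08 16:17:10", "allow 192.168.1.100 -> 203.0.113.5:443"),
]


def to_utc(source, local_stamp):
    """Interpret a naive timestamp in the source's configured zone, then convert to UTC."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=SOURCE_ZONES[source]).astimezone(timezone.utc)


def build_timeline(events=RAW_EVENTS):
    """Return (utc_time, source, description) tuples ordered by true time."""
    return sorted((to_utc(src, stamp), src, desc) for src, stamp, desc in events)


def naive_order(events=RAW_EVENTS):
    """Source names ordered by the raw timestamp strings, i.e. what you get
    when the zone setting of each system is ignored."""
    return [src for src, _stamp, _desc in sorted(events, key=lambda e: e[1])]


def events_between(start_utc, end_utc, events=RAW_EVENTS):
    """Restrict the normalized timeline to the time frame of interest."""
    return [e for e in build_timeline(events) if start_utc <= e[0] <= end_utc]


if __name__ == "__main__":
    for when, src, desc in build_timeline():
        print(f"{when.isoformat()}  {src:<12} {desc}")
    print("naive order:", naive_order())
```

Normalized, the sequence is download via the proxy, outbound connection through the firewall, then persistence on the workstation; the raw strings would have put the workstation event first. Clock skew (a system whose clock is simply wrong) is a separate correction that has to be measured against a trusted reference before conversion.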


Examination
Examine directory tree
• What looks out of place
• Stego tools installed
• Evidence scrubbers
Perform keyword searches
• Indexed
• Slack & unallocated space
Search for relevant evidence types
• Hash sets can be useful
• Graphics
• Spreadsheets
• Hacking tools
• Etc.

Issues
• Lack of certification for tools
• Lack of standards
• Lack of certification for professionals
• Lack of understanding by the judiciary
• Lack of curriculum accreditation
• Rapid changes in technology!
• Immature scientific discipline

What is live forensics analysis or live incident response?

• A methodology employed by digital forensics investigators to perform the real-time examination and investigation of a computer system or network while it remains operational.
• This process entails the retrieval and examination of volatile and transient data, which resides solely within the system's memory, temporary files, or cache, and will be lost once the system is powered down or altered by other processes.
• The primary objective of live forensics analysis is to capture as much information as possible from the system while altering its state as little as possible. Every action on a live system (running a tool, opening a console) changes memory and disk, so collect in order of volatility and document each command and its time.

Benefits over dead box analysis
• Volatile data acquisition: Live forensics analysis allows investigators
to collect volatile data in Random Access Memory (RAM), such as
network connections, running processes, and system logs, that would
be lost in a dead box analysis.
• Real-time monitoring: Live forensics analysis enables investigators
to monitor a system or network in real-time, which can help identify
suspicious behavior and provide early warning of potential threats.
• Immediate response: Live forensics analysis can improve the quality
and speed of investigations by providing investigators with access to
critical information in real time.


Network forensics

• Involves analyzing the data traffic that flows in and out of a network to detect and investigate security incidents.
• involves identifying sources of evidence, such as routers,
firewalls, switches, and web proxies, and analyzing the data
traffic that flows through them.
• a means of understanding the intentions and actions of
attackers, as well as identifying the artifacts they leave behind.
• often used to investigate serious security incidents, such as
ransomware attacks and advanced persistent threats.

Network forensics

• Investigating a data breach: In the event of a data breach, network forensics can be used to identify how the attacker gained access to the network and what data was compromised.
• By analyzing network traffic logs, investigators can trace the
attacker’s path through the network and identify the specific
systems and data that were targeted.


Network forensics

• Analyzing malware behavior:
• Network forensics can also be used to analyze the behavior of malware on a network.
• By capturing and analyzing network traffic, investigators can
identify the communication channels used by the malware, the
commands issued by its controllers, and the data it collects and
ex-filtrates.

Network forensics

• Identifying insider threats:
• Network forensics can be used to identify insider threats, such as employees who are stealing company data or engaging in other unauthorized activities on the network.
as employees who are stealing company data or engaging in
other unauthorized activities on the network.
• By analyzing network traffic logs, investigators can identify
suspicious patterns of behavior and trace them back to specific
individuals.


Network forensics

• Detecting network intrusions:
• Network forensics can be used to detect network intrusions in
real-time. By monitoring network traffic, investigators can identify
suspicious activity and respond quickly to prevent damage.

Network forensics

• Investigating cyber-attacks:
• Network forensics can be used to investigate cyber-attacks,
including phishing attacks, DDoS attacks, and ransomware
attacks.
• By analyzing network traffic, investigators can identify the
source of the attack, the methods used by the attacker, and the
extent of the damage caused.


List of sources of network forensics data
• Wired networks
• Wireless networks
• Firewall logs
• Proxy Server logs
• Routing tables on routers
• Domain controller logs
• Endpoint/system network logs
• Authentication logs
• IDS/IPS logs

• Tap wired network traffic: To capture network traffic using a tap, you would typically use a packet capture tool such as tcpdump or Wireshark. Select the interface that is connected to the tap and start the capture.
• First find the Ethernet interface name, e.g. with ip link (or the older ifconfig). In our case it is eth0.
• Command: sudo tcpdump -i eth0 -w capture.pcap
• -i is the switch for the interface, which can be Ethernet or wireless. -w is the switch for writing the raw packets to a file, in our case capture.pcap. Hash the resulting file as soon as the capture ends, exactly as you would a disk image, so its integrity can be demonstrated later.


• Wireless networks: To capture wireless network traffic, you can use a packet capture tool such as Wireshark or tcpdump. These tools allow you to capture traffic on a specific wireless network interface.
• Here is an example command to capture wireless traffic using tcpdump:
• Command: sudo tcpdump -i wlan0 -w wireless_capture.pcap
• This command captures traffic on the wlan0 interface and writes it to a file called wireless_capture.pcap. Note that the lower-case -i selects the interface; the capital -I option puts the adapter into monitor mode, which is what you need to see the 802.11 frames of other stations rather than only traffic to and from the capture host, and the adapter must support it.
• You can then analyze the captured traffic using a tool like Wireshark.

• Firewall logs: To view firewall logs natively, you would typically access the device's management interface and navigate to the log settings. From there, you can typically view the logs in real-time or export them to a file.
• To view firewall logs, you can use the firewall's management interface or command line interface.
• For example, on a Palo Alto Networks firewall, the CLI command to view the traffic log is:
• Command: show log traffic
• On a Cisco ASA firewall the equivalent is show logging, which prints the syslog buffer. In practice, forward firewall logs to a central syslog server or SIEM so that they survive device reboots and log rotation and can be correlated with the other sources listed above.

• Proxy server logs: To view proxy server logs natively, you would typically access the device's management interface and navigate to the log settings. From there, you can typically view the logs in real-time or export them to a file.
• For example, on a Squid proxy server, you could use the following command to follow the access log:
• Command: tail -f /var/log/squid/access.log
• This command displays the access log in real-time as new requests arrive.
• In Squid's default (native) log format each line lists: the request timestamp (Unix epoch seconds with milliseconds), the request duration in milliseconds, the client IP address, the cache result code and HTTP status (e.g. TCP_MISS/200, or TCP_DENIED/403 for a denied request), the size of the response in bytes, the HTTP method and URL, the username (or "-" if authentication is not enabled), the hierarchy code and upstream peer, and the content type.

• IDS/IPS logs: To view IDS/IPS logs natively, you would typically access the device's management interface and navigate to the log settings. From there, you can typically view the logs in real-time or export them to a file.
• For example, on a Snort IDS, you could use the following command to follow the alert log:
• Command: tail -f /var/log/snort/alert
• (The slide shows the output of this command as a screenshot, which is not reproduced here.)
• In the above example, the log entry contains the following information:
• Timestamp: 05/05-2023:16:45:28.789983
• Snort rule ID: [1:2016056:4], i.e. generator ID 1 (the rules engine), signature ID 2016056, rule revision 4

• Snort rule description: ET TROJAN CoinMiner Known Malicious Stratum Authline Detected
• Classification: A Network Trojan was detected.
• Priority: 1
• Protocol: TCP
• Source IP address: 192.168.1.100
• Source port: 52094
• Destination IP address: 12.34.56.78
• Destination port: 3333
• This log entry indicates that Snort has detected a known malicious stratum authentication line associated with a CoinMiner Trojan on a host with IP address 192.168.1.100, attempting to communicate with an external IP address 12.34.56.78 on port 3333.
• The severity of this alert is classified as Priority 1, indicating that it is a high-priority alert that requires immediate attention.
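As an added example (not from the lecture), the following Python parses the Snort alert fields listed above from Snort's single-line "fast" alert format and the Squid access.log fields described earlier, then correlates a Priority 1 alert with the proxy requests the same host made shortly before it, the kind of evidence correlation across sources that the multiple-crime-scene slides call for. The log lines are constructed for the example: the first Snort line re-creates the alert the slide describes, the second is a made-up low-priority alert, and the Squid lines use the page's example addresses. The 10-minute window, the year, and the assumption that both sensors log in UTC are example choices the examiner would have to confirm against the real sensor clocks.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from the page). The first Snort line re-creates the
# alert described on the slide in Snort's one-line "fast" output format; the second
# is a made-up lower-priority alert. The Squid lines follow Squid's native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SNORT_ALERTS = """\
05/05-16:45:28.789983  [**] [1:2016056:4] ET TROJAN CoinMiner Known Malicious Stratum Authline Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.100:52094 -> 12.34.56.78:3333
05/05-16:47:03.120001  [**] [1:9000001:1] EXAMPLE POLICY Outbound connection to test host [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.101:49321 -> 203.0.113.5:443
"""

SQUID_LOG = """\
1683301500.300     90 192.168.1.100 TCP_MISS/200 3021 GET http://news.example/ - HIER_DIRECT/198.51.100.7 text/html
1683305100.512    210 192.168.1.100 TCP_MISS/200 48213 GET http://12.34.56.78/miner.zip - HIER_DIRECT/12.34.56.78 application/zip
1683305110.004     35 192.168.1.101 TCP_HIT/200 1184 GET http://intranet.example/index.html jdoe NONE/- text/html
"""

SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_snort(text, year=2023):
    """Parse fast-format alerts into dicts. Snort omits the year and logs the
    sensor's local time; the year and a UTC sensor clock are assumptions here."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_FAST.match(line)
        if not m:
            continue  # ignore anything that is not a fast-format alert line
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return alerts


def parse_squid(text):
    """Parse Squid native access.log lines into dicts (timestamps are epoch UTC)."""
    requests = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # malformed or truncated line
        result, _, status = f[3].partition("/")
        requests.append({
            "ts": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            "elapsed_ms": int(f[1]), "client": f[2], "result": result,
            "status": int(status), "bytes": int(f[4]), "method": f[5], "url": f[6],
            "user": None if f[7] == "-" else f[7], "hierarchy": f[8], "type": f[9],
        })
    return requests


def correlate(alerts, requests, window=timedelta(minutes=10), max_priority=1):
    """For each alert with priority <= max_priority (1 is Snort's most severe),
    collect the proxy requests the alerting host made within `window` before it."""
    hits = []
    for a in alerts:
        if a["priority"] > max_priority:
            continue
        start = a["ts"] - window
        related = [r for r in requests
                   if r["client"] == a["src"] and start <= r["ts"] <= a["ts"]]
        if related:
            hits.append({"sid": a["sid"], "msg": a["msg"], "host": a["src"],
                         "requests": related})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_snort(SNORT_ALERTS), parse_squid(SQUID_LOG)):
        print(f"[{hit['sid']}] {hit['host']}: {hit['msg']}")
        for r in hit["requests"]:
            print(f"    {r['ts'].isoformat()} {r['method']} {r['url']} ({r['bytes']} bytes)")
```

The correlation only holds if the sensors' clocks have been compared against a trusted reference; if the Snort sensor were logging local time rather than UTC, the window would shift by the zone offset and the proxy download would silently drop out of the match.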

Memory forensics

• Focuses on analyzing a computer system's volatile memory (RAM) to extract valuable information and uncover evidence related to a digital investigation.
• This includes information about currently running processes, network
connections, encryption keys, passwords, and other sensitive data.
• Memory forensics can also be used to detect and analyze malware.
• Malicious software often employs various techniques to hide its presence
on a compromised system, such as rootkits or process injection.
• Through memory analysis, investigators can identify signs of malicious
activity, locate injected code, and discover Indicators of Compromise
(IOCs) that can be used to detect and mitigate the malware.


Memory acquisition from virtual platforms

• Make sure the target virtual machine to be used for memory capture is running.
• Go to the terminal of the host environment and make sure VBoxManage (the VirtualBox command line tool) is installed.
• Command: vboxmanage debugvm "Target_Ubuntu_Machine" dumpvmcore --filename=/home/kidrah/Documents/Victim\ shared/Ubuntu/ubuntu.dmp
• The above command will acquire the memory of the Target_Ubuntu_Machine and output it as ubuntu.dmp at the specified location. Because the dump is taken by the hypervisor, nothing is executed inside the guest, so the guest's memory is captured without the contamination that a guest-side acquisition tool would introduce. Hash the dump immediately and record it in the chain of custody.


Careers
One of the fastest growing job markets!

Paths to Careers in CF
Certifications
Associate Degree
Bachelor Degree
Post Grad Certificate
Masters
Doctorate


Job Functions

CF Technician
CF Investigator
CF Analyst/Examiner (lab)
CF Lab Director
CF Scientist
