Lecture Delivery Plan
UNIT 4: UNDERSTANDING COMPUTER FORENSICS
Lecture-25
4.25.1 Introduction
Cyber Forensics is simply the application of computer investigation and analysis techniques in the
interest of determining potential legal evidence. Forensic computing is the process of identifying,
preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. It is
the study of evidence from attacks on computer systems in order to learn what has occurred, how to
prevent it from recurring and the extent of the damage.
Cyber Forensics is one of the emerging professions of the 21st century. It can be thought of as the
investigation of computer-based evidence of criminal activity, using scientifically developed methods
that attempt to discover and reconstruct event sequences from such activity.
The fascinating part of the science is that the computer operating system invariably leaves behind
computer evidence transparently, without the knowledge of the computer operator. The information may
actually be hidden from view. Any enterprise that uses computer networks should be concerned with
both security and forensic capabilities. It is suggested that forensic tools be developed to scan
computers and networks within an enterprise continually for illegal activities.
When misuse is detected, these tools should record the sequence of events and store relevant data for
further investigation. Special forensic software tools and techniques are required in order to
recognize and retrieve such evidence. Cyber Forensics involves obtaining and analyzing such digital
information for use in civil, criminal or administrative cases. Digital evidence was not considered
tangible evidence in courts until recently, but it is now gaining importance.
4.25.2 Digital Forensics Science
With the advent of new forms of criminality associated with the growth of digital technologies, a number
of terms are used within the forensic community. These include cyber crime, high-tech crime and new
technology crime, to indicate new and digitized versions of existing crime. Some crimes can be placed
on a spectrum depending upon the extent to which they involve the digital environment.
Consider a street thief who first observes an unwary user input the PIN at an ATM and then steals the
card and later withdraws cash; this is not a crime that appears to be particularly digital and it is
therefore placed at the less digital end of the spectrum. On the other hand, skimming the magnetic strip,
cloning the card and then using it to make transactions is clearly a crime unique to the digital era and
would be placed at the more digital end of the spectrum.
Similarly, some crimes are more likely to have a digital aspect than to uniquely exploit digital
technologies. For example, in a fraud enacted via eBay, the fraudster may have planned the fraud on the
internet, setting up temporary and difficult-to-trace email accounts and surfing the internet for
images, descriptions and prices. These are activities which exploit the advantages of digital
technologies but nonetheless arise from a conventional and classic form of crime.
4.25.3 The Need for Computer Forensics
As the world becomes more connected digitally, digital evidence for solving crimes is becoming
more relevant every day. A computer forensics investigator’s job is to collect, examine, and
safeguard this evidence to help solve cyber crimes and to recover important compromised data.
Lecture-26
4.26.1 Cyber Forensics and Digital Evidence
Computer forensics, also called digital or cyber forensics, is a field of technology that uses
investigation techniques to help identify, collect, and store evidence from an electronic device. Often,
computer forensics professionals uncover evidence that can be used by law enforcement agencies, or by
businesses and individuals to recover lost and damaged data.
4.26.2 Why is Computer Forensics Important?
As the world becomes more connected digitally, digital evidence for solving crimes is becoming more
relevant every day. A computer forensics investigator’s job is to collect, examine, and safeguard this
evidence to help solve cyber crimes and to recover important compromised data.
Types of Computer Forensics
Computer forensics always involves gathering and analysing evidence from digital sources. Some
common types include:
Database forensics: Retrieval and analysis of data or metadata found in databases
Email forensics: Retrieval and analysis of messages, contacts, calendars, and other information on
an email platform
Mobile forensics: Retrieval and analysis of data like messages, photos, videos, audio files, and
contacts from mobile devices
Memory forensics: Retrieval and analysis of data stored on a computer's RAM (random access
memory) and/or cache
Network forensics: Use of tools like intrusion detection systems and firewalls to monitor network
traffic
Malware forensics: Analysis of code to identify malicious programs like viruses, ransomware, or
Trojan horses
4.26.3 Common Computer Forensics Techniques
When conducting an investigation and analysis of evidence, computer forensics specialists use various
techniques; here are four common ones:
Deleted file recovery. This technique involves recovering and restoring files or fragments that are
deleted by a person—either accidentally or deliberately—or by a virus or malware.
Reverse-steganography. The process of attempting to hide data inside a digital message or file is
called steganography. Reverse-steganography happens when computer forensics specialists look at the
hash of a message or of the file contents. A hash is a string of data which changes when the message
or file is interfered with.
Cross-drive analysis. This technique involves analysing data across multiple computer drives.
Strategies like correlation and cross-referencing are used to compare events from computer to
computer and detect anomalies.
Live analysis. This technique involves analysing a running computer's volatile data stored in RAM
(random access memory) or cache memory. This helps pinpoint the cause of abnormal computer
traffic.
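The deleted-file-recovery technique listed above can be illustrated with signature-based file carving: when a file's directory entry is gone, its bytes usually remain in unallocated space and can be located by the header and footer signatures of the file format. The Python script below is an added example written for these notes, not code from the lecture; the disk image, the PNG and JPEG payloads and the MAX_CARVE limit are constructed values, and the PNG/JPEG signatures are the formats' published magic bytes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header and footer signatures for two common image formats.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Upper bound on a carved file when no footer is found (constructed limit).
MAX_CARVE = 10 * 1024 * 1024


@dataclass
class CarvedFile:
    kind: str        # which signature matched
    offset: int      # byte offset of the header in the image
    length: int      # number of bytes carved
    complete: bool   # True if a matching footer was found within max_size
    data: bytes      # the recovered bytes


def carve(image: bytes, signatures=SIGNATURES, max_size: int = MAX_CARVE) -> List[CarvedFile]:
    """Scan raw image bytes for header/footer pairs and return the recovered files.

    The scan ignores any file system structure on purpose: it is what lets
    a deleted file be recovered after its directory entry has been removed.
    A header with no footer (truncated or partially overwritten file) is
    still reported, flagged as incomplete, so the analyst can inspect it.
    """
    found: List[CarvedFile] = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end != -1 and end + len(footer) - pos <= max_size:
                stop, complete = end + len(footer), True
            else:
                stop, complete = min(pos + max_size, len(image)), False
            found.append(CarvedFile(kind, pos, stop - pos, complete, image[pos:stop]))
            pos = image.find(header, stop)
    return sorted(found, key=lambda c: c.offset)


# Constructed "disk image": two deleted files surrounded by unallocated
# space, plus a PNG whose tail has been overwritten (no IEND footer).
SAMPLE_PNG = SIGNATURES["png"][0] + b"IHDR constructed chunk data" + SIGNATURES["png"][1]
SAMPLE_JPEG = SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF constructed payload" + SIGNATURES["jpeg"][1]
DISK_IMAGE = (
    b"\x00" * 64
    + SAMPLE_PNG
    + b"\x00" * 32
    + SAMPLE_JPEG
    + b"\xff" * 16
    + SIGNATURES["png"][0] + b"truncated file, footer overwritten"
)


if __name__ == "__main__":
    for f in carve(DISK_IMAGE):
        state = "complete" if f.complete else "INCOMPLETE"
        print(f"{f.kind:5} at offset {f.offset:6} length {f.length:4} {state}")
```

Carving recovers content, not names or timestamps: those lived in the directory entry that was removed, which is why the recovered items are identified only by offset and format in the output.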
4.26.4 Digital or Electronic Evidence
Digital or Electronic Evidence is any information or data of investigative value that is stored on or
transmitted by an electronic device. Equipment and software are required to make the evidence
visible, and testimony may be required to explain the examination process and any process limitations.
Electronic Evidence is accepted as physical evidence, and by its nature is fragile. It can be altered,
damaged, or destroyed by improper handling or improper examination. Thus, special precautions
must be taken to document, collect, preserve, and examine this type of evidence. Methods taken to
collect evidence must preserve the integrity of evidence.
Lecture-27
4.27.1 Forensics Analysis of E-Mail
Email is one of the most popular services used over the internet and has become a primary means of
communication for organizations and the public. Usage of email services in business activities like
banking, messaging and sending file attachments has increased at a tremendous rate.
This medium of communication has become vulnerable to different kinds of attacks. Hackers can forge
email headers and send email anonymously for their malicious purposes.
Hackers can also exploit open relay servers to carry out social engineering on a massive scale. Email is
the most common source of phishing attacks. To mitigate these attacks and catch the people responsible,
we use email forensics and techniques like header analysis, server investigation, sender mailer
fingerprinting etc. Email forensics is the analysis of the source and content of the email message,
identification of the sender and receiver, the date and time of the email, and the analysis of all the
entities involved. Email forensics also refers to the forensics of client or server systems suspected of
involvement in an email forgery.
Email Architecture:
When a user sends an email, it does not go directly to the mail server at the recipient’s end;
rather, it passes through several mail servers.
The MUA (Mail User Agent) is the program at the client end that is used to read and compose emails.
There are different MUAs like Gmail, Outlook etc. Whenever the MUA sends a message, it goes to an MTA
(Mail Transfer Agent), which decodes the message, identifies where it is meant to be sent by reading the
header information, modifies the header by adding its own data, and then passes it to the MTA at the
receiving end. The last MTA, present just before the receiving MUA, decodes the message and sends it to
the MUA at the receiving end. That is why, in the email header, we can find information about multiple
servers.
Email Header Analysis:
Email forensics starts with the study of the email header, as it contains a vast amount of information
about the email message. This analysis consists of the study of both the content body and the email
header containing the information about the given email. Email header analysis helps in identifying most
email-related crimes like spear phishing, spamming, email spoofing etc. Spoofing is a technique by which
one can pretend to be someone else, so that a normal user would think for a moment that the email is
from a friend or some person they already know.
It is just that someone is sending emails from a spoofed copy of the friend’s email address; it is not
that the friend’s account has been hacked.
By analyzing email headers, one can know whether the email received is from a spoofed email address or
a real one. Here is how an email header looks:
In order to understand the header information, one has to understand the structured set of
fields in the table.
X-Apparently-To: This field is useful when the email is sent to more than one recipient, as with bcc
or a mailing list. It normally contains the address in the To field, but in the case of bcc the
X-Apparently-To field is different. So this field gives the address of the actual recipient regardless
of whether the email was sent as cc, bcc or via a mailing list.
Return-Path: The Return-Path field contains the mail address that the sender specified in the
From field.
Received-SPF: This field contains the domain from which the mail has come. In this case it is:
Received-SPF: pass (google.com: domain of [email protected] designates
209.85.000.00 as permitted sender) client-ip=209.85.000.00;
X-Spam-Ratio: Spam filtering software at the receiving server or MUA calculates a spam score. If the
spam score exceeds a certain limit, the message is automatically sent to the spam folder. Different
MUAs use different field names for spam scores, like X-Spam-Ratio, X-Spam-Status, X-Spam-Flag,
X-Spam-Level etc.
Received: This field contains the IP address of the last MTA server at the sending end, which then sends
the email to the MTA at the receiving end. In some places, this can be seen under the X-Originated-To
field.
X-Sieve: This field specifies the name and version of the message filtering system. Sieve is the
language used to specify conditions for filtering email messages.
X-Spam-Charsets: This field contains information about the character sets used for filtering emails,
like UTF-8 etc. UTF-8 is a good character set in that it is backward compatible with ASCII.
X-Resolved-To: This field contains the email address of the recipient or, we can say, the address of
the mail server to which the sender’s MDA (Mail Delivery Agent) delivers. Most of the time,
X-Delivered-To and this field contain the same address.
Authentication-Results: This field tells whether the received mail from the given domain has passed
the DKIM and DomainKeys signature checks or not. In this case, it does.
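The fields described above can be pulled out of a raw message programmatically. The Python script below is an added example for these notes, not the lecture’s own code; it parses a constructed message (every address, host name and IP in it is a documentation or test value, not a real email) and extracts the Received chain, the Received-SPF result and client IP, the Authentication-Results, the spam score and the sender domains. It goes one step beyond the text by comparing the From domain with the Return-Path domain: SPF can pass for the envelope sender while the visible From address is the one being spoofed, which is exactly the case header analysis is meant to expose.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not from the lecture notes). The visible From
# claims bank.test, while Return-Path and Received-SPF point at another domain.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example-bulk.test>
Received: from mx.recipient.test (mx.recipient.test [198.51.100.7])
    by imap.recipient.test with LMTP id ABC123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example-bulk.test (relay.example-bulk.test [203.0.113.25])
    by mx.recipient.test with ESMTPS id XYZ789; Mon, 1 Jan 2024 10:00:03 +0000
Received-SPF: pass (recipient.test: domain of bounce@mail.example-bulk.test designates 203.0.113.25 as permitted sender) client-ip=203.0.113.25;
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=mail.example-bulk.test; dkim=none
X-Spam-Status: No, score=4.2 required=5.0
From: "Your Bank" <alerts@bank.test>
To: victim@recipient.test
Subject: Please verify your account
Date: Mon, 1 Jan 2024 09:59:59 +0000

Please log in at the link below.
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """IP addresses from the Received: chain, most recent hop first.

    Each MTA prepends its own Received: line, so the last entry is the
    first MTA at the sending end and the first entry is the last MTA
    before delivery to the recipient's MUA.
    """
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(str(value))
        if m:
            hops.append(m.group(1))
    return hops


def spf_result(msg):
    """Parse Received-SPF into (result, client-ip); ('none', None) if missing."""
    value = str(msg.get("Received-SPF", "")).strip()
    if not value:
        return ("none", None)
    result = value.split()[0].rstrip(";").lower()
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", value)
    return (result, m.group(1) if m else None)


def authentication_results(msg):
    """{method: result} pairs (spf/dkim/dmarc) from Authentication-Results."""
    value = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value)}


def spam_score(msg):
    """Numeric score from an X-Spam-Status field, or None."""
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", str(msg.get("X-Spam-Status", "")))
    return float(m.group(1)) if m else None


def analyze_headers(raw):
    """Summarise the header fields and flag a From/Return-Path domain mismatch."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    spf, client_ip = spf_result(msg)
    hops = received_hops(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "client_ip": client_ip,
        "hops": hops,
        "sending_mta": hops[-1] if hops else None,
        "auth": authentication_results(msg),
        "spam_score": spam_score(msg),
        # SPF is evaluated on the envelope sender, so it can pass while the
        # visible From address belongs to a different, spoofed domain.
        "from_mismatch": from_domain != return_path_domain,
    }


if __name__ == "__main__":
    for key, val in analyze_headers(RAW_MESSAGE).items():
        print(f"{key:20} {val}")
```

Run on the constructed message, the summary shows SPF passing for mail.example-bulk.test, no DKIM signature, a spam score just under the threshold, and a From domain that does not match the Return-Path: individually unremarkable, together the pattern of a spoofed phishing message.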
Lecture-28
4.28.1 Digital Forensics Life Cycle
The digital forensics process is shown in the following figure. Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
4.28.2 Chain of Custody Concept
A chain of custody is the process of validating how evidence has been gathered, tracked, and
protected on the way to the court of law. Forensic professionals know that if you do not have a chain of
custody, the evidence is worthless.
The chain of custody is a chronological written record of those individuals who have had custody of
the evidence from its initial acquisition to its final disposition. A chain of custody begins when
evidence is collected and is maintained until the evidence is disposed of. The chain of custody assumes
continuous accountability.
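Both the hash check described under reverse-steganography in Lecture-26 and the chain of custody described here rest on the same mechanism: a cryptographic hash of the evidence taken at acquisition, recorded at every handover, and recomputed so that any alteration, even a single flipped bit, shows up as a mismatch against the acquisition hash. The Python script below is an added example for these notes, not code from the lecture; the evidence bytes, item identifier and handler names are constructed, and the CustodyEvent/EvidenceItem records are a hypothetical layout, not any particular agency’s custody form.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the evidence bytes; any change to the data changes it."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    timestamp: str
    handler: str    # person taking custody at this step
    action: str     # acquired / transferred / examined / stored
    sha256: str     # hash of the evidence as handed over at this step


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str               # reference value fixed at collection
    events: List[CustodyEvent] = field(default_factory=list)


def acquire(item_id: str, description: str, data: bytes, handler: str) -> EvidenceItem:
    """Start the chain: hash the evidence at collection and log the first custodian."""
    h = sha256_hex(data)
    item = EvidenceItem(item_id, description, h)
    item.events.append(CustodyEvent(utc_now(), handler, "acquired", h))
    return item


def record(item: EvidenceItem, data: bytes, handler: str, action: str) -> bool:
    """Log a handover, re-hashing the evidence; True if it still matches acquisition."""
    h = sha256_hex(data)
    item.events.append(CustodyEvent(utc_now(), handler, action, h))
    return h == item.acquisition_hash


def verify_chain(item: EvidenceItem) -> Tuple[bool, List[int]]:
    """(intact, broken_indices): events whose hash differs from the acquisition hash."""
    broken = [i for i, ev in enumerate(item.events) if ev.sha256 != item.acquisition_hash]
    return (not broken, broken)


def custody_report(item: EvidenceItem) -> str:
    """Human-readable custody log of the kind attached to an evidence bag or case file."""
    lines = [f"Item {item.item_id}: {item.description}",
             f"Acquisition SHA-256: {item.acquisition_hash}"]
    for i, ev in enumerate(item.events):
        status = "OK" if ev.sha256 == item.acquisition_hash else "MISMATCH"
        lines.append(f"  [{i}] {ev.timestamp} {ev.action:<12} {ev.handler:<12} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed evidence: a short byte string standing in for a disk image.
    original = b"constructed disk image contents for the custody demo"
    item = acquire("E-0001", "USB stick image (constructed)", original, "Officer A")
    record(item, original, "Analyst B", "transferred")
    tampered = bytearray(original)
    tampered[0] ^= 0x01              # one flipped bit is enough to break the hash
    record(item, bytes(tampered), "Analyst C", "examined")
    print(custody_report(item))
    print("chain intact:", verify_chain(item))
```

The report makes the break visible at the exact handover where the bytes changed, which is what lets an examiner show in court that the copy analysed is, or is not, the copy that was seized.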
4.28.3 Network Forensics
Network forensics is a subcategory of digital forensics that deals with the examination of a network
and the traffic going across it when the network is suspected to be involved in malicious activities,
for example a network that is spreading malware for stealing credentials, and with its investigation for
the purpose of analyzing cyber-attacks. As the internet grew, cybercrimes grew along with it, and so
did the significance of network forensics, with the development and acceptance of network-based
services such as the World Wide Web, e-mail, and others.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
Identification: In this process, investigators identify and evaluate the incident based on the
network pointers.
Safeguarding: In this process, the investigators preserve and secure the data so that
tampering can be prevented.
Accumulation: In this step, a detailed report of the crime scene is documented and all the
collected pieces of digital evidence are duplicated.
Observation: In this process, all the visible data is tracked along with the metadata.
Investigation: In this process, a final conclusion is drawn from the collected pieces of
evidence.
Documentation: In this process, all the pieces of evidence, reports and conclusions are documented and
presented in court.
Challenges in Network Forensics:
The biggest challenge is to manage the data generated during the process.
The intrinsic anonymity of IP addresses.
Address spoofing.
Advantages:
Network forensics helps in identifying security threats and vulnerabilities.
It analyzes and monitors network performance demands.
Network forensics helps in reducing downtime.
Network resources can be used in a better way by reporting and better planning.
It helps in a detailed network search for any trace of evidence left on the network.
Disadvantage:
The only disadvantage of network forensics is that it is difficult to implement.
Lecture-29
4.29.1 Approaching a Computer Forensics Investigation
The phases in a computer forensics investigation are:
Secure the subject system
Take a copy of the hard drive/disk
Identify and recover all files
Access/view/copy hidden, protected, and temp files
Study special areas on the drive
Investigate the settings and any data from programs on the system
Consider the system from various perspectives
Create a detailed report containing an assessment of the data and information collected
4.29.2 Relevance of the OSI 7 Layer Model to Computer Forensics
The steps taken by attackers who hack networks are:
Step 1: Footprinting
Step 2: Scanning and Probing
Step 3: Gaining Access
Step 4: Privilege
Step 5: Exploit
Step 6: Retracting
Step 7: Installing Backdoors
Lecture-30
4.30.1 Forensics and Social Networking Sites: The Security/Privacy Threats
Information security threats can be many, like software attacks, theft of intellectual property, identity
theft, theft of equipment or information, sabotage, and information extortion. A threat is anything
that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an
object or objects of interest.
Software attacks means attacks by viruses, worms, Trojan horses etc. Many users believe that malware,
viruses, worms and bots are all the same thing. But they are not the same; the only similarity is that
they are all malicious software, and each behaves differently.
Malware is a combination of two terms: malicious and software. So malware basically means malicious
software, which can be an intrusive program code or anything that is designed to perform malicious
operations on a system. Malware can be divided into two categories:
1. Infection Methods
2. Malware Actions
Malware on the basis of infection method includes the following:
1. Virus – Viruses have the ability to replicate themselves by attaching to programs or files on the host
computer, like songs, videos etc., and then they travel all over the Internet. The Creeper virus was first
detected on ARPANET. Examples include file viruses, macro viruses, boot sector viruses, stealth viruses
etc.
2. Worms – Worms are also self-replicating in nature, but they do not attach themselves to a program
on the host computer. The biggest difference between viruses and worms is that worms are network-aware.
They can easily travel from one computer to another if a network is available, and on the target machine
they will not do much harm; they will, for example, consume hard disk space, thus slowing down the
computer.
3. Trojan – The concept of a Trojan is completely different from viruses and worms. The name
Trojan is derived from the ‘Trojan Horse’ tale in Greek mythology, which explains how the Greeks
were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the
Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the
soldiers emerged and attacked the city from the inside. A Trojan’s purpose is likewise to conceal itself
inside software that seems legitimate; when that software is executed, it does its task of stealing
information or whatever other purpose it was designed for. Trojans often provide a backdoor gateway for
malicious programs or malevolent users to enter your system and steal your valuable data without your
knowledge and permission.
Examples include FTP Trojans, Proxy Trojans, Remote Access Trojans etc.
4. Bots – Bots can be seen as an advanced form of worms. They are automated processes designed to
interact over the internet without the need for human interaction. They can be good or bad. A malicious
bot can infect one host and, after infecting it, will create a connection to a central server which
provides commands to all infected hosts attached to that network, called a botnet.
Malware on the basis of actions:
1. Adware – Adware is not exactly malicious, but it does breach the privacy of users. It displays ads
on a computer’s desktop or inside individual programs. It comes attached to free-to-use software and is
thus the main source of revenue for such developers. Adware monitors your interests and displays
relevant ads. An attacker can embed malicious code inside the software, and then the adware can monitor
your system activities and even compromise your machine.
2. Spyware – Spyware is a program, or we can say software, that monitors your activities on a computer
and reveals the collected information to an interested party. Spyware is generally dropped by Trojans,
viruses or worms. Once dropped, it installs itself and sits silently to avoid detection. One of the most
common examples of spyware is the keylogger. The basic job of a keylogger is to record user keystrokes
with timestamps, thus capturing interesting information like usernames, passwords, credit card details
etc.
3. Ransomware – Ransomware is a type of malware that will either encrypt your files or lock your
computer, making it inaccessible either partially or wholly. A screen is then displayed asking for money,
i.e. a ransom, in exchange for access.
4. Scareware – Scareware masquerades as a tool to help fix your system, but when the software is
executed it will infect your system or completely destroy it. The software displays a message to
frighten you and force you to take some action, like paying them to fix your system.
5. Rootkits – Rootkits are designed to gain root access, or we can say administrative privileges, on
the user’s system. Once root access is gained, the exploiter can do anything, from stealing private files
to private data.
6. Zombies – Zombies work similarly to spyware. The infection mechanism is the same, but they do not spy
and steal information; rather, they wait for commands from hackers.
Theft of intellectual property means violation of intellectual property rights like copyrights,
patents etc. Identity theft means impersonating someone else to obtain a person’s personal information
or to access vital information they have, for example accessing the computer or social media account of
a person by logging into the account using their login credentials.
Theft of equipment and information is increasing these days due to the mobile nature of devices
and their increasing information capacity.
Sabotage means destroying a company’s website to cause a loss of confidence on the part of its
customers.
Lecture-31
4.31.1 Challenges in Computer Forensics
Cyber forensics experts extract data from a variety of sources: any technology that may be used by
an end-user. These include mobile devices, cloud computing services, IT networks and software
applications.
These technologies are developed and operated by distinct vendors. Technology limitations and
privacy measures tend to restrict the investigative capacity of an individual InfoSec expert, who faces
the following challenges:
Data recovery. If the data is encrypted, the investigator will not be able to decrypt the information
without access to the encryption keys. New storage technologies such as SSDs may not offer immediate
factory access to recover lost data, unlike traditional magnetic tape and hard disk drive systems.
Visibility into cloud systems. Investigators may only have access to metadata but not the information
content of the files. The underlying resources may be shared and allocated dynamically. That lack of
access to physical storage systems means that lost data may not be recoverable by third-party
investigators.
Network log big data. Network log data grows exponentially and requires advanced analytics and AI
tools to connect the dots and find insightful relationships between networking activities.
Multi-jurisdiction data storage. If the data is stored in a different geographic location, cyber forensics
investigators may not have the legal authority to access the required information.
4.31.2 Computer Forensics Expertise Status in India
There is a rise in cybercrimes in India, and computer forensics is a much-needed expertise. At present,
there seems to be a shortage of these skills.
Two-fold problem in India:
1. Lack of availability of cyber forensics expertise, as well as lack of awareness about
cyber forensics/digital forensics/computer forensics.
2. Involvement of cyber forensics in the day-to-day activities of individuals as well as corporations
is going to increase due to the rising rate of cybercrimes in India.
The reach of computer forensics must be enterprise-wide and, ideally, the response time should
be immediate in order to demonstrate that organizations are utilizing best practices in
managing and controlling their information security compliance.
Organizations need to have a combination of in-house capability supplemented with external
expert services.
Cyberlaws of India need to be supported by sound cyber security and effective cyber forensics.
A good team of techno-legal experts is needed to help in the drafting of good laws and in their
amendment and enforcement.