101-Concepts
Master Boot Record (MBR)
contained in the boot sector, is used when DOS- or Windows-based computers start up. The MBR contains important information such as a partition table, bootstrap code, and other information.
Identify Crime: An attacker inserts SQL commands into text boxes, often using the username and password text fields on a logon screen.
hacking
An attacker remotely accesses a power plant's computer system and inserts a logic bomb.
hacking, non-access computer crime, cyberterrorism
security log
has both successful and unsuccessful logon events; probably the most important log from a forensic point of view
Ethernet header
has the source and destination MAC address
Transport Layer
The fourth layer of the OSI model. It converts the packets received from the network layer into segments and then transfers them to the upper layer. The transport layer ensures that the entire message arrives in order and handles error control and flow control at the source-to-destination level.
live forensic tools: PsLoggedOn
helps you discover users who have logged on both locally and remotely. Of most importance, it tells you who is logged on to shares on the current machine. This is also part of the PsTools suite available from Microsoft TechNet.
Where the Recycle Bin is in Windows 7 and Vista
hidden directory \$Recycle.Bin\%SID, where %SID is the SID of the user that performed the deletion
steganophony
hiding messages in sound files
life span
how long information is valid
The iPhone: Seizing Evidence
Older iPhones have a four-digit PIN, giving 10,000 possible combinations of the digits 0-9. Newer phones have a six-digit PIN and can use passwords as well. An automated process, such as XRY, can be used to break an iPhone passcode. Tools specifically for iOS devices: Pwnage, Recover My iPod. If the forensic workstation has iTunes: plug the iPhone (or iPad/iPod) into the workstation and use iTunes to extract information about the device.
An attacker dumpster dives to look for a victim's personal information, such as in discarded mail, bills, and bank statements
identity theft
Preserve evidence
important because data can easily be destroyed at a bit-level. Must assume every computer is rigged to destroy evidence.
tracing email
is similar to traditional detective work. Tracing email involves looking at each point through which an email passed and working step by step back to the originating computer and, eventually, the perpetrator. Email header information is typically examined to look for clues about where a message has been. Investigators often use audits or paper trails of email traffic as evidence in court. Many investigators recommend use of the tracert command. However, because of the dynamic nature of the Internet, tracert does not provide reliable, consistent, or accurate routing information for an email. It may also be useful to determine the ownership of the source email server for a message. A number of whois databases are available on the Web that an investigator can use to find out to whom a given IP address is registered.
Global System for Mobile (GSM) communications
is a standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.
file created
is the date the file was "created" on the volume. This does not change when working normally with a file, such as opening, closing, saving, or modifying the file.
Communications Assistance Law Enforcement Act of 1994
is the federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.
live forensic tools: PSInfo
is also from the PsTools suite. It can tell you system uptime (time since last reboot), operating system details, and other general information about the system. This is good background information to put into your forensic report.
Universal Disk Format (UDF)
is the file system used by DVD-ROM discs (both video and audio). Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not guarantee that Mac OS X can read the files.
UNIX File System (UFS)
is the file system used by FreeBSD and many other UNIX variants. Being based on FreeBSD, Mac OS X can read UFS volumes.
ISO 9660
is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but Apple does have its own set of ISO9660 extensions.
GUID Partition Table (Globally Unique Identifier)
is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh machines can boot only from drives that use the GUID Partition Table
mv
is used to move a file
Apple Partition Map
is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with the Apple Partition Map, but cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with the Apple Partition Map, and can also use it as a start-up device.
kill
halts a running process based on the process ID (PID) you provide
collision
occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest). Ideally we would like to have no collisions. But the reality is that with a fixed-length output, a collision is possible. The goal is to make it so unlikely as to be something we need not think about.
Email files: .ost
offline outlook storage
Malware
often disguises itself with names similar to actual important files, for example Lsassx.exe instead of Lsass.exe
Tribal Flood Network
one of the most widely used tools to perform DDoS attacks. The newer version is TFN2K.
Disk Digger
is an easy-to-use tool for Windows. It can be downloaded free of charge and is fully functional. But when recovering files, you have to recover them one at a time. If you pay for the commercial version, you can recover as many files at one time as you want
Computer Security Incidents
is any event that violates an organization's security policies. This includes computer security policies, acceptable use policies, or standard security practices. Includes denial of service attacks, malicious code, unauthorized access, and inappropriate usage.
demonstrative evidence
is information that helps explain other evidence, for example a chart that explains a technical concept to the judge and jury.
swap file/virtual memory
is located in the folder /var/vm/. You can check it with Linux commands like ls (for listing files). The option ls -al gives you a listing of all the files in virtual memory as well as who launched the program and when. You can use the grep search tool to search in the virtual memory folder.
physical analysis
is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. It includes URLs, emails, file formats, damaged sectors, and data outside partitions, looking for things that may have been overlooked by, or are invisible to, the user.
dead drop
one person drops off an item, and then a second person picks it up
Low Orbit Ion Cannon (LOIC)
online tool with a GUI used to perpetrate a DoS or DDoS attack easily
net sessions command
only shows established network communication sessions, such as someone logging on to that system.
RFC 3227
presents guidelines for evidence collection and archiving. It suggests collecting the following: volatile data, file slack, file system, registry, memory dumps, system state backup, and internet traces.
show logging
show router log events
show interfaces
show which interfaces are up
netstat command
shows network statistics and any current connections. Shows even meaningless connections, such as your computer opening a web browser.
file modified
shows there has been a change to the file itself.
carrier
signal or stream or file in which payload is hidden
TRIN00
similar to the Tribal Flood Network tool; used for denial of service attacks. Originally written for UNIX, now available for Windows. Uses a trojan horse to infect machines.
Network Packet: Payload
the body or information content of a packet; the actual content that the packet is delivering to the destination. If the packet is fixed length, the payload may be padded with blank information or a specific pattern to make it the right size.
How does cyberstalking affect forensics?
the computer is the vehicle that drives the crime. Check emails and texts and any devices in the suspect's possession when arrested.
Chain of Custody
the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collecting and its appearance in court
Important Windows Files: Ntoskrnl.exe
the core of the operating system
USA Patriot Act
the primary law under which a wide variety of internet and communications info. content and metadata is currently collected. (provisions protect identity and privacy of US citizens)
Steganalysis
the process of analyzing a file or files for hidden content. It can show a likelihood that a given file has additional information hidden in it. A common method for detecting LSB steganography is to examine close-color pairs.
Forensics
the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts
Mutation
the process within a genetic algorithm of randomly trying combinations and evaluating the success (or failure) of the outcome
Important Windows Files: Winlogon.exe
the program that logs you on
Data Link Layer
the second layer of the OSI Model. It converts bits received from the physical layer into frames and then transfers them to the network layer.
TCP/IP Internet Layer
the second layer of the four-layer TCP/IP model. The Internet layer sits between the Network Access layer and the Transport layer. It packs data into packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams. A packet-switching network depends on a connectionless internetwork layer; this layer is the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, packets may arrive in a different order than they were sent. It is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer. The main protocols at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
Cyberstalking/harassment
- using electronic communications to harass or threaten another person.
Incremental
- All changes since the last backup of any type
real evidence
- a physical object that someone can touch, hold or directly observe
Anti-forensics
- actions that perpetrators take to conceal their locations, activities or identities; includes data destruction, data hiding, data transformation, and file system alteration.
Multipartite
- attack the computer in multiple ways, for example the boot sector and files
documentary evidence
- data stored as written matter, on paper or in electronic files. It includes memory-resident data and computer files
testimonial evidence
- information that forensic specialists use to support or interpret real or documentary evidence.
physical analysis
- looking for things that may have been overlooked by, or are invisible to, the user. The swap file/page file: it is possible to find things here that were live in memory and not stored on the suspect drive. Unallocated space: free space, or the area of a hard drive that has never been allocated for file storage.
steganalysis
- process of analyzing a file or files for hidden content
Cell-phone forensics
- process of searching contents of cell phones
daubert standard
- standard to assess whether an expert's testimony is based on reasoning and/or methodology that is scientifically valid and can properly be applied to the facts at issue
Live system forensics
- the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse
Expert Testimony
- the testimony of an expert witness, one who testifies on the basis of scientific or technical knowledge relevant to a case rather than personal experience.
video steganography
Hiding information in video files.
steganophony
Hiding messages in sound files
Identify Crime: An attacker disseminates a virus from a rogue website that infects many computers
Non-Access Computer Crime
Identify Crime: A denial of service (DoS) attack is an example of this type of crime.
Non-access computer crime
Prefetch
To speed up the performance of programs, Windows keeps a list of all DLLs a given executable needs. When the executable is launched, all the DLLs are "fetched." A side benefit is that the prefetch entry keeps a count of how many times an executable has been run, and the last date/time it was run. Most Windows forensics tools will pull this information for you. OSForensics makes it part of the "Recent Activity."
MP3Stego
Tool used to hide data in MP3 files. It combines text with a sound file to create a new sound file that contains the hidden information.
Getting Header in Hotmail
Select Inbox from the menu on the left. Right-click the message for which you want to view headers, and select View Message Source. The full headers will appear in a new window.
TCP Header Bits of Interest: URG (1 bit)
Traffic is marked as urgent, though this bit is rarely used. It is more common for the IP precedence bits to be used for priority when there is a need.
How Email Works
The sender uses a mail client to send a message. The message travels through multiple mail servers, each of which sends the message closer to its destination. The destination mail server stores the message. The receiver uses a mail client to retrieve the message from the mail server.
HTTP Response Messages 500-599
Server-side errors
Network based firewalls
Span an entire network. Filter all traffic passing in and out of a network or network segment. Incorporate enterprise-grade network services: VPN, enterprise-class encryption protocols, enterprise-class security services.
Intelligent agent
Special-purpose knowledge-based information system that accomplishes specific tasks on behalf of its users
keyspace
The entire range of values that can be used to construct an individual key.
Creating a Timeline
To reconstruct events that led to corruption of a system, create a timeline. Challenges with computers: clock drift, delayed reporting, different time zones. Never change the clock on a suspect system; record the clock drift and the time zone in use.
Whaling
a phishing attack that targets high-value individuals
spear phishing
a phishing expedition in which the emails are carefully designed to target a particular person or organization
Cyberterrorism
a politically motivated use of computers and information technology to cause severe disruption or widespread fear in society.
Long Term Evolution (LTE)
a standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.
semi-active state
a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.
Deep learning (DL)
a subset of machine learning and refers to artificial neural networks that are composed of many layers.
rainbow table
a table of precomputed hashes that contains all possible keystroke combinations that make up well-known passwords. It is generally impossible to record all combinations due to the large size of the table, so most attackers limit tables to 8-10 characters and well-known dictionary words. Used to compare hashes to discover passwords. Hashes themselves are one-way functions, meaning they cannot be decrypted, only compared.
ophcrack
a tool used to crack local passwords on Windows systems. The intruder must be on the local network to use it.
How identity theft affects forensics
an investigator should look for spyware and, if it exists, examine where the collected data is being sent. Emails and downloads should also be checked for potential spyware, as these are common methods of placing spyware on a victim's computer.
Windows 10
another dramatic change. Features such as the Edge browser, Universal Apps and Cortana changed the way users interacted with the OS, and in some cases changed forensics.
EnCase boot disk
boots the system to EnCase using DOS mode rather than GUI mode. Copy the suspect drive to a new drive to examine it.
Evidence from Cell Phones
call history, emails/messages, phone information, GPS information, photos, videos, web history, network information
System Memory with OS Forensics
you can also capture system memory using OSForensics.
cluster
can be from 1 to 128 sectors
grep
can be used to search for files, contents of files, and just about anything you may want to search for. It is very flexible and quite popular with Linux users. For example: grep -b 'search-text' /dev/partition > file.txt will search for 'search-text' in a given partition and output the results to file.txt. You can also use this syntax: grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt.
Identify Crime: An attacker sends out false emails suggesting the receiver can make a large sum of money with very little investment
computer fraud
Neural networks
computing system inspired by biological neural networks. These systems learn to do tasks by considering examples.
Application Layer
the seventh layer of the OSI model. It provides a means for the user to access information on the network using an application. It also supports services such as electronic mail, remote file access and transfer and shared database management.
Presentation Layer
the sixth layer of the OSI model. This layer deals with the syntax and semantics of the data exchanged between two devices. It encrypts data to protect it from unauthorized access and also compresses it to reduce the size of the data.
RFC 2822
the standard for email format, including headers. It replaced RFC 822, which was originally designed for text messages over ARPANET, the precursor to the internet. It allows users to read emails using a variety of programs and operating systems.
cryptography
the study of writing secret messages; derived from the word kryptós, which means hidden, and the verb gráfo, which means write
mobile switching center (MSC)
the switching system for the cellular network. MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. You will learn about 3G and GSM networks later in this section. The MSC processes all the connections between mobile devices and between mobile devices and landline phones. The MSC is also responsible for routing calls between base stations and the public switched telephone network (PSTN).
Network Layer
the third layer of the OSI model. It converts the frames received from the data link layer into packets and then transfers them to the transport layer.
TCP/IP Transport Layer
the third layer of the four-layer TCP/IP model. The Transport layer sits between the Application layer and the Internet layer. Its purpose is to permit devices on the source and destination hosts to carry on a conversation. The Transport layer defines the level of service and status of the connection used when transporting data. The main protocols at the Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP/IP: Application Layer
the topmost layer of the four-layer TCP/IP model. It defines TCP/IP application protocols and how host programs interface with Transport layer services to use the network. It includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol), etc.
Euler's Totient
the total number of coprime numbers for a number n. Two numbers are considered coprime if they have no common factors. Used in RSA.
File Slack Searching:
the unused space between the logical end of file and the physical end of file
Computer Forensics
the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored and encoded. Additionally, any device that can store data is potentially a subject for computer forensics.
Cyberterrorism
the use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals
Polymorphic
the virus literally changes its form from time to time to avoid detection by antivirus software. A variation is the metamorphic virus, which can completely rewrite itself.
dumpster diving
using a person's discarded documents to obtain information about identity or other important information
Social Engineering
using deception to obtain unauthorized access to information resources
Cyberstalking
using electronic communications to harass, threaten or track another person
cryptanalysis
using techniques other than brute force to attempt to uncover a key. Examples: frequency analysis, Kasiski examination.
Important Windows Files: Hal.dll
an interface for hardware
Email files: .mbx
eudora
encryption
obfuscates message so it cannot be read
bourne shell (sh)
This was the original default shell for UNIX. It was first released in 1977.
HTTP Response Messages 200-299
"OK" messages, meaning that whatever the browser requested, the server successfully processed
Slack Space
The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file.
Listing Contents of .Trash
ls -al ~/.Trash (the .Trash directory in the user's home folder)
Sierra
(Mac OS X v10.12)—The most recent version (as of March 2017). It is meant to be more in sync with the style of other Apple systems, such as iOS and watchOS.
Tiger
(Mac OS X v10.4)—Had built-in support for FireWire, a new dashboard, and updated mail program.
Snow Leopard
(Mac OS X v10.6)—Included mostly performance enhancements, such as support for multicore processors, rather than new features
Neural network
(artificial neural network) a category of AI that attempts to emulate the way the human brain works
Proper Procedure: Handling Evidence- Collecting Data
(in this order) 1. Volatile data: a. swap file, b. state of network connections, c. state of running processes. 2. Temporary data: data the OS creates and overwrites without the user's direct action to save it. 3. Persistent data.
Windows 3.1
(released in 1992) Though earlier versions had been in existence since 1985, this version became widely popular. It ran on top of the Disk Operating System (DOS) and used a GUI.
Technical Information Collection Considerations
Consider the life span of the information. Data is volatile: collect information quickly, and collect bit-level information.
Mathematically Authenticating Data on All Storage Devices
-After imaging the drive, create a hash of the original and the copy -Compare the hashes -If they don't match exactly, something was altered -Document the hashing algorithm used and the results
Shutting Down Computer
-Before you shut the computer down: *Check for running processes (in Windows, use Task Manager) *Take a picture of the screen for your records *Check for live connections to the system with the following commands: netstat, net sessions, openfiles (critical to run)
Preparing System
-For suspect computers: remove the drive(s); create an evidence form and/or a chain of custody form -For mobile devices: remove the SIM card, if necessary; some devices let you dock the phone and examine it without removing the SIM
How to set up a Forensic Lab (slides)
-Identify functions to be performed -Define activities and estimate workload -Determine necessary equipment and software -Determine physical space requirements -Plan for security
Transporting Computer
-Keep evidence in your possession or control at all times -Document movement of evidence between investigators -Secure evidence appropriately so it can't be tampered with or corrupted -Lock it in a vehicle -Drive the vehicle directly to the lab
Gameover ZeuS
-a virus that creates a peer-to-peer botnet -began to spread in 2015 -creates encrypted traffic between the infected computer and the command and control computer, allowing the attacker to control infected computers
64-bit
-addresses up to 18,446,744,073,551,616 bytes -referred to as x64
32-bit
-addresses up to 4,294,967,295 bytes -limited to 4 GB of RAM -referred to as x86
CopyQM Plus Disk Duplication Software
-also from NTI -turns a PC into a disk duplicator -useful for specialists who need to preconfigure CDs for specific uses and duplicate them -can create self-extracting executable programs that can be used to duplicate specific disks -can be used to make preconfigured security assessment disks -images can be password-protected -supports all DOS formats and many non-DOS formats -does not copy extra sectors that are added to a CD on copy-protected disks; AnaDisk should be used to perform this task
SYN Flood
-the attacker sends many SYN packets -does not answer the SYN-ACK responses from the server -eventually the server runs out of resources, resulting in denial of service (DoS)
Rombertik
-began to be seen in 2015 -a virus that uses the browser to read user credentials for websites -most often seen as an attachment in an email -can overwrite the master boot record, making the computer unbootable, and/or encrypt the user's home folder
temporary data
-collected after volatile data -data that an operating system creates and overwrites without the computer user taking a direct action to save it -afterwards, collect persistent data
OS Forensics
-forensic tool from PassMark Software, widely used since 2010 -less expensive alternative to EnCase or FTK -does not have a Known File Filter
AnaDisk Disk Analysis Tool
-from New Technologies Incorporated (NTI) -turns a PC into a sophisticated disk analysis tool -originally created to meet the needs of the U.S. Treasury Dept. in 1991 -scans for anomalies that identify odd formats, extra tracks and extra sectors -used to uncover data-hiding techniques -supports all DOS formats and many non-DOS formats such as Mac and UNIX TAR
Storage formats
-magnetic media -solid-state drives -digital audio tape (DAT) drives -digital linear tape (DLT) and Super DLT -optical media -universal serial bus (USB)
NIST (National Institute of Standards and Technology) Four Extraction States
-nascent state -active state -semi-active state -quiescent state
Forensic Certifications
-PC hardware: A+ certification -basic networking: Network+ or CCNA -security: CISSP or Security+ -hacking: Offensive Security, Certified Ethical Hacker from EC-Council, and GIAC Penetration Tester (GPEN) from SANS -EnCase, AccessData and OSForensics all offer certifications
Proper Procedure Overview
-shut down the computer -transport the computer to a secure location -prepare the system -document the hardware configuration of the system -mathematically authenticate data on all storage devices
flame
-targets Windows operating systems -specifically designed for espionage; state-sponsored -first discovered in May 2012 -spyware that can monitor network traffic and take screenshots of the infected system -stores data in a local database that is heavily encrypted -able to change behavior based on which antivirus program is running -signed with a fraudulent Microsoft Windows certificate so Windows accepts it as legitimate
Forensic Toolkit (FTK)
-widely used forensic analysis tool from AccessData, available for Windows and Mac -popular with law enforcement -lets you select which hash is used to verify the copied suspect drive and which features you wish to use on the drive -especially good at cracking passwords, such as on password-protected PDF files and Excel spreadsheets -also supplies tools to analyze the Windows registry and email (which can be arranged in a timeline) -has distributed processing, which allows processing and analysis to be distributed across three computers; this lets the three computers perform three parts of the analysis in parallel, speeding up the forensic process -has an Explicit Image Detection add-on that automatically detects pornographic images
Email Server Forensics
Even if the sender and the recipient have deleted the relevant emails, there is a good chance a copy is still on the email server. Many servers have a retention policy, which may be governed by law in certain industries. There are a variety of email server programs that could be in use. Microsoft Exchange is a very common server. Lotus Notes and Novell GroupWise are also popular email server products.
GroupWise
.db
Exchange Server
.edb
Block Cipher
literally encrypts the data in groups of bits, also known as blocks. Assuming the actual algorithm is mathematically sound, the following is true: larger block sizes increase security; larger key sizes increase security against brute-force attack methods; if the round function is secure, then more rounds increase security, up to a point.
Lotus Notes
.nsf
RunLevel 0
/etc/rc.d/r0.d halt
RunLevel1
/etc/rc.d/r1.d single-user mode
RunLevel2
/etc/rc.d/r2.d Not used (user-defined)
RunLevel3
/etc/rc.d/r3.d Full multi-user mode without GUI
RunLevel4
/etc/rc.d/r4.d not used (user-defined)
RunLevel5
/etc/rc.d/r5.d full multi-user mode with GUI
RunLevel6
/etc/rc.d/r6.d reboot
Well-known ports
0-1023
This is a ____AND_____ binary operation
Operands 1 1 0 1 and 1 0 0 1; result 1 0 0 1
This is a ______XOR_________ binary operation (2)
Operands 1 1 0 1 and 1 0 0 1; result 0 1 0 0
This is a ____OR______ binary operation (1)
Operands 1 1 0 1 and 1 0 0 1; result 1 1 0 1
Evidence gathering Measures
1. Avoid changing evidence: take photos, label wires and sockets, transport carefully, avoid touching hard disks and CDs, and make exact bit-level copies and store them on write-once CDs. 2. Determine when evidence was created: create a detailed timeline, which should mirror the chain of custody timeline as well. 3. Trust only physical evidence (bit level). 4. Search throughout a device. 5. Present the evidence well, in a logical, compelling, understandable, and persuasive manner.
Technical Information Collection Considerations
1. Consider the life span of the information 2. Collect information quickly 3. Collect bit-level information
How to set up a Forensic Lab
1. Equipment: storage for data; a server with at least RAID 1 redundancy (mirroring), with RAID 5 recommended, and backups once a day at minimum. You will likely need multiple servers for data storage. Computers capable of attaching all sorts of drives and USB devices, as well as all sorts of power connectors for smartphones, laptops, routers, and other digital devices. 2. Security: the computers and servers used should not be connected to the internet and should be separate from the working network. The lab room should be shielded from any electromagnetic interference, such as from wireless or cellular signals. Physical security should limit access to the lab and be able to account for access (swipe cards or biometric readers are ideal); the room should be difficult to forcibly access; a fire-resistant evidence safe should also be used.
Forensic Imaging
1. Forensically wipe the target drive (the drive you are copying the suspect drive to): a. use the Linux dd command: dd if=/dev/zero of=/dev/hdb1 bs=2048; b. or use fdisk -l to list the partitions of the system. 2. Use netcat on the forensic server to prepare to receive data from the suspect computer. 3. On the suspect computer, use the dd command to read the first partition. Alternatives: imaging with EnCase, imaging with FTK, imaging with OSForensics.
Forensic Methodologies
1. Handle original data as little as possible 2. Comply with rules of evidence 3. Avoid exceeding your knowledge 4. Create an analysis plan
Example order of volatility:
1. Registers and cache 2. Routing tables 3. ARP cache 4. Process table 5. Kernel stats and modules 6. Main memory 7. Temp file systems 8. Secondary memory 9. Router config 10. Network topology
Recovering Information from Damaged Media: Overview
1. Remove drive and connect it to a test system 2. Boot the test system; if the drive is not recognized, perform repair and image the drive content 3. Copy files from the drive to the test system
Storing a File in Windows (FAT/FAT32)
1. The cluster number of the next cluster for this file is recorded. 2. If this cluster is the end of a chain, then it has a special end of cluster chain (EOC) entry. 3. Bad clusters have a special entry in the file allocation table. 4. Reserved clusters have a special entry in the file allocation table. 5. Open, or available, clusters are also marked in the file allocation table.
Important iOS items to document if using the iTunes extraction technique
1. The iOS version number 2. The phone number (redacted in this figure) 3. The serial number (redacted in this figure)
Ways identity theft is perpetrated
1. phishing 2. spyware 3. discarded information
Order of Volatility From High to Low
1. registers and cache 2. routing tables 3. ARP cache 4. Process table 5. Kernel statistics and modules 6. Main memory 7. Temporary file systems 8. Secondary memory 9. Router configurations 10. Network topology
Roles a computer can play in a crime
1. target of crime 2. instrument of crime 3. an evidence repository that stores valuable information about the crime. In some cases, a computer can have multiple roles. It can be the instrument of a crime and also serve as a file cabinet that stores critical evidence.
Evidence -Handling tasks
1. Find evidence 2. Preserve evidence 3. Prepare evidence
3 criteria for cyberstalking
1. Is it possible? Is the threat credible and possible to carry out? 2. How frequently does the behavior occur? It must be repetitive 3. How serious? Specific and detailed plans cause alarm more than generalizations. Not all 3 need to be present to constitute a crime
Registered ports
1024-49151
The Computer Security Act of 1987
Passed in 1987 to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
Windows Mobile Operating systems
1996: Windows CE 2008: Windows Phone; not compatible with many of the previous Windows Mobile apps 2010: Windows Phone 7 2012: Windows 8 2015: Windows 10 Mobile Windows 10 (Windows 10 Mobile) is shipped on PCs, laptops, phones, and tablets. This means that once you are comfortable with the operating system on one device, you are going to be able to conduct forensic examinations on other devices running Windows 8 or Windows 10.
iMac
1998
iphone
2007
HEXADECIMAL VALUES: PDF
25 50
What happened to 2DES?
2DES basically does DES two times; was not much more secure than DES; took more time and computer resources to implement; not widely used
Advanced Format
4096-byte sectors used by modern hard drives
HEXADECIMAL VALUES: BMP
42 4D
bmp
42 4D
GIF
47 49
HEXADECIMAL VALUES: GIF
47 49
HEXADECIMAL VALUES: MP3
49 44
MP3
49 44
Dynamic ports
49152-65535
HEXADECIMAL VALUES: EXE
4D 5A
exe
4D 5A
HEXADECIMAL VALUES: ZIP
50 4B
zip
50 4B
HEXADECIMAL VALUES: AVI
52 49
HEXADECIMAL VALUES: WAV
52 49
WAV, AVI
52 49
HEXADECIMAL VALUES: PNG
89 50
png
89 50
Functions of Data Link Layer
Framing - The physical layer delivers raw bits from the source to the destination. During transmission, the value of the bits can change. It is also possible that the number of bits received by the receiver may be different from the number of bits sent by the sender. To resolve this problem, the data link layer organizes the bits into manageable data units called frames. Physical Addressing - The data link layer adds a header to the frame which contains the physical address (MAC address) of the sender or receiver. Flow Control - It may happen that the speeds at which the sending and receiving nodes operate differ. The sending node may transmit data at a faster rate, but the receiving node may receive it at a slower rate. The rate of data transmission between two nodes should be controlled to keep both nodes in synchronization. This process is called flow control. Error Control - Another function of the data link layer is error control. Error control detects and corrects errors. During transmission, if a frame is lost or corrupted, the data link layer retransmits that frame. It also prevents duplication of frames.
1991
Linus Torvalds begins creating Linux
ROT13 cipher
A permutation of the Caesar cipher; all characters are rotated 13 characters through the alphabet; "A CAT" becomes "N PNG"
Virus
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
volatile memory: Heap (H)
A process may use a memory allocator such as malloc to request dynamic memory. When this happens, the address space of the process expands. The data in the heap area can exist between function calls. The memory allocator may reuse memory that has been released by the process. Therefore, heap data is less stable than the data in the data segment.
Important Windows Files: Smss.exe
A program that handles services on your system
Important Windows Files: Ntdetect.com
A program that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on
iXImager
A proprietary file format used by the iLook tool Tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only
Certified Cyber Forensics Professional (CCFP)
A certification from ISC2 for completing the education and work experience and passing the exam
Encase file format
A proprietary format defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files Includes a hash of the file to ensure nothing was changed when it was copied from the source
Android
A Linux-based operating system that is completely open source. Android source code: http://source.android.com/ First released in 2003 Versions of Android named after sweets, such as Version 4.1-4.2 Jelly Bean and Version 7.0 Nougat Differences from version to version usually involved adding new features. If you are comfortable with version 1.6 (Donut), you will be able to do forensic examination on version 4.2 (Jelly Bean). Samsung Galaxy and many other mobile devices run Android Similarity across versions Can perform similar forensic examinations on different versions
logic bomb
A computer program or part of a program that lies dormant until it is triggered by a specific logical event, such as a date and time; often perpetrated by disgruntled employees
consistency checking problems
A consistency check can fail if the file system is highly damaged. The repair program may crash, or it may believe the drive has an invalid file system. The chkdsk utility might automatically delete data files if the files are out of place or unexplainable. The utility does this to ensure that the operating system can run properly. However, the deleted files may be important and irreplaceable user files. The same type of problem occurs with system restore disks that restore the operating system by removing the previous installation. Avoid this problem by installing the operating system on a separate partition from the user data.
Diffie-Hellman
A cryptographic protocol that allows two parties to establish a shared key over an insecure channel Often used to allow parties to exchange a symmetric key through some insecure medium, such as the Internet Enabled all secure communications between parties that did not have a pre-established relationship, such as e-commerce Groundbreaking research provided the foundation for secure transactions across the Internet E-commerce sites like Amazon.com and Staples.com can provide secure electronic communications, thanks in great part to Diffie and Hellman
Kerckhoffs' Principle
A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
action:a
A keyword indicating the action that init is to take on the process
The Digital Forensic Research Workshop Framework (DFRWS)
A matrix with 6 classes, Identification, preservation, collection, examination, analysis, and presentation
Digital Forensics Research Workshop Foundation Framework
A matrix with the following six classes: -Identification -Preservation -Collection -Examination -Analysis -Presentation
Maximum Tolerable Downtime (MTD)
A measure of how long a system or systems can be down before it is impossible for the organization to recover Related to: Mean time to repair (MTTR) Mean time to failure (MTTF)
Alternate Data Streams (ADS)
A feature of the NTFS file system that is essentially a method of attaching one file to another file. Alternate data streams contain metadata for locating a specific file by some criterion, such as title, and may be used by clever criminals to hide things on the target computer. A number of tools are available that will detect whether files are attached via alternate data streams. One of the most widely known is List Alternate Data Streams (a free download).
Kasiski method
A method of attacking polyalphabetic substitution ciphers, such as Vigenère. Involves looking for repeated strings in the ciphertext and can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher. When the length of the keyword is discovered, the ciphertext is lined up in n columns, where n is the keyword length. Each column is treated as a monoalphabetic substitution cipher and can be cracked with frequency analysis
High Tech Crime Network (HTCN)
A national organization that provides certification for computer crime investigators and computer forensics technicians.
Ports
A number that identifies a channel in which communication can occur 65,635 possible ports Knowing what port a packet was destined for (or coming from) tells you what protocol it was using
John the Ripper
A password cracker popular with network administrators and hackers. Enables the user to select text files of word lists to attempt cracking a password. Command-line based with no Windows interface, so less convenient to use, but it has been around a long time and is well regarded by both the security and hacking communities
OS Forensics
A robust forensics tool that also provides for undeletion Undelete from a mounted image or from a live system
Windows Swap File
A special place on the hard disk where items from memory can be temporarily stored for fast retrieval Used to end in a .swp extension; since Windows XP, called pagefile.sys Typically found in Windows root directory Often referred to as virtual memory
Important Windows Files: Ntbootdd.sys
A storage controller device driver
Business Impact Analysis (BIA)
A study that identifies the effects a disaster would have on business and IT functions Studies include interviews, surveys, meetings, and so on Identifies the priority of different critical systems Considers maximum tolerable downtime (MTD)
three-way handshake
A three-step process in which Transport layer protocols establish a connection between nodes. The three steps are: Node A issues a SYN packet to node B, node B responds with SYN-ACK, and node A responds with ACK.
label
A unique identification label of up to four characters.
Telephony denial of service (TDoS)
A variation of denial of service (DoS) attacks, but launched against traditional and packet-based (VoIP) telephone systems. It disrupts an organization's use of its telephone system through a variety of methods.
polymorphic virus
A virus that can change its own code or periodically rewrites itself to avoid detection
Graphical User Interface (GUI)
A visual display on a computer's screen that allows you to interact with your computer more easily by clicking graphical elements.
American Society of Crime Laboratory Directors
ASCLD; accredits crime labs in the US
$I Structure
Always exactly 544 bytes long. Bytes 0-7: file header, always set to 01 followed by 7 sets of 00. Bytes 8-15: original file size stored in hex in little-endian. Bytes 16-23: deleted date/time stamp, represented as the number of seconds since midnight January 1, 1601; use a program such as Decode to assist with figuring out the exact date and time if you do not want to do the math. Bytes 24-543: original file path/name
HKEY_USERS (HKU)
This hive is very critical to forensic investigations. It has profiles for all the users, including their settings.
volatile memory analysis : Step One
Acquire a physical memory dump of the compromised system and transmit it to the data collection system for analysis. VMware allows you to simply suspend the virtual machine and use the .vmem file as a memory image.
File Formats
Advanced Forensic Format (AFF) Encase Generic Forensic Zip (Gfzip) iXImager
file formats
Advanced Forensic Format (AFF) with variations: AFF: stores all data and metadata in a single file; AFM: stores data and metadata in separate files; AFD: stores data and metadata in multiple small files. EnCase. Generic Forensic Zip. iXImager
Mathematically Authenticating Data on All Storage Devices
After imaging drive, create a hash of the original and the copy Compare the hashes If they don't match exactly, something was altered Document hashing algorithm used and results
The Post-Recovery Follow-Up
After recovery, find out what happened and why (involves forensics): Was disaster caused by some weakness in the system? Negligence by an individual? A gap in policy? An intentional act?
Differential backup
All changes since the last full backup
logical volume manager (LVM)
An abstraction layer that provides volume management for the Linux kernel On a single system (like a single desktop or server), primary role is to allow: The resizing of partitions The creation of backups by taking snapshots of the logical volumes
Collecting Data
All the traffic going through a firewall is part of a connection. A connection consists of two IP addresses communicating with each other and two port numbers that identify the protocol or service. Attempts on the same set of ports from many different Internet sources are usually due to decoy scans. Carefully check firewall logs for any sort of connections or attempted connections on those ports. Use protocol analysis to determine who the attacker is
volatile memory Stack (S)
Allocated based on the last-in, first-out (LIFO) principle. When the program is running, program variables use the memory allocated to the stack area again and again. This segment is the most dynamic area of the process's memory. The data within this segment varies constantly and is influenced by the program's various function calls.
Nmap/ZenMap
Allows the user to map out what ports are open on a target system and what services are running Is a command-line tool, but has a Windows interface called Zenmap Popular with hackers because it can be configured to operate stealthily and determine all open ports on an individual machine, or for all machines in an entire range of IP addresses Popular with administrators because of its ability to discover open ports on the network
Imaging with OS Forensics
Allows you to mount images created with other tools Also allows you to create an image
Berkeley Fast File System
Also known as UNIX File System Developed at UC-Berkeley for Linux Uses a bitmap to track free clusters, indicating availability
Advanced Encryption Standard (AES)
Also known as the Rijndael block cipher Can have three different key sizes: 128, 192, or 256 bits Referred to as AES 128, AES 192, and AES 256
brute force attack
An attack on passwords or encryption that tries every possible password or encryption key.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
Ping Flood
An attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets.
Distributed Denial of Service (DDoS)
An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.
Preserving Evidence
An event: Is any observable occurrence within a system or network Includes network activity, such as when a user accesses files on a server or when a firewall blocks network traffic Adverse events have negative results or negative consequences Example: An attack on a system Recovery often performed at the expense of preserving forensic evidence Failure to preserve forensic information: Prevents IT team from effectively evaluating cause of incident Makes it difficult to modify company policies and procedures to reduce risk Forensic data is key to preventing future incidents
Forensic Imaging
An image is an exact bit-by-bit copy of a disk Used for evidence collection without altering original
Advanced Forensic Format (AFF)
An open file standard with three variations: AFF, AFM, and AFD AFF variation stores all data and metadata in a single file AFM variation stores data and metadata in separate files AFD variation stores data and metadata in multiple small files
hard link
An inode that links directly to a specific file. The operating system keeps a count of references to this link. When the reference count reaches zero, the file is deleted. In other words, you can have any number of names referencing a file, but if that number of references reaches zero (i.e., there is no name that references that file), then the file is deleted.
volatile memory analysis: Step Three
Analyze the evidence on the collection system. Unlike live response, you don't need any additional evidence from the compromised system.
Historical Steganography
Ancient Chinese wrapped notes in wax and swallowed them for transport In ancient Greece, message written on slave's shaved head, then hair allowed to grow back During World War II, French Resistance sent messages written on the backs of couriers using invisible ink
1987
Andrew S. Tanenbaum creates Minix, another UNIX variant
Digital Linear tape (DLT)
Another type of magnetic tape storage. Relies on a linear recording method. Tape has either 128 or 208 total tracks. Used primarily to store archived data
"valid" emails
Appears as though mail is from a trusted source; message content is suspicious; content may contain a URL that points to a malicious site
OSI Model
Application Presentation Session Transport Network Data Link Physical
TCP/IP Model
Application Transport Internet Network access
/var/log/apport.log
Application crashes
digital audio tape (DAT) drives
Are among the most common types of tape drives. Use 4-mm magnetic tape enclosed in a protective plastic shell. Tapes wear out just like audio tapes. Will most likely contain archived/backup data that you need to analyze. Forensically wipe the target drive first so you can be sure that there is no residual data on that drive, then restore the tape to the target hard drive (magnetic or solid state) in order to analyze it
steganography
Art and science of writing hidden messages Most common today: Hide messages in pictures LSB (Least Significant Bit): capacity is 5-15% of vessel data
Denial of Service (DoS)
Attempts to prevent system from performing normal functions usually by flooding a website with fake connections that prevent legitimate connections from forming Cyber equivalent of vandalism
Device Seizure
Available from Paraben Software. There is a license fee associated with this product. Paraben makes a number of forensic products
Evidence-Gathering Measures
Avoid changing evidence Determine when evidence was created Search throughout a device Determine information about encrypted and steganized files Present evidence well
Evidence-Gathering Measures (5)
Avoid changing the evidence: Copy it and study the copy Hash the copy: allows checking for changes Each time you touch digital data, there is some chance of altering it. Determine when evidence was created Trust only physical evidence: the 1s and 0s Search throughout a device: at the 1s and 0s level Present the evidence well Logical Compelling Persuasive
HTTP Commands: UNLINK
Breaks an existing connection between two resources
Linux Boot Process
BIOS/POST; MBR: GRUB or LILO; Kernel: initializes devices and moves from real mode to protected mode; Init; Runlevels
54320/54321 Important Intruder Ports
BO2K (malware)
31337 Important Intruder Ports
Back Orifice (malware)
Blackberry 10
Based on the QNX operating system. Supports major features similar to other mobile phones: drag and drop, gestures
6666 Important Intruder Ports
Beast(malware)
TCP Connection Termination
Because a TCP connection is two-way, it needs to be "torn down" in both directions, which uses four packets. The first system sends a TCP packet with the ACK and FIN flags set requesting termination. The second system sends an ACK response. The second system then sends a packet with the ACK and FIN flags set. The first system returns an ACK response.
Documenting Hardware Configuration of System
Before dismantling the computer: Take pictures of computer from all angles Record BIOS system time and date in chain of custody form After restoring power: Eject all removable media and fill out a separate chain of custody form for each
Linux File System Blocks
Blocks are divided into groups. Each group uses one block as a bitmap to keep track of which block inside that group is allocated (used); thus, there can be at most 4,096 * 8 = 32,768 normal blocks per group. Another block is used as a bitmap for the number of allocated inodes. Inodes are data structures of 128 bytes that are stored in a table, (4,096 / 128 = 32 inodes per block) in each group.
Windows Boot Process: Step Five
Boot sector loads NTLDR (the NT loader). It is the first part of the Windows operating system and responsible for preparing and loading the rest of the operating system.
RAID acquisitions
Both FTK and EnCase provide built-in tools for acquiring RAID arrays Okay to acquire RAID 1 disks separately RAID 0, 3, 4, 5 and 6 - data striping: make a forensic image of the entire RAID array
Optical media
CD-ROMs use high and low polarization to set the bits of data; however, CDs have reflective pits that represent the low bit If pit is nonexistent, data is a 1; if pit exists, it's a 0 Laser mechanism detects the distance the light beam has traveled in order to detect the presence or absence of a pit; this is why scratches can be problematic for optical media DVDs and Blu-ray discs are enhancements to original compact discs Still utilize same optical process but have larger capacity Should be forensically copied to a clean, forensically wiped drive for analysis
Functions of Transport Layer
Connection Control - The transport layer provides either connection-oriented or connectionless service. Flow Control - The data link layer provides flow control of data across a single link. Error Control - The transport layer also performs error checking. It confirms that data reached the destination without an error.
usb drives
Connective (not storage) technology Place in read-only mode to avoid altering data
HTTP Commands: LINK
Connects two existing resources
iOS elements in data partition
Calendar entries Contacts entries Note entries iPod_control directory (hidden) iTunes configuration iTunes music
How cross-site scripting affects forensics
Can be complex to uncover. Look for scripts that are unaccounted for by website programmers. This may be unsuccessful, as a sophisticated hacker will remove malicious code in an attempt to cover tracks. A more efficient method is to look in web server logs for any redirect traffic (HTTP messages in the 300 range) and determine whether any of these redirects cannot be accounted for by legitimate web coding.
file carving
Can use file carving on a file that's only partially recovered. Works on any file system. Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt. File carving utilities look for file headers and/or footers, and then pull out the data found between the two boundaries. One popular file carving tool is Scalpel
Memory Forensics
Capture the memory from a live machine. Can use: Dump-it, RAM Capturer from Belkasoft, OSForensics, other tools Analyze the captured memory Can use: Volatility, Pslist, Pstree, Psscan, Svcscan, other tools
LSB Method (Least Significant Bit)
Consider 11111111. Change the last digit to 0: 11111110 = 254 in decimal. The last bit, or least significant bit, is used to store data. Colored pixels in a computer are stored in bits. In Windows, for example, 24 bit is the normal color resolution. If you examine the Windows color palette, you'll find that you define a color by selecting three values between 0 and 255 in the Red, Green, and Blue text boxes. If you change the least significant bit in a pixel (changing the color by one bit), the image still looks the same. But a picture is made up of thousands—sometimes millions—of pixels. So by changing the least significant bit of many pixels, you can store data that is hidden in an image. This is the basis for modern image steganography
Windows Directories and Folders
Certain directories in Windows are more likely than others to contain evidence. Although there are many directories on a computer, the following are the most forensically interesting: C:\Windows documents and settings—This folder is the default location to save documents. Even though a criminal can save documents anywhere on the computer, it is a good idea to check this folder. C:\users—This includes user profile information, documents, pictures, and more for all users, not just the one currently logged on. C:\Program Files—By default, programs are installed in subdirectories of this directory. C:\Program Files (x86)—In 64-bit systems, 32-bit programs are installed here. C:\Users\username\Documents—The current user's Documents folder. This is a very important place to look for evidence. It is important to complete a general search of the entire suspect drive—not just these specific folders and directories.
Functions of Physical Layer:
Characteristics of media - Defines the characteristics of the interface which is used for connecting the devices. It also defines the type of the transmission media, such as copper wires or fiber optic cables. Encoding - Defines the encoding type. Encoding means changing the bit stream. Before transmission, the physical layer encodes the signal into electrical or optical form depending upon the media. Transmission Rate - Defines the transmission rate of bits. This provides the number of bits transmitted per second. It defines how long the duration of a bit will be. Transmission Mode - Defines the transmission mode between two devices. Transmission mode specifies the direction of signal flow. The different types of transmission modes are simplex, half duplex, and full duplex. Topology - A pattern which defines how devices are connected in a network. Different types of network topology are: Single Node, Ring, Bus, Mesh, Tree, and Hybrid Topology
Invisible Secrets
Choose whether you want to hide a file or extract a hidden file. For this example, suppose you want to hide a file. You select your chosen option in the Invisible Secrets Select Action dialog box. Select an image you want to use as the carrier file Select the file you want to hide. It can be a text file or another image file. You can also choose to encrypt as well as hide. Select a password for your hidden file. Pick a name for the resulting file that contains your hidden file. That's it!
Recovering Info from Damaged Media
Clean room; test system
HTTP Response Messages 400-499
Client errors
RAID 6 (Striped Disks with Dual Parity)
Combines four or more disks in a way that protects data against loss of any two disks.
Application filter
Combines stateful packet inspection with scanning for specific application issues Example: Web Application Firewall (WAF) scans for typical web attacks such as SQL injection and cross-site scripting
RAID 3 or 4 (Striped Disks with Dedicated Parity)
Combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.
RAID 5 (Striped Disks with Distributed Parity)
Combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.
volatile memory analysis : Step Two
Compute the hash after you complete the memory capture. You don't need to calculate a hash before data acquisition. Due to the volatile nature of running memory, the imaging process involves taking a snapshot of a "moving target."
Documentation of Methodologies and Findings
Computer evidence processing methodology includes strong evidence-processing documentation and good chain-of-custody procedures
Windows Boot Process: Step Two
Computer reads the master boot record (MBR) and partition table
Expert system
Computerized advisory programs that imitate the reasoning processes of experts in solving difficult problems
Equipment
Computers Server should have RAID 1 at a minimum Hard drives and storage USB, SCSI, etc. Legacy and state-of-the-art Peripherals Networking equipment Cables, adapters, and converters Write blockers Tools
Windows 2000
Considered a major improvement in the Windows line. Rather than separate NT and Windows lines, there were simply different editions of Windows 2000, including those for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. Microsoft began to recommend NTFS over FAT32 as a file system.
Logical Damage Recovery
Consistency Checking Problems Failure Deletion
Incident Response
Containment, Eradication, Recovery, Follow-up
/var
Contains data that is changed during system operation This directory is only useful on a live system. Once you shut down the system, the contents of this directory will be different the next time the system is booted up.
/dev
Contains device files Interfaces to devices All devices should have a device file in /dev Device naming conventions: hd = hard drive fd = floppy drive cd = CD Example: Main hard drive can be /dev/hd0
Network Packet: Trailer
Contains error-checking data to detect errors that occur during transmission May be part of the Ethernet or Point-to-Point Protocol (PPP) frame or other Layer 2 protocol The TCP (OSI model Layer 4) and IP (OSI model Layer 3) portions of a unit of information transfer contain only a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, then in addition to a header and payload, there is also a part at the end called the trailer.
/boot
Contains files critical for booting Boot loader (LILO or GRUB) looks in this directory Kernel images commonly located in /boot
/Volumes
Contains information about mounted devices Includes data regarding: Hard disks External disks CDs Digital video discs (DVDs) Virtual machines (VMs)
/usr
Contains subdirectories for individual users
The payload
Contains the content (data) (variable)
NIST 800-34
Contingency Planning Guide for Information Technology Systems This contains a seven-step process for BCP and DRP projects from the U.S. National Institute for Standards and Technology (NIST).
iOS Four Layers
Core OS layer: The heart of the operating system Core Services layer: Where applications interact with the iOS Media layer: Is responsible for music, video, and so on Cocoa Touch layer: Responds to gestures
Target Disk Mode
Create a forensically sound copy of disk contents -dd and netcat -Imaging tools within EnCase or Forensic Toolkit Begin in Target Disk Mode -Cannot write to disk -No chance of altering source disk -Connect to the suspect computer via USB or FireWire and image the disk. Target Disk Mode allows you to preview the computer on-site, so you can do a quick inspection before disconnecting and transporting the computer to a forensic lab. This is important because you will want to check the running system's processes before shutting the machine down. You simply have to reboot the machine in Target Disk Mode.
Proper Procedure: Mathematically Authenticating Data on All Storage Devices
Create hash of original and copy drives & compare Document hashing algorithms used SHA1 most common SHA2 used increasingly Linux: md5sum /dev/<your partition>
Undeleting data
Criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it Expect that evidence will frequently be deleted from computers you examine
Breaking Encryption
Cryptanalysis is using techniques other than brute force to attempt to uncover a key Also referred to as academic or knowledge-based code breaking Cryptographic techniques may be used to test the efficacy of a cryptographic algorithm Such as to test hash algorithms for collisions
Asymmetric cryptography
Cryptography wherein two keys are used: One to encrypt the message Another to decrypt it
Windows XP/Windows Server 2003
Marked a return to having a separate server and desktop system. The interface was not very different, but there were structural improvements.
paraben's email examiner
Exclusively for email forensics Works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case
Presenting has two forms -
Expert Report and Expert Testimony
Teardrop Attack
Exploits the reassembly of fragmented IP packets. The fragment offset field indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.
live forensic tools
PsList - processes PsInfo - operating system details ListDLLs - loaded DLLs PsLoggedOn - login information netstat - network connections
Linux File Systems
Extended File System (ext) Current version is 4 ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes ext3 and ext4 support three types of journaling: journal (most secure) ordered writeback (least secure) Reiser FS Berkeley Fast File System
DoD forensic standards
DC3 sets standards for digital evidence processing, analysis, and diagnostics.
Issues Pertinent to Forensics
Does the Windows version in question support 64-bit processing? Does it have a firewall? If so, is the firewall automatically on? Does the version of Windows support the Encrypted File System (EFS)?
23476/23477 Important Intruder Ports
Donald Dick (malware)
Seizing evidence from a Blackberry
Download and install BlackBerry Desktop Manager Steps to create complete backup image: Open BlackBerry's Desktop Manager. Click Options then Connection Settings. If the Desktop Manager hasn't already done so, select USB-PIN: Device # for connection type. Click OK. Select Backup and Restore. Click the Back Up button for a full backup of the device or use the Advanced section for specific data. Select your destination (such as workstation) and save the .ipd file. Examine data and perform a forensic analysis
Business continuity plan (BCP)
Focuses on keeping an organization functioning as well as possible until a full recovery can be made; concerned with maintaining at least minimal operations until the organization can be returned to full functionality
Data Encryption Standard (DES)
Data is divided into 64-bit blocks. Data is manipulated by 16 separate steps of encryption involving substitutions, bit-shifting, and logical operations using a 56-bit key. Data is then further scrambled using a swapping algorithm. Data is transposed one last time. The idea is to continually scramble the underlying message to make it appear as random as possible. No longer secure
Forensic Certifications
Demonstrates baseline of competence Know the following areas: PC hardware Basic networking Security hacking
Formal Forensic Approaches
Department of Defense Forensic Standards (D3) Digital Forensic Research Workshop Framework (DFRWS) The Scientific Working Group on Digital Evidence Framework (SWGDE) Event-based digital forensic investigation framework
iOS
Derived from OS X Interface based on touch and gestures In normal operations, iOS uses HFS+ file system Can use FAT32 when communicating with a PC Originally released in 2007 for the iPod Touch and the iPhone
RSA
Described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT Perhaps the most widely used public key cryptography algorithm today Is based on relationships of prime numbers Security of RSA derives from fact that it is difficult to factor a large integer composed of two or more large prime factors
Routers in Detail
Determine where to send information from one computer to another Are specialized computers that send your messages and those of every other Internet user to their destinations along thousands of pathways Maintain a routing table to keep track of routes Some routes are programmed manually, many are "learned" automatically by route
initdefault
Determines which run level to enter initially, using the highest number in the run_level field. If there is no initdefault entry in inittab, then init requests an initial run level from the user at boot time.
Functions of Session Layer:
Dialog Control - The session layer is responsible for setting up sessions between devices. It allows two devices to enter into a dialog (communication process). These dialogs can take place either in half-duplex or full-duplex mode. Synchronization - At the session layer, checkpoints (synchronization bits) are added into a stream of data to synchronize the sessions. For example, if a device is sending a file of 1000 pages, then you can insert checkpoints after every 100 pages to ensure that these 100 pages are received without an error and acknowledged independently. If an error occurs while transmitting page 631, the only pages that should be retransmitted are from 601 to 631. Previous pages need not be resent.
Operating systems
Different operating systems have different file structures. Linux distributions vary and are generally updated more frequently than Windows or Mac OS.
Handling Evidence
Digital forensics specialist is responsible for finding, preserving, and preparing evidence The specialist must: -Collect data -Document filenames, dates, and times -Identify any file, program, and storage anomalies -Gather evidence
Windows Tools for recovering data files:
DiskDigger WinUndelete FreeUndelete OSForensics
RAID-0 (Disk Striping)
Distributes data across multiple disks in a way that improves data retrieval speed.
List 4 formal forensic approaches
DoD forensic standards The Digital Forensic Research Workshop Framework (DFRWS) The Scientific Working Group on Digital Evidence Framework (SWGDE) Event-based Digital Forensics Investigation Framework
Documentation of Methodologies and Findings
Documentation of forensic processing is critical to effectively presenting findings and to the court allowing evidence into admission The following areas should be completely understood by the forensic specialist 1. Disk Structure 2. File Slack Searching
Why 4DES Was Never Implemented
Early simulations indicated it was too scrambled Blocks of original plaintext appeared in the final ciphertext One of the driving factors behind searching for a new algorithm not in the DES line
What an email review can reveal
Email messages related to the investigation Email addresses related to the investigation Sender and recipient information Information about those copied on the email Content of the communications Internet Protocol (IP) addresses Date and time information User information Attachments Passwords Application logs that show evidence of spoofing
FORENSIC SOFTWARE TOOLS
EnCase Forensic Toolkit (FTK) OSForensics Helix Kali Linux AnaDisk disk analysis tool CopyQM Plus disk duplication software The Sleuth Kit Disk Investigator
Common Forensic Software Programs
EnCase Widely used by law enforcement Prevents accidental changes to suspect machine Analyzes header, checksum and data blocks Forensic Toolkit Widely used by law enforcement Password cracking Search and analyze Windows Registry
Forensic Specific Certifications
Encase Certified Examiner Certification Access Data Certified Examiner OS Forensics ISC2 Certified Cyber Forensics Professional (CCFP) EC-Council Certified Hacking Forensic Investigator (CHFI) High Tech Crime Network certifications SANS Global Information Assurance Certification (GIAC)
Proper Procedure: Identifying File, Program, and Storage Anomalies
Encrypted, compressed, and graphics files store data in binary format. Therefore, they require manual evaluation.
Functions of Presentation Layer
Encryption - The Presentation Layer encrypts the data before it passes to the session layer. Encryption is the process of converting readable data into an unreadable format so that it protects the information from unauthorized access. On the receiver side, the presentation layer decrypts the data into readable format and passes it to the application layer. Compression - The presentation layer compresses data into fewer bits (reducing the size of the data) so that it can travel across the network faster while consuming less space. It is important while transmitting multimedia information such as text, audio, and video.
Scytale Cipher
Encrypts messages by wrapping a leather strip around a cylinder or baton, and writing across the leather Turning cylinder produced different ciphertexts Message decrypted by reading the message once placed over the same leather "key" wrapped around the same size cylinder
How to Set Up a Forensic Lab
Equipment Storage RAID 5 is recommended Back up at least 1x/day Security is paramount Lab Limit access to lab Physical security Fire resistant evidence safe Working network For email and internet use Outside of the lab
stateful packet inspection (SPI) firewall
Examines each and every packet, denying or permitting based on not only the current packet, but also considering previous packets in the conversation Firewall is aware of the context in which a specific packet was sent Are far less susceptible to ping floods, SYN floods, and spoofing
Windows
FAT16 and FAT32 used in pre-Windows 2000 versions NTFS file system in use since Windows 2000 Uses a table to map files to specific clusters where they are stored on the disk
windows
FAT32 (before WIN2000) Deleted files not removed from drive, FAT is updated to reflect that the clusters are no longer in use and will be overwritten NTFS (starting with WIN2000) Deleted files not removed from drive, clusters marked as deleted (moved to the Recycle Bin) and marked with a special character. Windows XP used INFO2 file Windows 7/Vista use $I structure Clusters and Slack Space - understand this
Hexadecimal values: JPEG
FF D8
Jpeg
FF D8 PDF: 25 50 BMP: 42 4D ZIP: 50 4B EXE: 4D 5A PNG: 89 50 GIF: 47 49 WAV, AVI: 52 49 MP3: 49 44
MAC refers to three critical properties
File modified File accessed File created These date/time stamps can be important forensically. For example, if the modified date for an image is later than the created date, then that image has been edited.
mac
File systems HFS and HFS+
Documenting Filenames, Dates, and Times
Filenames, creation dates, and last modified dates and times can be relevant as evidence Catalog all allocated and "erased" files Sort files based on filename, file size, file content, creation date, and last modified date and time Sorting provides a timeline of computer usage
Unallocated/slack space
Files stored on disk (archives, files, folders, etc.) Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.) Master boot record (MBR) where empty drive sectors remain Boot sectors in nonbootable partitions To find relevant data only in the unallocated space, search the unallocated space for keywords. Tools such as AccessData's Forensic Toolkit (FTK) allow an investigator to take an entire image and try to identify all of the documents in the file system, including the unallocated space. To search the entire disk many times over, tools such as FTK can help you build a full-text index. Full-text indexing allows you to build a binary tree-based dictionary of all the words that exist in an image, and you can search the entire image for those words in seconds.
Windows Log Files
Files that contain information about events and other activities that occur in Windows Event Viewer used to view log files All versions of Windows support logging, although the method to get to the log can vary from one version to another. With Windows 10 and Windows Server 2012, you find the logs as follows: Click on the Start button in the lower-left corner of the desktop. Click the Control Panel. Select Administrative Tools. Select Event Viewer.
How to fake an email
Find a free public Wi-Fi in an area at least one hour from your home. Spoof both your IP address and MAC address. Send the email through an anonymous email account set up for that purpose. It is, however, very common for criminals to actually send emails from their own computers without even bothering to spoof their IP address or MAC address. Even computer-savvy criminals, who think to spoof their IP addresses, might not think to spoof the MAC address.
Evidence-Handling Tasks (3)
Find evidence Preserve evidence Prepare evidence
Getting Headers for Yahoo Email
First open the message. On the lower right, there is a link named Full Headers. Clicking on that link allows you to see the headers for that email.
Eradication
Fix vulnerabilities Example: Remove the malware Perform comprehensive examination of what occurred and how far it reached Ensure that the issue was completely addressed Forensics begins at this stage
Disaster Recovery Plan (DRP)
Focuses on executing a full recovery to normal operations Sometimes referred to as an incident response plan (IRP) focuses on returning to full functionality
1983
Richard Stallman creates GNU (GNU's Not UNIX)
Preparing the System
For suspect computers: Remove the drive(s) Create an evidence form and/or a chain of custody form For mobile devices: Remove SIM card, if necessary Some devices let you dock the phone and examine it without removing the SIM
Present evidence well
Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The evidence should be solid enough that a defense counsel cannot rebut it. A forensic specialist must create a step-by-step reconstruction of actions, with documented dates and times. The specialist's testimony must explain simply and clearly what a suspect did or did not do.
Search throughout a device
Forensic specialists must search at the bit level across a wide range of areas inside a computer, including: Email and temporary files in the operating system and in databases Swap files that hold data temporarily, logical file structures, and slack and free space on the hard drive Software settings and script files that perform preset activities Web browser data caches, bookmarks and history, and session logs that record patterns of usage
Determine when evidence was created
Forensic specialists should not trust a computer's internal clock or activity logs. Before logs disappear, an investigator should capture: The time a document was created The last time it was opened The last time it was changed Trust only physical evidence—The physical level of magnetic materials is where the 1s and 0s of data are recorded. In system forensics, only this physical level is real. A forensic specialist should consider everything else untrustworthy
Imaging with dd and netcat
Forensically wipe the drive: dd if=/dev/zero of=/dev/hdb1 bs=2048 Use netcat to set up the forensic server to listen: # nc -l -p 8888 > evidence.dd Use the dd command to read the first partition: # dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3
Follow-up
Forensics plays a critical role in this stage as well. The IT team must determine how this incident occurred and what steps can be taken to prevent the incident from reoccurring. Obviously, the results of the forensic examination are instrumental to the follow-up stage
Expert Reports
Format Thoroughness Back up everything you say
Kali Linux
Has a number of forensics tools Can use as quality control tool to complement OSForensics, FTK, or Encase Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit
Cryptographic Hashes
Hashing is a type of cryptographic algorithm with some specific characteristics It is one-way, not reversible It is a fixed-length output no matter what input is given The algorithm must be collision resistant
Kali Linux
Formerly known as BackTrack Includes a variety of tools and has an easy-to-use KDE interface
Invisible Secrets
Free tool that can be used to hide or extract a hidden file.
Linux GUI's
GNOME (GNU Network Object Model Environment) KDE (K Desktop Environment) Plasma Common Desktop Environment (CDE) Originally developed in 1994 for UNIX systems Based on HP's Visual User Environment (VUE) Enlightenment Relatively new Designed for graphics developers
2007
General release of Windows Vista
Email Message Components
Header Addressing information Source and destination Body Contents of the message Attachments External data that travels along with each message
Windows Registry Hives
HKEY_CLASSES_ROOT (HKCR) HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM) HKEY_USERS (HKU) HKEY_CURRENT_CONFIG (HKCC)
Windows Vista and Windows 7
Had feature changes and additional capabilities over XP, but essentially the interface was moderately tweaked with each version. The same can be said of Windows Server 2008. Someone comfortable with Windows Server 2003 would have no problem working with Windows Server 2008.
What are 4 basic principles to consider when dealing with forensic evidence?
Handle the original data as little as possible - you should instead make a bit-level copy and do all forensic analysis on that. Comply with the rules of evidence - follow the chain of custody and Daubert principle, and other rules of evidence (for example, the Federal Rules of Evidence). Avoid exceeding your knowledge - if you exceed your listed expertise you could miss vital information, or at the very least the opposing lawyer could claim you have. Create an analysis plan - you should create a standard analysis plan that is customizable by situation, which should include how you will collect evidence, concerns about evidence being changed or destroyed, what tools are appropriate for the specific investigation, type of case, and admissibility rules.
magnetic media
Hard drives and floppy drives Data is stored magnetically; drives are susceptible to magnetic interference If drive is demagnetized, there is no way to recover data Transport suspect drives in special transit bags that reduce electrostatic interference to decrease the chance of inadvertent loss of data Magnetic drives have moving parts
Event based Digital Forensics Investigation Framework
Has 5 primary phases, readiness, deployment, physical crime scene investigation, digital crime scene investigation, and presentation
/bin directory
Holds binary or compiled files used by ordinary users Can include malware
/root
Home directory for the root user Contains data for the administrator Linux root user is equivalent to Windows Administrator
both magnetic and solid state drives
Host protected area (HPA) Master boot record (MBR) Volume slack Good blocks marked as bad File slack
Magnetic and Solid State Drives
Host protected area (HPA) or vendor-specific drive space Master boot record (MBR) where empty drive sectors remain Volume slack Unallocated space Good blocks marked as bad File slack Files stored on disk (archives, files, folders, etc.) Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.) Master boot record (MBR) where empty drive sectors remain Boot sectors in non-bootable partitions
2017
Hundreds of Linux distributions are available
Adding Forensics to Incident Response
Identify forensic resources the organization can use in case of an incident Identify an outside party that can respond to incidents with forensically trained personnel Weave forensic methodology into organization's incident response policy Provide appropriate training to staff for preserving evidence
Name 6 types of computer based crime
Identity theft hacking systems for data cyberstalking/harassment internet fraud non-access computer crimes cyberterrorism
Identify Crime:A criminal uses phishing to trick a victim into giving up personal information
Identity theft
Electronic Communications Privacy Act (ECPA)
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers. Requires different Legal processes to obtain specific types of information: Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant. Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant. Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails. Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.
How ophcrack affects forensics
If it occurs on Windows Server 2003/2008/2012, the reboot will show in the log. If the log shows a reboot after a successful logon, this can indicate that ophcrack or a similar tool was used. A forensic investigator can also check physical security, such as security cameras, which may be helpful. Finally, if the user assigned to the account is not present, this can also be an indication.
Windows Registry: Passwords
If the user tells Internet Explorer to remember passwords, then those passwords are stored in the Registry and you can retrieve them. The following key holds these values: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
Seizing Evidence from an iPhone
If you have imaged the phone and you then search for information, you may have to look more closely to find some data: Library_CallHistory_call_history.db has the entire call history. If you cannot view that directly on the phone itself, the database file has all call information. Cookies are in the file Library_Cookies_Cookies.plist. This can give you a history of the phone user's Internet activities. These, and other files, are actually copied to a PC during synchronization. Here are a few of those files: Library_Preferences_com.apple.mobileipod.plist Library_Preferences_com.apple.mobileemail.plist Library_Preferences_com.apple.mobilevpn.plist The mobileemail.plist file gives you information about email sent and received from the phone. The mobilevpn.plist file can indicate if the user has used the phone to communicate over a VPN. Deleted files: When a file is deleted on an iPhone/iPad/iPod, it is moved to the .Trashes\501 folder. Data exists until overwritten
Rules For Seizing Evidence from a Mobile Device
If you plug device into a computer, make sure device does not synchronize with the computer Touch evidence as little as possible Document what you do to the device Don't accidentally write data to the mobile device
Multialphabet substitution example
If you select three substitution alphabets (+2, -2, +3) A CAT becomes C ADV
file slack searching
If you write a 1-kilobyte (KB) file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster are wasted This unused space between the logical end of file and the physical end of file is known as file slack or slack space File slack is a source of potential security leaks involving passwords, network logons, email, database entries, images, and word processing documents
Apple 1
In 1975, Steve Wozniak and Steve Jobs finished the prototype of the first Apple computer. Wozniak worked for Hewlett-Packard (HP) and his employment contract required him to give his employer first right of refusal on any of his inventions. However, HP was not interested and released the technology to Wozniak. Apple Computer was formed in April 1976 by Steve Jobs, Steve Wozniak, and Ronald Wayne. The Apple I, created by Wozniak, had an 8-bit microprocessor running at just below 1 MHz. The Apple I had a built-in video terminal, sockets for 8 kilobytes of onboard RAM, a keyboard, and a cassette board meant to work with regular cassette recorders
Center for Education and Research in Information Assurance and Security (CERIAS)
In 2004 Brian Carrier and Eugene Spafford at Purdue University proposed a forensics model that was more flexible and intuitive. Has five primary phases: -Readiness -Deployment -Physical Crime Scene Investigation -Digital Crime Scene Investigation -Presentation
Incident Response Plan
In place to respond to: Fire Flood Hurricane Tornado Hard drive failure Network outage Malware infection Data theft or deletion Intrusion
var/vm folder
In this folder, you will find a subfolder named app profile, which will contain lists of recently opened applications as well as temporary data used by applications
/var/spool/cups
In this folder, you will find information about printed documents, including the name of the document printed and the user who printed it.
The Scientific Working Group on Digital Evidence Framework (SWGDE)
Includes 4 stages, Collect, preserve, examine, transfer
Recovery Plan
Includes business continuity plan and disaster recovery plan based on priorities established in the business impact analysis Alternate equipment identified? Alternate facilities identified? Mechanism in place for contacting all affected parties, employees, vendors, customers, and contractors, even if primary means of communication are down? Off-site backup of the data exists? Can backup be readily retrieved and restored?
Sparse Infector
Infects only on certain occasions - for example, it may infect every 10th program executed, or it might wake up once a month and infect. This strategy makes it more difficult to detect the virus.
What is bit level information?
Information at the level of the actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system's interpretation
Network packets
Information that is sent across a network is divided into chunks, called packets. Packets exist in the OSI model at Layer 3 and are typically formatted according to the Internet Protocol—though you may come across many other protocols and their unique formats.
HTTP Response Messages 100-199
Informational; the server is giving your browser some information, most of which will never be displayed to the user
Deleting a File in Linux
Inode hard link is integral Inode links directly to a specific file OS keeps a count of references to each hard link When reference count reaches zero, file is deleted
Scalpel Usage
Install the tool. Verify the output directory is empty. Edit the config file: in the configuration file /etc/scalpel/scalpel.conf, uncomment the specific file format you want to recover. Run the scalpel command: sudo scalpel [device/directory/file name] -o [output directory]
memory resident
Instructions that remain in memory while the computer or mobile device is running.
Playfair Cipher
Invented by Charles Wheatstone in the mid 1800s. Lord Playfair pushed use of it. Works by encrypting pairs of letters, also called digraphs, at a time Uses a 5 × 5 table that contains a keyword or key phrase To use it, one need only memorize that keyword and four rules Example: "Attack at dawn" becomes "At ta ck at da wn"
How SQL injection affects forensics
Investigator should search firewall logs and database logs
Recovery
Involves returning the affected systems to normal status If malware: Ensure the system is back in full working order with no presence of malware Might need to restore software and data from backup
Universal Serial Bus (USB)
Is actually a connectivity technology, not a storage technology Can be used to connect to external drives that can be either magnetic or solid state Thumb drives have no moving parts, which means these drives are resilient to shock damage Thumb drives can be easily erased or overwritten. Copy data from the USB drive to a target forensic drive for analysis
discarded information
Is another method that allows a hacker to gather information about a person's identity Often referred to as dumpster diving Shred documents before throwing them out to avoid identity theft
What three things should be considered regarding cyberstalking/harassment cases?
Is it possible? If a person makes a threat, is it credible? How frequent is it? How serious is it? For example, specific detailed threats take "I will kill him/her" to the next step by detailing how it might be accomplished
What three roles can a computer or device play in computer crime?
It can be the target of the crime It can be the instrument of the crime It can be an evidence repository that stores valuable information about the crime
Proper Procedure: Transporting the Computer System to a Secure Location:
It is evidence Lock it in the vehicle Drive straight to lab
Attempting Local Repair
It is possible that the data is deemed "lost," and there will be no increased loss if you attempt local repair and fail. If so, you can try the following: a. Remove the printed circuit board and replace it with a matching circuit board from a known healthy drive. b. Change the read/write head assembly with matching parts from a known healthy drive. c. Remove the hard disk platters from the original drive and install them into a known healthy drive.
Windows Registry : Tracking Word Documents
It is possible to track Word documents in the Registry. Many versions of Word store a PID_GUID value in the Registry, for example, something like: {123A8B22-622B-14C4-84AD-00D1B61B03A4}. The string 00D1B61B03A4 is the MAC address of the machine on which this document was created.
Getting Header in Outlook
It is relatively easy to view the headers using Outlook. With a specific message open, select File and then Info. Then select Properties and you will be able to view the headers. Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods: Method #1—Right-click the message in the folder view, and then choose Options. Method #2—In an open message, choose View and then Options. With either method, you will see the Internet headers portion of the Message Options dialog box.
/var/log/lpr.log
Items that have been printed. Useful for corporate espionage cases.
JTAG
Joint Test Action Group An Institute of Electrical and Electronics Engineers (IEEE) standard for testing chips Test access points (TAPs) used to directly access the chip and extract data Forensic examiner takes back off of phone, and then connects wires by soldering or by using some other means to the TAPs of the phone's memory chip Wires also connected to a JTAG device that uses software to extract the data directly from the memory chip
Preventing Logical Damage
Journaling file systems Use a consistency checker Use disk controllers with battery backups
/etc directory
Just as in Linux, this is where configuration files are located. Cybercriminals often adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later.
volatile memory analysis: Step Four
Justify the validity of the acquired memory data (essential when producing digital data from a live system as evidence in court). One common approach is to acquire volatile memory data in a dump file for offline examination. You can then analyze the dump electronically or manually in its static state.
transporting the evidence (computer)
Keep evidence in possession or control at all times Document movement of evidence between investigators Secure evidence appropriately so it can't be tampered with or corrupted Lock in a vehicle Drive vehicle directly to lab
volume Shadow copy
Keeps a record or copy of state changes Stores them in blocks of data that are compared daily Changed blocks are copied to Volume Shadow Volume Shadow Copy service runs once per day
Windows Boot Process: Step 13
Kernel initialization begins (screen turns blue)
AES Steps
Key Expansion Initial Round: AddRoundKey Rounds: SubBytes ShiftRows MixColumns AddRoundKey Final Round: SubBytes ShiftRows AddRoundKey
linux directories
Key directories are important to the functioning of every operating system Directories are also important places to seek out evidence in an investigation
modern methods
Known Plaintext Chosen Plaintext Ciphertext-only Related-key
Modern Methods of Cracking Encryption
Known plaintext attack Chosen plaintext attack Ciphertext-only Related-key attack
Technical information collection considerations:
Lifespan of information: how long the information is valid and accessible. For example, some evidence resides in storage that must have constant power. It is also frequently not possible or practical to determine who made a change and when.
636
Lightweight Directory Access Protocol Secure (LDAPS) (SSL or TLS)
What are some challenges to System Forensics
Large volume of data, system complexity, distributed crime scenes, growing caseload and limited resources, obscured information and anti-forensics
Sleuth Kit
Library and collection of command-line tools allowing investigation of volume and file system data
Linux shell commands for forensics
Linux has hundreds of shell commands Some can be very useful in forensic investigations
Log Files as Source of Evidence
Log files contain primary records of a person's activities on a system or network Log files can often identify: Source, nature, and time of an attack Specific user account of events related to illicit activities
Types of Logs: Security event
Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible. Intrusion detection systems (IDSs) record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover what commands an attacker ran and what files he or she accessed. You can also determine what files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.
Functions of Network Layer
Logical Addressing - The data link layer provides physical addressing, which is useful for a local network. When a packet is destined for a device outside the network, another addressing scheme is required to identify the source and destination. The network layer adds a header to the data that includes the logical address (IP address) of the source and destination. An IPv4 address is a 32-bit address that uniquely identifies a device connected to the network. Routing - Defines the proper path for packets to reach their correct destination. Routing can be of two types, static or dynamic. Handling Congestion issues - Any given network has a certain capacity to deliver or handle a number of packets. When packets exceed that capacity, congestion occurs. It is the responsibility of the network layer to control such congestion problems. Inter-networking - Inter-networking means connecting two or more computer networks together. The Internet is the best example of inter-networking. Different types of networks exist in the real world, such as LAN, MAN, and WAN.
Identity Theft Forensics
Look for spyware on the victim's machine If spyware exists, search for where the spyware is sending its data Periodic email with an attachment A stream of packets to a server the criminal has access to If phishing, check email history on the victim's computer as well as the web history
Windows Boot Process: Step Three
MBR locates boot partition. This is the partition that has the operating system on it.
Windows Boot Process: Step Four
MBR passes control to boot sector on boot partition
NTFS Fundamental Files
MFT(Master File Table) which describes all files on the volume Cluster bitmap which is a map of all the clusters on the hard drive
New Technology File System (NTFS)
Mac OS X includes read-only support for the New Technology File System (NTFS). This means if you have a portable drive that is NTFS, Mac OS X can read that partition.
Microsoft Disk Operating System (MS-DOS)
Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12, FAT16, and FAT32.
Yosemite
(Mac OS X v10.10)—Released in October 2014. The most important part of this release, from a forensics standpoint, is that it allowed users who have iPhones with iOS 8.1 or later to pass certain tasks to their Macintosh computer.
Leopard
(Mac OS X v10.5)—Had over 300 new features, support for Intel x86 chips, and support for the new G3 processor
Lion
(Mac OS X v10.7)—Included a major interface change that made it more like the iOS interfaces used on iPhone and iPad.
Mountain Lion
(Mac OS X v10.8)—Had built-in support for iCloud, to support cloud computing.
1985
Macintosh—Had an 8-MHz Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating system was System 1, which eventually led to the Macintosh II running System 7. System 7—Allowed text dragging between applications, viewing and switching applications from a menu, a control panel, and cooperative multitasking. Mac OS for PowerPC—Introduced the System 7.1.2 operating system. AIX for PowerPC—Used a variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical user interface that is popular in the UNIX world. This product did not do well in the market and was discontinued in 1997.
Macintosh File System (MFS)
Macintosh File System (MFS) shipped with the first Macintosh in 1984. It has not been used in more than 15 years and you are unlikely to encounter it.
Macintosh
Macintosh OS X and later versions are based on FreeBSD A UNIX clone, much like Linux Mac OS X uses HFS+, or Hierarchical File System Plus Earlier versions of Macintosh used HFS Therefore, some of the techniques that work for Linux also work with Macintosh. However, there are also some tools you can use that are made specifically for Macintosh
Directories
Macintosh has a number of important directories Some are relevant to a forensic examination of a Macintosh machine
Imaging with Encase
Makes bit-level images and then mounts them for analysis Preview mode allows investigator to use a null modem cable or Ethernet connection to view data on the subject machine safely Doesn't alter evidence
spoofing
Making an email message appear to come from someone or someplace other than the real sender or location First machine to receive spoofed message records machine's real IP address Header contains both the faked IP and the real IP address unless, of course, the perpetrator is clever enough to have also spoofed his or her actual IP address.
Windows Registry: Malware
Malware may be found in the Registry. If you search the Registry and find HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, it has a value named Shell with default data Explorer.exe. This tells the system to launch Windows Explorer when the logon is completed. Some malware appends the malware executable file to the default value's data, so that the malware will load every time the system launches. It is important to check this Registry setting if you suspect malware is an issue. The key HKLM\SYSTEM\CurrentControlSet\Services\ lists system services. Several types of malware install as a service, particularly backdoor software. Be sure to also check this key if you suspect malware is an issue.
linux shells
Many Linux administrators work entirely in the shell without ever using a graphical user interface (GUI). Linux offers many different shells
/mnt
Many devices are mounted in /mnt Drives must be mounted prior to use Checking this directory lets you know what is currently mounted on system
How to Examine a Mac
Many forensics tools are less effective at extracting data on a Macintosh than on Windows. One technique is to create a copy of the forensic image and then mount it, read only, as a virtual machine (VM).
RFC 2822 Specifications for Email Headers
Message header must include: From field - the email address and optionally the name of the sender; Date field - the local time and date when the message was written. Message header should include (not required): Message-ID field - an automatically generated field; In-Reply-To field - the Message-ID of the message that this one is a reply to, which is used to link related messages together.
/var/log/kern.log
Messages from the operating system's kernel less interesting forensically but can be used to rule out malware
Windows 8 phone
Microsoft Mobile Nokia
Recovering After Logical Damage
Microsoft Windows: chkdsk Linux: fsck Mac OS X: Disk Utility The Sleuth Kit TestDisk
RAID 1 (mirroring)
Mirrors the contents of the disks creating an identical copy of the drive running on the machine.
Wi-Fi
Most cellular phones and other mobile devices can connect to Wi-Fi networks Free Wi-Fi hotspots in restaurants, coffee shops, hotels, homes, and many other locations
solid state drives
Most use Negated AND (NAND) gate-based flash memory NAND retains memory without power
Recovering a file in linux
Move system to single-user mode with init 1 command Use grep to search for and recover files Example: # grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
Windows Boot Process : Step 11
NTLDR loads hal.dll (hardware abstraction layer).
Windows Boot Process: Step 12
NTLDR loads the system hive (i.e., the Registry) and reads in settings from it.
Windows Boot Process: Step 9
NTLDR reads boot.ini and displays the boot loader menu. If there are multiple operating systems, they will be displayed.
Windows Boot Process: Step 8
NTLDR starts minimal file system drivers (FAT, FAT32, NTFS).
Windows Boot Process: Step 7
NTLDR switches from real mode to 32-bit or 64-bit mode, depending on the system. Real mode is the default for x86 systems. It provides no support for memory protection, multitasking, or code privilege levels.
Wireless Network Discovery Tools
NetStumbler MacStumbler iStumbler
Network Traffic Analysis
Network Monitoring-the big picture of what is happening on a network Network Analysis-discovers the details of what is happening on a network
Function of Application Layer
Network Virtual Terminal - A software version of a physical terminal. It allows the user to log in to a remote computer connected to the network. File Transfer Access and Management (FTAM) - Helps the user access files on a remote computer and make changes. Users can edit the file directly on the remote computer or download it to their local computer. Mail Services - Provides forwarding of e-mail to another device over the Internet.
Security
Network and electronic security Lab network should not be attached to the Internet Includes physical security Access to the lab Ways of securing evidence
Wireshark
Network protocol analyzer Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets Analyzes real-time and saved data Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others Supports IPv4 and IPv6 Allows Voice over IP (VoIP) analysis Freely available
stateless
No information about the exchange is permanently retained by the server without help (i.e. cookies) ; applies to normal web traffic
/proc
Not stored on hard disk Is created in memory and keeps information about currently running processes Contains subdirectories that can be used to recover files and evidence Example: Assume that an intruder has downloaded a password cracker and is attempting to crack system passwords. The tool is attempting a number of passwords in a text file called pass. The intruder subsequently deletes both the executable and the text file, but the process is still running in memory. You can use ps or pstree to find the running processes and get the process ID. Assume the process ID is 3201. Now in the /proc directory, you can find /proc/3201. If you simply copy the executable from /proc to some other directory, it recovers that deleted executable. Of course, this works only on a live system, prior to shutting it down.
Windows Boot Process: Step 6
Note that if instead of being shut down, Windows has been put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes at the previous state
Windows Boot Process: Step 10
NTLDR loads NTOSKRNL and passes hardware information. NTOSKRNL is the actual kernel for the Windows operating system. This is the end of the boot phase and the beginning of the load phase.
Packet Mistreating
Occurs when a compromised router mishandles packets Results in congestion in a part of the network
cryptographic hashes
One-way, not reversible Fixed-length output regardless of input Must be collision resistant
Getting Header in Apple Mail
Open Apple Mail. Click on the message for which you want to view headers. Go to the View menu. Select Message, then Long Headers. The full headers will appear in the window below your Inbox.
Linux Distributions
Open source operating system Popular distributions: Ubuntu Red Hat Enterprise Linux (RHEL) OpenSUSE Debian Slackware
Generic Forensic Zip (Gfzip)
Open-source file format used to store evidence from a forensic examination
Types of Logs: Operating system event
Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events
Other symmetric algorithms
Other symmetric algorithms: Blowfish Serpent Skipjack
DoS:
Overwhelming a system with requests
Certifications
PC Hardware: CompTIA A+ Basic Networking: Network+ or Cisco Certified Network Associate (CCNA) Security: CompTIA Security+ or ISC2 CISSP Hacking: EC-Council Certified Ethical Hacker
995
POP3 Secure encrypted POP3
SAM file
Password hashes are stored in the SAM file in Windows. It's in c:\windows\system32\config\SAM. There is a backup of this file in the repair folder. It's encrypted with Syskey, which is 128 bit. Windows locks this file when it boots, but Ophcrack boots to a Linux live CD and reads the hashes during this process.
Hacking via Cross-Site Scripting
Perpetrator seeks out someplace on target website that allows end users to post text that other users will see, such as product reviews Instead of posting a review or other text, the attacker posts JavaScript If website does not filter user input before displaying, other users navigate to this review and script executes
Avoid Changing evidence
Photograph equipment in place before removing it Label wires and sockets so computers and peripherals can be reassembled in a laboratory exactly as they were in the original location Transport computers, peripherals, and media carefully to avoid heat damage or jostling Avoid touching original computer hard disks and CDs Make exact bit-by-bit copies and store the copies on a medium that cannot be altered, such as a CD-ROM
Snort
Primarily used as an open source intrusion detection system Can function as a robust packet sniffer with a lot of configuration options
Wardriving
Process of driving around an area while a passenger in the vehicle scans for insecure, or weakly secured, wireless networks Participants then attempt to breach the targets they find
show version
Provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.
American Society of Crime Laboratory Directors (ASCLD) (slides)
Provides guidelines for: Managing a forensics lab Acquiring crime lab and forensic lab certification A lab must meet about 400 criteria to achieve accreditation TEMPEST
Types of RAID
RAID 0, 1, 3, 4, 5, 6, 1+0
RAID Acquisitions
RAID 0, 1, 3, 4, 5, 6, 1+0 Can acquire RAID 1 disks separately RAID 0, 3, 4, 5, and 6 use data striping across multiple disks Make a forensic image of the entire RAID array
password cracking tools
Rainbow Tables John the Ripper
431888 Important Intruder Ports
Reachout (malware)
Four types of Evidence -
Real, Documentary, Testimonial and Demonstrative
Data Doctor
Recovers all Inbox and Outbox data and all contact data, and has an easy-to-use interface. It has a free trial version, but there is a cost for the full version. Data Doctor retrieves Inbox and sent message data as well as contact data.
MacKeeper
Recovers deleted files on Macintosh computers Free, fully functional trial version available
HTTP Response Messages 300-399
Redirect messages telling the browser to go to another URL
caesar cipher
Referred to as the substitution cipher A simple method of encryption and very easy to crack Choose some number by which to shift each letter of a text Substitute the new alphabetic letter for the letter being encrypted used by the ancient Romans
3389 Important Intruder Ports
Remote Desktop
Proper Procedure: Preparing the System
Remove all drives Create chain of custody form (for each) Or, leave in system and acquire with forensically safe boot disks, CD-ROMs, or thumb drives
HTTP Commands: DELETE
Remove the webpage
HTTP Commands: POST
Request to append to a webpage
HTTP Commands: GET
Request to read a webpage
HTTP Commands: HEAD
Request to read just the head section of a webpage
ISO 27001
Requirements for Information Security Management Systems Section 14 addresses business continuity management.
Router Forensics
A router is a hardware or software device that forwards data packets across a network to a destination network May contain: Read-only memory (ROM) with power-on self test code Flash memory containing the router's operating system Nonvolatile random access memory (NVRAM) containing configuration information Volatile RAM containing routing tables and log information
Federal Rules of Evidence (FRE)
Rules established by the US Supreme Court guiding the introduction and use of evidence in federal court proceedings that are an important benchmark for state and other courts. FRE governs what and how electronic records may be used, and the roles of record custodianship Uses rules 901 and 902
Where windows password hashes are stored
SAM file in Windows\System32 directory
integrated circuit card identifier (ICCID).
SIM is identified by this These numbers are engraved on the SIM during manufacturing. This number has subsections that are very important for forensics. This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.
Hacking systems for data,
SQL injection, Cross-Site scripting, Ophcrack, Tricking tech support
993
Secure IMAP or Encrypted IMAP
Types of Windows Log Files
Security, Application, System, Forwarded Events, Applications and Services
Proper Procedure:Shutting Down the Computer: Windows
See what is currently running - but touch as little as possible 1. Ctrl+Alt+Del to check a. Task Manager b. Process Tab c. Take a photo with a camera 2. Check for live connections to the system: run each of the following commands and photograph the results before shutting down the machine a. netstat b. net sessions c. Openfiles 3. Capture memory using a forensic tool from a USB device a. OSForensics b. Access Data's FTK 4. Shut down by pulling the plug
Windows Boot Process: Step 14
Services load phase begins
/etc/inittab File
Sets the boot-up process and operation. Each entry has the form label:run_level:action:process. Actions include boot, bootwait, initdefault, and sysinit.
/sbin directory
Similar to /bin Contains binary files not intended for the average computer user EX: mke2fs command, a file system utility that is usually utilized by administrators, is in this directory.
Deleting Files on Macintosh
Similar to Windows, when file is deleted, references to file are gone and clusters might be used and overwritten Even if data is overwritten, data might exist in unallocated space and in index nodes Deleted files moved to the trash folder, similar to Recycle Bin in Windows Macintosh trash folder is .Trash, a hidden folder on the root directory of file system Recover deleted files from .Trash by copying or moving to other location or Use tools to recover files, even after trash bin has been emptied Mac Undelete Free Undelete MacKeeper
artificial intelligence (AI)
Simulates human intelligence such as the ability to reason and learn
How denial of service attacks affect forensics
Single machine-trace packets (common for attackers to spoof IP addresses, less common to spoof MAC addresses) Seek commonalities of zombie computers
history of encryption
Single-alphabet ciphers - Caesar Cipher Multi-alphabet Substitution ciphers
Sniffer
Software or hardware that can intercept and log traffic passing over a digital network Extracts network packets and performs a statistical analysis on the dumped information Commonly applied sniffers include Tcpdump (UNIX platforms) and WinDump
Percentage of computers suspected of having some type of spyware
Some estimates are as high as 80%. Spyware can be legal, such as parents monitoring children, cookies (which at a basic level are spyware), or employers monitoring employees. Illegal spyware is often transferred via trojans through a link or email.
FIN Scan
Sometimes a host may need to terminate a connection quickly, due to a port being unreachable or a timeout, for example. Can send a Reset (RST) packet. Initial SYN packet should never have FIN or RST associated with it. Indicates an attack/malicious attempt to get by your firewall. A packet is sent with the FIN flag turned on. If port is open, this generates an error message. Because there was no prior communication, an error is generated telling the hacker the port is open and in use.
NFPA 1600:
Standard on Disaster/Emergency Management and Business Continuity Programs This is from the U.S. National Fire Protection Association.
boot
Starts the process and continues to the next entry without waiting for the process to complete. When the process dies, init does not restart the process.
bootwait
Starts the process once and waits for it to terminate before going on to the next inittab entry
sysinit
Starts the process the first time init reads the table and waits for it to terminate before going on to the next inittab entry
What Is Disaster Recovery?
Steps taken after an information technology-related disaster to restore operations Forensic techniques may be best method for determining what caused the disaster and for avoiding a repeat of it Forensic process begins once an incident has been discovered Is not fully underway until after the disaster or incident is contained
RAID 1+0 - A Stripe of Mirrors
Stripe file blocks across mirrored drives High disk space utilization High redundancy Minimum of 4 drives
documentation
Strong evidence-processing documentation Good chain-of-custody procedures A systems forensics specialist should have a good understanding of: Computer hard disks and CDs, and know how to find hidden data in obscure places The techniques and automated tools used to capture and evaluate file slack or slack space
Hierarchical File System Plus (HFS+) and Forensics
Supports aliases Performs defragmentation on a per-file basis
Reiser File System
Supports journaling Performs well when hard disk has large number of smaller files
Features HFS+
Supports journaling Supports disk quotas Has hard and soft links Uses 32 bits for allocation blocks rather than 16 bits Supports long filenames, up to 255 characters Uses Unicode rather than ASCII
Intrusion detection system logs
Suspicious traffic
Searching Virtual Memory
Swap file/virtual memory is in /var/vm/ Check it with Linux commands: ls returns list of files ls -al returns list of all files in virtual memory, who launched program and when grep lets you search in virtual memory folder
substitution and transposition
Swapping of blocks of ciphertext All modern block-cipher algorithms use substitution and transposition Combination of substitution and transposition increases security of resultant ciphertext by making cryptanalysis more complex
Evidence-Gathering Measures
Take following measures: Avoid changing evidence Determine when evidence was created Search throughout device (level of 1s and 0s) Determine info about encrypted and steganized files, without decoding Present evidence well
Proper Procedure: Documenting the Hardware Configuration of the System (before dismantling)
Take pictures of computer from all angles Label each wire Record BIOS/UEFI information
Imaging with Forensic Toolkit (FTK)
Takes snapshot of entire disk, makes bit-level copy for analysis Inexpensive, easy to use, good all-in-one forensic tool Offers Registry viewing, in-depth logging, standalone disk imaging, direct email and zip file analysis
Macintosh Forensic Techniques
Target Disk Mode Searching Virtual Memory Shell Commands
Narrow AI
Technologies that can perform specific tasks as well as, or better than, humans.
viewing logs in linux
Text editor in GUI Any of these commands work from the shell: dmesg | lpr # tail -f /var/log/lpr.log # less /var/log/lpr.log # more -f /var/log/lpr.log
caesar cipher example:
Text is: A CAT You choose to shift by two letters; then C replaces A, E replaces C, C replaces A, and V replaces T; the encrypted message is: C ECV If you shift by three letters, the message is: D FDW
Identifying File, Program, and Storage Anomalies
Text search programs can't identify text data stored in binary format They require manual evaluation Evaluate hidden partitions for evidence and document their existence In Windows, also evaluate files in the Recycle Bin If you find relevant files, thoroughly document the issues involved. Those issues can include the following: • How did you find the files? • What condition were they in (i.e., did you recover the entire file or just part of the file)? • When was the file originally saved? Remember that the more information you document about evidence, the better.
Identifying File, Program, and Storage Anomalies (slides)
Text search programs can't identify text data stored in binary format They require manual evaluation Evaluate hidden partitions for evidence and document their existence In Windows, also evaluate files in the Recycle Bin
plaintext
Text you want to encrypt
Windows Boot Process: Step One
The BIOS conducts the power-on self test (POST). This is when the system's BIOS checks to see if the drives, keyboard, and other key items are present and working. This occurs before any operating system components are loaded.
Windows Registry: Uninstalled software
The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key lets you see all the software that has been uninstalled from this machine.
Hierarchial File System (HFS)
The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File System.
Windows Registry: USB Devices
The Registry key HKEY_LOCAL_MACHINE\System\ControlSet\Enum\USBSTOR lists USB devices that have been connected to the machine. It is often the case that a criminal will move evidence or exfiltrate other information to an external device and take it with him or her. This Registry setting tells you about the external drives that have been connected to this system.
Windows Registry: Wireless Networks
The Registry stores passphrases for accessing wireless networks. When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection. This information can be found in the Registry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key.
Triple DES (3DES)
The U.S. federal government began a contest seeking a replacement cryptography algorithm. In the meantime, Triple DES (3DES) was created as an interim solution. Essentially, it does DES three times, with three different keys. A more secure variant of DES.
Mean time to failure (MTTF)
The amount of time, on average, before a given device is likely to fail through normal use
Steganography
The art and science of writing hidden messages Goal is to hide information so that even if it is intercepted, it is not clear that information is hidden there Most common method today is to hide messages in pictures using the least significant bit (LSB) method
Chosen plaintext attack
The attacker obtains the ciphertexts corresponding to a set of plaintexts of his own choosing. This can allow the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key.
Mean time to repair (MTTR)
The average time it takes to repair an item
Storing a file in Windows (NTFS)
The cluster bitmap file map is an array of bit entries where each bit indicates whether its corresponding cluster is allocated/used or free/unused. MFT contains one base file record for each file and directory MFT serves same purpose as FAT Cluster bitmap file maps all clusters on disk
grep flags
The flags used are defined as follows: -i—Ignore case distinctions in both the PATTERN and the input files; that is, match both uppercase and lowercase characters. -a—Process a binary file as if it were text. -B NUM—Print NUM lines of leading context before matching lines. -A NUM—Print NUM lines of trailing context after matching lines.
payload
The information to be covertly communicated; the message the user wants to hide
run_level
The init level at which the entry is executed
Deleting a File in Windows (FAT/FAT32)
The more recently a file was deleted, the more likely you will be able to recover the file. Over time, it becomes more likely that clusters marked as unused have had other information saved in them. A cluster may have been deleted and saved over several times. Recovering a deleted file is not always an all-or-nothing procedure. It is possible to recover When a file is deleted, data is not removed from disk; the FAT is updated to reflect that the clusters are no longer in use; new data saved to those clusters may overwrite the old information.
Packet Filter Firewall
The most basic type of firewall Filters incoming packets and either allows them entrance or denies them passage based on a set of rules Also referred to as a screened firewall Can filter packets based on packet size, protocol used, source IP address, and so on Many routers offer this type of firewall option in addition to their normal routing functions
Cellebrite
The most widely known phone forensics tool. Used heavily by federal law enforcement. It is a very robust and effective tool. Downside: the high cost. It is the most expensive phone forensics tool on the market.
Important Windows Files: csrss.exe
The Client/Server Runtime Subsystem, the program that handles tasks like creating threads, console windows, and so forth. Because the name is so familiar, malware commonly imitates it; a legitimate copy runs from \Windows\System32, so check the path of any csrss.exe you see in a process list.
HKEY_CURRENT_USER (HKCU)
This hive is very important to any forensic investigation. It stores information about the currently logged-on user, including desktop settings, user folders, and so forth.
Email headers contain:
The sender, the sending application, and every server the message passed through. The header keeps a record of the message's journey across networks and mail servers: each server adds its own Received line to the header. Each network device has an Internet Protocol (IP) address that identifies the device and can often be resolved to a location.
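Added example (not from the page's source): reading the Received lines out of a constructed message with Python's email module and reversing them so the journey reads origin first. The addresses come from the RFC 5737 documentation ranges and the hostnames are made up for the demonstration. Only the lines added by servers you control can be trusted; an attacker can forge Received lines below the first hop you own, which is why the timestamp check is included.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed message: three hops, newest Received line on top (RFC 5737 addresses).
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.victim.example (Postfix) with ESMTPS id 3F2A1;
    Mon, 2 Mar 2020 10:03:11 +0000
Received: from relay.example.net (relay.example.net [203.0.113.4])
    by mx.example.org (Postfix) with ESMTP id 9B7C4;
    Mon, 2 Mar 2020 10:03:09 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.example.net (Postfix) with ESMTPA id 77D10;
    Mon, 2 Mar 2020 10:03:02 +0000
From: sender@example.net
To: victim@victim.example
Subject: constructed test message
Message-ID: <abc123@example.net>

body text
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")


def parse_received(value):
    """Pull the claimed sender, its IP, the receiving server and the timestamp
    out of one Received header (folded continuation lines are joined first)."""
    text = " ".join(value.split())
    m = HOP_RE.search(text)
    if not m:
        return None
    d = re.search(r";\s*(.+)$", text)
    return {
        "from": m.group(1),
        "ip": m.group(2),
        "by": m.group(3),
        "time": parsedate_to_datetime(d.group(1)) if d else None,
    }


def trace_route(raw):
    """Each relay prepends its own Received line, so header order is newest first.
    Reverse it to read chronologically: origin -> relays -> final server."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return list(reversed([h for h in hops if h]))


def suspicious_gaps(hops, max_seconds=3600):
    """Timestamps that run backwards or jump by more than max_seconds point at a
    forged line or a badly set clock. Returns [(hop_index, seconds)]."""
    out = []
    for i in range(1, len(hops)):
        delta = (hops[i]["time"] - hops[i - 1]["time"]).total_seconds()
        if delta < 0 or delta > max_seconds:
            out.append((i, delta))
    return out


if __name__ == "__main__":
    for hop in trace_route(RAW_MESSAGE):
        print(f"{hop['ip']:15} {hop['from']} -> {hop['by']} at {hop['time']}")
    print("gaps:", suspicious_gaps(trace_route(RAW_MESSAGE)))
```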
Order of Volatility
The sequence of volatile data that must be preserved in a computer forensic investigation.
carrier
The signal, stream, or file in which the payload is hidden
email client
The software program used to compose and read email messages
Super DLT (SDLT)
The successor to Digital Linear Tape (DLT).
Rainbow tables
The time of cryptanalysis can be reduced by using precalculated data stored on disk or in memory. Password crackers of this type work from precomputed hash chains that cover the passwords within a certain character space; rather than storing every hash, a rainbow table stores only the start and end of each chain and regenerates the rest on lookup, trading storage for computation. These files are called rainbow tables because they cover every letter combination "under the rainbow." They are particularly useful when cracking unsalted hashes; a salt defeats them because each salt value would need its own table. Popular tools like Ophcrack depend on rainbow tables, and Ophcrack is usually very successful at cracking Windows local machine (LM and NTLM) passwords.
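Added example (not from the page's source, and not Ophcrack's code): a toy rainbow table over a deliberately tiny password space so the chain mechanics are visible. The hash, character set, chain length and reduction function are all assumptions chosen for the demonstration; real tables use the same structure with far larger parameters. The point the page glosses over is that the table stores only chain endpoints, and a lookup walks forward from the target hash until it hits a known endpoint, then regenerates that chain to find the preimage.

```python
import hashlib

CHARSET = "abcd"
PW_LEN = 3                      # 4**3 = 64 passwords in the space (assumption)
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 6                   # hashes covered per chain (assumption)


def H(password):
    """The hash under attack: unsalted MD5 here; the idea is the same for LM/NTLM."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_pw(n):
    """Map an integer 0..SPACE-1 onto a password in the character space."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_(digest, position):
    """Reduction function R_position: hash -> some password. Using a different
    reduction at each chain position is what makes the table 'rainbow' and keeps
    chains from merging as soon as two of them collide on one hash."""
    return index_to_pw((int(digest[:12], 16) + position) % SPACE)


def chain(start):
    """Walk one chain: pw0 -H-> R0 -> pw1 -H-> R1 -> ... -> pw_t (the endpoint).
    Returns (passwords whose hashes the chain covers, endpoint)."""
    pws = [start]
    for i in range(CHAIN_LEN):
        pws.append(reduce_(H(pws[-1]), i))
    return pws[:-1], pws[-1]


# Start points: every fifth password of the space (13 chains for 64 passwords).
STARTS = [index_to_pw(i) for i in range(0, SPACE, 5)]


def build_table(starts=STARTS):
    """Only endpoint -> start points are stored; everything between is recomputed."""
    table = {}
    for start in starts:
        _, end = chain(start)
        table.setdefault(end, []).append(start)
    return table


def lookup(table, target):
    """Assume the target hash sits at position pos of some chain, walk from there to
    the chain's end, and if that endpoint is in the table regenerate the chain from
    its start to find the preimage. Endpoint hits that do not contain the target
    are false alarms and fall through to the next position."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, pos)
        for i in range(pos + 1, CHAIN_LEN):
            pw = reduce_(H(pw), i)
        for start in table.get(pw, ()):
            covered, _ = chain(start)
            for candidate in covered:
                if H(candidate) == target:
                    return candidate
    return None


if __name__ == "__main__":
    table = build_table()
    print(f"{len(STARTS)} chains, {len(table)} distinct endpoints stored")
    print("cracked:", lookup(table, H(chain(STARTS[3])[0][2])))
```

Coverage is probabilistic: passwords that no chain happens to pass through are simply not found, and the more chains merge the more of the space is lost, which is why real tables are built with many more chains than the space strictly needs.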
channel
The type of medium used. It can be a passive channel such as photos, video, or sound files. It can also be an active channel such as a streaming video connection.
Windows 95
The underlying operating system and the graphical user interface were fused into one single, coherent product.
Wireless Networking: 802.11g
There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use it. This standard has an indoor range of 125 feet and a bandwidth of 54 Mbps. It includes backward compatibility with 802.11b
HKEY_CLASSES_ROOT (HKCR)
This hive stores information about drag-and-drop rules, program shortcuts, the user interface, and related items
MobileEdit
There are several variations of this product; MOBILedit Forensic is the version built for examiners. It is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones.
Foreign Intelligence Surveillance Act (FISA)
This U.S. law prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism. The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies' approaches to information gathering. It has been amended frequently so it is important to stay current on the latest revisions and court cases
Related-key attack
This attack is similar to a chosen plaintext attack, except that the attacker obtains ciphertexts produced under two or more different keys whose relationship is known (for example, keys that differ in a few specified bits). It is most useful when the attacker can obtain plaintext and matching ciphertext under each of the related keys.
Apple II
This computer was based on the same microprocessor as the Apple I (the MOS 6502) but came in a plastic case with the keyboard built in. It was also the first personal computer with color graphics. The Apple II was followed by a series of enhancements, including the Apple IIGS in 1986, which was 16-bit rather than 8-bit. There were multiple operating systems for the Apple II.
/Users directory
This directory contains all the user accounts and associated files.
/Network directory
This directory contains information about servers, network libraries, and network properties.
/var/log
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and potentially get data from them. This folder includes data on removable media, including serial numbers.
/Applications directory
This directory is where all applications are stored. It can hold important information about any malware.
Windows Registry: ShellBag
These entries can be found under HKCU\Software\Microsoft\Windows\Shell\Bags and \BagMRU (and, from Vista onward, also in the user's UsrClass.dat hive under Local Settings\Software\Microsoft\Windows\Shell). ShellBag entries indicate that a given folder was opened in Explorer, not that a specific file was accessed, and they persist after the folder itself is deleted. This Windows Registry key is of particular interest in child pornography investigations.
/Library/Receipts
This folder contains information about system and software updates. Though less useful for a forensic investigation than some of the other folders, it does include information about if and when a given patch was applied, which might be of some interest in investigating malware crimes.
/Users/<user>/Library/Preferences/ folder
This folder contains user preferences, including the preferences of programs that have been deleted. This could be a valuable place to get clues about programs that have been deleted from the system.
HKEY_LOCAL_MACHINE (HKLM)
This hive can also be important to a forensic investigation. It contains those settings common to the entire machine, regardless of the individual user.
HKEY_CURRENT_CONFIG (HKCC)
This hive contains the current hardware profile; it is a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. This might also prove useful in your forensic examinations.
Korn shell (ksh)
This is a popular shell developed by David Korn in the 1980s. The Korn shell is meant to be compatible with the Bourne shell, but to also incorporate true programming language capabilities.
Hierarchical File System Plus (HFS +)
This is an enhancement of the HFS file system. HFS+ was the default file system on Mac OS X until APFS replaced it, starting with macOS High Sierra in 2017.
file accessed
This is the date the file was last accessed. An access can be a move, an open, or any other simple access, and it can also be tripped by antivirus scanners or Windows system processes. On NTFS, last-access updating has been disabled by default since Windows Vista (the NtfsDisableLastAccessUpdate setting), so this timestamp may be stale and should not be relied on by itself.
bourne-again shell (Bash)
This is the most commonly used shell in Linux. It was released in 1989.
18 U.S.C. 2252B
This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors. This is a very serious concern, and one that sometimes arises in child predator cases.
/Users/<user>/.bash_history log
This log will show you a variety of commands, such as rm (removing or deleting something) and dd (indicating the user might have tried to make an image of the drive).
C shell (csh)
This shell derives its name from the fact that it uses very C-like syntax. Linux users who are familiar with C will like this shell. It was first released for UNIX in 1978.
NIST 800-61
NIST Special Publication 800-61, the Computer Security Incident Handling Guide. This standard also will help guide you in forming an incident response plan.
ISO 27035
This standard guides you in how to formulate an incident response plan. It requires a structured and planned approach to detect, report, and assess information security incidents; respond to and manage information security incidents; detect, assess, and manage information security vulnerabilities; and continuously improve information security and incident management as a result of managing incidents
Wireless Networking: 802.11b
This standard operated at 2.4 GHz and had an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).
Wireless Networking: 802.11n
This standard was a tremendous improvement over preceding wireless networks. It obtained a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz, and has an indoor range of up to 230 feet.
Wireless Networking: 802.11ac
This standard was approved at the end of 2013 and published in January 2014. It operates in the 5 GHz band with throughput of up to 1 Gbps (at least 500 Mbps across multiple stations). It uses up to eight MIMO spatial streams.
Wireless Networking: 802.11n-2009
This technology gets bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than possible using a single antenna.
Forensic SIM Cloner
This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.
live forensic tools:netstat
This utility is important in checking live system data. It is a command-line tool that displays both incoming and outgoing network connections (on Windows, netstat -ano also shows the owning process ID). It also displays routing tables and a number of network interface statistics. It is available on UNIX, UNIX-like, and Windows-based operating systems.
Wireless Networking: 802.11a
Ratified in 1999 alongside 802.11b, this standard operates at 5 GHz with up to 54 Mbps. Its shorter range and higher equipment cost meant it saw far less adoption than 802.11b, which became the first widely used Wi-Fi standard.
RSA NetWitness
Threat analysis software and protocol analyzer. It captures raw packets from wired and wireless interfaces, analyzes data in real time across all seven OSI layers, and filters by Media Access Control (MAC) address, Internet Protocol (IP) address, user, and more. The Investigator edition was freely available.
Collecting Data
Three primary types of data that a forensic investigator must collect, in this order: Volatile data Temporary data Persistent data
Important Intruder Ports: 407
Timbuktu has legitimate uses. It is a remote-control product comparable to pcAnywhere that lets a user log on to a remote system and work just as if sitting in front of the desktop. It is possible that technical support personnel are using Timbuktu to make support calls more efficient, but it is also possible that an intruder is logging on and taking over the system.
Modern cryptography
Two main types: symmetric and asymmetric. Cryptography is used every day by millions of consumers on the World Wide Web to buy products and services securely; "https" at the beginning of a Web address or a padlock symbol indicates that a secure protocol such as Transport Layer Security (TLS) is at work. Cryptography is also used in antivirus software, in wireless security (WPA and WPA2 encryption), and in hard disk encryption such as Microsoft's Encrypting File System (EFS). Mobile phone transmissions are encrypted, as are ATM and credit card transactions.
SYN Flood Attack
Type of DoS attack in which the attacker sends many SYN messages initiating TCP connections with a target host but never completes the handshake. The attacker sends a SYN; the server replies with SYN/ACK and holds the half-open connection waiting for the final ACK; the attacker sends another SYN instead, and the pattern continues until the server's connection table is exhausted. The source addresses are often spoofed, so the SYN/ACKs go nowhere and the attacker does not need to maintain any state.
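Added example (not from the page's source): counting half-open handshakes per client over a constructed list of packet summaries, the kind of check a detector or a log review would make. The packet list and the threshold are assumptions. In a real flood the sources are usually spoofed, so the count per source is a rough signal; the total number of half-open connections on the server side is the stronger one.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, flags). 10.0.0.5 completes one
# handshake; 10.0.0.66 sends SYNs and never answers the server's SYN/ACK.
PACKETS = (
    [("10.0.0.5", "10.0.0.1", "SYN"),
     ("10.0.0.1", "10.0.0.5", "SYN/ACK"),
     ("10.0.0.5", "10.0.0.1", "ACK")]
    + [("10.0.0.66", "10.0.0.1", "SYN")] * 6
    + [("10.0.0.1", "10.0.0.66", "SYN/ACK")] * 6
)


def half_open_by_source(packets):
    """Handshakes a client opened with a SYN but never completed with the final ACK.
    SYN/ACK from the server is ignored: it is the client's ACK that closes the
    handshake. Returns {client_ip: half_open_count}."""
    pending = defaultdict(int)
    for src, dst, flags in packets:
        if flags == "SYN":
            pending[(src, dst)] += 1
        elif flags == "ACK" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    counts = defaultdict(int)
    for (src, _), n in pending.items():
        counts[src] += n
    return dict(counts)


def syn_flood_sources(packets, threshold=5):
    """Sources with at least `threshold` half-open handshakes (threshold assumed)."""
    return sorted(s for s, n in half_open_by_source(packets).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(PACKETS))
    print("flood sources:", syn_flood_sources(PACKETS))
```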
Hacking via SQL Injection
Typical statement built by concatenating the form fields into the query text: "SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text + "' AND PASSWORD = '" + txtPassword.Text + "'". With a specific username and password this becomes: SELECT * FROM tblUsers WHERE USERNAME = 'thisuser' AND PASSWORD = 'letmein'. If the attacker types ' or '1' = '1 into both fields, the query becomes: SELECT * FROM tblUsers WHERE USERNAME = '' or '1' = '1' AND PASSWORD = '' or '1' = '1', which is always true and returns every row, so the logon succeeds without valid credentials. Parameterized (prepared) queries prevent this by keeping user input out of the SQL text.
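Added example (not from the page's source): the two forms of the logon query run against an in-memory SQLite table holding the page's thisuser/letmein account. The table, account and second payload are constructed for the demonstration. It shows the concatenated query accepting the ' or '1' = '1 payload (and a comment-based one), while the parameterized version treats the same input as a literal string and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: one account, matching the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('thisuser', 'letmein')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation exactly as in the page's pseudo-code: whatever the user
    typed becomes part of the SQL text, quotes and operators included."""
    sql = ("SELECT * FROM tblUsers WHERE USERNAME = '" + username +
           "' AND PASSWORD = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL
    text, so a quote in the input is just a character inside a string."""
    sql = "SELECT * FROM tblUsers WHERE USERNAME = ? AND PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Row counts for real credentials and two injection payloads, both ways."""
    conn = make_db()
    payload = "' or '1' = '1"          # the page's payload, typed into both boxes
    comment_payload = "thisuser'--"     # closes the string and comments out the rest
    return {
        "real_creds_vuln": len(login_vulnerable(conn, "thisuser", "letmein")),
        "real_creds_safe": len(login_safe(conn, "thisuser", "letmein")),
        "injected_vuln": len(login_vulnerable(conn, payload, payload)),
        "injected_safe": len(login_safe(conn, payload, payload)),
        "comment_vuln": len(login_vulnerable(conn, comment_payload, "x")),
        "comment_safe": len(login_safe(conn, comment_payload, "x")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) returned")
```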
1969
UNIX created at Bell Laboratories
1972
UNIX operating system released
Solid-state drives (SSD)
Use microchips that retain data in non-volatile memory and contain no moving parts, so they are usually less susceptible to physical damage than magnetic drives. Internal SSDs use the same interfaces as magnetic drives, including SCSI and SATA; external SSDs most commonly use a universal serial bus (USB) connection.
index.dat
Used by Microsoft Internet Explorer (through version 9) to store Web addresses, search queries, and recently opened files. Even if the suspect's browsing history has been erased, it is still possible to retrieve it from index.dat. Because it also records recently opened files, a file that lived on a universal serial bus (USB) device but was opened on the suspect machine leaves a record there. A number of freely downloadable tools will retrieve and parse the index.dat file. Internet Explorer 10 and later (and Edge) replaced index.dat with the WebCacheV01.dat ESE database, which needs different tooling.
Email Protocols: Post Office Protocol version 3 (POP3)
Used to receive email. Operates on port 110, or 995 with TLS (POP3S). Designed to delete email from the server as soon as the user downloads it, so the client machine is usually the only copy.
Email Protocols: Internet Message Access Protocol (IMAP)
Used to receive email. Operates on port 143, or 993 with TLS (IMAPS). The user views email on the server and decides whether to download it; email is retained on the server. IMAP also lets the client fetch only the headers so the user can decide which messages to download.
Email Protocols:Simple Mail Transfer Protocol (SMTP)
Used to send email from a client to a mail server, and between servers. Typically operates on port 25 between servers; client submission normally uses port 587 (STARTTLS), and SMTPS (implicit TLS) uses port 465.
Multialphabet substitution
Uses multiple numbers by which letters in the plaintext are shifted, so that multiple substitution alphabets are in use. This represents a slight improvement on the Caesar cipher but is still easily cracked once the key length is known.
symmetric cryptography
Uses the same key to encrypt and decrypt. A session may still use two separate symmetric keys, one for traffic from sender to receiver and a different one for traffic from receiver to sender, but each of those keys is shared by both sides.
Getting Header for Gmail
Viewing email headers in Gmail is fairly simple. Follow these steps: 1. Log on to Gmail. 2. Open the message for which you want to view headers. 3. Click the More menu (three dots) next to Reply, at the top of the message pane. 4. Select Show original. The full headers appear in a separate window.
Windows 8
Was a radical change. Even though the desktop looks much like Windows 7, the operating system is meant to be more like that of a tablet.
Wireless Storage Devices
Wireless digital and video cameras Wireless printers with storage capacity Wireless network-attached storage (NAS) devices Tablets and smartphones Wireless digital video recorders (DVRs) Wireless game consoles
advanced steganography
With BPCS (bit-plane complexity segmentation), the carrier is often an image that stores colors in 24 bits, and this fact can be used to increase the storage area for the payload. The noisy (complex) regions of the bit planes are replaced with the payload, where the change is not visible.
Deleting Files in Windows (NTFS)
When a file is deleted, its data is not removed from the disk. The file is first "moved" to the Recycle Bin; when the Recycle Bin is emptied, its clusters are marked as fully available in the cluster bitmap and its MFT record is flagged as no longer in use (unlike FAT, no filename character is overwritten, so the record and its attributes stay intact until reused). In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER; in Vista and Windows 7 the name was changed to $Recycle.Bin. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.
Windows Files and Permissions
When copying and pasting, files and folders inherit the permissions of the folder they are copied to, whether or not it is on the same partition. When cutting and pasting (moving) within the same partition, files and folders retain their original permissions; a move across partitions is really a copy and delete, so the moved object inherits the destination's permissions.
Using Paraben
When you first start Paraben, you select New and then create a new case. Paraben will associate information about the investigator along with the case information. Next, select the type of email database you are going to be working with. The major email clients are all represented. At this point, you select the database you want to work with, and it is added to the case. From within Paraben, you can sort, search, scan, and otherwise work with the email data.
dmesg command
When your system boots up, you see a lot of information telling you what processes are starting, what processes failed, what hardware is being initialized, and more. This can be invaluable information to a forensic investigation. The dmesg command displays the kernel's message buffer, including everything shown during the boot process. It does tend to fill multiple screens, so it is recommended that you redirect the output to a file (for example, dmesg > myfile.txt) and then search that file. The buffer is a fixed-size ring, so on a long-running system early boot messages may already have been overwritten; check /var/log (or journalctl -k on systemd systems) for the persisted copy.
1998
Windows 98
1996
Windows NT 4.0
2013
Windows Server 2012 R2
2016
Windows Server 2016
2007-2008
Windows Vista (Home Basic, Home Premium, Business, Ultimate; general release January 2007) and Windows Server 2008 (February 2008)
2001
Windows XP (a 64-bit edition for Itanium systems also shipped in 2001)
2003
Windows Server 2003
Legacy
Windows XP and 2000; Mac OS 8 or earlier
Wireless Networking: 802.11ad
Developed by the Wireless Gigabit Alliance (WiGig) and operating in the 60 GHz band, this standard supports data transmission rates up to 7 Gbps, more than 10 times faster than the highest 802.11n rate, but only over short, line-of-sight distances.
types of crimes involving computers
White-collar crimes Violent crimes—murder, terrorism Counterintelligence Economic espionage Counterfeiting Child pornography Drug dealing
Windows Boot Process : Step 15
Win32 subsystem start phase begins
1985
Windows 1.0 released
2015
Windows 10
current OS
Windows 10, 8, and 7; Windows Server 2016, 2012, and 2008; Mac OS 9 and OS X (10)
2000
Windows 2000
2009
Windows 7 and Server 2008 R2
2012
Windows 8 and Server 2012
1995
Windows 95
Scalpel
Works with Linux and Mac OS Possible to compile source code to work in Windows
extundelete
Works with both ext3 and ext4 partitions in Linux and is driven from the shell. The partition should be unmounted (or mounted read-only) first so nothing overwrites the freed blocks. Example, to restore all deleted files from the sda1 partition: extundelete /dev/sda1 --restore-all
Enigma Machine
An electromechanical rotor-based cipher machine used by Germany in World War II. It is a multialphabet substitution cipher implemented in machinery: each time the operator pressed a key, the rotors stepped, so the substitution alphabet applied to the plaintext changed with every letter.
Universal Mobile Telecommunications System (UMTS)
a 3G standard based on GSM. It is essentially an improvement of GSM
fraud
a broad category of crime that is an attempt to gain financial reward through deception. Two subclasses are investment offers and data piracy
personal unlocking code (PUK)
personal unblocking key (PUK): a code used to reset a forgotten PIN. Using the code returns the phone to its original state, causing the loss of most forensic data. If the code is entered incorrectly 10 times in a row, the SIM becomes permanently blocked and unrecoverable.
dd
a common UNIX program whose primary purpose is the low-level copying and conversion of raw data at the bit level. If you do your copy through the file system, you can see only the data that the operating system sees; you won't get deleted files or slack space, so a basic file copy is inadequate for forensic analysis. You must get a bit-level copy, and dd is well suited to that (use conv=noerror,sync so a bad sector does not abort the copy, write to a separate destination drive, and hash both source and image afterward to prove they match).
Feistel Function
a cryptographic structure that splits each block of data into two halves and, in every round, XORs one half with a keyed function of the other before swapping them. Because XOR is its own inverse, decryption runs the same rounds in reverse order even when the round function itself is not invertible. It is one of the most influential developments in symmetric block ciphers; DES is built on it.
inode
a data structure in the file system that stores all the information about a file except its name and its actual data
Windows Registry
a database in Windows that stores user preferences, file locations, program configuration settings, startup information, hardware settings, and more. That includes the persistence entries left by viruses, worms, Trojan horses, hidden programs, and spyware, so the ability to scan the registry effectively for evidence is critical.
home location register (HLR)
a database used by the mobile switching center (MSC) that contains subscriber data and service information. It is related to the visitor location register (VLR), which holds the same data temporarily for phones roaming in the MSC's area.
Quiescent State
a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.
User Assist
a feature of Windows 2000 and later that tracks what happens on the computer, including programs launched and how often. Unless it is disabled, there will be a record of programs run on that computer. The entries are stored in the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are obscured with ROT13 rather than truly encrypted. The free UserAssist tool decodes them for you.
Expert report
a formal document that details an expert's findings. It is often filed prior to trial and can be used in a deposition. Considerations include the format of the report, thoroughness, and backing up everything you say.
test system
a functional system compatible with the hard drive from which someone is trying to recover data
shielding
a high-cost approach to preventing EMR detection. It includes lining walls, ceiling, floor, and doors with specially conductive metal sheeting; installing filters that prevent power cables from transmitting computer emanations; installing special baffles in heating and ventilation ducts to trap emanations; installing line filters on telephone lines; and installing special features at entrances and exits so the facility is never open to the outside at any time.
Volatile Memory Analysis
a live system forensic technique in which you collect a memory dump and perform the analysis in an isolated environment. You must establish a trusted command shell, a data collection system, and a method for transmitting the data off the suspect machine.
fuzzy logic
a mathematical method of handling imprecise or subjective information
DoD 5220.22-M
a Department of Defense standard that included a matrix of how to sanitize different types of media. Most people inaccurately believe it requires seven overwrites; the commonly cited method is three passes, and the 2007 revision dropped the overwrite matrix entirely. What is really required depends on the type of medium the data is stored on; current guidance (NIST SP 800-88) treats a single overwrite as sufficient for magnetic disks and relies on cryptographic erase or physical destruction for flash media.
subscriber identity module (SIM)
a memory chip that stores the International Mobile Subscriber Identity (IMSI). The IMSI is unique to each subscriber and identifies the account, while the IMEI identifies the handset. Many modern phones have removable SIMs, which means a user could change out the SIM and essentially have a different phone with a different number on the same hardware.
Digital Forensic Research Workshop Foundation
a nonprofit volunteer organization with the goal of enhancing the sharing of knowledge and ideas about digital forensics research
Window Washer
a privacy tool that erases browsing traces such as the index.dat file rather than recovering them; finding it installed on a suspect machine is itself worth noting, because it indicates an effort to remove evidence.
Cross-Site Scripting (XSS)
a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website
TCP Header Bits of Interest: ACK (1 bit)
acknowledges the attempt to synchronize communications
EnCase data blocks
actual data copied from the suspect machine
XOR
The operation that affects the study of encryption the most. XOR checks whether there is a 1 in a given place in one number but not in both numbers at that place; if so, the resultant bit is 1, otherwise it is 0. It is reversible: if you XOR the result with the second number you get back the first number, and if you XOR the result with the first number you get back the second number.
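Added example (not from the page's source, and not DES) covering both the XOR entry above and the Feistel function entry earlier on this page: XOR's reversibility is checked directly, and then used to build a toy Feistel block cipher whose round function is a truncated hash and therefore not invertible, which is exactly the case the Feistel structure is designed for. The 64-bit block size, the round function and the key schedule are assumptions for the demonstration.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def xor_roundtrip(a, b):
    """XOR is its own inverse: c = a ^ b, then c ^ b is a and c ^ a is b."""
    c = a ^ b
    return c, c ^ b, c ^ a


def round_function(half, subkey):
    """The Feistel round function F (assumed: 32 bits of SHA-256 over half||subkey).
    It is NOT invertible; decryption below never has to invert it."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key, rounds):
    """Toy schedule (assumption): one 32-bit subkey per round derived from the key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def feistel_encrypt(block, subkeys):
    """64-bit block split into 32-bit halves. Each round:
    new_left = right, new_right = left XOR F(right, subkey)."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (left << 32) | right


def feistel_decrypt(block, subkeys):
    """Same rounds with the subkeys in reverse order. Given (new_left, new_right):
    right = new_left, and left = new_right XOR F(new_left, subkey), because XORing
    the same F output twice cancels it out."""
    left, right = block >> 32, block & MASK32
    for k in reversed(subkeys):
        left, right = right ^ round_function(left, k), left
    return (left << 32) | right


if __name__ == "__main__":
    ks = key_schedule(b"secret key", 8)
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, ks)
    print(f"plaintext  {pt:016x}\nciphertext {ct:016x}")
    print(f"decrypted  {feistel_decrypt(ct, ks):016x}")
```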
soft link
aka symbolic link Is not actually a file itself, but rather a pointer to another file or directory.
Proper Procedure: Documenting Filenames Dates and Times
all allocated and "erased" files
Full Backup
copies everything regardless of when it last changed; to restore, you need only the most recent full backup.
Foreign Intelligence Surveillance Act of 1978 (FISA)
allows for the collection of "foreign intelligence information" between foreign powers and agents of foreign powers using physical and electronic surveillance. A warrant, issued by the FISA court, is necessary.
Wireless Communications and Public Safety Act of 1999
allows for the collection and use of "empty" communications, meaning nonverbal, non-text data such as GPS location information, for public safety purposes.
disk quotas
allows the administrator to limit the amount of disk space a given user can use, keeping that user from taking up all the space
live forensic tools: ListDLLs
allows you to view the currently loaded dynamic-link libraries (DLLs) for a process, or for all running processes. It cannot show the DLLs loaded by hidden processes. A common attack involves using a Trojan horse to replace or inject a program or system DLL, so this tool can be important to your forensic investigation. It is part of the free PsTools/Sysinternals suite.
Cyclical Redundancy Check (CRC)
Almost always carried in the trailer, not the header. Ethernet uses a 32-bit cyclic redundancy check (CRC). The sender calculates the CRC over the source address, destination address, length, payload, and pad, if any. The four-octet (32-bit) result is stored in the trailer by the sender and the frame is transmitted. The receiving device repeats the exact same calculation and compares the result with the value stored in the trailer. If the values match, the frame is good and is processed. If they do not match, the receiver's decision is dictated by the protocol; in the case of Ethernet, the receiver discards the errored frame and sends no indication whatsoever that it has done so. The receiver usually does, however, update an internal counter of discarded frames, which can be queried, alongside a counter of frames that arrived and passed the CRC check.
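Added example (not from the page's source): the sender/receiver procedure above in Python, using zlib's CRC-32, which is the same polynomial Ethernet's frame check sequence uses. The frame contents are constructed, and the receiver function keeps only the two counters the passage describes, silently discarding bad frames.

```python
import zlib


def ethernet_fcs(frame):
    """Frame check sequence: CRC-32 (IEEE 802.3 polynomial, the one zlib uses) over
    destination, source, type/length, payload and pad, transmitted LSB first."""
    return (zlib.crc32(frame) & 0xFFFFFFFF).to_bytes(4, "little")


def build_frame(dst, src, ethertype, payload):
    """Constructed frame: pad the payload to the 46-byte minimum, append the FCS."""
    payload = payload + b"\x00" * max(0, 46 - len(payload))
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + ethernet_fcs(body)


def fcs_ok(frame):
    """Receiver side: recompute over everything but the trailer and compare."""
    return ethernet_fcs(frame[:-4]) == frame[-4:]


def flip_bit(data, bit):
    """Simulate a transmission error by flipping one bit."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def receive(frames):
    """Mimic the Ethernet receiver: bad frames are dropped without any notification;
    the only record is the pair of counters. Returns (passed, discarded)."""
    passed = discarded = 0
    for f in frames:
        if fcs_ok(f):
            passed += 1
        else:
            discarded += 1
    return passed, discarded


if __name__ == "__main__":
    good = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                       0x0800, b"constructed payload")
    print("FCS:", good[-4:].hex(), "ok:", fcs_ok(good))
    print("counters:", receive([good, flip_bit(good, 100), flip_bit(good, 7)]))
```

The CRC tells the receiver that a frame was damaged, not what damaged it, and it offers no protection against deliberate modification: an attacker who changes the payload simply recomputes the FCS.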
AES
also known as Rijndael, a block cipher whose encryption proceeds in four stages: 1. key expansion, 2. the initial round (AddRoundKey), 3. the main rounds, 4. the final round (which omits MixColumns).
Natural language processing
an AI technique using software to interpret natural languages (the languages spoken by people, such as English, French, Chinese and others). These techniques deal with speech recognition, understanding and generation.
genetic algorithm
an artificial intelligence system that mimics the evolutionary, survival-of-the-fittest process to generate increasingly better solutions to a problem
Router Attacks-Router table poisoning
an attacker alters the routing update packets that the routing protocols exchange, resulting in incorrect entries in the routing table. Incorrect entries can result in artificial congestion, the router becoming overwhelmed, or the attacker being able to redirect and read data in the compromised network.
anonymous remailing
an attempt to throw tracing or tracking efforts off the trail: the suspect sends an email message through an anonymizer, which strips the identifying headers and forwards it. To find out who sent a remailed message you must examine logs maintained by the remailer or anonymizer company, but most of these services do not keep logs, and the servers are often outside the jurisdiction of U.S. law enforcement, possibly on another continent. You can also closely analyze the message itself for embedded information that gives clues to the user or system that sent it.
Phishing
an attempt to trick a victim into giving up personal information
clean room
an environment that has a controlled level of contamination such as from dust, microbes, and other particles
Internet fraud
any attempt to gain financial reward through deception. Two major subclasses of fraud are; Investment offers and Data piracy
Identity theft
any crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain
Discarded information
any documents that are thrown out without being shredded
process
any program or daemon
Spyware
any software that monitors your activity on a computer without your informed consent.
/var/log/apache2/*
apache web server activity
sectors
are contiguous on a disk and are defined by two radii on the platter
journaling file systems
are fault tolerant because the file system logs all changes to files, directories, or file structures.
aliases
are like symbolic links; they allow you to have multiple references to a single file or directory.
active state
are powered on, performing tasks, and able to be customized by the user and have their filesystems populated with data.
Electronic serial numbers (ESNs
are unique identification numbers developed by the United States Federal Communications Commission (FCC) to identify cell phones. They are now used only in code division multiple access (CDMA) phones, whereas GSM and later phones use the International Mobile Equipment Identity (IMEI) number. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone. The IMEI is used with GSM and Long Term Evolution (LTE) as well as other types of phones.
Chi-square analysis
assesses how closely the observed frequencies fit the pattern of the expected frequencies and is referred to as a "goodness-of-fit" test
Digital Steganography
at one time, was only used by computer professionals because it required writing specific computer program code to manipulate the bits in an image. That is not the case today. There are a number of tools readily available on the Internet that will enable a user to hide information in an image or detect steganography
multipartite virus
attack the computer in multiple ways including infecting the boot sector of the hard disk and one or more file
Remote-to-local:
attacker does not have a user account but exploits a vulnerability to gain access
Banner grabbing
Telnet connection attempts against a web server in the logs are evidence of a well-known old hacker trick: using a telnet client to open a raw connection to the web service (for example, telnet host 80, then sending a HEAD request) and reading the server's banner. This allows the hacker to determine the exact web server software and often the operating system, unless the system administrator has modified the banner to avoid this trick.
Sparse Infector
attempts to elude detection by performing its malicious activities only sporadically.
Known plaintext attack
based on having a sample of known plaintexts and their resulting ciphertexts, and then using this information to try and ascertain something about the key used.
Frequency Analysis
basic tool for breaking most classical ciphers such as the Caesar cipher, the Vigenère cipher, etc. In natural languages, certain letters of the alphabet appear more frequently than others. By examining those frequencies, you can derive some information about the key that was used. While this method is effective against classic ciphers, it is not effective against modern methods of cryptography
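Added example (not from the page's source) covering this entry and the multialphabet substitution entry earlier on the page: a Vigenère implementation, a chi-squared goodness-of-fit score against English letter frequencies, and a cracker that treats every key-length-th letter as its own Caesar cipher. The plaintext is constructed from the page's own cipher descriptions, and the frequency table is the commonly published approximate one; both are assumptions for the demonstration.

```python
import string
from collections import Counter

ALPHA = string.ascii_uppercase

# Approximate English letter frequencies in percent (standard published table).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

# Constructed plaintext: the page's own descriptions, uppercased, letters only.
PLAINTEXT = "".join(ch for ch in """
Frequency analysis is the basic tool for breaking most classical ciphers such as
the Caesar cipher and the Vigenere cipher. In natural languages certain letters of
the alphabet appear more frequently than others. By examining those frequencies you
can derive some information about the key that was used. While this method is
effective against classic ciphers it is not effective against modern methods of
cryptography. A multialphabet substitution uses multiple numbers by which letters
in the plaintext are shifted so multiple substitution alphabets are created. This
represents a slight improvement on the Caesar cipher but is still easily cracked
once the key length is known because every third letter was shifted by the same
amount and can be attacked as a separate Caesar cipher.
""".upper() if ch in ALPHA)


def shift_text(text, shift):
    """Caesar cipher: every letter moved by the same amount (negative to undo)."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in text)


def vigenere(text, key, decrypt=False):
    """Multialphabet substitution: letter i is shifted by key[i mod len(key)], so the
    ciphertext is really len(key) interleaved Caesar ciphers."""
    out = []
    for i, c in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def chi_squared(text):
    """Goodness-of-fit of observed letter counts against English expectations;
    smaller means the text looks more like English."""
    n = len(text)
    counts = Counter(text)
    total = 0.0
    for c in ALPHA:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def crack_caesar(ciphertext):
    """Try all 26 shifts and keep the one whose candidate plaintext best fits English."""
    return min(range(26), key=lambda s: chi_squared(shift_text(ciphertext, -s)))


def crack_vigenere(ciphertext, key_length):
    """With the key length known, each column is a Caesar cipher; crack each one."""
    return "".join(ALPHA[crack_caesar(ciphertext[j::key_length])]
                   for j in range(key_length))


if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, "KEY")
    print("ciphertext starts:", ct[:40])
    print("recovered key:", crack_vigenere(ct, 3))
```

The same frequency statistics say nothing about a modern cipher's output, whose letter (byte) distribution is flat regardless of the plaintext; that is what the last sentence of the entry above means in practice.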
file command
can tell you exactly what a file is regardless of whether or not it has been renamed or had its extension changed. This can be very important in a forensic investigation will help you in situations where the criminal has changed the file extension to make the file appear to be something other than what it is.
TEMPEST
a U.S. government specification and certification program for equipment and facilities that shield against detection of electromagnetic radiation (EMR) emanations.
consistency checking
checking involves scanning a disk's logical structure to ensure that it is consistent with its specification. In most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem. Both chkdsk and fsck work in this fashion.
OR
checks to see whether there is a 1 in either or both numbers in a given place. If so, then the resultant number is 1. If not the resultant number is 0.
sweeper or scrubber
cleans unallocated space by writing over the old fragments there to remove evidence. Most write over the space once or twice; the often-cited seven-pass DoD scheme is more than modern media require, and its presence on a machine is itself a sign that someone tried to remove evidence.
The diskutil list /dev/disk0
command lists the partition table for the boot drive on macOS. It is important to know the partitions the machine recognizes upon boot-up.
fdisk
command that lists and edits partitions on Linux; fdisk -l prints the partition tables of all attached disks without changing anything.
Email files: .eml
common to several email clients
A person from Nigeria emails you, asking to use your bank account to "park" some money temporarily.
computer fraud
Data piracy is an example of this type of crime.
computer fraud
/etc
contains configuration files. Most applications require some configuration when they start up; web servers, boot loaders (LILO and GRUB), and many other applications keep their configuration files here. An intruder may want to change how a given application behaves, so the web server, boot loader, and security software configuration files are attractive targets for any hacker and should be checked for changes.
system log
contains events logged by Windows system components, including events like driver failures; Not as interesting from a forensic perspective as the other logs are
The Sarbanes-Oxley Act of 2002
contains many provisions about record keeping and destruction of electronic records relating to the management and operation of publicly held companies.
Center for Education and Research in Information Assurance and Security (CERIAS): Readiness Phase
contains the sub-phases Operations Readiness, which involves training people and testing investigative tools, and Infrastructure Readiness, which involves configuring equipment.
Library/Preferences/SystemConfiguration/com.apple.preferences.plist
contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
/var/spool
contains the print queue, so it can be very important if something is currently in the print queue
The IP header
contains the source IP address, the destination IP address, and the protocol number of the protocol in the IP packet's payload. These are critical pieces of information.
The TCP header
contains the source port, destination port, a sequence number, and several other fields. The sequence number is very important to network traffic; for example, knowing this is packet 4 of 10 is important. The TCP header also has synchronization bits that are used to establish and terminate communications between both communicating parties.
application log
contains various events logged by applications or programs; Many applications record their errors here
cp
copies one file to another directory
mkdir
creates a new directory
non-access computer crimes
crimes that do not involve an attempt to access a target. Examples are viruses, logic bombs, and denial of service attacks.
Non-access computer crimes
crimes that do not involve an attempt to actually access the target. Examples include DDoS, viruses, and logic bombs.
Helix
customized Linux Live CD used for computer forensics
A suspicious person in a chat room asks for your home address every time you are both online together.
cyberstalking/harassment
Logical damage
damage to how the data is stored, for example file system corruption. May prevent the host operating system from mounting or using the file system. May cause system crashes and data loss. May be caused by power outages, or by turning off a machine while it is booting or shutting down.
data encryption standard (DES)
example of a Feistel cipher
process (/etc/init file)
executes upon entering the specified run level
Electronic Communications Privacy Act of 1986
governs privacy and disclosure, access, and interception of content and traffic data related to electronic communications
RFC 3864
describes message header field names. Common header fields for email include: • To—The email address and, optionally, name of the message's primary recipient(s) • Subject—A brief summary of the topic of the message • Cc—Carbon copy; a copy is sent to secondary recipients • Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients • Content-Type—Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type • Precedence—Commonly with values "bulk," "junk," or "list"; used to indicate that automated "vacation" or "out of office" responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list • Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first) • References—Message-ID of the message to which this is a reply • Reply-To—Address that should be used to reply to the message • Sender—Address of the actual sender acting on behalf of the author listed in the From field
Communications Decency Act of 1996
designed to protect persons 18 and under from downloading or viewing material considered indecent.
Nascent State
devices are in this state when received from the manufacturer—the device contains no user data and has its original factory configuration settings.
What are the 7 types of digital system forensics?
disk forensics, email forensics, network forensics, Internet forensics, software forensics, live system forensics, cell phone forensics
EnCase View pane
displays selected item
Enhanced Data Rates for GSM Evolution (EDGE)
does not fit neatly into the 2G-3G-4G continuum. It is technically considered 2G, but was an improvement on GSM (2G), so it can be considered a bridge between 2G and 3G technologies.
secure emails
each email protocol has a secured version that is encrypted with Transport Layer Security (TLS).
How viruses affect forensics
easy to locate, but difficult to trace back to the creator. The first step is to document the particulars of the virus: its behavior, file characteristics, etc. Then see if there is a commonality between the infected computers.
WinUndelete
easy to use, wizard driven
/var/log/mail.*
email activity; useful for cyberstalking cases as well as many other types of forensic cases
Anonymizer
email server that strips identifying information from a message before forwarding it with the anonymous mailing computer's IP address
Stream Cipher
encrypts data as a stream, one bit at a time
EnCase checksum
ensures there is no error in copying the data and that no information is subsequently modified, by verifying checksums before and after the transfer
The Privacy Act of 1974
establishes a standard of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.
Linux File Systems
ext3, ext4. Linux stores files in contiguous blocks which are normally large enough to accommodate the content, so defragmentation is not required. In rare cases, the blocks need to be extended. The exact size of these blocks depends on the parameters used with the command to create that partition. There are prepackaged tools and some built-in commands for recovering deleted files from Linux operating systems.
Linux utilities
extundelete, scalpel
/var/log/faillog
failed user logins; tracks attempts to break into the system
zero-knowledge analysis
few assumptions are made about the state of the file system. The file system is rebuilt from scratch using knowledge of an undamaged file system structure. In this process, scan the drive of the affected computer, noting all file system structures and possible file boundaries. Then match the results to the specifications of a working file system. It is usually much slower than consistency checking. You can use it, however, to recover data even when the logical structures are almost completely destroyed. This technique generally does not repair the damaged file system but allows you to extract the data to another storage device.
A criminal changes a file extension. This command can identify the file.
file
both physical and logical analysis
file residue, ambient data
fsck
file system check; can check whether a given partition is in good working condition
provides information about a specific user
finger
iPod_control\device\sysinfo
folder contains model number and serial number
allocation unit
formal definition of cluster
Expert Report
formal document that lists what tests you conducted, what you found, and your conclusions; it also includes your CV (similar to a resume)
FreeUndelete
free Windows tool for personal use; commercial version available
Disk Investigator
free utility that comes as a GUI for use with Windows OS; presents a cluster-by-cluster view of the hard drive in hexadecimal; from the View menu you can view directories and the root; the Tools menu allows you to search for a specific file or to recover deleted files
EnCase
from Guidance Software; widely used forensic toolkit. Prevents examiner from making accidental changes to suspect machine. Organizes information into cases. Based on evidence file which contains header, checksum and data blocks.
Oxygen Forensics
full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, and the like.
EC Council Computer Hacking Forensic Investigator (CHFI)
good general forensic certification; covers general principles and techniques rather than specific software
rules of evidence
govern whether, when, how and why proof of a legal case can be placed before a judge and jury
Center for Education and Research in Information Assurance and Security (CERIAS): Deployment Phase
includes the Detection and Notification sub-phase, in which someone detects an incident and alerts investigators, and the Confirmation and Authorization sub-phase, in which investigators receive authorization to conduct an investigation
TCP Header Bits, of Interest:FIN (1 bit)—
indicates there is no more data from the sender
Macro
infect the macros in office documents
macro virus
infect the macros in office documents by writing the macros as mini-virus scripts
Bit-level information
information at the level of actual 1s and 0s stored in memory or on the storage device
Obscured information
information that is encrypted, hidden via steganography, compressed, or proprietary formatted
SQL injection
inserting Structured Query Language commands into text boxes such as username and password fields to gain unauthorized access to data.
Memory resident
installs itself and remains in RAM from the time the computer is booted to the time it is shut down
Important Windows Files: Explorer.exe
interface the user interacts with such as the desktop, Windows Explorer, etc.
logical analysis
involves using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. Looks for things that are visible, known about, and possibly controlled by the user. Includes partitions, file metadata, context of data, and file paths.
iOS
iPhone, iPad, iPod
Communication Assistance for Law Enforcement Act (CALEA)
is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.
live forensic tools: FPort
is a free tool that is now distributed by McAfee. FPort allows you to view all open TCP and UDP ports and maps those to specific processes. This lets you know which process is using which port. This tool is similar in function to running netstat -an.
Windows Registry
is a repository of all the information on a Windows system. For example, the configuration settings for a newly installed program are stored in the Registry. Among other things, the Registry: includes information about the computer's hardware configuration; allows the operating system to keep multiple hardware configurations; allows multiple users with individual preferences; includes program shortcut menus and property sheets; supports remote administration through the network. The usual way to get to the Registry is through the tool regedit. In Windows 10 and Server 2012, you select Start, then Run, then type in regedit. In Windows 8, you need to go to the applications list, select All Apps, then find regedit.
INFO2
legacy Windows stores deleted files from the Recycle Bin as D%DriveLetter%_%IndexNumber%_%FileExtension%. D stands for drive; %DriveLetter% is the drive that the file was on before deletion; %IndexNumber% is a number assigned to each file or directory that is sent to the Recycle Bin and indicates the order of deletion; %FileExtension% is the original file extension. If it is a folder, there will be no extension.
/var/log/lighttpd/*
lighttpd web server activity
EnCase Tree pane
like Windows Explorer. Lists all folders and can expand any element in the tree.
Containment
limit the impact of the incident. This means keeping it from affecting more systems. In the case of a virus, the strategy is to keep the virus from spreading. Have a policy in place that instructs users to disconnect their computers from the network and then call tech support if they suspect they have a virus. This contains the virus and prevents it from spreading further. The containment path may not be as clear for other incidents. For example, how would you contain a situation where an intruder is getting into the web server? First, you would isolate the web server from the rest of the network. Then you would attempt to prevent further intrusion, perhaps by changing passwords throughout the organization, on the assumption that the intruder might have compromised passwords. Although the specifics of containment might vary, the goal does not. Limit the spread of the incident as much as possible. This phase must occur first.
ps
lists all currently running processes that the user has started.
top
lists all currently running processes whether the user started them or not. It also lists more detail on the processes
ls
lists contents of current directory
EnCase Table pane
lists subfolders and files contained within the folder selected in Tree pane
ls /dev/disk? command
lists the current device files that are in use. You should document this information before shutting the system down for transport to the forensic lab.
Techniques of forensic analysis
live analysis, physical analysis, logical analysis, create a timeline
Types of Logs: Application
logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.
Types of Logs: Authentication
logs show accounts related to a particular event and the authenticated user's IP address. They contain date and timestamps as well as the username and IP address of the requestor.
Types of Logs: Network device
logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack. For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities.
Linux email server logs
/var/log/mail.*
File systems
look at clusters not sectors
logical analysis
looking for things that are visible, known about, and possibly controlled by the user
General AI
a machine that has all the senses (maybe more) and all the reasoning of a person, and thinks just like people do.
mac tools
MacKeeper
Viruses can be divided into 6 distinct categories:
macro, memory resident, multipartite, armored, sparse infector, polymorphic
storage formats
magnetic media, solid state drives, digital audio tape drives, digital linear tape and super DLT, optical media, USB drives
payload
message to be hidden
Machine Learning
method of data analysis that automates analytical model building. ML uses algorithms that learn iteratively from data and can find insights without explicit programming
Find evidence
more than data recovery; finding and isolating evidence to prove or disprove allegations. Often must search through thousands of deleted files and fragments. Examiners work in secure labs to check for viruses in suspect machines and isolate data to avoid contamination. Work with verifiable copies of disks, not the actual disks; thus it is advisable to make more than one copy of the evidence, depending on the tests you need to run and the copies you need to present.
mount
mounts a partition, allowing you to work with it
Undeleting Linux Files: Manually(Recovering Deleted Files)
move to single-user mode (init 1); use grep or a similar command (e.g., grep -b 'search-text' /dev/partition > file.txt); use a command-line editor to view the file
Prepare evidence
must be able to withstand judicial scrutiny; thus thorough documentation of all tests conducted is required, and all results must be accounted for. Failing to document can ruin a case.
/var/log/mysql.*
MySQL database activity; useful for investigating SQL injection attacks and other hacking crimes
Clusters
need not consist of contiguous sectors; for example, a 10-sector cluster may have sectors from many different locations.
net user trick to gain domain admin privilege
net user /domain /add localaccountname password net group /domain "Domain Admins" /addlocalaccount; saves the script to the All Users startup folder and waits for a domain admin to log on, which usually occurs in the tech support department, so breaking a machine can get tech support to log in
Blackberry
new versions use Android
hacking
originally meant experimenting with a system; now generally means to break into a system
Email files: .pst
Outlook
Email files: .mbx or .dbx
Outlook Express
Ping of Death
packets in excess of 65535 bytes sent to the targeted machine
Basic steganography terms
payload, carrier, channel
cmp
performs a textual comparison of two files and tells you the difference between the two
diff
performs a byte-by-byte comparison of two files and tells you the difference between the two
takes the name you provide and returns the ID for that process; can work with partial names
pgrep
ciphertext
plaintext subjected to an algorithm and key
switch
prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. Switches remember the address of every node on the network and anticipate where data needs to go. A switch operates only with the computers on the same LAN because it operates based on the MAC address in a packet, which is not routable. It cannot send data out to the Internet or across a wide area network (WAN). These functions require a router.
Exchange Private folder
priv.edb
Streaming Data
priv.stm
Disk forensics
process of acquiring and analyzing information stored on physical storage media, includes recovery of deleted and hidden information as well as identifying who created the file.
Software forensics
process of examining malicious computer code, also known as malware forensics
Network forensics
process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing
Internet forensics
process of piecing together where and when a user has been on the Internet.
Important Windows Files: Lsass.exe
program that handles security and logon policies
Scientific Working Group on Digital Evidence (SWGDE)
promotes a framework process that includes the following four stages: Collect, Preserve, Examine, Transfer
Children's Online Privacy Protection Act of 1998 COPPA
protects children under 13 from the collection and use of their personal information by websites (replaces the 1988 COPA)
Privacy Protection Act of 1980
protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public.
Federal Standards on BCPs
provide a good overview of what should be covered in any business continuity plan, and some, like NIST 800-34, are also applicable to disaster recovery plans. For the purposes of forensic examination, you don't need to be an expert in disaster recovery—just a basic overview of the process is sufficient.
Hierarchical storage management (HSM)
provides continuous online backup by using optical or tape "jukeboxes." It appears as an infinite disk to the system, and can be configured to provide the closest version of an available, real-time backup.
American Society of Crime Laboratory Directors (ASCLD)
provides guidelines for managing a forensic lab, for acquiring crime lab and forensic lab certification.
Telecommunications Act of 1996
provisions relative to the privacy and disclosure of information in motion through and across telephony and computer networks
shows all the processes in the form of a tree structure
pstree
Exchange Public Folders
pub.edb
Locky
ransomware virus that encrypts sensitive files and demands payment for the encryption key; first appeared in 2016
The system_profiler SPSoftwareDataType command
related to system_profiler SPHardwareDataType; returns information about the operating system. This is also important for documenting the system prior to starting the forensic examination.
Windows N.T. 4.0
released shortly after Windows 95 for servers and professionals
The Child Protection and Sexual Predator Punishment Act of 1998
requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement
TCP Header Bits, of Interest:RST (1 bit)—
resets the connection
date command
returns the current date and time zone. It is good for documenting when exactly you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then use date -u.
system_profiler SPHardwareDataType command
returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination. There are related commands, such as system_profiler SPSerialATADataType. This command gives information on all the attached Serial Advanced Technology Attachment (SATA) devices.
Android
Samsung Galaxy, many, many types
What are the 5 guidelines required by the Daubert Ruling for scientific evidence to be admissible in court?
scientific theory/technique has been tested • it has been subjected to peer review or publication • the known or potential error rate must be known • the technique must follow set standards so it can be replicated (existence and maintenance of standards controlling its operation) • it can be explained so that the court and jury understand it (it has attracted widespread acceptance within the scientific community)
how the net user trick affects forensics
search the system for unrecognized scripts, especially in startup folders; check account usage for odd behavior; the forensic investigator should be familiar with hacking techniques and tools
hard drives store data as a _______________
sector
Christmas Tree Scan
sends a TCP packet to the target with the URG, PUSH, and FIN flags set; alternates bits turned on and off in the flags byte; the server sends an RST flag
DOD Cyber Crime Center (DC3)
sets standards for digital evidence processing, analysis, and diagnostics. Requires computer forensics support to detect, enhance, or recover digital media. Involved with both law enforcement and counterintelligence
Global Information Assurance Certification (GIAC)
several levels of certification that include security, hacking, and forensics
router
similar to a switch, but it can also connect different logical networks or subnets and enable traffic that is destined for the networks on the other side of the router to pass through. Routers utilize the IP address to determine the path of outgoing packets and work at the Network Layer of the OSI model. Modern routers are complex devices. They handle packets, often have firewall and Dynamic Host Configuration Protocol (DHCP) capabilities, are programmable, and maintain logs.
pstree command
similar to the ps command, except it shows all the processes in the form of a tree structure. The tree format gives more information particular to a given forensic investigation. Not only will you know what processes are running, but also which process initiated those processes.
how cyberterrorism affects forensics
since cyberterrorism often uses multiple layers of attacks, each layer must be investigated. Usually state-sponsored, so the investigation is difficult and tedious due to the sophistication of, and money spent on, the attack.
Spyware
software that can monitor a user's activity on a computer
Three ways to fake emails
spoofing, anonymous remailing, "valid" emails
encryption vs. steganography
steganography: message hidden; encryption: message present but obfuscated and not easily deciphered
UDP header
still has a source and destination port number, but it lacks a sequence number and synchronization bits.
Linux
stores files in contiguous blocks; inode (hard links and soft links); manual recovery with grep and >
Email forensics
study of the source and content of email as evidence, includes identifying sender, recipient, date, time, and origination location of email.
invokes super user mode
su
TCP Header Bits, of Interest:SYN (1 bit)—
synchronizes sequence numbers.
AND
takes two binary numbers and compares them one place at a time. If both numbers have a 1 in a given place, then the resultant number is 1. If not, then the resultant number is 0.
TCP/IP VS OSI
TCP/IP application layer = OSI application/presentation/session; TCP/IP transport layer = OSI transport; TCP/IP internet layer = OSI network; TCP/IP network access layer = OSI data link and physical
open files command
tells you if any shared files or folders are open and who has them open.
Ciphertext-only attack
the easiest attack to defend against. The attacker only has access to a collection of ciphertexts. This is much more likely than known plaintext, but also the most difficult. The attack is successful if the corresponding plaintexts or, even better, the key can be deduced. However, obtaining any information at all about the underlying plaintext in this situation is considered a success.
Frye Standard
the evidence in question must be "generally accepted" by the scientific community
Session Layer
the fifth layer of the OSI model. This layer establishes, manages, synchronizes, and terminates connections between the computers. It provides either half-duplex or full-duplex service.
CAN-SPAM Act (2003)
the first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes. You do not need permission before sending email. This means that unsolicited email is not prohibited. It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act. The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails, and that method cannot require the receiver to pay in order to opt out. There are restrictions on how the sender can acquire the recipient's email address and how the sender can actually transmit the email: A message cannot be sent through an open relay. A message cannot be sent to a harvested email address. A message cannot contain a false header. These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party's servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.
TCP/IP Network Access Layer
the first layer of the four-layer TCP/IP model. The Network Access Layer defines the details of how data is physically sent through the network, including how bits are electrically or optically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted pair copper wire. The protocols included in the Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay, etc. The most popular LAN architecture among those listed above is Ethernet. Ethernet uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media when Ethernet operates on a shared medium. An access method determines how a host will place data on the medium. In the CSMA/CD access method, every host has equal access to the medium and can place data on the wire when the wire is free from network traffic. When a host wants to place data on the wire, it will check the wire to find whether another host is already using the medium. If there is already traffic on the medium, the host will wait; if there is no traffic, it will place the data on the medium. But if two systems place data on the medium at the same instant, they will collide with each other, destroying the data. If the data is destroyed during transmission, the data will need to be retransmitted. After a collision, each host will wait for a small interval of time and then the data will be retransmitted.
Physical Layer
the first, or bottom-most, layer of the OSI model, where all the physical connectivity of devices takes place in a network. It also defines the electrical and mechanical specifications like cables, connectors, and signaling options of the medium. It converts the data into binary bits and then transfers them to the data link layer.
defragmentation
the following conditions are checked, and if met, the file is defragmented when it is opened: • The file is less than 20 megabytes in size. • The file is not already in use. • The file is not read-only. • The file is fragmented. • The system uptime is at least three minutes.
identity theft
the fraudulent acquisition and use of a person's private identifying information, usually for financial gain.
Phishing
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Usually done in mass email campaigns that yield a 1-3% success rate.
how logic bombs affect forensics
the nature of the logic bomb will give clues to the creator, usually an employee with access to the system and a programming background, so it is relatively straightforward to investigate. Follow the same parameters as when investigating a virus if the logic bomb was delivered by a trojan.
base transceiver station (BTS)
the part of the cellular network responsible for communications between the mobile phone and the network switching system. The base station system (BSS) is a set of radio transceiver equipment that communicates with cellular devices. It consists of a BTS and a base station controller (BSC). The BSC is a central controller coordinating the other pieces of the BSS.
Email Laws: Fourth Amendment to U.S. Constitution
this, as well as state requirements, governs the seizure and collection of any email messages that reside on a sender's or recipient's computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, seizure requires a search warrant or one of the recognized exceptions to the search warrant requirement, such as consent from the device owner.
state of running processes
this data is captured before the system is shut down
state of network connections
this data is captured before the system is shut down
>
this is the redirect operator: instead of displaying the output of a command like ls on the screen, it redirects the output to a file
lists the processes in the order of how much CPU time each process is utilizing
top
how fraud affects forensics
trace communications; the more sophisticated an attack, the less evidence there is; follow the money; trace the owners of websites
Null Scan
turns off all flags, creating a lack of TCP flags in the packet (0000000). This would never happen in normal communications; it results in an error packet being sent again, and the server sends an RST flag.
channel
type of medium used
BPCS Bit Plane complexity segmentation
up to 50% of vessel data
live forensic tools: PSList
used to view process and thread statistics on a system; lists all running processes on the system. However, it does not reveal the presence of a rootkit or the other processes that the rootkit has hidden. It is part of a suite of tools, PsTools, available as a free download.
Atbash Cipher
used by Hebrew scholars copying the book of Jeremiah. Reverses the alphabet—substituting the first letter of the alphabet for the last letter, the second letter for the second-to-last letter, and so on. Is primitive and easy to break.
TCP Three-Way Handshake
used by TCP establishes a session between two systems. The first system sends a packet with the SYN flag set. The second system responds with a packet that has the SYN and ACK flags set. The first system responds with a packet with the ACK flag set. The two systems have now started a session.
LinEn boot disk
used to acquire the contents of a Linux machine.
cd
used to change directories
rm
used to delete or remove a file
Swap file
used to optimize the use of random access memory (RAM). Data is frequently found in the swap file. The details on how to extract data from the swap file vary depending on the installed operating system.
rmdir
used to remove an empty directory (a directory that still has contents is removed with rm -r)
Forwarded Events log
used to store events collected from remote computers; Has data in it only if event forwarding has been configured
Applications and Services log
used to store events from a single application or component rather than events that might have system-wide impact
Windows Boot Process: Step 16
user logs on
GroupWise User Databases
userxxx.db
Vigenere Cipher
uses a table (the tabula recta) and a selected keyword to encrypt a message. Match the letter of your keyword along the top with the letter of your plaintext down the left side to find the ciphertext. This polyalphabetic (multi-alphabet) cipher is more secure than a single-alphabet substitution cipher but is still easily cracked by computers. Example: if you are encrypting the word cat and your keyword is horse, the ciphertext is jok.
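The following is an added example, not code from the original course material, covering the Atbash and Vigenere cards above. It implements both ciphers, reproduces the card's cat/horse example, and then shows why Vigenere is "easily cracked by computers": each keyword position is just a Caesar shift, so splitting the ciphertext into one column per keyword letter and scoring each candidate shift against English letter frequencies (chi-squared) recovers the keyword. The sample plaintext is constructed for the demonstration and the keyword length is assumed known (in practice it is estimated first, e.g. with the Kasiski method).

```python
import string

ALPHA = string.ascii_lowercase

# Relative English letter frequencies (percent), used to score candidate Caesar shifts.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228, "g": 2.015,
    "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025, "m": 2.406, "n": 6.749,
    "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987, "s": 6.327, "t": 9.056, "u": 2.758,
    "v": 0.978, "w": 2.360, "x": 0.150, "y": 1.974, "z": 0.074,
}


def letters_only(text):
    """Lower-case the text and drop everything that is not a letter."""
    return "".join(ch for ch in text.lower() if ch in ALPHA)


def atbash(text):
    """Atbash: a fixed single-alphabet substitution (a<->z, b<->y, ...). Non-letters
    pass through unchanged, and the cipher is its own inverse."""
    return "".join(ALPHA[25 - ALPHA.index(ch)] if ch in ALPHA else ch for ch in text.lower())


def vigenere(text, keyword, decrypt=False):
    """Vigenere: shift each plaintext letter by the keyword letter beneath it (the
    tabula recta lookup), cycling through the keyword. Non-letters are dropped."""
    pt = letters_only(text)
    shifts = [ALPHA.index(k) for k in letters_only(keyword)]
    out = []
    for i, ch in enumerate(pt):
        s = shifts[i % len(shifts)]
        if decrypt:
            s = -s
        out.append(ALPHA[(ALPHA.index(ch) + s) % 26])
    return "".join(out)


def chi_squared(column):
    """Distance of a letter sample from English letter frequencies; lower is more English-like."""
    n = len(column)
    score = 0.0
    for ch in ALPHA:
        expected = ENGLISH_FREQ[ch] * n / 100
        score += (column.count(ch) - expected) ** 2 / expected
    return score


def crack_vigenere(ciphertext, key_length):
    """Recover the keyword given its length: every keyword position is an independent
    Caesar cipher, so take every key_length-th letter as one column and choose, per
    column, the shift whose decryption looks most like English."""
    ct = letters_only(ciphertext)
    key = []
    for i in range(key_length):
        column = ct[i::key_length]
        best = min(range(26), key=lambda s: chi_squared(
            "".join(ALPHA[(ALPHA.index(c) - s) % 26] for c in column)))
        key.append(ALPHA[best])
    return "".join(key)


# Constructed sample plaintext, long enough for per-column frequency analysis to work.
SAMPLE_PLAINTEXT = (
    "Network forensic analysis reconstructs the sequence of events that took place during a "
    "security incident. The investigator captures the state of running processes and network "
    "connections before the system is shut down, because volatile data disappears when power is "
    "removed. Every item considered, every test performed and every conclusion reached must be "
    "documented in the expert report, since in most jurisdictions anything left out of the report "
    "cannot be presented at trial. Evidence must be collected in a way that preserves its integrity "
    "and the chain of custody must be maintained from the moment of seizure until the evidence is "
    "presented in court."
)


if __name__ == "__main__":
    print(atbash("hello"))                       # svool
    print(vigenere("cat", "horse"))              # jok, the example from the card above
    ct = vigenere(SAMPLE_PLAINTEXT, "horse")
    print(crack_vigenere(ct, 5))                 # horse
```

The recovered keyword comes straight out of letter statistics with no key material at all, which is the practical meaning of "easily cracked by computers": the keyword only spreads the plaintext across a handful of Caesar ciphers, and each of those falls to frequency analysis once enough ciphertext is available.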
Asymmetric Cryptography
uses different keys to encrypt and decrypt plaintext
asymmetric cryptography
uses different keys to encrypt and decrypt plaintext; examples: RSA, Diffie-Hellman
Armoured virus
uses techniques that make it hard to analyze by compressing the code or encrypting it with a weak encryption method
Armored
uses techniques that make a virus hard to analyze, such as compressing or encrypting its code
Symmetric Cryptography
uses the same key to encrypt and decrypt plaintext. Two different keys can be used, one for traffic from sender to receiver and one for traffic from receiver to sender, but within each direction the same key is still used for both encryption and decryption. Having different keys for the two directions limits the damage if one key is learned or disclosed.
Forensic Network Analysis
uses the tools and techniques of the network trade. Network monitoring gives the "big picture" perspective, an insight into how networks and systems behave; network analysis takes a deeper look at the traces between systems, networks, and intruders. Also referred to as "network forensic analysis": the analysis of network data to reconstruct network activity over a specific period of time. Commonly used to:
• Reconstruct the sequence of events that took place during a network-based security incident
• Discover the source of security policy violations, vulnerabilities, or information assurance breaches
• Investigate individuals suspected of crimes
Format of expert report
usually lists all items, documents, and evidence considered; details the tests performed and the analysis done; and states the conclusions. It should also include the expert's entire curriculum vitae (CV), the documentation that details your experience and qualifications, in an appendix; the CV should include every publication, award and credential earned and a very detailed work and education history. In most jurisdictions, if it is not in the report it cannot be presented at trial, so thoroughness is essential. Be able to back up everything you say with well-respected references that support your claims.
2016
v10.12 (Sierra)
2001
v10.0 (Cheetah)
2011
v10.7 (Lion)
EnCase Network boot disk
very similar to the EnCase boot disk, but allows you to perform the acquisition over a crossover cable between the investigator's computer and the suspect computer
FakeAV:86
malware that purports to be a free antivirus scan but is actually a Trojan; first appeared in 2012
USA PATRIOT Act (2001)
was passed into law in response to the terrorist attacks of September 11, 2001. The Act:
• Reduced restrictions on law enforcement agencies' intelligence gathering within the United States
• Expanded the Secretary of the Treasury's authority to regulate financial transactions
• Broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts
• Expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the Act's extended law enforcement powers can be applied
In May 2011, President Barack Obama signed a four-year extension of three key provisions of the Act: roving wiretaps, searches of business records, and surveillance of individuals suspected of terrorism-related activities who are not linked to terrorist groups. The Act gives law enforcement dramatically enhanced powers for information gathering and should be part of the knowledge base of any forensic investigator.
Frye standard
the earlier requirement for scientific evidence to be admissible in court: the evidence must be "generally accepted" by experts in the particular field of study (from Frye v. United States, 1923; in federal courts it has since been superseded by the Daubert standard)
$I and $R
when a file is moved to the Recycle Bin it becomes two files under the deleting user's SID directory: the original file is renamed $R followed by a series of random characters, keeping its original file extension, and holds the file's content; a companion file named $I with the same random characters is created and records the original path, the original size and the time of deletion
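The following is an added example, not code from the original course material, showing what an examiner actually reads out of a $I file. It builds and parses both layouts of the index file: version 1 (Vista, 7 and 8: an 8-byte version field, 8-byte original size, 8-byte FILETIME deletion timestamp, then the original path as a fixed 520-byte UTF-16LE field) and version 2 (Windows 10 and later: the same 24-byte header followed by a 4-byte path length and the path). The sample path, size and timestamp are constructed for the example, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME value."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """Convert a FILETIME value back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_index_file(version, original_path, size, deleted_at):
    """Fabricate a $I file for either format version (used here to construct sample input).
    Version 1: 24-byte header + path as 260 UTF-16LE characters (520 bytes, NUL padded).
    Version 2: 24-byte header + 4-byte path length in characters (including the NUL) + path."""
    header = struct.pack("<QQQ", version, size, to_filetime(deleted_at))
    path_utf16 = (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + path_utf16.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + path_utf16


def parse_index_file(data):
    """Parse a $I file and return the metadata the examiner needs: original path,
    original size and deletion time. Raises ValueError on an unknown version."""
    version, size, ft = struct.unpack("<QQQ", data[:24])
    if version == 1:
        path_bytes = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack("<I", data[24:28])
        path_bytes = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    original_path = path_bytes.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": from_filetime(ft),
        "original_path": original_path,
    }


# Constructed sample values (hypothetical path and timestamp).
SAMPLE_DELETED_AT = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\bob\Documents\secret.docx"


def sample_index_files():
    """One constructed $I file per format version, keyed by version number."""
    return {v: build_index_file(v, SAMPLE_PATH, 12345, SAMPLE_DELETED_AT) for v in (1, 2)}


if __name__ == "__main__":
    for version, data in sample_index_files().items():
        print(version, parse_index_file(data))
```

On a live image the same parser is run over every $I file found under \$Recycle.Bin\%SID; the random characters after $I match those of the $R file that still holds the content, so the metadata and the data can be paired up again.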
1990
Windows 3.0 released
1992
Windows 3.1 released
GroupWise Post Office Database
wphost.db
If the forensic workstation is a Windows machine
you can use the Windows Registry to prevent the workstation from writing to a connected storage device. Before connecting the device, create or open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, set its DWORD value WriteProtect to 0x00000001, and restart the computer. This prevents that computer from writing to USB mass-storage devices connected to it. Note that this is a software control that applies only to devices presenting themselves as USB mass storage, not to phones connected over MTP/PTP, so a hardware write blocker remains the more defensible choice where one is available.
steganalysis tools
• StegSecret • StegSpy • Invisible Secrets • MP3Stego