101-Concepts

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Master Boot Record (MBR)

contained in the boot sector, is used when DOS- or Windows-based computers start up. The MBR contains important information such as a partition table, bootstrap code, and other information.

Identify Crime:An attacker inserts SQL commands into text boxes, often using the username and password text fields on a logon screen.

hacking

An attacker remotely accesses a power plant's computer system and inserts a logic bomb.

hacking non-access computer crime cyberterroris

security log

has both successful and unsuccessful logon events; probably the most important log from a forensic point of view

Ethernet header

has the source and destination MAC address

Transport Layer

he fourth layer of the OSI model. It convert the packets received from network layer into segments and then transfer it to the upper layer. The transport layer ensures that the entire message reaches in order and handles error control and flow control at the source-to-destination level.

live forensic tools: PsLoggedOn

helps you discover users who have logged on both locally and remotely. Of most importance, it tells you who is logged on to shares on the current machine. This is also part of the PsTools suite available from Microsoft TechNet.

Where Recycle Bin is in Win 7 and vista

hidden directory \$Recycle.Bin\%SID, where %SID is the SID of the user that performed the deletion

steganophony

hiding messages in sound files

life span

how long information is valid

The iPhone: Seizing Evidence

iPhone has four-digit pin 10,000 possible combinations of the digits 0-9 Newer phones have six-digit pin and can use passwords as well. Can use automated process to break iPhone passcode, such as XRY Tools specifically for iOS devices: Pwnage Recover My iPod If forensic workstation has iTunes: Plug iPhone (or iPad/iPod) into the workstation Use iTunes to extract information about the device

An attacker dumpster dives to look for a victim's personal information, such as in discarded mail, bills, and bank statements

identify theft

Preserve evidence

important because data can easily be destroyed at a bit-level. Must assume every computer is rigged to destroy evidence.

tracing email

is similar to traditional detective work. Tracing email involves looking at each point through which an email passed and working step by step back to the originating computer and, eventually, the perpetrator. Email header information is typically examined to look for clues about where a message has been. Investigators often use audits or paper trails of email traffic as evidence in court. Many investigators recommend use of the tracert command. However, because of the dynamic nature of the Internet, tracert does not provide reliable, consistent, or accurate routing information for an email. It may also be useful to determine the ownership of the source email server for a message. A number of whois databases are available on the Web that an investigator can use to find out to whom a given IP address is registered.

Global System for Mobile (GSM) communications

is a standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

file created

is the date the file was "created" on the volume. This does not change when working normally with a file, such as opening, closing, saving, or modifying the file.

Communications Assistance Law Enforcement Act of 1994

is the federal wiretap law for traditional wired telephony. expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata

live forensic tools: PSInfo

is also from the PsTools suite It can tell you system uptime (time since last reboot), operating system details, and other general information about the system. This is good background information to put into your forensic report.

Universal Disk Format (UDF)

is the file system used by DVD-ROM discs (both video and audio). Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not guarantee that Mac OS X can read the files.

UNIX File System (UFS)

is the file system used by FreeBSD and many other UNIX variants. Being based on FreeBSD, Mac OS X can read UFS volumes.

ISO 96660

is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but Apple does have its own set of ISO9660 extensions.

GUID Parition Table (Globally Unique Identifier)

is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh machines can boot only from drives that use the GUID Partition Table

mv

is used to move a file

Apple Parition Map

is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with the Apple Partition Map, but cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with the Apple Partition Map, and can also use it as a start-up device.

halts a running process based on the process ID (PID) you provide

kill

collision

occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest). Ideally we would like to have no collisions. But the reality is that with a fixed-length output, a collision is possible. The goal is to make it so unlikely as to be something we need not think about.

Email files: .ost

offline outlook storage

Malware

often disguises itself in simliar names to actual important files for example Lsassx.exe instead of Lsass.exe

Tribal Flood Network

one of the most widely used tools to perform DDos attacks. Newer version is TFN2K

Disk Digger

is an easy-to-use tool for Windows. It can be downloaded free of charge and is fully functional. But when recovering files, you have to recover them one at a time. If you pay for the commercial version, you can recover as many files at one time as you want

Computer Security Incidents

is any event that violates an organization's security policies. This includes computer security policies, acceptable use policies, or standard security practices. Includes: denial of service attacks malicious code unauthorized access inappropriate usage

demonstrative evidence

is information that helps explain other evidence, for example a chart that explains a technical concept to the judge and jury.

swapf file/virtual memory

is located in the folder /var/vm/. You can check it with Linux commands like ls (for listing files). The option ls —al gives you a listing of all the files in virtual memory as well as who launched the program and when. You can use the grep search tool to search in the virtual memory folder.

physical analysis

is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. includes urls, emails, file formats, damaged sectors, data outside partitions looking for things that may have been overlooked, or are invisible, to the user.

dead drop

one person drops off an item, and then a 2nd person picks it up

Low Orbit Ion Cannon (LOIC)

online tool with GUI used to perpretrate a DoS or DDos attack easily

net sessions command

only shows established network communication sessions, such as someone logging on to that system.

RFC 3227

presents guidelines for evidence collection and archiving. Suggest the following: Volatile data file slack file system registry memory dumps system state backup internet traces

show logging

show router log events

show interfaces

show which interfaces are up

netstat command

shows network statistics and any current connections. Shows even meaningless connections, such as your computer opening a web browser.

file modified

shows there has been a change to the file itself.

carrier

signal or stream or file in which payload is hidden

TRIN00

similar to Tribal Flood Network tool used for denial of service attacks orginally written for UNIX, now available for Windows use trojan horse to infect machines

Network Packet: Payload

the body or information content of a packet Actual content that the packet is delivering to the destination If packet is fixed length, payload may be padded with blank information or a specific pattern to make it the right size

How does cyberstalking affect forensics?

the computer is the vechicle that drives the crime check emails and texts and any devices in suspects posession when arrested

Chain of Custody

the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collecting and its appearance in court

Important Windows Files: Ntoskrnl.exe

the core of the operating system

USA Patriot Act

the primary law under which a wide variety of internet and communications info. content and metadata is currently collected. (provisions protect identity and privacy of US citizens)

Steganalysis

the process of analyzing a file or files for hidden content Can show a likelihood that a given file has additional information hidden in it Common method for detecting LSB steganography is to examine close-color pairs

Forensics

the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts

Mutation

the process within a genetic algorithm of randomly trying combinations and evaluating the success (or failure) of the outcome

Important Windows Files: Winlogon.exe

the program that logs you on

Data Link Layer

the second layer of the OSI Model. It converts bits received from physical layer into frames and then transfer it to the network layer.

TCP/IP Internet Layer

the second layer of the four layer TCP/IP model. The position of Internet layer is between Network Access Layer and Transport layer. Internet layer pack data into data packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing of IP datagrams. Packet switching network depends upon a connectionless internetwork layer. This layer is known as Internet layer. Its job is to allow hosts to insert packets into any network and have them to deliver independently to the destination. At the destination side data packets may appear in a different order than they were sent. It is the job of the higher layers to rearrange them in order to deliver them to proper network applications operating at the Application layer. The main protocols included at Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protoco

Cyberstalking/harassment,

, using electronic communications to harass or threaten another person.

Incremental

- All changes since the last backup of any type

real evidence

- a physical object that someone can touch, hold or directly observe

Anti-forensics

- actions that perpetrators take to hide to conceal their locations, activities or identities, includes data destruction, data hiding, data transformation, file system alteration.

Multipartite

- attack the computer in multiple ways, for example the boot sector and files

documentary evidence

- data stored as written matter, on paper or in electronic files. It includes memory-resident data and computer files

testimonial evidence

- information that forensic specialists use to support or interpret real or documentary evidence.

physical analysis

- looking for things that may have been overlooked, or are Invisible to the user: The swap file/page file - possible to find things here that were live in memory and not stored on the suspect drive Unallocated space -Free space, or the area of a hard drive that has never been allocated for file storage.

steganalysis

- process of analyzing a file or files for hidden content

Cell-phone forensics

- process of searching contents of cell phones

daubert standard

- standard to assess whether the experts testimony is based on reasoning and/or methodology that is scientifically valid and can properly be applied to the facts at issue

Live system forensics

- the process of searching memory in real-time, typically for working with compromised hosts or identify system abuse

Expert Testimony -

- the testimony of an expert witness, one who testifies on the basis of scientific or technical knowledge relevant to a case rather than personal experience.

video steganograpy

Hiding information in video files.

steaganophony

Hiding messages in sound files

Identify Crime: An attacker disseminates a virus from a rogue website that infects many computers

Non-Access Computer Crime

Identify Crime: A denial of service (DoS) attack is an example of this type of this crime.

Non-access computer crime

Prefetch

To speed up the performance of programs, Windows keeps a list of all DLLs a given executable needs. When the executable is launched, all the DLLs are "fetched." \ A side benefit is that the prefetch entry keeps a list of how many times an executable has been run, and the last date/time it was run. Most Windows forensics tools will pull this information for you. OSForensics makes it part of the "Recent Activity."

MP3Stego

Tool used to hide data in MP3 files Combines text with sound file to create new sound file that contains hidden info

Getting Header in Hotmail

Select Inbox from the menu on the left. Right-click the message for which you want to view headers, and select View Message Source. The full headers will appear in a new window.

TCP Header Bits, of Interest:URG (1 bit)—

Traffic is marked as urgent, though this bit is rarely used. It is more common that the IP precedence bits are used for priority when there is a need

How Email Works

Sender uses a mail client to send a message Message travels to multiple mail servers Each mail server sends the message closer to its destination Destination mail server stores the message Receiver uses a mail client to retrieve the message from mail server

HTTP Response Messages 500-599

Server-side errors

Network based firewalls

Span an entire network Filter all traffic passing in and out of network or network segment Incorporate enterprise-grade network services VPN Enterprise-class encryption protocols Enterprise-class security services

Intelligent agent

Special-purpose knowledge-based information system that accomplishes specific tasks on behalf of its users

keyspace

The entire range of values that can be used to construct an individual key.

Creating a Timeline

To reconstruct events that led to corruption of a system, create a timeline Challenges with computers: Clock drift Delayed reporting Different time zones Never change clock on a suspect system Record clock drift and time zone in use

Whaling

a phishing attack that targets high-value individuals

spear fishing

a phishing expedition in which the emails are carefully designed to target a particular person or organization

Cyberterrorism

a politically motivated use of computers and information technology to cause severe disruption or widespread fear in society.

Long Term Evolution (LTE)

a standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.

semi-active state

a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

Deep learning (DL)

a subset of machine learning and refers to artificial neural networks that are composed of many layers.

rainbow table

a table of precomputed hashes that contain all possible keystroke combinations that comprise well-known passwords. It is impossible generally to record all combinations due to large size of table. Most attackers limit tables to 8-10 charcters and well known dictionary words. Used to compare hashes to discover passwords. Hashes themselves are one-way functions, meaning they cannot be decrypted only compared.

ophcrack

a tool used to crack local passwords on Windows systems. Intruder must be on local network to use.

How identity theft affects forensics

an investigator should look for spyware and if it exists examine where collected data is being sent. Emails and downloads should also be checked for potential spyware as these are common methods to inject spyware on a victim's computer.

Windows 10

another dramatic change. Features added like Edge Browser, Universal Apps and Cortana changed way user interacted with OS. In some cases changed forensics

EnCase boot disk

boots system to EnCase using DOS mode rather than GUI mode. Copy the suspect drive to a new drive to examine it

Evidence from Cell Phones

call history emails/messages phone information gps information photos videos web history network information

System Memory with OS Forensics

can also capture system memory using OSForensics.

cluster

can be from 1 to 128 sectors

grep

can be used to search for files, contents of files, and just about anything you may want to search for. very flexible and quite popular with Linux users. For example: grep -b 'search-text' /dev/partition > file.txt will search for 'search-text' in a given partition and output the results to file.txt. You can also use this syntax: grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt.

Identify Crime: An attacker sends out false emails suggesting the receiver can make a large sum of with very little investment

computer fraud

Neural networks

computing system inspired by biological netural networks. These systems learn to do task by considering examples.

Application Layer

the seventh layer of the OSI model. It provides a means for the user to access information on the network using an application. It also supports services such as electronic mail, remote file access and transfer and shared database management.

Presentation Layer

the sixth layer of the OSI model. This layer deals with syntax and semantics of the data exchanged between two devices. It encrypt data to protect from unauthorized access and also compress to reduce the size of data.

RFC 2822

the standard for email format including headers replaced RFC 822 which was originally designed for text messages over ARPANET, the precursor to the internet allows user to read emails using a variety of programs and operating systems

cryptography

the study of writing secret messages derived from word kryptós, which means hidden, and the verb gráfo, which means write

mobile switching center (MSC)

the switching system for the cellular network. MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. You will learn about 3G and GSM networks later in this section. The MSC processes all the connections between mobile devices and between mobile devices and landline phones. The MSC is also responsible for routing calls between base stations and the public switched telephone network (PSTN).

Network Layer

the third layer of the OSI model. It converts the frame received from data link layer into packets and then transfer it to the transport layer.

TCP/IP Transport Layer

the third layer of the four layer TCP/IP model. The position of the Transport layer is between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the source and destination hosts to carry on a conversation. Transport layer defines the level of service and status of the connection used when transporting data. The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

TCP/IP: Application Layer

the top most layer of four layer TCP/IP model defines TCP/IP application protocols and how host programs interface with Transport layer services to use the network. includes all the higher-level protocols like DNS (Domain Naming System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol) , DHCP (Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol) etc.

Euler's Totient

the total number of co prime numbers for a number n. Two numbers are considered coprime if they have no common factor's. Used in RSA.

File Slack Searching:

the unused space between the logical end of file and the physical end of file

Computer Forensics

the use of analytical and investigative techniques to identify, collect, examine and preserver evidence/information which is magnetically stored and encoded. Additionally, any device that can store data is potentially a subject for computer forensics

Cyberterrorism

the use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals

Polymorphic

the virus literally changes its form from time to time to avoid detection by antivirus software, a variation is a metamorphic virus which can completely rewrite itself.

dumpster diving

using a person's discarded documents to obtain information about identity or other important information

Social Engineering

using deception to obtain unauthorized access to information resources

Cyberstalking

using electronic communications to harass threaten or track another person

cryptanalysis

using techniques other than brute force to attempt to uncover a key. Frequency Analysis Kasiski examination

Important Windows Files: Hal.dll

an interface for hardware

Email files: .mbx

eudora

encrpytion

obfuscates message so it cannot be read

bourne shell (sh)

This was the original default shell for UNIX. It was first released in 1977.

HTTP Response Messages 200-299

"OK" messages, meaning that whatever the browser requested, the server successfully processed

Slack Space

"The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file.

Listing Contents of .Trash

$/. Trash ls -al

Sierra

(Mac OS X v10.12)—The most recent version (as of March 2017). It is meant to be more in synch with the style of other Apple systems, such as iOS and WatchOS

Tiger

(Mac OS X v10.4)—Had built-in support for FireWire, a new dashboard, and updated mail program.

Snow Leopard

(Mac OS X v10.6)—Included mostly performance enhancements, such as support for multicore processors, rather than new features

Neural network

(artificial neural network) a category of AI that attempts to emulate the way the human brain works

Proper Procedure: Handling Evidence- Collecting Data

(in this order) 1. Volatile data a. Swap file b. State of network connections c. State of running processes 2. Temporary data: OS creates and overwrites without user's direct action to save 3. Persistent data

Windows 3.1

(released in 1992) Though earlier versions had been in existence since 1985, this version became widely popular. used Disk Operating System (DOS) used GUI

Technical Information Collection Considerations

Consider the life span of the information Data is volatile Collect information quickly Collect bit-level information

Mathematically Authenticating Data on All Storage Devices

-After imaging drive, create a hash of the original and the copy -Compare the hashes -If they don't match exactly, something was altered -Document hashing algorithm used and results

Shutting Down Computer

-Before you shut the computer down: *Check for running processes In Windows, use Task Manager *Take a picture of the screen for for your records *Check for live connections to system with following cmd's -netstat -net sessions -open files (critical to run)

Preparing System

-For suspect computers: Remove the drive(s) Create an evidence form and/or a chain of custody form -For mobile devices: Remove SIM card, if necessary Some devices let you dock the phone examine it without removing SIM

How to set up a Forensic Lab (slides)

-Identify functions to be performed -Define activities and estimate workload -Determine necessary equipment and software -Determine physcial space requirements -Plan for security

Transporting Computer

-Keep evidence in possession or control at all times -Document movement of evidence between investigators -Secure evidence appropriately so it can't be tampered with or corrupted -Lock in a vehicle -Drive vehicle directly to lab

Gameover ZeuS

-a virus that creates a peer-to-peer botnet -began to spread in 2015 -creates encrypted traffic between infected computer and command and control computer allowing attacker to control infected computers

64-bit

-addresses up to 18,446,744,073,551,616 bytes -referred to as x64

32-bit

-addresses up to 4,294,967,295 bytes -limited to 4GB of RAM -referred to as x86

CopyQM Plus Disk Duplication Software

-also from NTI -turns PC into disk duplicator -useful for specialists who need to preconfigure CD's for specific uses and duplicate them -can create self-extracting executable programs that can be used to duplicate specific disks -can be used to make preconfigured security disk assessment disks -images can be password-protected -supports all DOS formats and many non-DOS formats -does not copy extra sectors that are added to a CD on copy-protected disks; AnaDisk should be used to perform this task

SYN Flood

-attacker would send many SYN packets -would not answer ACK responses from server -eventually server would run out of resources resulting in Denial of Service(DOS)

Rombertik

-began to be seen in 2015 - virus that uses browser to read user credentials to websites -Most often seen as an attachment in an email -can overwrite master boot record making computer unbootable, and/or encrypt users home folders

temporary data

-collected after volatile data -data that an operating system creates and overwrites without the computer user taking a direct action to save this data. afterwards collect persistent data

OS Forensics

-forensic tool widely used since 2010 from Passmark software -less expensive alternative to EnCase FTK -does not have Known File Filter

AnaDisk Disk Analysis Tool

-from New Technologies Incorporated (NTI) -turns a pc into a sophisticated disk analysis tool -originally created to meet needs of U.S. Treasury Dept in 1991 -scans for anomalies that identify odd formats, extra tracks and extra sectors -used to uncover data-hiding technologies -support all DOS formats and many non-DOS formats such as MAC and UNIX TAR

Storage formats

-magnetic media -solid-state drives -digital audio tape (DAT) drives -digital linear tape (DLT) and super DLT -optical media -universial serial bus (USB)

NIST (National Institute of Standaards and Technology) Four Extraction States

-nascent state -active state -semi-active state -quiescent state

Forensic Certifications

-pc hardware: A+ certification basic networking: Network+ or CCNA security:CISSP or Security+ hacking: Offensive Security, Certified Ethical Hacking from EC Council and GIAC Penetration Tester (GPEN) from SANS Encase, Access Data, OS Forensics all offer certifications

Proper Procedure Overview

-shut down computer -transport computer to secure location -prepare system -document the hardware configuration of system -mathematically authenticate data on all storage devices

flame

-targets Windows operating systems -specifically designed for espionage, state-sponsored -first discovered in May 2012 -spyware that can monitor network traffic and take screenshots of infected system -stores data in local database that is heavily encrpyted -able to change behavior based on which antivirus program is running -signed with a fraudulent Microsoft Windows certificate so Windows accepts as legitimate

Forensic Toolkit (FTK)

-widely used forensic analysis tool from Access Data availabe in Windows and Mac -popular with law enforcement -ability to select which hash used to verify suspect copied drive and which features wish to use on drive -especially good at cracking passwords such as password-protected PDF files, excel spreadsheets. -also supplies tools to analyze windows registry and email (which can be arranged in a timeline) -has distributed processing which allows processing and analysis to be distributed across three computers. This lets all three computers to perform three parts of analysis in parallel speeding up forensic process. -Has an Explicit Image Detection add-on that automatically detects pornographic images

Email Server Forensics

. Even if the sender and the recipient have deleted the relevant emails, there is a good chance a copy is still on the email server. Many servers have a retention policy, which may be governed by law in certain industries. There are a variety of email server programs that could be in use. Microsoft Exchange is a very common server. Lotus Notes and Novell GroupWise are also popular email server products.

GroupWise

.db

Exchange Server

.edb

Block Cipher

.literally encrypts the data in groups of bits, also known as blocks . Assuming the actual algorithm is mathematically sound, then the following is true: Larger block sizes increase security. Larger key sizes increase security against brute-force attack methods. If the round function is secure, then more rounds increase security to a point.

Lotus Notes

.nsf

RunLevel 0

/etc/rc.d/r0.d halt

RunLevel1

/etc/rc.d/r1.d single-user mode

RunLevel2

/etc/rc.d/r2.d Not used (user-definied)

RunLevel3

/etc/rc.d/r3.d Full multi-user mode without GUI

RunLevel4

/etc/rc.d/r4.d not used (user-defined)

RunLevel5

/etc/rc.d/r5.d full multi-user mode with GUI

RunLevel6

/etc/rc.d/r6.d reboot

Well-known ports

0-1023

This is a ____AND_____binary operation

1 1 0 1 1 0 0 1 ____________ 1 0 0 1

This is a ______XOR_________ binary operartion (2)

1 1 0 1 1 0 0 1 _____________ 0 1 0 0

This is a ____OR______ binary operation (1)

1 1 0 1 1 0 0 1 _____________ 1 1 0 1

Evidence gathering Measures

1. Avoid changing evidence-take photos, label wires and sockets, transport carefully, avoid touching hard disks and CD's and make exact bit-level copies and store them on write-once CD 2. Determine when evidence was created-create a detailed timeline should mirror chain of custody timeline as well 3. Trust only physical evidence-bit level 4. Search throughout a device 5. Present the evidence well in a logical, compelling, understandable, and persuasive manner

Technical Information Collection Considerations

1. Consider the Life Span of Information 2. Collect Information quickly 3. Collecting Bit-Level Information

How to set up a Forensic Lab

1. Equipment-storage for data, a server with at least RAID 1 redundnacy (mirroring) recommended RAID 5 with backups once a day at minimum. Likely need multiple servers for data storage. Comupters capable of attaching all sorts of drives and usbs as well as all sorts of power connectors for smartphones, laptops, routers, and other digital devices. 2.Security-computers and servers used should not be connected to internet, and is separate from working network. Lab room should be shielded from any electromagnetic interference such as from wireless or cellular signals. Physical security should limit access to lab and be able to account for access (swipe-cards or biometric readers are ideal); room should be difficult to forcibly access; an evidence safe that is fire-resistant should also be used.

Forensic Imaging

1. Forensically wipe the target drive (drive you are copying suspect drive to) a. Use linux dd command: dd if=/dev/zero of=/dev/hdb1 bs=2048 b. Or: fdisk -l to list the partitions of the system 2. Use netcat on the forensic server in prep for data from suspect computer 3. On suspect computer, use the dd command to read the first partition Imaging with Encase Imaging with FTK Imaging with OS Forensics

Forensic Methodologies

1. Handle original data as little as possible 2. Comply with rules of evidence 3. Avoid exceeding your knowledge 4. Create an analysis plan

Example order of volatility:

1. Registers and cache 2. Routing tables 3. ARP cache 4. Process table 5. Kernel stats and modules 6. Main memory 7. Temp file systems 8. Secondary memory 9. Router config 10. Network topology

Recovering Information from Damaged Media: Overview

1. Remove drive/connect to test system 2. Boot test system If the drive is not recognized perform repair and image drive content 3. Copy files from drive to test system

Storing a File in Windows (FAT/FAT32)

1. The cluster number of the next cluster for this file is recorded. 2. If this cluster is the end of a chain, then it has a special end of cluster chain (EOC) entry. 3. Bad clusters have a special entry in the file allocation table. 4. Reserved clusters have a special entry in the file allocation table. 5. Open, or available, clusters are also marked in the file allocation table.

Important iOS items to document if using ITunes extraction technique

1. The iOS version number 2. The phone number (redacted in this figure) 3. The serial number (redacted in this figure)

Ways identity theft is perpetrated

1. phishing 2. spyware 3. discarded information

Order of Volitality From High to Low

1. registers and cache 2. routing tables 3. ARP cache 4. Process table 5. Kernel statistics and modules 6. Main memory 7. Temporary file systems 8. Secondary memory 9. Router configurations 10. Network topology

Roles a computer can play in a crime

1. target of crime 2. instrument of crime 3. an evidence repository that stores valuable information about the crime. In some cases, a computer can have multiple roles. It can be the instrument of a crime and also serve as a file cabinet that stores critical evidence.

Evidence -Handling tasks

1.Find evidence 2. Preserve evidence 3. Prepare evidence

3 criteria for cyberstalking

1.Is it possible? Is threat credible and possible to carry out 2.How frequently does behavior occur; mustbe repetitive 3.How serious? Specific and detailed plans cause alarm more than generalizations Not all 3 need to be present to constitute a crime

Registered ports

1024-49151

The Computer Security Act of 1987

1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

Windows Mobile Operating systems

1996: Windows CE 2008: Windows Phone; not compatible with many of the previous Windows Mobile apps 2010: Windows Phone 7 2012: Windows 8 2015: Windows 10 Mobile Windows 10 (Windows 10 Mobile) is shipped on PCs, laptops, phones, and tablets. This means that once you are comfortable with the operating system on one device, you are going to be able to conduct forensic examinations on other devices running Windows 8 or Windows 10.

iMac

1998

iphone

2007

HEXIDECIMAL VALUES: PDF

25 50

pdf

25 50

What happened to 2DES?

2DES basically does DES two times Was not much more secure than DES Took more time and computer resources to implement Not widely used

Advanced Format

4096-byte sectors used by modern hard drives

HEXIDECIMAL VALUES: BMP

42 4D

bmp

42 4D

GIF

47 49

HEXIDECIMAL VALUES: GIF

47 49

HEXIDECIMAL VALUES: MP3

49 44

MP3

49 44

Dynamic ports

49152-65535

HEXIDECIMAL VALUES: EXE

4D 5A

exe

4D 5A

HEXIDECIMAL VALUES: ZIP

50 4B

zip

50 4B

HEXIDECIMAL VALUES: AVI

52 49

HEXIDECIMAL VALUES: WAV

52 49

WAV, AVI

52 49

HEXIDECIMAL VALUES: PNG

89 50

png

89 50

Functions of Data Link Layer

: Framing - The physical layer delivers raw bits from the Source to destination. During transmission, the value of the bits can change. It is also possible that the number of bits received by the receiver may be different from the number of bits sent by the Sender. To resolve this problem, the data link layer organizes the bits into manageable data units called as frames. Physical Addressing - Data link Layer adds header to the frame which contains the physical address of the sender (MAC Address)or receiver. Flow Control - It may happen that the speed at which the sending and receiving nodes operate may differ. The sending node may transmit data at a faster rate but the receiving node may receive it at a slower rate. The rate of data transmission between two nodes should be controlled to keep both the nodes in synchronization. This process is called flow control. Error Control - Another function of the Data Link layer is error control. Error control detects and corrects errors. During transmission, if a frame is lost or corrupted, the data link layer re transmits that frame. It also prevents duplication of frames.

1991

: Linus Torvalds begins creating Linux

ROT13 cipher

A permutation of the Caesar cipher All characters are rotated 13 characters through the alphabet A CAT becomes N PNG

Virus

A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data

volatile memory: Heap (H)

A process may use a memory allocator such as malloc to request dynamic memory. When this happens, the address space of the process expands. The data in the heap area can exist between function calls. The memory allocator may reuse memory that has been released by the process. Therefore, heap data is less stable than the data in the data segment.

Important Windows Files: Smss.exe

A program that handles services on your system

Important Windows Files: Ntdetect.com

A program that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on

iXImager

A proprietary file format used by the iLook tool Tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only

Certified Cyber Forensics Professional (CCFP)

A certification from ISC2 for completing the education and work experience and passing the exam

Encase file format

A proprietary format defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files Includes a hash of the file to ensure nothing was changed when it was copied from the source

Android

A Linux-based operating system that is completely open source. Android source code: http://source.android.com/ First released in 2003 Versions of Android named after sweets, such as Version 4.1-4.2 Jelly Bean and Version 7.0 Nougat Differences from version to version usually involved adding new features. If you are comfortable with version 1.6 (Donut), you will be able to do forensic examination on version 4.2 (Jelly Bean). Samsung Galaxy and many other mobile devices run Android Similarity across versions Can perform similar forensic examinations on different versions

logic bomb

A computer program or part of a program that lies dormant until it is triggered by a specific logical event. such as a date and time; often perpertrated by disgruntled employees

consistency checking problems

A consistency check can fail if the file system is highly damaged. The repair program may crash, or it may believe the drive has an invalid file system. The chkdsk utility might automatically delete data files if the files are out of place or unexplainable. The utility does this to ensure that the operating system can run properly. However, the deleted files may be important and irreplaceable user files. The same type of problem occurs with system restore disks that restore the operating system by removing the previous installation. Avoid this problem by installing the operating system on a separate partition from the user data.

Diffie-Hellmen

A cryptographic protocol that allows two parties to establish a shared key over an insecure channel Often used to allow parties to exchange a symmetric key through some insecure medium, such as the Internet Enabled all secure communications between parties that did not have a pre-established relationship, such as e-commerce Groundbreaking research provided the foundation for secure transactions across the Internet E-commerce sites like Amazon.com and Staples.com can provide secure electronic communications, thanks in great part to Diffie and Hellman

Kerchoff Principle

A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

action:a

A keyword indicating the action that init is to take on the process

The Digital Forensic Research Workshop Framework (DFRWS)

A matrix with 6 classes, Identification, preservation, collection, examination, analysis, and presentation

Digital Forensics Research Workshop Foundation Framework

A matrix with the following six classes: -Identification -Preservation -Collection -Examination -Analysis -Presentation

Maximum Tolerable Downtime (MTD)

A measure of how long a system or systems can be down before it is impossible for the organization to recover Related to: Mean time to repair (MTTR) Mean time to failure (MTTF)

Alternate Data Streams (ADS)

A method of attaching one file to another file, using the NTFS file system A feature of NTFS that contains metadata for locating a specific file by some criterion, like title may be used by clever criminals to hide things on the target computer. are essentially a method of attaching one file to another file, using the NTFS file system. A number of tools are available that will detect whether files are attached via alternate data streams. One of the most widely known is List Alternate Data Streams (a free download).

Kasiski method

A method of attacking polyalphabetic substitution ciphers, such as Vigenère Can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher When length of keyword is discovered, ciphertext is lined up in n columns, where n is keyword length Each column Treated as a monoalphabetic substitution cipher Can be cracked with frequency analysis Involves looking for repeated strings in the ciphertext

High Tech Crime Network (HTCN)

A national organization that provides certification for computer crime investigators and computer forensics technicians.

Ports

A number that identifies a channel in which communication can occur 65,635 possible ports Knowing what port a packet was destined for (or coming from) tells you what protocol it was using

John the Ripper

A password cracker popular with network administrators and hackers Enables user to select text files of word lists to attempt cracking a password Command-line based, no Windows interface thus less convenient to use but been around a long time and is well regarded by both security and hacking communities

OS Forensics

A robust forensics tool that also provides for undeletion Undelete from a mounted image or from a live system

Windows Swap File

A special place on the hard disk where items from memory can be temporarily stored for fast retrieval Used to end in a .swp extension; since Windows XP, called pagefile.sys Typically found in Windows root directory Often referred to as virtual memory

Important Windows Files: Ntbootdd.sys

A storage controller device driver

Business Impact Analysis (BIA)

A study that identifies the effects a disaster would have on business and IT functions Studies include interviews, surveys, meetings, and so on Identifies the priority of different critical systems Considers maximum tolerable downtime (MTD)

three-way handshake

A three-step process in which Transport layer protocols establish a connection between nodes. The three steps are: Node A issues a SYN packet to node B, node B responds with SYN-ACK, and node A responds with ACK.

label

A unique identification label of up to four characters.

Telephony denial of service (TDoS)

A variation of denial of service (DoS) attacks, but launched against traditional and packet-based (VoIP)telephone systems. disrupts an organization's use of its telephone system through a variety of methods.

polymorphic virus

A virus that can change its own code or periodically rewrites itself to avoid detection

Graphical User Interface (GUI)

A visual display on a computer's screen that allows you to interact with your computer more easily by clicking graphical elements.

American Society of Crime Laboratory Directors

ASCLD; accredits crime labs in the US

$I Structure

Always exactly 544 Bytes long Bytes 0-7 file header-always set to 01 followed by 7 sets of 00 Bytes 8-15 Original file size stored in hex in little-endian Bytes 16-23 Deleted date/time stamp represented in number of seconds sincde midnight January 1, 1601. Use a program such as Decode to assist with figuring out exact date and time if do not want to do the math Bytes 24-543-Original file path/name

HKEY_USERS (HKU)

This hive is very critical to forensic investigations. It has profiles for all the users, including their settings.

volatile memory analysis : Step One

Acquire a physical memory dump of the compromised system and transmit it to the data collection system for analysis. VMware allows you to simply suspend the virtual machine and use the .vmem file as a memory image.

File Formats

Advanced Forensic Format (AFF) Encase Generic Forensic Zip (Gfzip) iXImager

file formats

Advanced Forensic Format (AFF) with variations: AFF: stores all data and metadata in single file AFM: stores data and metadata in separate files AFD: stores data and metadata in multiple small files EnCase Generic Forensic Zip IXimager

Mathematically Authentication Data on All Storage Devices

After imaging drive, create a hash of the original and the copy Compare the hashes If they don't match exactly, something was altered Document hashing algorithm used and results

The Post-Recovery Follow-Up

After recovery, find out what happened and why (involves forensics): Was disaster caused by some weakness in the system? Negligence by an individual? A gap in policy? An intentional act?

Differential backup

All changes since the last full backup

logical volume manager (LVM)

An abstraction layer that provides volume management for the Linux kernel On a single system (like a single desktop or server), primary role is to allow: The resizing of partitions The creation of backups by taking snapshots of the logical volumes

Collecting Data

All the traffic going through a firewall is part of a connection. A connection consists of two IP addresses communicating with each other and two port numbers that identify the protocol or service. Attempts on same set of ports from many different Internet sources are usually due to decoy scans Carefully check firewall logs for any sort of connections or attempted connections on those ports Use protocol analysis to determine who attacker is

volatile memory Stack (S)

Allocated based on the last-in, first-out (LIFO) principle. When the program is running, program variables use the memory allocated to the stack area again and again. This segment is the most dynamic area of the memory process. The data within this segment is discrepant and influenced by the program's various function calls.

Nmap/ZenMap

Allows the user to map out what ports are open on a target system and what services are running Is a command-line tool, but has a Windows interface called Zenmap Popular with hackers because it can be configured to operate stealthily and determine all open ports on an individual machine, or for all machines in an entire range of IP addresses Popular with administrators because of its ability to discover open ports on the network

Imaging with OS Forensics

Allows you to mount images created with other tools Also allows you to create an image

Berkley Fast File System

Also known as UNIX File System Developed at UC-Berkeley for Linux Uses a bitmap to track free clusters, indicating availability

Advanced Encryption Standard (AES)

Also known as the Rijndael block cipher Can have three different key sizes: 128, 192, or 256 bits Referred to as AES 128, AES 192, and AES 256

brute force attack

An attack on passwords or encryption that tries every possible password or encryption key.

Smurf Attack

An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.

Ping Flood

An attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets.

Distributed Denial of Service (DDoS)

An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.

Preserving Evidence

An event: Is any observable occurrence within a system or network Includes network activity, such as when a user accesses files on a server or when a firewall blocks network traffic Adverse events have negative results or negative consequences Example: An attack on a system Recovery often performed at the expense of preserving forensic evidence Failure to preserve forensic information: Prevents IT team from effectively evaluating cause of incident Makes it difficult to modify company policies and procedures to reduce risk Forensic data is key to preventing future incidents

Forensic Imaging

An image is an exact bit-by-bit copy of a disk Used for evidence collection without altering original

Advanced Forensic Format (AFF)

An open file standard with three variations: AFF, AFM, and AFD AFF variation stores all data and metadata in a single file AFM variation stores data and metadata in separate files AFD variation stores data and metadata in multiple small files

hard link

An inode that links directly to a specific file. The operating system keeps a count of references to this link. When the reference count reaches zero, the file is deleted. In other words, you can have any number of names referencing a file, but if that number of references reaches zero (i.e., there is no name that references that file), then the file is deleted.

volatile memory analysis: Step Three

Analyze the evidence on the collection system. Unlike live response, you don't need any additional evidence from the compromised system.

Historical Steganography

Ancient Chinese wrapped notes in wax and swallowed them for transport In ancient Greece, message written on slave's shaved head, then hair allowed to grow back During World War II, French Resistance sent messages written on the backs of couriers using invisible ink

1987

Andrew S. Tanenbaum creates Minix, another UNIX variant

Digital Linear tape (DLT)

Another type of magnetic tape storage Relies on a linear recording method Tape as either 128 or 208 total tracks Used primarily to store archived data

"valid" emails

Appears as through mail is from trusted source Message content is suspicious Content may contain URL that points to malicious site

OSI Model

Application Presentation Session Transport Network Data Link Physical

TCP/IP Model

Application Transport Internet Network access

/var/log/apport.log

Application crashes

digital audio tape (DAT) drives

Are among most common type of tape drives Use 4-mm magnetic tape enclosed in a protective plastic shell Tapes wear out just like audio tapes Will most likely contain archived/backup data that you need to analyze Forensically wipe target drive first so you can be sure that there is no residual data on that drive Ten restore it to target hard drive (magnetic or solid state) in order to analyze it

steganography

Art and science of writing hidden messages Most common today: Hide messages in pictures LSB (Least Significant Bit): capacity is 5-15% of vessel data

Denial of Service (DoS)

Attempts to prevent system from performing normal functions usually by flooding a website with fake connections that prevent legitimate connections from forming Cyber equivalent of vandalism

Device Seizure

Available from Paraben Software. There is a license fee associated with this product. Paraben makes a number of forensic products

Evidence-Gathering Measures

Avoid changing evidence Determine when evidence was created Search throughout a device Determine information about encrypted and steganized files Present evidence well

Evidence-Gathering Measures (5)

Avoid changing the evidence: Copy it and study the copy Hash the copy: allows checking for changes Each time you touch digital data, there is some chance of altering it. Determine when evidence was created Trust only physical evidence: the 1s and 0s Search throughout a device: at the 1s and 0s level Present the evidence well Logical Compelling Persuasive

HTTP Commands: UNLINK

Breaks an existing connection between two resources

Linux Boot Process

BIOS-POST MBR: Grub LILO Kernel: Initializes devices and moves from real mode to protected mode Init RunLevels

54320/54321 Important Intruder Ports

BO2K (malware)

31337 Important Intruder Ports

Back Orifice (malware)

Blackberry 10

Based on QRNX operating system Supports major features similar to other mobile phones Drag and drop Gestures

6666Important Intruder Ports

Beast(malware)

TCP Connection Termination

Because a TCP connection is two-way, it needs to be "torn down" in both directions uses four packets. The first system sends a TCP packet with the ACK and FIN flags set requesting termination. The second system sends an ACK response. The second system then sends a packet with ACK and FIN flags set. The first system returns an ACK response.

Documenting Hardware Configuration of System

Before dismantling the computer: Take pictures of computer from all angles Record BIOS system time and date in chain of custody form After restoring power: Eject all removable media and fill out a separate chain of custody form for each

Documenting the Hardware Configuration of the System

Before dismantling the computer: Take pictures of computer from all angles Record BIOS system time and date in chain of custody form After restoring power: Eject all removable media and fill out a separate chain of custody form for each

Linux File System Blocks

Blocks are divided into groups. Each group uses one block as a bitmap to keep track of which block inside that group is allocated (used); thus, there can be at most 4,096 * 8 = 32,768 normal blocks per group. Another block is used as a bitmap for the number of allocated inodes. Inodes are data structures of 128 bytes that are stored in a table, (4,096 / 128 = 32 inodes per block) in each group.

Windows Boot Process: Step Five

Boot sector loads NTLDR (the NT loader). It is the first part of the Windows operating system and responsible for preparing and loading the rest of the operating system.

raid aquisitions

Both FTK and EnCase provide built-in tools for acquiring RAID arrays Okay to acquire RAID 1 disks separately RAID 0, 3, 4, 5 and 6 - data striping: make a forensic image of the entire RAID array

Optical media

CD-ROMs use high and low polarization to set the bits of data; however, CDs have reflective pits that represent the low bit If pit is nonexistent, data is a 1; if pit exists, it's a 0 Laser mechanism detects the distance the light beam has traveled in order to detect the presence or absence of a pit; this is why scratches can be problematic for optical media DVDs and Blu-ray discs are enhancements to original compact discs Still utilize same optical process but have larger capacity Should be forensically copied to a clean, forensically wiped drive for analysis

Functions of Transport Layer

Connection Control: Transport layer provides either connection-oriented or connection-less service. Flow Control - Data link layer provides flow control of data across a single link. Error Control - Transport layer also performs error checking. It confirms that data reached to the destination without an error.

usb drives

Connective (not storage) technology Place in read-only mode to avoid altering data

HTTP Commands: LINK

Connects two existing resources

iOS elements in data partition

Calendar entries Contacts entries Note entries iPod_control directory (hidden) iTunes configuration iTunes music

How cross-site scripting affects forensics

Can be complex to uncover. Look for scripts that are unaccounted for by website programmers. This may be unsuccessful as a sophisticated hacker will remove malicious code in an attempt to cover tracks. A more efficient method is to look in webserver logs for any redirect traffic.(Http messages in the 300 range) and determine if any of these redirects cannot be accounted for via legitimate webcoding.

file carving

Can use file carving on a file that's only partially recovered Works on any file system Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt File carving utilities look for file headers and/or footers, and then pull out data s found between the two boundaries One popular file carving tool is Scalpel

Memory Forensics

Capture the memory from a live machine. Can use: Dump-it, RAM Capturer from Belkasoft, OSForensics, other tools Analyze the captured memory Can use: Volatility, Pslist, Pstree, Psscan, Svcscan, other tools

LSB Method (Least Significant Bit)

Consider 11111111 Change last digit to 0 11111110 = 254 in decimal The last bit or least significant bit is used to store data Colored pixels in a computer stored in bits In Windows, for example, 24 bit is the normal color resolution. If you examine the Windows color palette, you'll find that you define a color by selecting three values between 0 and 255 in the Red, Green, and Blue text boxes. Windows color changed by one bit. If you change the least significant bit in a pixel, the image still looks the same. But a picture is made up of thousands—sometimes millions—of pixels. So by changing the least significant bit of many pixels, you can store data that is hidden in an image. This is the basis for modern image steganography

Windows Directories and Folders

Certain directories in Windows are more likely than others to contain evidence. Although there are many directories on a computer, the following are the most forensically interesting: C:\Windows documents and settings—This folder is the default location to save documents. Even though a criminal can save documents anywhere on the computer, it is a good idea to check this folder. C:\users—This includes user profile information, documents, pictures, and more for all users, not just the one currently logged on. C:\Program Files—By default, programs are installed in subdirectories of this directory. C:\Program Files (x86)—In 64-bit systems, 32-bit programs are installed here. C:\Users\username\Documents—The current user's Documents folder. This is a very important place to look for evidence. It is important to complete a general search of the entire suspect drive—not just these specific folders and directories.

Functions of Physical Layer:

Characteristics of media - Defines the characteristics of the interface which is used for connecting the devices. It also defines the type of the transmission media such as copper wires or fiber optic cables. Encoding - Defines the encoding type. Encoding means changing bit stream. Before transmission, physical layer encodes the signal into electrical or optical form depending upon the media. Transmission Rate - Defines the transmission rate of bits. This provides number of bits transmitted per second. It defines how long will the duration of a bit be. Transmission Mode - Defines the transmission mode between two devices. Transmission mode specifies the direction of signal flow. The different types of transmission modes are simplex, half duplex and full duplex. Topology - It is a pattern which defines how devices are get connected in a network. Different types of network topology are: Single Node, Ring, Bus, Mesh, Tree and Hybrid Topology

Invisible Secrets

Choose whether you want to hide a file or extract a hidden file. For this example, suppose you want to hide a file. You select your chosen option in the Invisible Secrets Select Action dialog box. Select an image you want to use as the carrier file Select the file you want to hide. It can be a text file or another image file. You can also choose to encrypt as well as hide. Select a password for your hidden file. Pick a name for the resulting file that contains your hidden file. That's it!

Recovering Info from Damaged Media

Clean Room Test System

HTTP Response Messages 400-499

Client errors

RAID 6 (Striped Disks with Dual Parity)

Combines four or more disks in a way that protects data against loss of any two disks.

Application filter

Combines stateful packet inspection with scanning for specific application issues Example: Web Application Firewall (WAF) scans for typical web attacks such as SQL injection and cross-site scripting

RAID 3 or 4 (Striped Disks with Dedicated Parity)

Combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.

RAID 5 (Striped Disks with Distributed Parity)

Combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.

volatile memory analysis : Step Two

Compute the hash after you complete the memory capture. You don't need to calculate a hash before data acquisition. Due to the volatile nature of running memory, the imaging process involves taking a snapshot of a "moving target."

Documentation of Methodologies and Findings

Computer evidence processing methodology includes strong evidence-processing documentation and good chain-of-custody procedures

Windows Boot Process: Step Two

Computer reads the master boot record (MBR) and partition table

Expert system

Computerized advisory programs that imitate the reasoning processes of experts in solving difficult problems

Equipment

Computers Server should have RAID 1 at a minimum Hard drives and storage USB, SCSI, etc. Legacy and state-of-the-art Peripherals Networking equipment Cables, adapters, and converters Write blockers Tools

Windows 2000

Considered a major improvement in the Windows line. Rather than separate NT and Windows lines, there were simply different editions of Windows 2000, including those for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. Microsoft began to recommend NTFS over FAT32 as a file system.

Logical Damage Recovery

Consistency Checking Problems Failure Deletion

Incident Response

Containment Eradicatoin Recovery Follow-up

/var

Contains data that is changed during system operation This directory is only useful on a live system. Once you shut down the system, the contents of this directory will be different the next time the system is booted up.

/dev

Contains device files Interfaces to devices All devices should have a device file in /dev Device naming conventions: hd = hard drive fd = floppy drive cd = CD Example: Main hard drive can be /dev/hd0

Network Packet: Trailer

Contains error-checking data to detect errors that occur during transmission May be part of the Ethernet or Point-to-Point Protocol (PPP) frame or other Layer 2 protocol The TCP (OSI model Layer 4) and IP (OSI model Layer 3) portions of a unit of information transfer contain only a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, then in addition to a header and payload, there is also a part at the end called the trailer.

/boot

Contains files critical for booting Boot loader (LILO or GRUB) looks in this directory Kernel images commonly located in /boot

/Volumes

Contains information about mounted devices Includes data regarding: Hard disks External disks CDs Digital video discs (DVDs) Virtual machines (VMs)

/usr

Contains subdirectories for individual users

The payload

Contains the content (data) (variable)

NIST 800-34

Contingency Planning Guide for Information Technology Systems This contains a seven-step process for BCP and DRP projects from the U.S. National Institute for Standards and Technology (NIST).

iOS Four Layers

Core OS layer: The heart of the operating system Core Services layer: Where applications interact with the iOS Media layer: Is responsible for music, video, and so on Cocoa Touch layer: Responds to gestures

Target Disk Mode

Create a forensically sound copy of disk contents -dd and netcat -Imaging tools within EnCase or Forensic Toolkit Begin in Target Disk Mode -Cannot write to disk -No chance of altering source disk -Connect to the suspect computer with via USB or FireWire and image the disk allows you to preview the computer on-site, so you can do a quick inspection before disconnecting and transporting the computer to a forensic lab. This is important because you will want to check running systems' processes before shutting the machine down. You simply have to reboot the machine in Target Disk Mode

Proper Procedure: Mathematically Authenticating Data on All Storage Devices

Create hash of original and copy drives & compare Document hashing algorithms used SHA1 most common SHA2 used increasingly Linux: md5sum /dev/<your partition>

Undeleting data

Criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it Expect that evidence will frequently be deleted from computers you examine

Breaking Encryption

Cryptanalysis is using techniques other than brute force to attempt to uncover a key Also referred to as academic or knowledge-based code breaking Cryptographic techniques may be used to test the efficacy of a cryptographic algorithm Such as to test hash algorithms for collisions

Asymmetric cryptogrpahy

Cryptography wherein two keys are used: One to encrypt the message Another to decrypt it

Windows XP/Windows Server 2003

Marked a return to having a separate server and desktop system. The interface was not very different, but there were structural improvements.

paraben's email examiner

Exclusively for email forensics Works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case

Presenting has two forms -

Expert Report and Expert Testimony

Teardrop Attack

Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

live forensic tools

PsList - processes PsInfo - operating system details ListDLLs - loaded DLLs PsLoggedOn - login information netstat - network connections

Linux Files Systems

Extended File System (ext) Current version is 4 ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes ext3 and ext4 support three types of journaling: journal (most secure) ordered writeback (least secure) Reiser FS Berkely Fast File system

DoD forensic standards

DC3 sets standards for digital evidence processing, analysis, and diagnostics.

Issues Pertinent to Forensics

Does the Windows version in question support 64-bit processing? Does it have a firewall? If so, is the firewall automatically on? Does the version of Windows support the Encrypted File System (EFS)?

23476/23477Important Intruder Ports

Donald Dick (malware)

Seizing evidence from a Blackberry

Download and install BlackBerry Desktop Manager Steps to create complete backup image: Open BlackBerry's Desktop Manager. Click Options then Connection Settings. If the Desktop Manager hasn't already done so, select USB-PIN: Device # for connection type. Click OK. Select Backup and Restore. Click the Back Up button for a full backup of the device or use the Advanced section for specific data. Select your destination (such as workstation) and save the .ipd file. Examine data and perform a forensic analysis

Business continuity plan (BCP)

Focuses on keeping an organization functioning as well as possible until a full recovery can be made concerned with maintaining at least minimal operations until organization can be returned to full functionality

Data Encryption Standard (DES)

Data is divided into 64-bit blocks . Data is manipulated by 16 separate steps of encryption involving substitutions, bit-shifting, and logical operations using a 56-bit key. Data is then further scrambled using a swapping algorithm. Data is transposed one last time The idea is to continually scramble the underlying message to make it appear as random as possible. No longer secure

Forensic Certifications

Demonstrates baseline of competence Know the following areas: PC hardware Basic networking Security hacking

Formal Forensic Approaches

Department of Defense Forensic Standards (D3) Digital Foresnic Research Workshop Framework(DFRWS) The Scientific Working Group on Digital Evidence Framework(SWGDE) Event-based digitial forensic investigation framework

iOS

Derived from OS X Interface based on touch and gestures In normal operations, iOS uses HFS+ file system Can use FAT32 when communicating with a PC Originally released in 2007 for the iPod Touch and the iPhone

RSA

Described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT Perhaps the most widely used public key cryptography algorithm today Is based on relationships of prime numbers Security of RSA derives from fact that it is difficult to factor a large integer composed of two or more large prime factors

Routers in Detail

Determine where to send information from one computer to another Are specialized computers that send your messages and those of every other Internet user to their destinations along thousands of pathways Maintain a routing table to keep track of routes Some routes are programmed manually, many are "learned" automatically by route

initdefault

Determines which run level to enter initially, using the highest number in the run_level field. If there is no initdefault entry in inittab, then init requests an initial run level from the user at boot time.

Functions of Session Layer:

Dialog Control - The session layer is responsible for setting up sessions between devices. It allows two devices to enter into dialog (communication process). These dialogs can take place either in half-duplex or full duplex mode. Synchronization - At the session layer, checkpoints (synchronization bits) are added into a stream of data to synchronize the sessions. For example, if a device is sending a file of 1000 pages, then you can insert checkpoints after every 100 pages to ensure that these 100 pages are received without an error and acknowledged independently. If an error occurs while transmitting page 631, the only pages that should be retransmitted are from 601 to 631. Previous pages need not be resent.

Operating systems

Different operating systems have different file structures. Linux distributions vary and are generally updated more frequently than Windows or Mac OS.

Handling Evidence

Digital forensics specialist is responsible for finding, preserving, and preparing evidence The specialist must: -Collect data -Document filenames, dates, and times -Identify any file, program, and storage anomalies -Gather evidence

Handling Evidence

Digital forensics specialist is responsible for finding, preserving, and preparing evidence The specialist must: Collect data Document filenames, dates, and times Identify any file, program, and storage anomalies Gather evidence

Windows Tools for recovering data files:

DiskDigger WinUndelete FreeUndelete OSForensics

RAID-0 (Disk Striping)

Distributes data across multiple disks in a way that improves data retrieval speed.

List 4 formal forensic approaches

DoD forensic standards The Digital Forensic Research Workshop Framework (DFRWS The Scientific Working Group on Digital Evidence Framework (SWGDE) Event based Digital Forensics Investigation Framework

Documentation of Methodologies and Findings

Documentation of forensic processing is critical to effectively presenting findings and the court allowing evidence into admission The following areas should be completely understood by forensic specialist 1. Disk Structure 2. File Slack Searching

Why 4DES Was Never Implemented

Early simulations indicated it was too scrambled Blocks of original plaintext appeared in the final ciphertext One of the driving factors behind searching for a new algorithm not in the DES line

What an email review can reveal

Email messages related to the investigation Email addresses related to the investigation Sender and recipient information Information about those copied on the email Content of the communications Internet Protocol (IP) addresses Date and time information User information Attachments Passwords Application logs that show evidence of spoofing

FORENSIC SOFTWARE TOOLS

EnCase Forensic Toolkit (FTK) OSForensics Helix Kali Linux AnaDisk disk analysis tool CopyQM Plus disk duplication software The Sleuth Kit Disk Investigator

Common Forensic Software Programs

EnCase Widely used by law enforcement Prevents accidental changes to suspect machine Analyzes header, checksum and data blocks Forensic Toolkit Widely used by law enforcement Password cracking Search and analyze Windows Registry

Forensic Specfic Certifications

Encase Certified Examiner Certification Access Data Certified Examiner OS Forensics ISC2 Certified Cyber Forensics Professional (CCFP) EC-Council Certified Hacking Forensic Investigator (CHFI) High Tech Crime Network certifications SANS Global Information Assurance Certification (GIAC)

Proper Procedure: Identifying File, Program, and Storage Anomalies

Encrypted, compressed, and graphics files store data in binary format. Therefore, they require manual evaluation.

Functions of Presentation Layer

Encryption - Presentation Layer encrypt the data before it passes to the session layer. Encryption is a process of converting a readable data into unreadable format so that it can protects the information from unauthorized access. On the receiver side, presentation layer is going to decrypt data in the readable format and passes it to the application layer. Compression - Presentation layer compress data in less number of bits (reduce the size of data) So that, it can travel in the network fast with consuming less space. It is important while transmitting multimedia information such as text, audio and video.

Scytale Cipher

Encrypts messages by wrapping a leather strip around a cylinder or baton, and writing across the leather Turning cylinder produced different ciphertexts Message decrypted by reading the message once placed over the same leather "key" wrapped around the same size cylinder

How to Set Up a Forensic Lab

Equipment Storage RAID 5 is recommended Back up at least 1x/day Security is paramount Lab Limit access to lab Physical security Fire resistant evidence safe Working network For email and internet use Outside of the lab

stateful packet inspection (SPI) firewall

Examines each and every packet, denying or permitting based on not only the current packet, but also considering previous packets in the conversation Firewall is aware of the context in which a specific packet was sent Are far less susceptible to ping floods, SYN floods, and spoofing

Windows

FAT16 and FAT32 used in pre-Windows 2000 versions NTFS file system in use since Windows 2000 Uses a table to map files to specific clusters where they are stored on the disk

windows

FAT32 (before WIN2000) Deleted files not removed from drive, FAT is updated to reflect the clusters are no longer in use and will be overwritten NTFS (starting with WIN20000 Deleted files not removed from drive,clusters marked as deleted (moved to the Recycle bin) and marked with a special character. Windows XP used INFO2 file Windows 7/Vista use $I structure Clusters and Slack Space - understand this

Hexidecimal values: JPEG

FF D8

Jpeg

FF D8 PDF: 25 50 BMP: 42 4D ZIP: 50 4B EXE: 4D 5A PNG: 89 50 GIF: 47 49 WAV, AVI: 52 49 MP3: 49 44

MAC refers to three critical properties

File modified File accessed File created These date/time stamps can be important forensically. For example, if the modified date for an image is later than the created date, then that image has been edited.

mac

File systems HFS and HFS+

Documenting Filenames, Dates, and Times

Filenames, creation dates, and last modified dates and times can be relevant as evidence Catalog all allocated and "erased" files Sort files based on filename, file size, file content, creation date, and last modified date and time Sorting provides a timeline of computer usage

Dcoumenting Filenames, Dates and Times

Filenames, creation dates, and last modified dates and times can be relevant as evidence Catalog all allocated and "erased" files Sort files based on filename, file size, file content, creation date, and last modified date and time Sorting provides a timeline of computer usage

Unallocated/slack space

Files stored on disk (archives, files, folders, etc.) Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.) Master boot record (MBR) where empty drive sectors remain Boot sectors in nonbootable partitions To find relevant data only in the unallocated space, search the unallocated space for keywords. Tools such as AccessData's Forensic Toolkit (FTK) allow an investigator to take an entire image and try to identify all of the documents in the file system, including the unallocated space. To search the entire disk many times over, tools such as FTK can help you build a full-text index. Full-text indexing allows you to build a binary tree-based dictionary of all the words that exist in an image, and you can search the entire image for those words in seconds.

Windows Log Files

Files that contain information about events and other activities that occur in Windows Event Viewer used to view log files All versions of Windows support logging, although the method to get to the log can vary from one version to another. With Windows 10 and Windows Server 2012, you find the logs as follows: Click on the Start button in the lower-left corner of the desktop. Click the Control Panel. Select Administrative Tools. Select Event Viewer.

How to fake an email

Find a free public Wi-Fi in an area at least one hour from your home. Spoof both your IP address and MAC address. Send the email through an anonymous email account set up for that purpose. It is, however, very common for criminals to actually send emails from their own computers without even bothering to spoof their IP address or MAC address. Even computer-savvy criminals, who think to spoof their IP addresses, might not think to spoof the MAC address.

Evidence-Handling Tasks (3)

Find evidence Preserve evidence Prepare evidence

Getting Headers for Yahoo Email

First open the message. On the lower right, there is a link named Full Headers. Clicking on that link allows you to see the headers for that email.

Eradication

Fix vulnerabilities Example: Remove the malware Perform comprehensive examination of what occurred and how far it reached Ensure that the issue was completely addressed Forensics begins at this stage

Disaster Recovery Plan (DRP)

Focuses on executing a full recovery to normal operations Sometimes referred to as an incident response plan (IRP) focuses on returning to full functionality

1983

Richard Stallman creates GNU (GNU's Not UNIX

Preparing the System

For suspect computers: Remove the drive(s) Create an evidence form and/or a chain of custody form For mobile devices: Remove SIM card, if necessary Some devices let you dock the phone examine it without removing SIM

Present evidence well

Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The evidence should be solid enough that a defense counsel cannot rebut it. A forensic specialist must create a step-by-step reconstruction of actions, with documented dates and times. The specialist's testimony must explain simply and clearly what a suspect did or did not do.

Search throughout a device

Forensic specialists must search at the bit level across a wide range of areas inside a computer, including: Email and temporary files in the operating system and in databases Swap files that hold data temporarily, logical file structures, and slack and free space on the hard drive Software settings and script files that perform preset activities Web browser data caches, bookmarks and history, and session logs that record patterns of usage

Determine when evidence was created

Forensic specialists should not trust a computer's internal clock or activity logs. Before logs disappear, an investigator should capture: The time a document was created The last time it was opened The last time it was changed Trust only physical evidence—The physical level of magnetic materials is where the 1s and 0s of data are recorded. In system forensics, only this physical level is real. A forensic specialist should consider everything else untrustworthy

Imaging with dd and netcat

Forensically wipe the drive: dd if=/dev/zero of=/dev/hdb1 bs=2048 Use netcat to set up the forensic server to listen: # nc -l -p 8888 > evidence.dd Use the dd command to read the first partition: # dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3

Follow-up

Forensics plays a critical role in this stage as well. The IT team must determine how this incident occurred and what steps can be taken to prevent the incident from reoccurring. Obviously, the results of the forensic examination are instrumental to the follow-up stage

Expert Reports

Format Thoroughness Back up everything you say

Kali Linux

Has a number of forensics tools Can use as quality control tool to complement OSForensics, FTK, or Encase Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit

Cryptographic Hashes

Hashing is a type of cryptographic algorithm with some specific characteristics It is one-way, not reversible It is a fixed-length output no matter what input is given The algorithm must be collision resistant

Kali Linux

Formerly known as BackTrack Includes a variety of tools and has an easy-to-use KDE interface

invisisble secrets

Free tool that can be used to hide or extract a hidden file.

Linux GUI's

GNOME (GNU Network Object Model Environment) KDE (K Desktop Environment) Plasma Common Desktop Environment (CDE) Originally developed in 1994 for UNIX systems Based on HP's Visual User Environment (VUE) Enlightenment Relatively new Designed for graphics developers

2007

General release of Windows Vista

Email Message Components

Header Addressing information Source and destination Body Contents of the message Attachments External data that travels along with each message

Windows Registry Hives

HKEY_CLASSES_ROOT (HKCR) HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM) HKEY_USERS (HKU) HKEY_CURRENT_CONFIG (HCU)

Windows Vista and Windows 7

Had feature changes and additional capabilities over XP, but essentially the interface was moderately tweaked with each version. The same can be said of Windows Server 2008. Someone comfortable with Windows Server 2003 would have no problem working with Windows Server 2008.

What are 4 basic principles to consider when dealing with forensic evidence?

Handle the original data as little as possible - you should instead make a bit level copy and do all forensic analysis on that. Comply with the rules of evidence - follow the chain of custody and Daubert principle, and other Rules of evidence (example, Federal Rules of Evidence) Avoid exceeding your knowledge - if you exceed your listed expertise you could miss vital information or at the very lease the other lawyer could claim you have. Create an analysis plan - you should create an standard analysis plan that is customizable by situation, which should include how you will collect evidence, concerns about evidence being changed or destroyed, what tools are appropriate for the specific investigation, type of case, admissibility rules.

magnetic media

Hard drives and floppy drives Data is stored magnetically; drives are susceptible to magnetic interference If drive is demagnetized, there is no way to recover data Transport suspect drives in special transit bags that reduce electrostatic interference to decrease the chance of inadvertent loss of data Magnetic drives have moving parts

Event based Digital Forensics Investigation Framework

Has 5 primary phases, readiness, deployment, physical crime scene investigation, digital crime scene investigation, and presentation

/bin directory

Holds binary or compiled files used by ordinary users Can include malware

/root

Home directory for the root user Contains data for the administrator Linux root user is equivalent to Windows Administrator

both magnetic and solid state drives

Host protected area (HPA) Master boot record (MBR) Volume slack Good blocks marked as bad File slack

Magentic and Solid State Drives

Host protected area (HPA) or vendor-specific drive space Master boot record (MBR) where empty drive sectors remain Volume slack Unallocated space Good blocks marked as bad File slack Files stored on disk (archives, files, folders, etc.) Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.) Master boot record (MBR) where empty drive sectors remain Boot sectors in non-bootable partitions

2017

Hundreds of Linux distributions are available

Adding Forensics to Incident Response

Identify forensic resources the organization can use in case of an incident Identify an outside party that can respond to incidents with forensically trained personnel Weave forensic methodology into organization's incident response policy Provide appropriate training to staff for preserving evidence

Name 6 types of computer based crime

Identify theft hacking systems for data cyberstalking/harrassment internet fraud non-access computer crimes cyberterrorism

Identify Crime:A criminal uses phishing to trick a victim into giving up personal information

Identity theft

Electronic Communications Privacy Act (ECPA)

If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers. Requires different Legal processes to obtain specific types of information: Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant. Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant. Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails. Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

How ophcrac affects forensics

If occurs on Windows server 2003 2008 2012 reboot will show in log. If log shows a reboot after a successful logon this can indicate ophcrack or similiar tool used A forensic investigator can also check physical security such as security cameras maybe helpful Finally if user assigned to acct is not present this can also be an indication

Windows Registry: Passwords

If the user tells Internet Explorer to remember passwords, then those passwords are stored in the Registry and you can retrieve them. The following key holds these values: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Seizing Evidence from an iPhone

If you have imaged the phone and you then search for information, you may have to look more closely to find some data: Library_CallHistory_call_history.db has the entire call history. If you cannot view that directly on the phone itself, the database file has all call information. Cookies are in the file Library_Cookies_Cookies.plist. This can give you a history of the phone user's Internet activities. These, and other files, are actually copied to a PC during synchronization. Here are a few of those files: Library_Preferences_com.apple.mobileipod.plist Library_Preferences_com.apple.mobileemail.plist Library_Preferences_com.apple.mobilevpn.plist The mobileemail.plist file gives you information about email sent and received from the phone. The mobilevpn.plist file can indicate if the user has used the phone to communicate over a VPN. Deleted files When a file is deleted on iPhone/iPad/iPod, moved to.Trashes\501 folder Data exists until overwritten

Rules For Seizing Evidence from a Mobile Device

If you plug device into a computer, make sure device does not synchronize with the computer Touch evidence as little as possible Document what you do to the device Don't accidentally write data to the mobile device

Multialphabet substitution example

If you select three substitution alphabets (+2, -2, +3) A CAT becomes C ADV

file slack searching

If you write a 1-kilobyte (KB) file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster are wasted This unused space between the logical end of file and the physical end of file is known as file slack or slack space File slack is a source of potential security leaks involving passwords, network logons, email, database entries, images, and word processing documents

Apple 1

In 1975, Steve Wozniak and Steve Jobs finished the prototype of the first Apple computer. Wozniak worked for Hewlett-Packard (HP) and his employment contract required him to give his employer first right of refusal on any of his inventions. However, HP was not interested and released the technology to Wozniak. Apple Computer was formed in April 1976 by Steve Jobs, Steve Wozniak, and Ronald Wayne. The Apple I, created by Wozniak, had an 8-bit microprocessor running at just below 1 MHz. The Apple I had a built-in video terminal, sockets for 8 kilobytes of onboard RAM, a keyboard, and a cassette board meant to work with regular cassette recorders

Center for Education and Research in Information Assurance and Security (CERIAS)

In 2004 Brian Carrier and Eugene Spafford at Purdue University proposed a forensics model that was more flexible and intuitive. Has five primary phases: -Readiness -Deployment -Physical Crime Scene Investigation -Digital Crime Scene Investigation -Presentation

Incident Response Plan

In place to respond to: Fire Flood Hurricane Tornado Hard drive failure Network outage Malware infection Data theft or deletion Intrusion

var/vm folder

In this folder, you will find a subfolder named app profile, which will contain lists of recently opened applications as well as temporary data used by applications

/var/spool/cups

In this folder, you will find information about printed documents, including the name of the document printed and the user who printed it.

The Scientific Working Group on Digital Evidence Framework (SWGDE)

Includes 4 stages, Collect, preserve, examine, transfer

Recovery PLan

Includes business continutity plan disaster recovery blan based on priorities established in business impact analysis Alternate equipment identified? Alternate facilities identified? Mechanism in place for contacting all affected parties, employees, vendors, customers, and contractors, even if primary means of communication are down? Off-site backup of the data exists? Can backup be readily retrieved and restored?

Sparse Infector

Infects only on certain occasions - for example, it may infect every 10th program executed, or it might wake up once a month and infect. This strategy makes it more difficult to detect the virus.

What is bit level information?

Information at the level of actual 1's and 0's stored in memory or on the storage device, as opposed to going through the file systems interpretation

Network packets

Information that is sent across a network is divided into chunks, called packets. Packets exist in the OSI model at Layer 3 and are typically formatted according to the Internet Protocol—though you may come across many other protocols and their unique formats.

HTTP Response Messages 100-199

Informational; the server is giving your browser some information, most of which will never be displayed to the user

Deleting a File in Linux

Inode hard link is integral Inode links directly to a specific file OS keeps a count of references to each hard link When reference count reaches zero, file is deleted

Scapel Usage

Install tool Verify output directory is empty edit config file: In the configuration file /etc/scalpel/scalpel.conf, uncomment the specific file format you want to recover. run scalpel command: sudo scalpel [device/directory/file name] -o [output directory]

memory resident

Instructions that remain in memory while the computer or mobile device is running.

Playfair Cipher

Invented by Charles Wheatstone in mid 1800s. Lord Playfair pushed use of it. Works by encrypting pairs of letters, also called digraphs, at a time Uses a 5 × 5 table that contains a keyword or key phrase To use , one need only memorize that keyword and four rules Example: "Attack at dawn" becomes "At ta ck at da wn"

How SQL injection affects forensics

Investigator should search firewall logs and database logs

Recovery

Involves returning the affected systems to normal status If malware: Ensure the system is back in full working order with no presence of malware Might need to restore software and data from backup

Universial Serial Bus (USB)

Is actually a connectivity technology, not a storage technology Can be used to connect to external drives that can be either magnetic or solid state Have no moving parts, which means these drives are resilient to shock damage Thumb drives can be easily erased or overwritten. Copy data from USB drive to a target forensic drive for analysis

discarded information

Is another method that allows a hacker to gather information about a person's identity Often referred to as dumpster diving Shred documents before throwing them out to avoid identity thief

What three things should be considered regarding cyberstalking/harassment cases?

Is it possible, if a person make a threat is it credible? How frequent How serious, example specific detailed threats, taking the "I will kill him/her", to the next step including detailing how you might accomplish it

What are three roles can a computer or device play in computer crime

It can be the target of the crime It can be the instrument of the crime It can be an evidence repository that stores valuable information about the crime

Proper Procedure: Transporting the Computer System to a Secure Location:

It is evidence Lock it in the vehicle Drive straight to lab

Attempting Local Repair

It is possible that the data is deemed "lost," and there will be no increased loss if you attempt local repair and fail. If so, you can try the following: a. Remove the printed circuit board and replace it with a matching circuit board from a known healthy drive. b. Change the read/write head assembly with matching parts from a known healthy drive. c. Remove the hard disk platters from the original drive and install them into a known healthy drive.

Windows Registry : Tracking Word Documents

It is possible to track Word documents in the Registry. Many versions of Word store a PID_GUID value in the Registry, for example, something like: { 1 2 3 A 8 B 2 2 - 6 2 2 B - 1 4 C 4 - 8 4 A D - 0 0 D 1 B 6 1 B 0 3 A 4 }. The string 0 0 D 1 B 6 1 B 0 3 A 4 is the MAC address of the machine on which this document was created.

Getting Header in Outlook

It is relatively easy to view the headers using Outlook. With a specific message open, select File and then Info. Then select Properties and you will be able to view the headers. Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods: Method #1—Right-click the message in the folder view, and then choose Options. Method #2—In an open message, choose View and then Options. With either method, you will see the Internet headers portion of the Message Options dialog box.

/var/log/lpr.log

Items that have been printed Useful or corportate espinoage cases

JTAG

Joint Test Action Group An Institute of Electrical and Electronics Engineers (IEEE) standard for testing chips Test access points (TAPs) used to directly access the chip and extract data Forensic examiner takes back off of phone, and then connects wires by soldering or by using some other means to the TAPs of the phone's memory chip Wires also connected to a JTAG device that uses software to extract the data directly from the memory chip

Preventing Logical Damage

Journaling file systems Use a consistency checker Use disk controllers with battery backups

/etc directory

Just as in Linux, this is where configuration files are located. Cybercriminals often adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later.

volatile memory analysis: Step Four

Justify the validity of the acquired memory data (essential when producing digital data from a live system as evidence in court). One common approach is to acquire volatile memory data in a dump file for offline examination. You can then analyze the dump electronically or manually in its static state.

transporting the evidence (computer)

Keep evidence in possession or control at all times Document movement of evidence between investigators Secure evidence appropriately so it can't be tampered with or corrupted Lock in a vehicle Drive vehicle directly to lab

volume Shadow copy

Keeps a record or copy of state changes Stores them in blocks of data that are compared daily Changed blocks are copied to Volume Shadow Volume Shadow Copy service runs once per day

Windows Boot Process: Step 13

Kernel initialization begins (screen turns blue

AES Steps

Key Expansion Initial Round: AddRoundKey Rounds: SubBytes ShiftRows MixColumns AddRoundKey Final Round: SubBytes ShiftRows AddRoundKey

linux directories

Key directories are important to the functioning of every operating system Directories are also important places to seek out evidence in an investigation

modern methods

Known Plaintext Chosen Plaintext Ciphertext-only Related-key

Modern Methods of Cracking Encryption

Known plaintext attack Chosen plaintext attack Ciphertext-only Related-key attack

Technical information collection considerations:

Lifespan of information, how long is information valid and accessible for example some evidence resides in storage that must have constant power. It is also frequently not possible or practical to determine who made a change and when.

636

Lightweight Directory Access Protocol Secure (LDAPS) (SSL or TLS)

What are some challenges to System Forensics

Large volume of data, system complexity, distributed crime scenes, growing caseload and limited resources, obscured information and anti-forensics

Sleuth Kit

Library and collection of command-line tools allowing investigation of volume and file system data

Linux shell commands for forensics

Linux has hundreds of shell commands Some can be very useful in forensic investigations

Log Files as Source of Evidence

Log files contain primary records of a person's activities on a system or network Log files can often identify: Source, nature, and time of an attack Specific user account of events related to illicit activities

Types of Logs: Security event

Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible. Intrusion detection systems (IDSs) record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover what commands an attacker ran and what files he or she accessed. You can also determine what files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.

Functions of Network Layer

Logical Addressing - The data link layer provides physical addressing which is useful for a local network. When the packet is designed for a device outside the network, we require other addressing scheme to identify source and destination. Network layer adds header to the data that includes the logical address (IP address) of the source and destination. It is a 32-bit address that uniquely identifies the device connected to the network. Routing - It defines the proper path of a packets to reach in its correct destination. Routing can be of two types, static or dynamic. Handling Congestion issues - Any given network has a certain capacity to deliver or handle number of packets. When the packets exceed the handling capacity then the lots congestion occurs. It is the responsibility of the network layer to control such congestion problems. Inter-networking - Inter-networking means connecting two or more computer networks together. The Internet is the best example of inter-networking. There are different types of networks that exist in the real world such as LAN, MAN and WAN.

Identity Theft Forensics

Look for spyware on the victim's machine If spyware exists, search for where the spyware is sending its data Periodic email with an attachment A stream of packets to a server the criminal has access to If phishing, check email history on the victim's computer as well as the web history

Windows Boot Process: Step Three

MBR locates boot partition. This is the partition that has the operating system on it.

Windows Boot Process: Step Four

MBR passes control to boot sector on boot partition

NTFS Fundamental Files

MFT(Master File Table) which describes all files on the volume Cluster bitmap which is a map of all the clusters on the hard drive

New Technology File System (NTFS)

Mac OS X includes read-only support for the New Technology File System (NFTS). This means if you have a portable drive that is NTFS, Mac OS X can read that partition

Microsoft Disk Operating System (MS-DOS)

Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12, FAT16, and FAT32.

Yosemite

Mac OS X v10.10)—Released in October 2014. The most important part of this release, from a forensics standpoint, is that it allowed users who have iPhones with iOS 8.1 or later to pass certain tasks to their Macintosh computer.

Leopard

Mac OS X v10.5)—Had over 300 new features, support for Intel x86 chips, and support for the new G3 processor

Lion

Mac OS X v10.7)—Included a major interface change that made it more like the iOS interfaces used on iPhone and iPad.

Mountain Lion

Mac OS X v10.8)—Had built-in support for iCloud, to support cloud computing.

1985

MacIntosh Had an 8-MHz Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating system was System 1, which eventually led to the Macintosh II running System 7. System 7—Allowed text dragging between applications, viewing and switching applications from a menu, a control panel, and cooperative multitasking. Mac OS for PowerPC—Introduced the System 7.1.2 operating system. AIX for PowerPC—Used a variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical user interface that is popular in the UNIX world. This product did not do well in the market and was discontinued in 1997

Machintosh File System (MFS)

Macintosh File System (MFS) shipped with the first Macintosh in 1984. It has not been used in more than 15 years and you are unlikely to encounter it.

MacIntosh

Macintosh OS X and later versions are based on FreeBSD A UNIX clone, much like Linux Mac OS X uses HFS+, or Hierarchical File System Plus Earlier versions of Macintosh used HFS Therefore, some of the techniques that work for Linux also work with Macintosh. However, there are also some tools you can use that are made specifically for Macintosh

Directories

Macintosh has a number of important directories Some are relevant to a forensic examination of a Macintosh machine

Imaging with Encase

Makes bit-level images and then mounts them for analysis Preview mode allows investigator to use a null modem cable or Ethernet connection to view data on the subject machine safely Doesn't alter evidence

spoofing

Making an email message appear to come from someone or someplace other than the real sender or location First machine to receive spoofed message records machine's real IP address Header contains both the faked IP and the real IP address unless, of course, the perpetrator is clever enough to have also spoofed his or her actual IP address.

Windows Registry: Malware

Malware may be found in the Registry. If you search the Registry and find HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon, it has a value named Shell with default data Explorer.exe. This tells the system to launch Windows Explorer when the logon is completed. Some malware appends the malware executable file to the default values data, so that the malware will load every time the system launches. It is important to check this Registry setting if you suspect malware is an issue. The key HKLM\SYSTEM\CurrentControlSet\Services\ lists system services. Several types of malware install as a service, particularly backdoor software. Be sure to also check this key if you suspect malware is an issue.

linux shells

Many Linux administrators work entirely in the shell without ever using a graphical user interface (GUI). Linux offers many different shells

/mnt

Many devices are mounted in /mnt Drives must be mounted prior to use Checking this directory lets you know what is currently mounted on system

How to Examine a Mac

Many forensics tools are less effective in extracting data on a Macintosh than in Windows. One technique is to create a copy of the forensic image and then mount it as a read-only virtual machine (VM). Mount it as read only.

RFC 2822 Specifications for Email Headers

Message header must include From field-the email address and optionally the name of the sender Date field-the local time and date when the message was written Message header should include: (not required) Message-ID field-an automatically generated field in-Reply-To field- the message-ID of the message that is a reply to which is used to link related messages together

/var/log/kern.log

Messages from the operating system's kernel less interesting forensically but can be used to rule out malware

Windows 8 phone

Microsoft Mobile Nokia

Recovering After Logical Damage

Microsoft Windows: chkdsk Linux: fsck Mac OS X: Disk Utility The Sleuth Kit TestDisk

RAID 1 (mirroring)

Mirrors the contents of the disks creating an identical copy of the drive running on the machine.

Wi-Fi

Most cellular phones and other mobile devices can connect to Wi-Fi networks Free Wi-Fi hotspots in restaurants, coffee shops, hotels, homes, and many other locations

solid state drives

Most use Negated AND (NAND) gate-based flash memory NAND retains memory without power

Recovering a file in linux

Move system to single-user mode with init 1 command Use grep to search for and recover files Example: # grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt

Windows Boot Process : Step 11

NTLDR loads hal.dll (hardware abstraction layer).

Windows Boot Process: Step 12

NTLDR loads the system hive (i.e., the Registry) and reads in settings from it.

Windows Boot Process: Step 9

NTLDR reads boot.ini and displays the boot loader menu. If there are multiple operating systems, they will be displayed.

Windows Boot Process: Step 8

NTLDR starts minimal file system drivers (FAT, FAT32, NTFS).

Windows Boot Process: Step 7

NTLDR switches from real mode 32-bit memory or 64-bit depending on the system. Real mode is the default for x86 systems. It provides no support for memory protection, multitasking, or code privilege levels.

Wireless Network Discovery Tools

NetStumbler MacStumbler iStumbler

Network Traffic Analysis

Network Monitoring-the big picture of what is happening on a network Network Analysis-discovers the details of what is happening on a network

Function of Application Layer

Network Virtual Terminal - It is a software version of physical terminal. It allows the user to login to the computer remotely connected in the network. File Transfer Access and Management (FTAM) - It helps user to access files in a remote computer and make changes. User can directly edit the file in the remote computer or they can download it into their local computer. Mail Services - It helps in e-mails forwarding to another device over the internet.

Security

Network and electronic security Lab network should not be attached to the Internet Includes physical security Access to the lab Ways of securing evidence

Wireshark

Network protocol analyzer Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets Analyzes real-time and saved data Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others Supports IPv4 and IPv6 Allows Voice over IP (VoIP) analysis Freely available

stateless

No information about the exchange is permanently retained by the server without help (i.e. cookies) ; applies to normal web traffic

/proc

Not stored on hard disk Is created in memory and keeps information about currently running processes Contains subdirectories that can be used to recover files and evidence EX:Assume that an intruder has downloaded a password cracker and is attempting to crack system passwords. The tool is attempting a number of passwords in a text file called pass. The intruder subsequently deletes both the executable and the text file, but the process is still running in memory. You can use ps or pstree to find the running processes and get the process ID. Assume the process ID is 3201. Now in the /proc directory, you can find /proc/3201. If you simply copy the executable from /proc to some other directory, it recovers that deleted executable. Of course, this works only on a live system, prior to shutting it down

Windows Boot Process: Step 6

Note that if instead of being shut down, Windows has been put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes at the previous state

Windows Boot Process: Step 10

Ntldr loads NTOSKRNL and passes hardware information. The NTOSKRNL is the actual kernel for the Windows operating system. This is the end of the boot phase and the beginning of the load phase

Packet Mistreating

Occurs when a compromised router mishandles packets Results in congestion in a part of the network

crytographic hashes

One -way, not reversibile Fixed-length output regardless of input Must be collision resistant

Getting Header in Apple Mail

Open Apple Mail. Click on the message for which you want to view headers. Go to the View menu. Select Message, then Long Headers. The full headers will appear in the window below your Inbox.

Linux Distributions

Open source operating system Popular distributions: Ubuntu Red Hat Enterprise Linux (RHEL) OpenSUSE Debian Slackware

Generic Forensic Zip (Gfzip)

Open-source file format used to store evidence from a forensic examination

Types of Logs: Operating system event

Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events

Other symmetric algorithms

Other symmetric algorithms: Blowfish Serpent Skipjack

DoS:

Overwhelming a system with requests

Certifications

PC Hardware: Comp TIA A + Basic Networking: Network+ or Cisco Certified Network Associate (CCNA) Security: Comp TIA Security + or ISC2 CISSP Hacking: EC-Council Certified Ethical Hacker

995

POP3 Secure encrypted POP3

SAM file

Password hashes are stored in a SAM file in Windows. It's in c:\windows\system32\config\SAM. There is a backup of this file in the repair folder. It's encrypted with Syskey which is 128 bit. Windows locks this file when it boots but ophcrack boots to linux live cd and scans hash during this process

Hacking via Cross-Site Scripting

Perpetrator seeks out someplace on target website that allows end users to post text that other users will see, such as product reviews Instead of posting a review or other text, the attacker posts JavaScript If website does not filter user input before displaying, other users navigate to this review and script executes

Avoid Changing evidence

Photograph equipment in place before removing it Label wires and sockets so computers and peripherals can be reassembled in a laboratory exactly as they were in the original location Transport computers, peripherals, and media carefully to avoid heat damage or jostling Avoid touching original computer hard disks and CDs Make exact bit-by-bit copies and store the copies on a medium that cannot be altered, such as a CD-ROM

Snort

Primarily used as an open source intrusion detection system Can function as a robust packet sniffer with a lot of configuration options

Wardriving

Process of driving around an area while a passenger in the vehicle scans for insecure, or weakly secured, wireless networks Participants then attempt to breach the targets they find

show version

Provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.

American Society of Crime Laboratory Directors (ASCLD) (slides)

Provides guidelines for: Managing a forensics lab Acquiring crime lab and forensic lab certification A lab must meet about 400 criteria to achieve accreditation TEMPEST

Types of RAID

RAID 0, 1, 3, 4, 5, 6, 1+0

Raid Aquisitions

RAID 0, 1, 3, 4, 5, 6, 1+0 Can acquire RAID 1 disks separately RAID 0, 3, 4, 5, and 6 use data striping across multiple disks Make a forensic image of the entire RAID array

password cracking tools

Rainbow Tables John the Ripper

431888 Important Intruder Ports

Reachout (malware)

Four types of Evidence -

Real, Documentary, Testimonial and Demonstrative

Data Doctor

Recovers all Inbox and Outbox data and all contact data, and has an easy-to-use interface. It has a free trial version, but there is a cost for the full version. Data Doctor retrieves Inbox and sent message data as well as contact data.

MacKeeper

Recovers deleted files on Macintosh computers Free, fully functional trial version available

HTTP Response Messages 300-399

Redirect messages telling the browser to go to another URL

caesar cipher

Referred to as the substitution cipher A simple method of encryption and very easy to crack Choose some number by which to shift each letter of a text Substitute the new alphabetic letter for the letter being encrypted used by the ancient Romans

3389 Important Intruder Ports

Remote Desktop

Proper Procedure: Preparing the System

Remove all drives Create chain of custody form (for each) Or, leave in system and acquire with forensically safe boot disks, CD-ROMs, or thumb drives

HTTP Commands: DELETE

Remove the webpage

HTTP Commands: POST

Request to append to a webpage

HTTP Commands: GET

Request to read a webpage

HTTP Commands: HEAD

Request to read just the head section of a webpage

ISO 27001

Requirements for Information Security Management Systems Section 14 addresses business continuity management.

Router Forensics

Router is hardware or software device that forwards data packets across a network to a destination network May contain: Read-only memory (ROM) with power-on self test code Flash memory containing the router's operating system Nonvolatile random access memory (RAM) containing configuration information Volatile RAM containing routing tables and log information

Federal Rules of Evidence (FRE)

Rules established by the US Supreme Court guiding the introduction and use of evidence in federal court proceedings that are an important benchmark for state and other courts. FRE governs what and how electronic records may be used, and the roles of record custodianship Uses rules 901 and 902

Where windows password hashes are stored

SAM file in Windows\System32 directory

integrated circuit card identifier (ICCID).

SIM is identified by this These numbers are engraved on the SIM during manufacturing. This number has subsections that are very important for forensics. This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.

Hacking systems for data,

SQL injection, Cross-Site scripting, Ophcrack, Tricking tech support

993

Secure IMAP or Encrypted IMAP

Types of Windows Log Files

Security Application- System Forwarded Events Applications and Services

Proper Procedure:Shutting Down the Computer: Windows

See what is currently running - but touch as little as possible 1. Ctrl+Alt+Del to check a. Task Manager b. Process Tab c. Take a photo with a camera 2. Check for live connections to the system: run each of the following commands and photograph the results before shutting down the machine a. netstat b. net sessions c. Openfiles 3. Capture memory using a forensic tool from a USB device a. OSForensics b. Access Data's FTK 4. Shut down by pulling the plug

Windows Boot Process: Step 14

Services load phase begins

/etcinittab File

Sets boot-up process and operation includes: label run_level action:a process boot bootwait initdefault sysinit

/sbin directory

Similar to /bin Contains binary files not intended for the average computer user EX: mke2fs command, a file system utility that is usually utilized by administrators, is in this directory.

Deleting Files on Macintosh

Similar to Windows, when file is deleted, references to file are gone and clusters might be used and overwritten Even if data is overwritten, data might exist in unallocated space and in index nodes Deleted files moved to the trash folder, similar to Recycle Bin in Windows Macintosh trash folder is .Trash, a hidden folder on the root directory of file system Recover deleted files from .Trash by copying or moving to other location or Use tools to recover files, even after trash bin has been emptied Mac Undelete Free Undelete MacKeeper

artificial intelligence (AI)

Simulates human intelligence such as the ability to reason and learn

How denial of service attacks affect forensics

Single machine-trace packets (common for attackers to spoof IP addresses, less common to spoof MAC addresses) Seek commonalities of zombie computers

history of encryption

Single-alphabet ciphers - Caesar Cipher Multi-alphabet Substitution ciphers

Sniffer

Software or hardware that can intercept and log traffic passing over a digital network Extracts network packets and performs a statistical analysis on the dumped information Commonly applied sniffers include Tcpdump (UNIX platforms and) WinDump

Percentage of computers suspected of having some type of spyware

Some estimates as high as 80%. Spyware can be legal such as parents monitoring children, cookies (at a base level are spyware) or employer's monitoring employees. Illegal spyware often tranferred via trojans through a link or email.

FIN Scan

Sometimes a host may need to terminate a connection quickly, due to a port being unreachable or a timeout, for example. Can send a Reset (RST) packet. Initial SYN packet should never have FIN or RST associated with it. Indicates an attack/malicious attempt to get by your firewall. A packet is sent with the FIN flag turned on. If port is open, this generates an error message. Because there was no prior communication, an error is generated telling the hacker the port is open and in use.

NFPA 1600:

Standard on Disaster/Emergency Management and Business Continuity Programs This is from the U.S. National Fire Protection Association.

boot

Starts the process and continues to the next entry without waiting for the process to complete. When the process dies, init does not restart the process.

bootwait

Starts the process once and waits for it to terminate before going on to the next inittab entry

sysinit

Starts the process the first time init reads the table and waits for it to terminate before going on to the next inittab entry

What Is Disaster Recovery?

Steps taken after an information technology-related disaster to restore operations Forensic techniques may be best method for determining what caused the disaster and for avoiding a repeat of it Forensic process begins once an incident has been discovered Is not fully underway until after the disaster or incident is contained

RAID 1+0 - A Stripe of Mirrors

Stripe file blocks across mirrored drives High disk space utilization High redundancy Minimum of 4 drives

documentation

Strong evidence-processing documentation Good chain-of-custody procedures A systems forensics specialist should have a good understanding of: Computer hard disks and CDs, and know how to find hidden data in obscure places The techniques and automated tools used to capture and evaluate file slack or slack space

Hierarchical File System Plus (HFS+) and Forensics

Supports aliases Performs defragmentation on a per-file basis

Reiser File System

Supports journaling Performs well when hard disk has large number of smaller files

Features HFS+

Supports journaling Supports disk quotas Has hard and soft links Uses 32 bits for allocation blocks rather than 16 bits Supports long filenames, up to 255 characters Uses Unicode rather than ASCII

Intrusion detection system logs

Suspicious traffic

Searching Virtual Memory

Swap file/virtual memory is in /var/vm/ Check it with Linux commands: ls returns list of files ls -al returns list of all files in virtual memory, who launched program and when grep lets you search in virtual memory folder

substitution and transposition

Swapping of blocks of ciphertext All modern block-cipher algorithms use substitution and transposition Combination of substitution and transposition increases security of resultant ciphertext by making cryptanalysis more complex

Evidence-Gathering Measures

Take following measures: Avoid changing evidence Determine when evidence was created Search throughout device (level of 1s and 0s) Determine info about encrypted and steganized files, without decoding Present evidence well

Proper Procedure: Documenting the Hardware Configuration of the System (before dismantling)

Take pictures of computer from all angles Label each wire Record BIOS/UEFI information

Imaging with Forensic Toolkit (FTK)

Takes snapshot of entire disk, makes bit-level copy for analysis Inexpensive, easy to use, good all-in-one forensic tool Offers Registry viewing, in-depth logging, standalone disk imaging, direct email and zip file analysis

MacIntosh Forensic Techniques

Target Disk Mode Searching Virtual Memory Shell Commands

Narrow al

Technologies that can perform specific tasks as well as, or better than humans.

viewing logs in linux

Text editor in GUI Any of these commands work from the shell: dmesg | lpr # tail -f /var/log/lpr.log # less /var/log/ lpr.log # more -f /var/log/ lpr.log

caesar cipher example:

Text is: A CAT You choose to shift by two letters, then A replaces C, E replaces C, C replaces A, and V replaces T; encrypted message is: C ECV If shift by three letters, message is: D FDW

Identifying File, Program, and Storage Anomalies

Text search programs can't identify text data stored in binary format They require manual evaluation Evaluate hidden partitions for evidence and document their existence In Windows, also evaluate files in the Recycle Bin If you find relevant files, thoroughly document the issues involved. Those issues can include the following: • How did you find the files? • What condition were they in (i.e., did you recover the entire file or just part of the file)? • When was the file originally saved? Remember that the more information you document about evidence, the better.

Identifying File, Program, and Storage Anomalies (slides)

Text search programs can't identify text data stored in binary format They require manual evaluation Evaluate hidden partitions for evidence and document their existence In Windows, also evaluate files in the Recycle Bin

plaintext

Text you want to encrypt

Windows Boot Process: Step One

The BIOS conducts the power-on self test (POST). This is when the system's BIOS checks to see if the drives, keyboard, and other key items are present and working. This occurs before any operating system components are loaded.

Windows Registry: Uninstalled software

The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key lets you see all the software that has been uninstalled from this machine.

Hierarchial File System (HFS)

The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File System.

Windows Registry: USB Devices

The Registry key HKEY_LOCAL_MACHINE\System\ControlSet\Enum\UBSTOR lists USB devices that have been connected to the machine. It is often the case that a criminal will move evidence or exfiltrate other information to an external device and take it with him or her. This Registry setting tells you about the external drives that have been connected to this system.

Windows Registry: Wireless Networks

The Registry stores passphrases for accessing wireless networks. When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection. This information can be found in the Registry in the HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key.

Triple DES (3DES)

The U.S. federal government began a contest seeking a replacement cryptography algorithm. In the meantime, Triple Des (3DES) was created as an interim solution. Essentially, it does DES three times, with three different keys. More secure variant of DES

Mean time to failure (MTTF)

The amount of time, on average, before a given device is likely to fail through normal use

Steganography

The art and science of writing hidden messages Goal is to hide information so that even if it is intercepted, it is not clear that information is hidden there Most common method today is to hide messages in pictures using the least significant bit (LSB) method

Chosen plaintext attack

The attacker obtains the ciphertexts corresponding to a set of plaintexts of his own choosing. This can allow the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key.

Mean time to repair (MTTR)

The average time it takes to repair an item

Storing a file in Windows (NTFS)

The cluster bitmap file map is an array of bit entries where each bit indicates whether its corresponding cluster is allocated/used or free/unused. MFT contains one base file record for each file and directory MFT serves same purpose as FAT Cluster bitmap file maps all clusters on disk

grep flags

The flags used are defined as follows: -i—Ignore case distinctions in both the PATTERN and the input files; that is, match both uppercase and lowercase characters. -a—Process a binary file as if it were text. -B—Print number lines/size of leading context before matching lines. -A—Print number lines/size of trailing context after matching lines.

payload

The information to be covertly communicated; the message the user wants to hide

run_level

The init level at which the entry is executed

Deleting a File in Windows (FAT/FAT32)

The more recently a file was deleted, the more likely you will be able to recover the file. Over time, it becomes more likely that clusters marked as unused have had other information saved in them. A cluster may have been deleted and saved over several times. Recovering a deleted file is not always an all-or-nothing procedure. It is possible to recover When a file is deleted, data not removed from disk FAT is updated to reflect clusters no longer in use New data saved to those clusters may overwrite old information

Packet Filter Firewall

The most basic type of firewall Filters incoming packets and either allows them entrance or denies them passage based on a set of rules Also referred to as a screened firewall Can filter packets based on packet size, protocol used, source IP address, and so on Many routers offer this type of firewall option in addition to their normal routing functions

Cellabrite

The most widely known phone forensics tool. Used heavily by federal law enforcement. It is a very robust and effective tool. Downside: the high cost. It is the most expensive phone forensics tool on the market.

Important Windows Files: Crss.exe

The program that handles tasks like creating threads, console windows, and so forth

HKEY_CURRENT_USER (HKCU)

This hive is very important to any forensic investigation. It stores information about the currently logged-on user, including desktop settings, user folders, and so forth.

Email headers contain:

The sender, the application, and any servers it passed through. Header keeps record of the message's journey networks and mail servers Each server adds information to the header Each network device has an Internet Protocol (IP) address Identifies device Can be resolved to a location address

Order of Volatility

The sequence of volatile data that must be preserved in a computer forensic investigation.

carrier

The signal, stream, or file in which the payload is hidden

email client

The software program used to compose and read email messages

Super DLT (SDLT)

The successor to Digital Linear Tape (DLT). (4)

Rainbow tables

The time of cryptanalysis can be reduced by using precalculated data stored in memory. Essentially, these types of password crackers work with precalculated hashes of all passwords available within a certain character space. These files are called rainbow tables because they contain every letter combination "under the rainbow." They are particularly useful when trying to crack hashes. Popular hacking tools like Ophcrack depend on rainbow tables. Ophcrack is usually very successful at cracking Windows local machine passwords

channel

The type of medium used. It can be a passive channel such as photos, video, or sound files. It can also be an active channel such as a streaming video connection.

Windows 95

The underlying operating system and the graphical user interface were fused into one single, coherent product.

Wireless Networking: 802.11g

There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use it. This standard has an indoor range of 125 feet and a bandwidth of 54 Mbps. It includes backward compatibility with 802.11b

HKEY_CLASSES_ROOT (HKCR)

This hive stores information about drag-and-drop rules, program shortcuts, the user interface, and related items

MobileEdit

There are several variations of this product. MobileEdit Lite is the most forensically advanced version of MobileEdit. This is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones

Foreign Intelligence Surveillance Act (FISA)

This U.S. law prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism. The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies' approaches to information gathering. It has been amended frequently so it is important to stay current on the latest revisions and court cases

Related-key attack

This attack is similar to a chosen plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. This is actually a very useful attack if you can obtain the plaintext and matching ciphertext.

Apple II

This computer was based on the same microprocessor but came in a plastic case with the keyboard built in. It was also the first personal computer with color graphics. Apple II was followed by a series of enhancements, including the Apple IIGS in 1986, which was 16-bit rather than 8-bit. There were multiple operating systems for the Apple II.

/Users directory

This directory contains all the user accounts and associated files.

/Network directory

This directory contains information about servers, network libraries, and network properties.

/var/log

This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and potentially get data from them. This folder includes data on removable media, including serial numbers.

/Applications directory

This directory is where all applications are stored. It can hold important information about any malware.

Windows Registry: ShellBag

This entry can be found at HKCU\Software\Microsoft\Shell\Bags. ShellBag entries indicate a given folder was accessed, not a specific file. This Windows Registry key is of particular interest in child pornography investigations

/Library/Receipts

This folder contains information about system and software updates. Though less useful for a forensic investigation than some of the other folders, it does include information about if and when a given patch was applied, which might be of some interest in investigating malware crimes.

/Users/<user>/Library/Preferences/ folder

This folder contains user preferences, including the preferences of programs that have been deleted. This could be a valuable place to get clues about programs that have been deleted from the system.

HKEY_LOCAL_MACHINE (HKLM)

This hive can also be important to a forensic investigation. It contains those settings common to the entire machine, regardless of the individual user.

HKEY_CURRENT_CONFIG (HCU)

This hive contains the current system configuration. This might also prove useful in your forensic examinations

Korn shell (ksh)

This is a popular shell developed by David Korn in the 1980s. The Korn shell is meant to be compatible with the Bourne shell, but to also incorporate true programming language capabilities.

Hierarchical File System Plus (HFS +)

This is an enhancement of the HFS file system. HFS+ is the preferred file system on Mac OS X.

file accessed

This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by antivirus scanners or Windows system processes.

bourne-again shell (Bash)

This is the most commonly used shell in Linux. It was released in 1989.

18 U.S.C. 2252B

This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors. This is a very serious concern, and one that sometimes arises in child predator cases.

/Users/<user>/.bash_history log

This log will show you a variety of commands, such as rm (removing or deleting something) and dd (indicating the user might have tried to make an image of the drive).

C shell (csh)

This shell derives its name from the fact that it uses very C-like syntax. Linux users who are familiar with C will like this shell. It was first released for UNIX in 1978.

NIST 800-61

This standard also will help guide you in forming an incident response plan

ISO 27035

This standard guides you in how to formulate an incident response plan. It requires a structured and planned approach to detect, report, and assess information security incidents; respond to and manage information security incidents; detect, assess, and manage information security vulnerabilities; and continuously improve information security and incident management as a result of managing incidents

Wireless Networking: 802.11b

This standard operated at 2.4 GHz and had an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).

Wireless Networking: 802.11n

This standard was a tremendous improvement over preceding wireless networks. It obtained a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz, and has an indoor range of up to 230 feet.

Wireless Networking: 802.11ac

This standard was approved in January 2014. It has throughput of up to 1 Gbps with at least 500 Mbps. It uses up to eight MIMO.

Wireless Networking: 802.11n-2009

This technology gets bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than possible using a single antenna.

Forensic SIM Cloner

This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.

live forensic tools:netstat

This utility is important in checking live system data is a command-line tool that displays both incoming and outgoing network connections. It also displays routing tables and a number of network interface statistics. It is available on UNIX, UNIX-like, and Windows-based operating systems.

Wireless Networking: 802.11a

This was the first widely used Wi-Fi standard. It operated at 5 GHz and was relatively slow.

RSA NetWitness

Threat analysis software/protocol analyzer Captures raw packets from wired and wireless interfaces Analyzes real-time data throughout the seven layers Filters by Media Access Control (MAC) address, Internet Protocol (IP) address, user, and more Freely available and threat analysis software

Collecting Data

Three primary types of data that a forensic investigator must collect, in this order: Volatile data Temporary data Persistent data

Collecting data

Three primary types of data that a forensic investigator must collect, in this order: Volatile data Temporary data Persistent data

Important Intruder Ports: 407

Timbuktu has any legitimate use. Timbuktu is an open source alternative to PC Anywhere. It allows program users to log on to a remote system and work just like they were sitting in front of the desktop. It is possible that technical support personnel are using Timbuktu to make support calls more efficient. But it is also possible that an intruder is logging on and taking over the system.

Modern cryptography

Two main types: Symmetric and asymmetric Used every day by millions of consumers on the World Wide Web to buy products and services securely "https" at beginning of Web address or a padlock symbol indicates a secure protocol such as Transport Layer Security (TLS) is at work Cryptography also used in: Antivirus software Wireless security (WPA and WPA2 encryption) Hard disk encryption using Microsoft Encrypting File System (EFS) is a form of cryptography Did you know your mobile phone transmissions are encrypted, as are your ATM and credit cards?

SYN Flood Attack

Type of DoS attack in which the attacker sends multiple SYN messages initializing TCP connections with a target host attacker sends SYN server replies with SYN/ACK attacker sends another SYN server replies with SYN/ACK and continues this pattern taking up all server resources

Hacking via SQL Injection

Typical SQL statement SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text +' AND PASSWORD = '" + txtPassword.Text +" ' Specific username and password: SELECT * FROM tblUsers WHERE USERNAME = 'thisuser' AND PASSWORD = 'letmein' SQL injection example: SELECT * FROM tblUsers WHERE USERNAME = '' or '1' = '1' AND PASSWORD = '' or '1' = '1'

1969

UNIX created at Bell Laboratories

1972

UNIX operating system released

Solid-state drives (SSD)

Use microchips that retain data in non-volatile memory chips Contain no moving parts Drives are usually less susceptible to physical damage than magnetic drives If internal, SSDs can use same interfaces as magnetic drives, including SCSI and SATA If external, it is most common for them to have a universal serial bus (USB) connection

index.dat

Used by Microsoft Internet Explorer Stores: Web addresses Search queries Recently opened files Even if the suspect's browsing history has been erased, it is still possible to retrieve it if he or she was using Microsoft Internet Explorer. Internet Explorer uses index.dat to store Web addresses, search queries, and recently opened files. So if a file is on a universal serial bus (USB) device but was opened on the suspect machine, index.dat would contain a record of that file. You can download a number of tools from the Internet that will allow you to retrieve and review the index.dat file.

Email Protocols: Post Office Protocol version 3 (POP3)

Used to receive email Operates on port 110, or 995 (secure) Designed to delete email on server as soon as user downloads email

Email Protocols: Internet Message Access Protocol (IMAP)

Used to receive email Operates on port 143 User views email on the server, decides whether to download the mail; email is retained on server allows client to only view headers so user can decide which message to download

Email Protocols:Simple Mail Transfer Protocol (SMTP)

Used to send email from a client to a mail server, and between servers Typically operates on port 25 SMTPS (secure) operates on port 465

Multialphabet substitution

Uses multiple numbers by which letters in plaintext are shifted Multiple substitution alphabets are created Represents a slight improvement on the Caesar cipher but is still easily cracked

symmetric cryptography

Uses same key to encrypt and decrypt plaintext May have one encryption key sender to receiver & different key for receiver to Sender

Getting Header for Gmail

Viewing email headers in Gmail is fairly simple. Follow these steps: 1. Log on to Gmail. 2. Open the message for which you want to view headers. 3. Click the down arrow next to Reply, at the top of the message pane. 4. Select Show Original. The headers appear in a separate window.

Windows 8

Was a radical change. Even though the desktop looks much like Windows 7, the operating system is meant to be more like that of a tablet.

Wireless Storage Devices

Wireless digital and video cameras Wireless printers with storage capacity Wireless network-attached storage (NAS) devices Tablets and smartphones Wireless digital video recorders (DVRs) Wireless game consoles

advanced steganography

With BPCS (Bit-plan complexity segmentation), carrier is often an image that stores colors in 24 bits, and this fact can be used to increase storage area for payload. The complex areas on the bit planes are replaced with the payload

Deleting Files in Windows (NTFS)

When a file is deleted, data not removed from disk Clusters are marked as deleted and "moved" to Recycle Bin When Recycle Bin is emptied, clusters marked as fully available Filename in the MFT is marked with a special character that means the file has been deleted In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER. In Vista and Windows 7, the name of the directory was changed to $recycle.bin. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.

Windows Files and Permissions

When copying and pasting on the same partition, files and folders inherit the rights of the folder they are being copied to. When cutting and pasting (moving), files and folders retain the original permissions if they are on the same partition.

Usiing Paraben

When you first start Paraben, you select New and then create a new case. Paraben will associate information about the investigator along with the case information. Next, select the type of email database you are going to be working with. The major email clients are all represented. At this point, you select the database you want to work with, and it is added to the case. From within Paraben, you can sort, search, scan, and otherwise work with the email data.

dmesg command

When your system boots up, you see a lot of information telling you what processes are starting, what processes failed, what hardware is being initialized, and more. This can be invaluable information to a forensic investigation. You can use the dmesg command to view all the messages that were displayed during the boot process. The command dmesg displays the messages for you. However, it does tend to fill up multiple screens. It is recommended that you simply pipe the output to some file (for example, dmesg>myfile.txt) and then search that file.

1998

Windows 98

1996

Windows NT 4.0

2013

Windows Server 2012 R1

2016

Windows Server 2016

2008

Windows Vista Home Basic, Home Premium, Business, Ultimate, Windows Server 2008

2001

Windows XP (first 64 bit version)

2003

Windows XP with Server 2003

Legacy

Windows XP, 2000 MAC OS 8 or earlier

Wireless Networking: 802.11ad

Wireless Gigabyte Alliance—This supports data transmission rates up to 7 Gbps—more than 10 times faster than the highest 802.11n rate.

types of crimes involving computers

White-collar crimes Violent crimes—murder, terrorism Counterintelligence Economic espionage Counterfeiting Child pornography Drug dealing

Windows Boot Process : Step 15

Win32 subsystem start phase begins

1985

Windows 1.0 opened

2015

Windows 10

current OS

Windows 10, 8, 7 Windows Server 2016, 2012 2008 Mac os 9 10

2000

Windows 2000

2009

Windows 7 and Server 2008 R2

2012

Windows 8 and Server 2012

1995

Windows 95

Scalpel

Works with Linux and Mac OS Possible to compile source code to work in Windows

extundelete

Works with both ext3 and ext4 partitions in Linux Uses shell commands Example: To restore all deleted files from sda1 partition: extundelete /dev/sda4 --restore-all

Enigma Machine

World War II by Germans-electromechanical rotor-based cipher system Is a multialphabet substitution cipher using machinery to accomplish the encryption When operator pressed a key, encrypted ciphertext for plaintext was altered each time

Universal Mobile Telecommunications System (UMTS)

a 3G standard based on GSM. It is essentially an improvement of GSM

fraud

a broad category of crime that is an attempt to gain financial reward through deception. Two subclasses are investment offers and data piracy

personal unlocking code (PUK)

a code used to reset a forgotten PIN. Using the code returns the phone to its original state, causing loss of most forensic data. If the code is entered incorrectly 10 times in a row, the device becomes permanently blocked and unrecoverable.

dd

a common UNIX program whose primary purpose is the low-level copying and conversion of raw data at the bit level. If you do your copy through the file system/operating system, then you can see only the data that the operating system sees. You won't get deleted files or slack space, so a basic file system copy is inadequate for forensic analysis. You must get a bit-level copy, and the dd utility is perfect for that

Feistel Function

a cryptographic function that splits blocks of data into two parts. Uses XOR one of the most influential developments in symmetric block ciphers

inode

a data structure in the file system that stores all the information about a file except its name and its actual data

Windows Registry

a database in Windows that stores user preferences, file locations, program configuration settings, startup information, hardware settings, and more. This includes viruses, worms, Trojan horses, hidden programs, and spyware. The ability to effectively scan registry for evidence is critical

home location register (HLR)

a database used by the MSC that contains subscriber data and service information. It is related to the visitor location register (VLR), which is used for roaming phones.

Quiescent State

a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.

User Assist

a feature of Windows 2000 and later that tracks what happens on the computer, including programs launched. Unless it is disabled there will be a record of everything done on that computer. This information is encrypted and stored in the Registry. The free UserAssist tool allows you to find out more.

Expert report

a formal document that details expert's findings. Often filed prior to trial. Can be used in a deposition. Considerations include: -format of report -throughness -back up everything you say

test system

a functional system compatible with the hard drive from which someone is trying to recover data

shielding

a high-cost approach to preventing EMR detection includes: -lining wall, ceiling, floor and doors with specially conductive metal sheeting -installing filters that prevent power cables from transmitting computer emanations -installing special baffles in heating and ventilation ducts to trap emanations -installing line filters on telephone lines -installing special features at entrances and exits that prevent facility from being open to outside at any time

Volitile Memory Analysis

a live system forensic technique in which you collect a memory dump and perform analysis in an isolated enviornment Must establish A trusted command shell A data collection system and a method for transmitting the data

fuzzy logic

a mathematical method of handling imprecise or subjective information

DoD 5220.22-M

a matrix of how to sanitize different types of media Department of Defense standards most people inaccurately believe seven over-writes ensures data is completely wiped really depends on type of medium data is stored on or in.

subscriber identity module (SIM)

a memory chip that stores the International Mobile Subscriber Identity (IMSI). It is intended to be unique for each phone and is what you use to identify the phone. Many modern phones have removable SIMs, which means you could change out the SIM and essentially have a different phone with a different number.

Digital Forensic Research Workshop Foundation

a nonprofit volunteer organization with the goal of enhancing the sharing of knowledge and ideas about digital forensics research

Window Washer

an example of one tool that enables you to retrieve and review the index.dat file.

Cross-Site Scripting (XSS)

a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

TCP Header Bits, of Interest:ACK (1 bit

acknowledges the attempt to synchronize communications

EnCase data blocks

actual data copied from the suspect machine

XOR

affects the study of encryption the most checks to see whether there is a 1 in a number in a given place, but not in both numbers at the same place. If not, the resultant number is 0. is reversible if you XOR the resultant number with the second number you get back the first number, and if you XOR the resultant number with the first number you get back the second number

soft link

aka symbolic link Is not actually a file itself, but rather a pointer to another file or directory.

Proper Procedure: Documenting Filenames Dates and Times

all allocated and "erased" files

Full Backup

all changes restore just the last backup

FISA) the foreign intelligence surveillance act of 1978

allows for collection of "foreign intelligence information" between foreign powers and agents of foreign powers using physical and electronic surveillance. Warrant necessary

Wireless Communications and Public Safety Act of 1999

allows for the collection and use of empty communication which means nonverbal and non-text communications such as GPS

disk quotas

allows the administrator to limit the amount of disk space a given user can use, keeping that user from taking up all the space

live forensic tools: ListDLLs

allows you to view the currently loaded dynamic-link libraries (DLLs) for a process. ListDLLs lists the DLLs loaded by all running processes. cannot show the DLLs loaded for hidden processes. A common attack involves using a Trojan horse to compromise a program or system DLL. So this tool can be important to your forensic investigation. It is available online for free.

Cyclical Redundancy Check (CRC)

almost always in trailer not header Ethernet uses a 32-bit cyclic redundancy check (CRC). The sender calculates the CRC using a very complex calculation on the source address, destination address, length, payload, and pad, if any. The four-octet (32-bit) result is stored in the trailer by the sender and the frame is transmitted. The receiving device repeats the exact same calculation as the sender and compares the result with the value stored in the trailer. If the values match, the frame is good and the frame is processed. But if the values do not match, the receiving device has a decision to make. The decision is made consistently based upon the protocol involved. In the case of Ethernet, the receiver discards the errored frame and sends no indication whatsoever that the frame has been discarded. The receiver usually does, however, update some internal counter, which can be queried to say how many frames were discarded. There is also a counter that says how many frames arrived and passed the CRC check.

AES

also known as Rijndael block cipher 1. Key expansion 2. Initial round 3. Rounds 4. Final round

Natural language processing

an AI technique using software to interpret natural languages (the languages spoken by people, such as English, French, Chinese and others). These techniques deal with speech recognition, understanding and generation.

genetic algorithm

an artificial intelligence system that mimics the evolutionary, survival-of-the-fittest process to generate increasingly better solutions to a problem

Router Attacks-Router table poisoning

an attacker alters the routing data update packets that the routing protocols need, resulting in incorrect entries in the routing table Incorrect router table entries can result in: Artificial congestion The router becoming overwhelmed An attacker being allowed access to data in the compromised network

anonymous remailing

an attempt to throw tracing or tracking attempts off the trail Suspect sends an email message to an anonymizer To find out who sent remailed email, must examine logs maintained by remailer or anonymizer companies however most of these services usually do not maintain logs can also closely analyze the message for embedded information that might give clues to the user or system that sent the message . Often the remailing servers are outside of the jurisdiction of U.S. law enforcement and may even be on another continent.

Phishing

an attempt to trick a victim into giving up personal information

clean room

an environment that has a controlled level of contamination such as from dust, microbes, and other particles

Internet fraud,

any attempt to gain financial reward through deception. Two major subclasses of fraud are; Investment offers and Data piracy

Identity theft

any crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain

Discarded information

any documents that are thrown out without being shredded

process

any program or daemon

Spyware

any software that monitor your activity on a computer.

/var/log/apache2/*

apache web server activity

sectors

are contiguous on a disk and are defined by two radii on the platter

journaling file systems

are fault tolerant because the file system logs all changes to files, directories, or file structures.

aliases

are like symbolic links; they allow you to have multiple references to a single file or directory.

active state

are powered on, performing tasks, and able to be customized by the user and have their filesystems populated with data.

Electronic serial numbers (ESNs

are unique identification numbers developed by the United States Federal Communications Commission (FCC) to identify cell phones. They are now used only in code division multiple access (CDMA) phones, whereas GSM and later phones use the International Mobile Equipment Identity (IMEI) number. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone. The IMEI is used with GSM and Long Term Evolution (LTE) as well as other types of phones.

Chi-square analysis

assesses how closely the observed frequencies fit the pattern of the expected frequencies and is referred to as a "goodness-of-fit" test

Digital Steganography

at one time, was only used by computer professionals because it required writing specific computer program code to manipulate the bits in an image. That is not the case today. There are a number of tools readily available on the Internet that will enable a user to hide information in an image or detect steganography

multipartie virus

attack the computer in multiple ways including infecting the boot sector of the hard disk and one or more file

Remote-to-local:

attacker does not have a user account but exploits a vulnerability to gain access

Banner grabbing

attempts to connect to a web server on port 23 (Telnet) is evidence of a well-known old hacker trick, which is to attempt to telnet into a web server and grab the server's banner or banners. This allows the hacker to determine the exact operating system and web server running unless the system administrator has modified the banner to avoid this hacker trick.

Sparse Infector

attempts to elude detection by performing its malicious activities only sporadically.

Known plaintext attack

based on having a sample of known plaintexts and their resulting ciphertexts, and then using this information to try and ascertain something about the key used.

Frequency Analysis

basic tool for breaking most classical ciphers such as the Caesar cipher, the Vigenère cipher, etc. In natural languages, certain letters of the alphabet appear more frequently than others. By examining those frequencies, you can derive some information about the key that was used. While this method is effective against classic ciphers, it is not effective against modern methods of cryptography

file command

can tell you exactly what a file is regardless of whether or not it has been renamed or had its extension changed. This can be very important in a forensic investigation will help you in situations where the criminal has changed the file extension to make the file appear to be something other than what it is.

TEMPEST

certifies equipment that sheilds from EMR detection

consistency checking

checking involves scanning a disk's logical structure to ensure that it is consistent with its specification. In most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem. Both chkdsk and fsck work in this fashion.

OR

checks to see whether there is a 1 in either or both numbers in a given place. If so, then the resultant number is 1. If not the resultant number is 0.

sweeper or scrubber

clean unallocated space by writing over the unallocated old fragments to remove evidence most write over once or twice DoD standard 7 times

The /hdiutil partition /dev/disk0

command lists the partition table for the boot drive. It is important to know the partitions the machine recognizes upon boot-up.

fdisk

command lists various paritions

Email files: .emi

common to several email clients

A person from Nigeria emails you, asking to use your bank account to "park" some money temporarily.

computer fraud

Data piracy is an example of this type of crime.

computer fraud

/etc

contains configuration files. Most applications require some configuration when they start up . The web servers, boot loaders (LILO and GRUB), and many other applications have configuration files. Obviously, an intruder into a system may want to change how a given application behaves. web server, boot loader, and security software configuration files would be attractive targets for any hacker.

system log

contains events logged by Windows system components, including events like driver failures; Not as interesting from a forensic perspective as the other logs are

The Sarbanes-Oxley Act of 2002

contains many provisions about record keeping and destruction of electronic records relating to the management and operation of publicly held companies.

Center for Education and Research in Information Assurance and Security (CERIAS): Readiness Phase

contains sub-phases called Operations Readiness which involves training people and testing investigative tools and the Infrastructure Readiness phase which involves configuring equipment.

Library/Preferences/System Configuration/dom.apple.preferences. plist

contains the network configuration data for each network card. This is important information to document before beginning your search for evidence

/varspool

contains the print queue, so it can be very important if something is currently in the print queue

The IP header

contains the source IP address, the destination IP address, and the protocol number of the protocol in the IP packet's payload. These are critical pieces of information. l

The TCP header

contains the source port, destination port, a sequence number, and several other fields. The sequence number is very important to network traffic; for example, knowing this is packet 4 of 10 is important. The TCP header also has synchronization bits that are used to establish and terminate communications between both communicating parties.

application log

contains various events logged by applications or programs; Many applications record their errors here

cp

copies one file to another directorye

mkdir

creates a new directory

non-access computer crimes

crimes that do not involve an attempt to access a target examples are viruses logic bombs and denisl of service attacks

Non-access computer crimes,

crimes that do not involve an attempt to actually access the target. Examples include DDoS, viruses, and logic bombs.

Helix

customized Linux Live Cd used for computer forensics

A suspicious person in a chat room asks for your home address every time you are both online together.

cyberstalking/harassment

Logical damage

damage to how the data is stored for example file system corruption May prevent host operating system from mounting or using the file system May cause system crashes and data loss May be caused by power outages, or turning off a machine while it is booting or shutting down

data encryption standard (DES)

ex of Feistel cipher

process (/etcinit file)

executes upon entering the specified run level

Electronic Communications Privacy Act of 1986

governs privacy and disclosure, access, and interception f content and traffic data related to electronic communications

RFC 3864

describes message header field names. Common header fields for email include: • To—The email address and, optionally, name of the message's primary recipient(s) • Subject—A brief summary of the topic of the message • Cc—Carbon copy; a copy is sent to secondary recipients • Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients • Content-Type—Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type • Precedence—Commonly with values "bulk," "junk," or "list"; used to indicate that automated "vacation" or "out of office" responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list • Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first) • References—Message-ID of the message to which this is a reply • Reply-To—Address that should be used to reply to the message • Sender—Address of the actual sender acting on behalf of the author listed in the From field

Communications Decency Act of 1996

designed to protect persons 18 and under from downloading or viewing material considered indecent.

Nascent State

devices are in this state when received from the manufacturer—the device contains no user data and has its original factory configuration settings.

-What are 7 types of Digital system Forensics?

disk forensics email forensics network forensics internet forensics software forensics live system forensics cell phone forensics

EnCase View pane

displays selected item

Enhanced Data Rates for GSM Evolution (EDGE

does not fit neatly into the 2G-3G-4G continuum. It is technically considered 2G, but was an improvement on GSM (2G), so it can be considered a bridge between 2G and 3G technologies.

secure emails

each email protocol has secured version which is encrypted with Tranport Layer Security (TLS).

How virus affect forensics

easy to locate, but difficult to trace back to creator first step is to document the particulars of virus, its behavior, file characteristics etc see if there is a commanlity between infected computers

WinUndelete

easy to use wizard driven

/var/log/mail.*

email activity useful for cyberstalking cases as well as many other types of forensic cases

Anonymizer

email server that strips identifying information from message before forwarding it with anonymous mailing computer's IP address

Stream Cipher

encrypts data as a stream, one bit at a time

EnCase checksum

ensures no error in copying of data and subsequently no information is modified by verifying before transfer and after transfer checksums

The Privacy Act of 1974

establishes a standard of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.

Linux File Systems

ext3 ext4 Linux stores files in contiguous blocks which are normally large enough to accommodate the content, so defragmentation is not required. In rare cases, the blocks need to be extended. The exact size of these blocks depends on the parameters used with the command to create that partition. There are prepackaged tools and some built-in commands for recovering deleted files from Linux operating systems.

linux utilites

extundelete scalpel

/var/log/faillog

failed user logins tracks attempt to break into the system

zero-knowledge analysis

few assumptions are made about the state of the file system. The file system is rebuilt from scratch using knowledge of an undamaged file system structure. In this process, scan the drive of the affected computer noting all file system structures and possible file boundaries. Then match the results to the specifications of a working file system. usually much slower than consistency checking. You can use it, however, to recover data even when the logical structures are almost completely destroyed. This technique generally does not repair the damaged file system but allows you to extract the data to another storage device.

A criminal changes a file extension. This command can identify the file

file

both physical and logical analysis

file residue ambient data

fsck

files system check. can check to see whether a given parition is in good working condition

provides information about a specific user

finger

iPod_control\device\sysinfo

folder contains model number and serial number

allocation unit

formal definition of cluster

Expert Report

formal document that lists what tests you conducted, what you found and your conclusions, it also includes your CV(similar to resume)

FreeUndelete

free Windows tool for personal use commerical version available

Disk Investigator

free utility that comes as a GUI for use with Windows OS -presents a cluster-by-cluster view of hard drive in hexidecimal -from view menu can view directories and root -tools menu allows search for specific file or to recover deleted files

EnCase

from Guidance Software; widely used forensic toolkit. Prevents examiner from making accidental changes to suspect machine. Organizes information into cases. Based on evidence file which contains header, checksum and data blocks.

Oxygen Forensics

full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, and the like.

EC Council Computer Hacking Forensic Investigator (CHFI)

good general forensic certification covers general principles and techniques rather than specific software

rules of evidence

govern whether, when, how and why proof of a legal case can be placed before a judge and jury

Center for Education and Research in Information Assurance and Security (CERIAS): Deployment Phase

includes the Detection and Notification sub-phase, in which someone detects and incident and alerts investigators and the Confirmation and Authorization sub-phase which investigators receive authorization to conduct an investigation

TCP Header Bits, of Interest:FIN (1 bit)—

indicates there is no more data from the sender

Macro

infect the macros in office documents

macro virus

infect the macros in office documents by writing the macros as mini-virus scripts

Bit-level information

information at the level of actual 1s and 0s stored in memory or on the storage device

Obscured information

information that is encrypted, hidden via steganography, compressed, or proprietary formatted

SQL injection

inserting Structured Language Query commands into text boxes such as username and password fields to gain unauthorized data.

Memory resident

installs itself and remains in RAM from the time the computer is booted to the time it is shut down

Important Windows Files: Explorer.exe

interface the user interacts with such as the desktop, Windows Explorer, etc.

logical analysis

involves using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. looking for things that are visible, known about, and possibly controlled by the user. includes partitions, file metadata, context of data and file paths

iOS

iphone ipad ipod

Communication Assistance for Law Enforcement Act (CALEA)

is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.

live forensic tools: FPort

is a free tool that is now distributed by McAfee. FPort allows you to view all open TCP and UDP ports and maps those to specific processes. This lets you know which process is using which port. This tool is similar in function to running netstat -an.

Windows Registry

is a repository of all the information on a Windows system. For example, the configuration settings for a newly installed program are stored in the Registry. Among other things, the Registry: Includes information about the computer's hardware configuration Allows the operating system to keep multiple hardware configurations Allows multiple users with individual preferences Includes program shortcut menus and property sheets Supports remote administration through the network The usual way to get to the Registry is through the tool regedit. In Windows 10 and Server 2012, you select Start, then Run, then type in regedit. In Windows 8, you need to go to the applications list and select All Apps then find regedit.

INFO2

legacy Windows stores deleted files from Recycle Bin in D%DriveLetter%_%IndexNumber%_%FileExtension% D stands for drive %DriveLetter% is drive that the file was on before deletion %IndexNumber% a number assigned to each file or directory that is sent to Recycle Bin and indicates order of deletion %FileExtension% is the original file extension. If it is a folder there will be no extension

/var/log/lighttpd/*

lighttpd web server activity

EnCase Tree pane

like windows explorer. Lists all folders and can expand any element in the tree.

Containment

limit the impact of the incident. This means keeping it from affecting more systems. In the case of a virus, the strategy is to keep the virus from spreading. Have a policy in place that instructs users to disconnect their computers from the network and then call tech support if they suspect they have a virus. This contains the virus and prevents it from spreading further. The containment path may not be as clear for other incidents. For example, how would you contain a situation where an intruder is getting into the web server? First, you would isolate the web server from the rest of the network. Then you would attempt to prevent further intrusion, perhaps by changing passwords throughout the organization, on the assumption that the intruder might have compromised passwords. Although the specifics of containment might vary, the goal does not. Limit the spread of the incident as much as possible. This phase must occur first.

ps

lists all currently running processes that the user has started.

top

lists all currently running processes whether the user started them or not. It also lists more detail on the processes

ls

lists contents of current directory

EnCase Table pane

lists subfolders and files contained within the folder selected in Tree pane

ls /dev/disk? command

lists the current device files that are in use. You should document this information before shutting the system down for transport to the forensic lab.

Techniques of forensic analysis

live analysis physical analysis logical analysis Create a timeline

Types of Logs: Application

logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.

Types of Logs: Authentication

logs show accounts related to a particular event and the authenticated user's IP address. They contain date and timestamps as well as the username and IP address of the requestor.

Types of Logs: Network device

logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack. For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities.

Linux EMail Server

logs/var/log/mail.*

File systems

look at clusters not sectors

logical analysis

looking for things that are visible, known about, and possibly controlled by the user

General Al

machine that have all the sense (maybe more), all the reason, and think just like people do.

mac tools

mackeeper

Viruses can be divided into 6 distinct categories;

macro memory resident multipartite armored sparse infector polymorphic

storage formats

magnetic media solid state drives digital audio tape drives digital linear tape and super DLT optical media usb drives

payload

message to be hidden

Machine Learning

method of data analysis that automates data building. ML uses algorithms that learn interactively from data and can find insights without explicit programming

Find evidence

more than data recovery; finding and isolating evidence to prove or disprove allegations. Often must search through thousands of deleted files and fragments. Examiners work in secure labs to check for viruses in suspect machines and isolate data to avoid contamination. Work with verifiable copies of disks not actual disks, thus advisable to make more than one copy of the evidence depending on tests need to run and copies need to present.

mount

mounts a partition, allowing you to work with it

Undeleting Linux Files: Manually(Recovering Deleted Files)

move to single user mode (init 1) use grep of similar command (i.e. grep -b 'search-text' /dev/partitiion > file.txt use command-line editor to view file

Prepare evidence

must be able to withstand judicial scrutiny; thus through documentation of all tests conducted and all results must be accounted for. Failing to document and ruin a case.

/var/log/mysql.*

my SQL database useful for SQL injection attacks and other hacking crimes

Clusters

need not consist of contiguous sectors; for example, a 10-sector cluster may have sectors from many different locations.

net user trick to gain domain admin privilege

net user /domain /add localaccountname password net group /domain "Domain Admins" /addlocalaccount saves script to all users startup folder and waits for domain admin to logon which usually occurs in tech support dept so breaking a machine can have tech support login

Blackberry

new versions use android

hacking

orginally meant experimenting with a system, now generally means to break into a system

Email files: .pst

outlook

Email files: .mbx or .dbx

outlook express

Ping of Death

packets in excess of 65535 bytes sent targeted machine

Basic steganography terms

payload carrier channel

cmp

performs a textual comparison of two files and tells you the difference between the two

diff

perfroms a byte-by-byte comparison of two files and tells you the difference between the two

takes the name you provide and returns ID for that process; can work with paritial names

pgrep

ciphertext

plaintext subjected to an algorithm and key

switch

prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. Switches remember the address of every node on the network and anticipate where data needs to go. A switch operates only with the computers on the same LAN because it operates based on the MAC address in a packet, which is not routable. It cannot send data out to the Internet or across a wide area network (WAN). These functions require a router.

Exchange Private folder

priv.edb

Streaming Data

priv.stm

Disk forensics

process of acquiring and analyzing information stored on physical storage media, includes recovery of deleted and hidden information as well as identifying who created the file.

Software forensics -

process of examining malicious computer code, also knows as malware forensics

Network forensics

process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing

Internet forensics

process of piecing together where and when a user has been on the internet.

Important Windows Files: Lsass.exe

program that handles security and logon policies

Scientific Working Group on Digital Evidence (SWGDE)

promotes a framework process that include the following four stages: -Collect -Preserve -Examine -Transfer

Children's Online Privacy Protection Act of 1998 COPPA

protects children under 13 from the collection and use of their personal info. by websites. (replaces the 1988 COPA

Privacy Protection Act of 1980

protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public.

Federal Standards on BCP's

provide a good overview of what should be covered in any business continuity plan, and some, like NIST 800-34, are also applicable to disaster recovery plans. For the purposes of forensic examination, you don't need to be an expert in disaster recovery—just a basic overview of the process is sufficient.

Hierarchical storage management (HSM)

provides continuous online backup by using optical or tape "jukeboxes." It appears as an infinite disk to the system, and can be configured to provide the closest version of an available, real-time backup.

American Society of Crime Laboratory Directors (ASCLD)

provides guidelines for managing a forensic lab, for acquiring crime lab and forensic lab certification.

Telecommunications Act of 1996

provisions relative to the privacy and disclosure of info. in motion through and across telephony and computer networks

shows all the processes in the form of a tree structure

pstree

Exchange Public Folders

pub.edb

Locky

ransomware virus that encrypts sensitive files and demands payment for encryption key -first appeared 2016

The system_profiler SPSoftwareDataType command

related to system_profiler SPHardwareDataType. returns information about the operating system. This is also important for documenting the system prior to starting the forensic examination.

Windows N.T. 4.0

released shortly after Windows 95 for servers and professionals

The Child Protection and Sexual Predator Punishment Act of 1998

requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement

TCP Header Bits, of Interest:RST (1 bit)—

resets the connection

date command

returns the current date and time zone. It is good for documenting when exactly you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then use date −u.

system_profiler SPHardwareDataType command

returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination. There are related commands, such as system_profiler SPSerialATADataType. This command gives information on all the attached Serial Advanced Technology Attachment (SATA) devices.

android

samsung galaxy many many types

What are the 5 guidelines required by the Daubert Ruling for scientific evidence to be admissible in court?

scientific theory/technique has been tested • it has been subjected to peer review or publication • the known or potential error rate must be known • the technique must follow set standards so it can be replicated (existence and maintenance of standards controlling its operation) • it can be explained so that the court and jury understand it.(it has attracted widespread acceptance within the scientific community)

how netuser trick affects forensics

search system for unrecognized scripts esp in startup folders check account usage for odd behavior forensic investigator dhould be familiar with hacking techniques and tools

hard drives store data as a _______________

sector

Christmas Tree Scan

sends a TCP packet to target with the URG, PUSH, and FIN flags set alternates bits turned on and off in the flags byte server sends a rst flag

DOD Cyber Crime Center (DC3)

sets standards for digital evidence processing, analysis, and diagnostics. Require computer forensics support to detect, enhance, or recover digtial media. Involved with both law enforcement and counterintelligence

Global Information Assurance Certification (GIAC)

several levels of certification that include security, hacking, and forensics

router

similar to a switch, but it can also connect different logical networks or subnets and enable traffic that is destined for the networks on the other side of the router to pass through. Routers utilize the IP address to determine the path of outgoing packets and work at the Network Layer of the OSI model. Modern routers are complex devices. They handle packets, often have firewall and Dynamic Host Configuration Protocol (DHCP) capabilities, are programmable, and maintain logs.

pstree command

similar to the ps command, except it shows all the processes in the form of a tree structure. The tree format gives more information particular to a given forensic investigation. Not only will you know what processes are running, but also which process initiated those processes.

how cyberterrorism affects forensics

since cyberterrorism often uses multiple layers of attacks; each layer must be investigated. usually state-sponsored so difficult tedious investigation due to sophistication and monies spent on attack

Spyware

software that can monitor a user's activity on a computer

Three ways to fake emails

spoofing anonymous remailing "valid" emails

encrypgion vs steganography

steganography: message hidden encryption: message present but obfuscated and not easily deciphered

UDP header

still has a source and destination port number, but it lacks a sequence number and synchronization bits.

linux

stores files in contiguous blocks Inode (hard links and soft links) Manual recovery with grep and >

Email forensics

study of the source and content of email as evidence, includes identifying sender, recipient, date, time, and origination location of email.

invokes super user mode

su

TCP Header Bits, of Interest:SYN (1 bit

synchronizes sequence numbers.

AND

take two binary numbers and compare them one place at a time. If both numbers have a 1 in both places then the resultant number is 1. If not then the resultant number is 0.

TCP/IP VS OSI

tcp/ip application layer = osi model application/presentation/session tcp/ip transport layer=osi model transport tcp/ip internet layer= osi model network tcp/ip network access layer=osi data link and physical

open files command

tells you if any shared files or folders are open and who has them open.

Ciphertext-only attack

the easist attack to defend against The attacker only has access to a collection of ciphertexts. This is much more likely than known plaintext, but also the most difficult. The attack is successful if the corresponding plaintexts or, even better, the key can be deduced. However, obtaining any information at all about the underlying plaintext in this situation is considered a success.

Frye Standard

the evidence in question must be "generally accepted" by the scientific community

Session Layer

the fifth layer of the OSI model. This layer establishes, manages, synchronizes and terminates connection between the computers. It provides either half duplex or full duplex service.

CAN-SPAM Act (2003)

the first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes. You do not need permission before sending email. This means that unsolicited email is not prohibited. It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act. The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out. Restrictions on how the sender can acquire the recipient's email address and how the sender can actually transmit the email: A message cannot be sent through an open relay. A message cannot be sent to a harvested email address. A message cannot contain a false header. These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party's servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.

TCP/IP Network Access Layer

the first layer of the four layer TCP/IP model. Network Access Layer defines details of how data is physically sent through the network, including how bits are electrically or optically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted pair copper wire. The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc. The most popular LAN architecture among those listed above is Ethernet. Ethernet uses an Access Method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media, when Ethernet operates in a shared media. An Access Method determines how a host will place data on the medium. IN CSMA/CD Access Method, every host has equal access to the medium and can place data on the wire when the wire is free from network traffic. When a host wants to place data on the wire, it will check the wire to find whether another host is already using the medium. If there is traffic already in the medium, the host will wait and if there is no traffic, it will place the data in the medium. But, if two systems place data on the medium at the same instance, they will collide with each other, destroying the data. If the data is destroyed during transmission, the data will need to be retransmitted. After collision, each host will wait for a small interval of time and again the data will be retransmitted.

Physical Layer

the first or the bottom most layer of the OSI model where all the physical connectivity of devices takes place in a network. It also defines the electrical and mechanical specifications like cables, connectors and signaling options of the medium. It converts the data into binary bits and then transfer to data link layer.

defragmentation

the following conditions are checked, and if met, the file is defragmented when it is opened: • The file is less than 20 megabytes in size. • The file is not already in use. • The file is not read-only. • The file is fragmented. • The system uptime is at least three minutes.

identity theft

the fraudulent acquisition and use of a person's private identifying information, usually for financial gain.

Phishing

the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Usually done in mass email campaigns that yield a 1-3% success rate.

how logic bombs affect forensics

the nature of the logic bomb will give clues to creator usually an employee with access to system and programming background so relatively straightforward to investigate follow same parameters as investigating viruse if delivered by trojan

base transceiver station (BTS)

the part of the cellular network responsible for communications between the mobile phone and the network switching system. The base station system (BSS) is a set of radio transceiver equipment that communicates with cellular devices. It consists of a BTS and a base station controller (BSC). The BSC is a central controller coordinating the other pieces of the BSS.

Email Laws: Fourth Amendment to U.S. Constiution

this as well as state requirements govern the seizure and collection of any email messages that reside on a sender's or recipient's computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.

state of running processes

this data is captured before system is shutdown

state of network connections

this data is captured before the system is shutdown

>

this is a redirect command, instead of displaying the output of a command like ls to the screen, it redirects the file

lists the processes in the order of how much CPU time the process is utlilizing

top

how fraud affects forensics

trace communications the more sophisticated an attack the less evidence there is follow the money trace owners of websites

Null Scan

turns off all flags creating a lack of TCP flags in packet (0000000)This would never happen in normal communications results in an error packet being sent again server sends a rst flag

channel

type of medium used

BPCS Bit Plane complexity segmentation

up to 50% of vessel data

live forensic tools: PSList

use to to view process and thread statistics on a system lists all running processes on the system. However, it does not reveal the presence of the rootkit or the other processes that the rootkit has hidden is a part of a suite of tools, PsTools, available as a free download.

Atbash Cipher

used by Hebrew scholars copying the book of Jeremiah Reverses the alphabet—substituting the first letter of the alphabet for the last letter, the second letter for the second-to-last letter, and so on Is primitive and easy to break

TCP Three-Way Handshake

used by TCP establishes a session between two systems. The first system sends a packet with the SYN flag set. The second system responds with a packet that has the SYN and ACK flags set. The first system responds with a packet with the ACK flag set. The two systems have now started a session.

LinEn boot disk

used to aquire contents of a Linux machine.

cd

used to change directories

rm

used to delete or remove a file

Swap file

used to optimize the use of random access memory (RAM). Data is frequently found in the swap file. The details on how to extract data from the swap file vary depending on the installed operating system.

rmdir

used to remove or delete entire directories

Forwarded Events log

used to store events collected from remote computers; Has data in it only if event forwarding has been configured

Applications and Services log

used to store events from a single application or component rather than events that might have systemwide impact

Windows Boot Process: Step 16

user logs on

GroupWise User Databases

userxxx.db

Vigenere Cipher

uses a table and a selected keyword to encrypt a message. Match the letter of your keyword on the top with the letter of your plaintext on the left to find the ciphertext. This type of multialphabet cipher is more secure than a single-alphabet substitution cipher but is still easily cracked by computers. Example: if you are encrypting the word cat and your keyword is horse, then the ciphertext is jok.

Asymmetric Cryptography

uses different keys to encrypt and decrypt plaintext

asymmetric crytography

uses different keys to encrypt and decrypt plaintext RSA Diffie-Hellman

Armoured virus

uses techniques that make it hard to analyze by compressing the code or encrypting it with a weak encryption method

Armored

uses techniques that make it hard to analyze, this is done by compressing it or encrypting it

Symmetric Cryptography

uses the same key to encrypt and decrypt plaintext Can use two different encryption keys, one from sender to receiver and one from receiver to sender Same key is still used for encryption and decryption Having different keys in both directions provides additional security if keys are learned or disclosed

Foresnic Network Analysis

uses tools and techniques of the network trade. Network monitoring helps get the "big picture" perspective, an insight into how networks and systems behave. Network analysis takes a deeper look at the traces between systems, networks, and intruders. Also referred to as "network forensic analysis." Analysis of network data to reconstruct network activity over a specific period of time Commonly used to: Reconstruct the sequence of events that took place during a network-based security incident Discover the source of security policy violations, vulnerabilities, or information assurance breaches Investigate individuals suspected of crimes

Format of expert report

usually list all items, documents, and evidence considered; detail tests performed and analysis done, and conclusion. Should also list entire curriculum vitae (CV)-documentation that details your experience and qualifications in an appendix. CV should include every publication, award and credential earned and very detailed work and education history. In most jurisdictions if it is not in the report, it cannot be presented during trial so thoroughness is essential. Be able to back up everything that you say with well-respected references to support claims.

2017

v 10.12 ( Sierra)

2001

v10.0 (Cheetah)

2011

v10.7 (Lion)

EnCase Network boot disk

very similar to Encase boot disk but allows you to perform process over a crossover cable between investigator's computer and suspect computer

FakeAV:86

virus that purports to be a free antivirus scan but is a Trojan first appeared in 2012

USA Patriot Act (2001)

was passed into law as a response to the terrorist attacks of September 11, 2001. The Act: Reduced restrictions on law enforcement agencies' intelligence gathering within the United States Expanded the Secretary of the Treasury's authority to regulate financial transactions Broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts Expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the PATRIOT Act's extended law enforcement powers can be applied In May of 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups. gives law enforcement dramatically enhanced powers for information gathering and should be a part of the knowledge base for any forensic investigator.

fyre standard

what was the requirement for evidence to be admissible in court? - Scientific evidence must be "generally accepted" by experts in the particular field of study.

$I AND $R

when files are moved to Recycle Bin, the original file is renamed starting with $R, followed by a series of random characters but maintain original file extension. a new file is also created beginning with $I

1990

windows 3.0

1992

windows 3.1 released

GroupWise Post Office Database

wphost.db

If the forensic workstation is a Windows machine

you can use the Windows Registry to prevent the workstation from writing to the mobile device. Before connecting to a Windows machine, find the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlset\StorageDevicePolicies, set the value to 0x00000001, and restart the computer. This prevents that computer from writing to mobile devices that are connected to it.

steganalysis tools

• StegSecret • StegSpy • Invisible Secrets • MP3Stego


Kaugnay na mga set ng pag-aaral

Chapter 49: Immunologic Agents and Chapter 51: Immunomodulating Drugs

View Set

Prep U- Chapter 58: Assessment & Management of Patients With Breast Disorders

View Set

Prin. Bus. Fin. Modul 1 "Building A Balanced Budget" { Mr. Bayaborda }

View Set

System Analysis and Design: Project Management (CH4)

View Set

Sped 212 Module 1 real study guide

View Set

magyar igék ragozása 1. -conjugation 1. (regular verbs + -ít and verbs ending in 2 vowels)

View Set

Real Estate Final Exam (Charles Barnes)

View Set

Care of Patients With Vascular Problems (Iggy ch. 36)

View Set

ap world history chapter26 key terms

View Set