CHFI - C702

International Mobile Equipment Identifier (IMEI)

15-digit GSM-based unique number on handset that identifies mobile equipment. Obtained with *#06# Format is AA BBBBBB CCCCCC D AA: Reporting body ID that allocated the Type Allocation Code (TAC) BBBBBB: remainder of the TAC (FAC) CCCCCC: Serial sequence of the Model (SNR) D: Luhn check digit of entire model or 0 (CD)

Mobile international subscriber directory number (MSISDN)

15-digit number used for international identification of mobile phone numbers, and it contains the country code and nation-wide destination code.

International Mobile Subscriber Identity (IMSI)

15-digit subscriber identification number that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs.

PDF

25 50 44 46

WMV

30 26 B2 75 8E 66 CF 11

BMP

42 4d

GIF

47 49 46

MP3

49 44 33 03

JNT

4E 42 2A JNT

Software Write-Blocker

Placed and used on the acquisition system to prevent writes to source data

PDF password recovery

PDF Password recovery, PDF Password Genius, SmartKey, Tenorshare, Guaranteed

Exploit

Part of the malware that contains code or sequence of commands that can take advantage of a bug or vulnerability in a digital system or device.

Payload

Part of the malware that performs desired activity when activated.

Application Password Cracking

Passware Kit, SmartKey, Advanced Office Password Recovery(all versions of Office), Office password recovery,

Debian/Ubuntu Linux Configuration File

/etc/apache2/apache2.conf

FreeBSD Configuration File

/etc/httpd/conf/httpd.conf

RHEL/Red Hat/CentOS/Fedora Linux Configuration File

/usr/local/etc/apache22/httpd.conf

Debian/Ubuntu Linux: Access Logs

/var/log/apache2/access.log

Debian/Ubuntu Linux: Error Logs

/var/log/apache2/error.log

FreeBSD Access Logs

/var/log/httpd-access.log

FreeBSD Error Logs

/var/log/httpd-error.log

RHEL/Red Hat/CentOS/Fedora Linux Access Logs

/var/log/httpd/access_log

RHEL/Red Hat/CentOS/Fedora Linux Error Logs

/var/log/httpd/error_log

Linux Log Files

/var/log/messages Global system messages /var/log/dmesg Kernel ring buffer information /var/log/cron Information about the cron job in this file /var/log/user.log All user level logs /var/log/lastlog Recent login information /var/log/boot.log Information logged on system boots

EnablePrefetcher

0:prefetch disabled 1:application prefetch enabled 2:boot prefetch enabled 3:application and boot prefetch enabled

Mac Boot Process

1. Activation of BootROM, which initializes system hardware and selects an operating system to run. 2. BootROM performs POST to test some hardware interfaces required for startup. 3. On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interfaces. 4. On Intel-based Macintosh computers, EFI initializes the rest of the hardware interfaces. 5. After initializing the hardware interfaces, the system selects the operating system. 6. If the system contains multiple operating systems, it allows the user to choose the particular operating system by holding down the Option key. 7. Once the BootROM operation is finished, the control passes to the BootX (PowerPC) or boot.efi (Intel) boot loader, which is located in the /System/Library/CoreServices directory. 8. The boot loader loads a pre-linked version of the kernel, which is located at /System/Library/Caches/com.apple.kernelcaches . 9. Once the essential drivers are loaded, the boot loader starts initialization of the kernel, Mach and BSD data structures, as well as the I/O kit. 10. The I/O kit uses the device tree to link the loaded drivers to the kernel. 11. The launchd, which has replaced the mach_init process, runs startup items and prepares the system

dcfldd offers that are not possible with dd

1. Hashing on-the-fly - dcfldd can hash the input data, helping to ensure data integrity 2. Status output - dcfldd can update the user of its progress in terms of time or data left 3. Flexible disk wipes - dcfldd can be used to wipe disks quickly, and with a known pattern if desired 4. Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match 5. Multiple outputs - dcfldd can output to multiple files or disks at the same time 6. Split output - dcfldd can split output to multiple files with more configurability than the split command 7. Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively

Checklist to Prepare for a Computer Forensics Investigation - 1

Do not turn the computer off or on, run any programs

Rules of Forensic Investigation (9)

Document the procedures applied on the evidence

fsck

File system consistency check and repair

Hardware Write-Blocker

Placed between the suspect hard drive and the acquisition system

raw format

creates simple, sequential, flat files of a data set or suspect drive. Advantages: Data transferring is fast Can ignore minor data read errors on the source drive A Universal acquisition format that most of the forensic tools can read Disadvantages: Takes same storage space as that of original disk or data set Some tools like freeware versions may not collect bad sectors on the source drive

Process Dumper (PD)

forensically dumps the memory of a running process

dd(source)

from where to read the data

temporal analysis

fundamentals of reconstruction - It produces a sequential event trail, which sheds light on important factors such as what happened and who was involved

Get-BootSector

parse GPTs of both types of harddisks, formatted with either UEFI or MBR

net view <IP address>

review file shares to ensure their purpose

Federal Rules of Evidence

rules governing evidence allowed in a federal court

GoAccess

s an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.

Operating System Layer

scheduling multiple tasks, memory management tasks, synchronization, and priority allocation. It also provides interfaces for communication between application layers, middleware layers, and hardware.

Setting Windows registry key

"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 disables updating of the last-accessed timestamp

IIS Log Files

%SystemDrive%\inetpub\Logs\LogFiles

DumpChk

(the Microsoft Crash Dump File Checker tool) is a program that performs a quick analysis of a crash dump file.

Linux Boot Process

1. BIOS stage a. It initializes the system hardware. b. The BIOS retrieves the information, stored in the CMOS chip and then performs a POST test. c. BIOS starts searching for the drive or disk which contains the operating system in a standard sequence. [page 194] 2. Bootloader Stage a. Load the Linux kernel and optional initial RAM disk. b. Load pre-cursor software in a virtual file system called the initrd image or initial RAMdisk c. System prepares to deploy the actual root file system. d. System detects the device that contains the file system and loads the necessary chapters. e. Lastly, load the kernel into the memory. [page 194] 3. Kernel Stage a. Virtual root file system executes the Linuxrc program. This generates the real file system for the kernel and later removes the initrd image. b. Kernel searches for new hardware and loads any suitable device drivers found. c. mounts the actual root file system and then performs the init process. d. init reads the file "/etc/inittab" and uses this file to load the rest of the system daemons. This prepares the system and the user can log in and start using it. e. Bootloaders for Linux are LILO (Linux Loader) and GRUB (Grand Unified Bootloader). These bootloaders allow the user to select which OS kernel to load during boot time.

Android Boot Process

1. Boot ROM is activated and loads Boot Loader into RAM 2. Boot Loader initializes and then starts the Kernel 3. Kernel initializes interrupt controllers, memory protections, caches, and scheduling. System can use virtual memory and launch the user space process (init) 4. Init process launches and is first process on device, parent process. Next init initializes Zygote, runtime, and daemon processes; the Android logo appears 5. Zygote is used to spin up new VMs for each app that is started; a new DVM with code sharing across the vms. 6. Runtime requests Zygote launch system server; which includes: power manager, battery service, and Bluetooth

iOS Boot Process

1. BootRom initializes some components and checks signature of LLB (lower level bootloader) 2. LLB is loaded and checks signature of iBoot (stage-2 boot loader) 3. iBoot is loaded and checks kernel and device tree signatures (Not booted in Device Firmware Upgrade DFU mode) 4. Kernel and device trees load. Kernel checks signatures of all user applications

Investigation Best Practices

1. Get authorization to conduct the investigation, from an authorized decision maker 2. Document all the events and decisions at the time of the incident and incident response 3. Depending on the scope of the incident and presence of any national security issues or life safety issues, the first priority is to protect the organization from further harm

iOS Architecture

1. No access directly to hardware 2. OS contains 4 abstraction layers (500MB+) 3. Core OS-low-level services- 4. Core services-foundation to upper layers. iCloud, dispatch, in-app purchases, etc 5. Media services-audio, video, animation, graphics, etc. OpenGL ES, AL, etc 6. Cocoa Touch layer-framework for app development UIKit 7. Uses C-based libSystem libraries like BSD sockets, POSIX threads, and DNS

Volatile Data Collection Methodology

1. Preparation 2. Documentation 3. Policy Verification 4. Strategy 5. Volatile Data Collection Setup 6. Volatile Data Collection Process

detect rootkits by examining the registry

1. Run regedit.exe from inside the potentially infected OS. 2. export HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format. 3. Boot into a clean CD (such as WinPE). 4. Run regedit.exe. 5. Create a new key such as HKEY_LOCAL_MACHINE\Temp. 6. Load the Registry hives named Software and System from the suspect OS. The default location will be c:\windows\system32\config\software and c:\windows \system32\config\system. 7. Export these Registry hives in text file format. (The Registry hives are stored in binary format and Steps 6 and 7 convert the files to text.) 8. Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).

Windows Boot Process

1. System switches ON, CPU sends a Power Good signal to mboard and checks for computer's BIOS firmware. 2. BIOS starts a POST and load all the firmware settings from nonvolatile memory on the mboard. 3. If POST is successful, add-on adapters perform a self-test for integration with the system. 4. The pre-boot process will complete with POST, detecting a valid system boot disk. 5. After POST, the computer's firmware scans boot disk and loads the master boot record (MBR), which search for basic boot information in Boot Configuration Data (BCD). 6. MBR triggers Bootmgr.exe, which locates Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe. 7. Windows loader loads the OS kernel ntoskrnl.exe. 8. Once the Kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT_START and the SYSTEM registry hive into the memory. 9. Kernel passes the control of boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure Win32 subsystem run environment. 10. Session Manager Process triggers Winlogon.exe, which presents the user logon screen for user authorization. 11. Session Manager Process Initiates Service control manager, which starts all the services, rest of the non-essential device drivers, the security subsystem LSASS.EXE and Group policy scripts. 12. Once user logs in, Windows creates a session for the user. 13. Service control manager starts the Explorer.exe and initiates the Desktop Window Manager (DMW) process, which set the desktop for the user.

ZIP

50 26 03 04

DOCX/PPTX/XLSX

50 4B 03 04

EPUB

50 4B 03 04 09 00

RAR

52 61 72 21 1A 07

PNG

89 50 4E

SnowBatch

A Windows-based image conversion and file conversion application that converts large batches of image or document files from one format to another.

Obfuscator

A program to conceal the malicious code of a malware via various techniques

RAID 5

A technique that stripes data across three or more drives and uses parity checking, so that if one drive fails, the other drives can re-create the data stored on the failed drive. RAID 5 drives increase performance and provide fault tolerance. Windows calls these drives RAID-5 volumes.

Windows Page File

A temporary or permanent file on a hard drive used by Microsoft Windows operating system that serves as additional memory when RAM is not available HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Downloader

A type of Trojan designed to transfer other malware onto a PC via Internet connection.

Kibana

A web UI for Elasticsearch

Live Data Acquisition

Acquiring data with computer powered on.

Resetting Admin passwords

Active@ Password changer, Windows Recovery Bootdisk, Windows Password Recovery Lastic

Rule 1003

Admissibility of Duplicates

Rule 1004

Admissibility of Other Evidence of Content

Unified Extensible Firmware Interface (UEFI)

Allows for disks larger than 2T and allows users to have 128 partitions on windows. More secure than MBR. Uses CRC to ensure data integrity and CRC32 checksum for header and partition table

SHA-256

An implementation of SHA-2 using a 256-bit hash.

Advanced Forensic Format (AFF)

An open-source data acquisition format that stores image data and metadata. File extensions include .afd for segmented image files and .afm for AFF metadata.

Network Forensics Analysis

Analyst Interface provides visualization of the evidence graph and reasoning results to the analyst, who passes the feedback to the graph generation and reasoning components. Evidence Collection the collection of intrusion evidence from networks and hosts under investigation. Evidence Preprocessing the analysis of assertive types of evidence, such as IDS alerts, into the appropriate format and reduces the repetition in low-level evidence by aggregation. Evidence Depository collected intrusion evidence is stored in the evidence depository. Evidence Graph Generation generates and updates the evidence graph using intrusion evidence from the depository. Attack Reasoning process of automated reasoning based on the evidence graph. Attack Knowledge Base includes knowledge of prior exploits. Asset Knowledge Base includes knowledge of the networks from the fundamentals and hosts under investigation. TOOLS: GFI EventsManager, Eventlog Analyzer, Kibana, Syslog-ng, RSYSLOG, Firewall Analyzer, SEC, OSSEC, Ipswitch Log Management, Snare, Loggly, Sumo Logic, ArcSight, Logscape, LogRhythm, Sawmill, McAfee log manager, LogMeister, Sentinel, TripWire, etc.

Incident Analyzer

Analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, different threats, and vulns associated with it

Rooting Tools

Android OneClickRoot Kingo Android ROOT Towelroot RescuRoot iOS PANGU JAIL BREAK Redsn0w Sn0wbreeze GeekSn0w

Other Log Analyzer tools

Apache Log Viewer WebLog Expert AWStats Nagios Splunk Webalizer

DropBox

Artifacts Left by Dropbox Client When a user installs Dropbox the files are saved at C:\Program Files (x86)\Dropbox Configuration is stored C:\Users\<username>\AppData\Local\Dropbox\instance(n) The system uses C:\Users\<username>\Dropbox as the default folder to sync files.***YOU CAN USE "WhatChanged" as a tool to see what programs add to the registry or Magnet IEF for other data gathering on pcs, phones, and tablets***

Google Drive

Artifacts Left by Google Drive Client When a user installs Google Drive the files are saved at C:\Program Files (x86)\Google\Drive Configuration and Logs are storedC:\Users\<username>\AppData\Local\Google\Drive\user_default The system uses C:\Users\<username>\Google Drive as the default folder to sync files.

Dealing with Powered Off Computers

At this point of the investigation, do not change the stat of any electronic devices or equipment

Dropper

Attackers need to install the malware program or code on the system to make it run and this program can do the installation task covertly.

Rule 502

Attorney-Client Privilege and Work Product; Limitations on Waiver

RAID 2

Bit-level striping with dedicated Hamming-code parity. OBSOLETE.

EnablePrefetcher - 2

Boot Prefetch Enabled

EnablePrefetcher - 3

Boot and Application Prefetch Enabled

/boot

Boot loader files eg. kernels, initd

The investigator must follow the steps before performing a forensic investigation:

Build a Forensics Workstation (sec 2.1 pg 1003) Investigators build forensic workstations to perform forensic investigation on mobile devices. The workstation includes hardware and software tools in the lab such as laptop or desktop computer, USB connector, FireWire, mobile forensics toolkit, cables (including Bluetooth and IR), SIM card reader, and micro-SD memory card reader. Build the Investigation Team (sec 2.2 pg 1004) The investigation team consists of persons who have expertise in responding, seizing, collecting, and reporting evidences from the mobile devices. Includes the expert witness, evidence manager, evidence documenter, evidence examiner/investigator, attorney, photographer, incident responder, decision maker, and incident analyzer. Review Policies and Laws (sec 2.3 pg 1005) Before starting the investigation process, investigators need to understand the laws pertaining to the investigation. They must also be aware of the potential concerns associated with Federal laws, State statutes, and local policies and laws before beginning the investigation. Notify Decision Makers and Acquire Authorization (sec 2.4 pg 1005-1006) Decision makers are authorities who implement the policies and procedures for handling an incident. The decision maker must be notified for the authorization when written incident response policies and procedures do not exist. Risk Assessment (serc 2.5 pg 1006) Risk assessment measures the risk associated with the mobile data, estimating the likelihood and impact of the risk. Risk assessment is an iterative process and it assigns priorities for risk mitigation and implementation plans. Build a Mobile Forensics Toolkit (sec 2.6 pg 1006) Investigators require a collection of hardware and software tools to acquire data during the investigation. The investigator needs to use different tools to extract and analyze the data, depending on the make and model of the phone seized.

RAID 3

Byte-level striping with dedicated parity. OBSOLETE, replaced with RAID 5.

Windows Vista, 7, 8, and 10 File Deleted

C:\$Recycle.Bin Files are named $Ry.ext "y" is sequence number and "ext" is original extension For the first document file deleted on C: drive would be: $R0.doc

Collect the database files (.mdf) and log files (.ldf) from

C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA

Collecting SQL Server Trace Files

C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG

The default path to the data directory is mentioned below for the windows based machines

C:\ProgramData\MySQL\MySQL Server 5.n\ (or) C:\mysql\data

Windows 98 and earlier (FAT) File Deleted

C:\Recycled (4GB limit) Files are named Dxy.ext "x" is drive, "y" is sequence number(0-??) and "ext" is original extension. For the first document file deleted on C: drive would be: Dc0.doc

Windows 200-, XP, NT(NTFS)

C:\Recycler\S- (based on windows SID) When a user deletes a file or folder, the OS stores all the details of the file such as its complete path, including the original file name, in a special hidden file called "Info" or "Info2" in the Recycle Bin folder. In Windows newer than Vista and XP, the OS stores the complete path and file or folder name in a hidden file called INFO2. INFO2 contains various details of deleted files such as: original file name, original file size, the date and time of deletion, unique identifying number, and the drive number that the file came from.

ISO 9660

CD format to support PC file systems on CD media. Supplanted by the Joliet format and then the UDF format.

Mozilla Firefox

Cache Location: C:\Users\<Username>\AppData\Local\Mozilla\Firefox\Profiles \XXXXXXXX.default\cache2 Cookies Location: C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\cookies.sqlite History Location: C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite

MDF

Calculator-view MD5 hash to compare to provide hash value

Rule 614

Calling and interrogation of witnesses by court

Mobile Hardware Tools:

Cellebrite UFED System Secure ViewKit for Forensics DS-Device Seizure & Toolbox USB reader for SIM cards iGo DC Lab Power Supply 0-15V/3A Digital Display with Backlight Paraben's Phone Recovery Stick

Syslog-ng

Centralized syslog collector and syslog replacement

Checklist to Prepare for a Computer Forensics Investigation - 7

Compile a list of names, e-mails, and other info of those with whom the subject might have communicated

Rules of Forensic Investigation (5)

Comply with the standards

/sys

Contains system info (devices, kernel, etc.)

Rules of Forensic Investigation (3)

Create a chain of custody document

Checklist to Prepare for a Computer Forensics Investigation - 10

Create a list of keywords or phrases to use when searching for relevant data

DOC/PPT/XLS

D0 CF 11 E0

cron

Daemon to execute scheduled commands

Rule 1001

Definitions

FAT

Designed for small disks with simple structures. Stores all files at beginning of the volume

Cylinders, Heads, and Sectors (CHS)

Determine the sector addressing for individual sectors on a disk

Rule 705

Disclosing the Facts or Data Underlying an Expert's Opinion

RAID 0

Disk Striping - It is the simplest RAID level, which does not involve any redundancy and fragments the file into user-defined stripe size of the array

img_stat

Display details of an image file

Openfiles

Displays files opened by remote users for a file share.

dmesg

Displays the contents of the kernel ring buffer.

Bit-Stream disk-to-disk

EnCase, SafeBack, Norton Ghost

/bin

Essential command binaries that need to be available in single user mode; for all users

/dev

Essential device files. Ex: /dev/null

eventvwr.msc

Event Viewer

Rule 608

Evidence of Character and Conduct of Witness

Rules of Forensic Investigation (7)

Evidence should be strictly related to the incident

Authentic Evidence

Evidence that can be verified, as to questions such as its source, relevance to the case, authorship, and path of transmission.

Evidence Examiner/Investigator

Examines the evidence acquired and sorts the useful evidence.

.edb file

Exchange 2007's database engine is referred to as the Extensible Storage Engine (ESE). ESE is a transactional database that writes information into RAM memory and into a log file. Once it is in the log file, it will be written to disk. There are a number of files used to store information:

18 USC 1029

Fraud and related activity in connection with access devices

18 USC 1030

Fraud and related activity in connection with computers

Steganalysis Tool

Gargoyle, StegAlyzerAS/RTS, StegExpose, StegAlyzerSS, Steganography Studio, Virtual Steganographic Lab (VSL), ImgStegano

Rule 402

General Admissibility of Relevant Evidence

shared files and folders in the following registry root key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

NTFS

High performance, self repaiting with advanced features like file level security, compression, and auditing. Supports larger and more powerful volume storage solutions like RAID

Rules of Forensic Investigation (6)

Hire professionals for analysis of evidence

Rule 801

Hearsay

Rule 803

Hearsay Exceptions - Availability of Declarant Immaterial

Rule 804

Hearsay Exceptions; Declarant Unavailable

Folder Steganography

Hides data in folders. Invisible secrets4

Google Chrome

History, Downloads, Cookies Location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default Cache Location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Cache

/root

Home directory for the root user

/etc

Host-specific system-wide configuration files

Checklist to Prepare for a Computer Forensics Investigation - 6

If possible, obtain passwords to access encrypted or password-protected files

Checklist to Prepare for a Computer Forensics Investigation - 8

If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files accessed, and when access occurred. If possible, find out why the pc was accessed

Dealing with Networked Computer

If the victim's computer has an Internet connection, the first responder must follow the following procedure in order to protect the evidence: • Unplug the network cable from the router and modem internet can make it vulnerable to further attack • Don't use the pc for evidence search because it may alter or change the integrity of the existing evidence • Unplug all the cords and devices connected to the computer and label them for later identification • Unplug the main power cord from the wall socket • Pack the collected electronic evidence properly and place it in a static-free bag • Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence • Document all the steps that involved in searching and seizing the victim's computer for later investigation

Rule 609

Impeachment by Evidence of a Criminal Conviction

Ntdll.dll

Internal support functions and system service dispatch stubs to executive functions

Proprietary Format

Is a file format that is designed to work specifically with the software application that created it.

L0phtCrack

Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.

Handy Recovery

Is used on windows to recover data from power outtages, software faults, virus attacks.

Internal Phone Memory

It includes data stored in RAM, ROM, or flash memory. It stores the Mobile phone's OS, applications, and data. The investigator can extract information from internal phone memory using AT 43 commands with the help of a USB cable, infrared, or Bluetooth.

Mobile subscriber identification number (MSIN)

It is a 10-digit number MIN (mobile identification number) that helps identify the mobile phone service provider within a mobile carrier network.

Libc

It is a C system library tuned for embedded Linux-based devices

Malicious Code

It is a piece of code that defines basic functionality of the malware and comprises commands that result in security breaches.

MIME

It is an Internet standard that extends the email format for supporting the following: • Text in non-ASCII character sets • Attachments like application programs, images, audio, video, etc. other than text • Multiple part message bodies • Non-ASCII character set header information

/lib

Libraries essential for the binaries in /bin/ and /sbin/.

Packer

It is software that compresses the malware file to convert the code and data of malware into an unreadable format.

WebKit

It is the browser engine used to display web pages

Static Data Acquisition

It is the process of acquiring the non-volatile or unaltered data remains in the system even after shutdown. Investigators can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. Other sources of non-volatile data include CD-ROMs, USB thumb drives, smartphones, and PDAs. The static acquisition is usually applicable for the computers the police had seized during the raid and include an encrypted drive.

LogonSessions

It lists the currently active logged-on sessions and, if you specify the -p option, it can provide you the information of processes running in each session.

Passware Search Index Examiner

It makes all the data indexed by Windows Search accessible. Requires only one file from the target PC, a Windows Desktop Search Database (.edb)

FreeType

It renders the bitmap and vector fonts

win32k.sys

Kernel mode portion of the windows subsystem, contains the graphics device interface

Rules of Forensics Investigation

Limit access and examination of the original Record changes made to the evidence files Create a chain of custody document Set standards for investigating the evidence Comply with the standards Hire professionals for analysis of evidence The evidence should comply with the jurisdiction standards Document the procedures applied on the evidence Securely store the evidence Use recognize tools for analysis

Rules of Forensic Investigation (1)

Limit access and examination of the original evidence

Rule 105

Limited Admissibility

Log Management Tiers

Log Generation Log Analysis and Storage Log Monitoring

Log Management Functions

Log Parsing Event Filtering Event Aggregation Log Rotation Log Archival & Storage Log Compression Log Reduction Log Conversion Log Normalization Log File Integrity Checking Log Reproting Log Clearing

Checklist to Prepare for a Computer Forensics Investigation - 9

Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession

MD5

Message Digest 5. A hashing function used to provide integrity. MD5 uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained.

RAID 1

Mirroring - generally executes mirroring as it duplicates or copies the drive data on to two different drives using hardware RAID controller or a software

LogMeister

Monitors standard and custom Windows event logs, a wide range of text logs, syslog, XML log streams, RSS feeds and Windows firewall logs.

/media

Mount points for removable media such as CD-ROMs

If Monitor is Switched ON and the Display is Blank

Move the mouse slightly. If the screen does not change, do not perform any other keystroke. Photograph the screen

Event Correlation Approaches

Neural Network approach Codebook-Based; stores sets of events in codes Rule-Based; uses rules to correlate events Field-Based; uses and compares fields in the data for correlation Automated Field correlation; compares some or all fields and determines correlation across these fields Packet Parameter/Payload Correlation; compares packets with signatures (IPS/IDS) Profile/Fingerprint; collect data to see if system was used as a relay or comp'd host Vulnerability-based; helps map IDS events to vulnerability scanner output Open-Port based; determine risk of attack by evaluating list of open ports 30 Bayesian Correlation; predicts next steps based on statistics and probability Time or role-based approach; monitors computer and user behavior for anomalies Route correlation; extracts attack route info to single out other attack data

Checklist to Prepare for a Computer Forensics Investigation - 5

Once the machine is secured, obtain info about the machine, the peripherals, and network where connected

OSSEC

Open Source HIDS Security

Generic Forensic Zip (gfzip)

Open format for compressed and signed files that uses SHA-256 Embeds user metadata with file metadata and signs with x.509

Rule 701

Opinion Testimony by Lay Witness

/opt

Optional application software packages

Checklist to Prepare for a Computer Forensics Investigation - 4

Perform a premilinary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination

EnablePrefetcher - 0

Prefetch Disabled

EnablePrefetcher - 1

Prefetch Enabled

Rule 104

Preliminary Questions

42 USC 2000AA

Privacy Protection Act, special steps to take during seizure that don't prevent freedom of expression

Bit-stream disk-to-image

ProDiscover, EnCase, FTK, TSK, X-Ways, ILook

SHA-1

Produces a 160-bit hash value and is used in DSS

Injector

Program that injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal.

Fourth Amendment

Protects against unreasonable search and seizure

Rule 102

Purpose and Construction(Just)

ausearch

Queries auditd logs for events based on different criteria

Guidance Software's EnCase

Rapidly acquire data from variety of devices and unearth potential evidence with disk-level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of your evidence in a format the courts have come to trust

Rules of Forensic Investigation (2)

Record changes made to the evidence files

RecoverMyFiles

Recover deleted files emptied from recycle bin, accidental format, hard disk crash, etc.

quick recovery

Recovers files that have been lost, deleted, corrupted, or even deteriorated. Can also recover encrypted files.

Crypter

Refers to a software program that can conceal existence of malware.

Rule 106

Remainder of or Related Writings or Recorded Statements

Rule 901

Requirement of Authentication or Identification

Rule 1002

Requirement of the Original

Incident Responder

Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of an incident

Rule 103

Rulings on Evidence

/run

Run-time variable data; information about the running system since last boot eg current logged in users and running daemons

Mobile Software Tools

SEARCH Investigative Toolbar SIMiFOR ASC 001Micron Data Recovery *SIM Explorer BitPim *Oxygen Forensics Analyst Paraben's Sim Card Seizure *MOBILedit! Forensic TULP2G iDEN Phonebook Manager SUMURI's PALADIN floAt's Mobile Agent XRY Logical & XRY Physical

SQLite

SQLite is the database engine that stores data in Android devices OpenGL/ES and SGL: used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen

Rule 101

Scope(Proceedings)

/usr

Second major hierarchy. User's system resources including user binaries

Checklist to Prepare for a Computer Forensics Investigation - 2

Secure any relevant media including hard drive, cell phones, DVDs, USB drives, etc subject may have used

Rules of Forensic Investigation (10)

Securely store the evidence

Rules of Forensic Investigation (4)

Set standards for investigating evidence

/srv

Site-specific data which are served by the system.

EXT4

Supports maximum individual file sizes up to 16T and overall volumes of about size 1 EiB(exbibyte)

Advanced Forensic Framework 4 (AFF4)

Supports more file formats than AFF and much larger capacities Image signing and cryptography and is transparent to clients

Checklist to Prepare for a Computer Forensics Investigation - 3

Suspend document destruction and recycling that may pertain to relevant media or users at the time of issue

/mnt

Temporarily mounted filesystems.

/tmp

Temporary files used by the system

Hal.dll

The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.

Ntoskrnl.exe

The Windows OS kernel.

GUID Partition Table (GPT)

The area of a large hard disk (> 2TB) outside a partition that stores partition information and boot loaders.

history

The command history checks and lists the Bash shell command used. This command helps the users for auditing purposes

mount

The command mount causes mounting of a file system or a directory structure, making it accessible

Complete Evidence

The evidence must either prove or disprove the consensual fact in the litigation

Rules of Forensic Investigation (8)

The evidence should comply with jurisdiction standards

Decision Maker

The person responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, makes decision about the policies and procedures to handle the incident

Primary Data Files (MDF)

The primary data file is the starting point of a database and points to other files in the database. Every database has an MDF. The MDF stores all the data in the database objects (tables, schema, indexes, etc.).

Dynamic Analysis

The process of evaluating behavior, e.g., memory performance, CPU usage, of a system or component during execution.

File Carving

The process of reassembling computer files from fragments in the absence of file system metadata.

Secondary Data Files (NDF)

The secondary data files are optional. While a database contains only one primary data file, it can contain zero/single/multiple secondary data files.

Transaction LOG Data Files (LDF)

The transaction log files hold the entire log information associated with the database. The transaction log file helps a forensic investigator to examine the transactions occurred on a database, and even recover data deleted from the database.

Abbreviated dialing numbers (ADN)

These are three-digit dialing numbers. communication in emergency

Network Layer

To communicate with the network, the data must pass through various layers to reach the destination. The data travels over network layers to reach its destination.

PWdump7

Tool used to dump password hashes from the SAM file.

If Monitor is Switched OFF and Display is Blank

Turn the monitor ON, move the mouse slightly, observe the changes from a blank screen to another screen, and note the changes and photograph the screen

Normalization

Types of Event Correlation - after data is transmitted, return to common format use

Cross-Platform

Types of Event Correlation - different OS for desktop, server and network gear

Data Reducation

Types of Event Correlation - reducing or removing data for faster correlation

Same-Platform

Types of Event Correlation - same OS

Transmission of Data

Types of Event Correlation - transmitting securely with authentication and encryption

UFS

Unix File System

Rules of Forensic Investigation (11)

Us recognized tools for analysis

Get-PartitionTable

Used for obtaining details about partitions.

FAT32

Utilizes space 10-15% more effectively due to use of smaller clusters. Very robust and has lesser failure rate than FAT16 devices. No restriction on number of root folder entries

Reports can be categorized as:

Verbal - board, jury, managers=formal Written - court, under oath = formal Further division of the previous categories includes: • Formal • Informal It is advisable to include the contents of an informal written report in an informal verbal report and the essentials such as the subject system, tools used, and findings should be summarized in it. If the produced informal written report is destroyed then it is considered as destruction or concealing of evidence, which in legal terms is known as spoliation.

net session

Verify the users using open sessions

Ntkrnlpa.exe

Windows XP physical address support program for accessing more than 4 GB of phsyical RAM

Edge stores history records, Cookies, HTTP POST request header packets and downloads in:

\Users \user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Edge cached files location:

\Users \user_name\AppData\Local\Packages \Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\

ESE Database

\Users \username\AppData\Local\Packages \Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.eb

Edge last active browsing session data location:

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\

RAID 10

a combination of RaID 1 and RaID 0 that requires at least four disks to work as an array of drives and provides the best redundancy and performance.

Unicode

a computing industry standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems.

RoadMASSter-3 X2

a forensic ruggedized portable lab for hdd data acquisition and analysis.

Image MASSterTM Wipe PRO

a hard Drive Sanitization Station.

EASEUS Data Recovery Wizard

a hard drive data recovery software to recover data lost from PCs, laptops, or other storage media because of deleting, formatting, partition loss, OS crash, virus attack, etc...Supports large hard disk, can specify recovery file types for precise search results, allows you to preview files before recovering.

PC-3000 Flash

a hardware and software suite for recovering flash- based storage

Sparse File

a type of computer file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty.

When Destruction of Evidence is Imminent

a warrantless seizure of that evidence is justified

Deep Log Analyzer

a web analytics solution for small and medium sized websites

Electronic Storage Device Warrant

allows the first responder to search and seize the victim's computer components such as HW/SW, Storage devices, Documentation

PsLogList

allows users to login to remote systems in situations when current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. It shows the contents of the System Event Log on the local computer and allows formatting of Event Log records.

RSA NetWitness Investigator

collects and analyzes network data in real time to enhance a security team's capabilities to detect and respond to today's advanced threats

Admissible Evidence

acceptable or valid, especially as evidence in a court of law.

Logical Block Addressing (LBA)

addresses data by allotting a sequential number to each sector

chain of custody

administers the collection, handling, storage, testing, and disposition of evidence. It helps to ensure protection against tampering or substitution of evidence

Service Provider Search Warrant

allows first responders or investigators to consult the service provider and obtain the available victim's computer information and Service records, Billing records, Subscriber information

Logcheck

allows system Admins to view log files, which are produced by hosts under their control.

Uuencode

also known as UNIX-to-UNIX encoding or Uuencode/Uudecode, is a utility for encoding and decoding files shared between users or systems using the UNIX operating systems. It is also available for all other operating systems, and many e-mail applications offer it as an encoding alternative, especially for e-mail attachments. While sending e-mails with attachments, if the recipient(s) do not have an MIME-compliant system, the Uuencode should be used to send the attachment as an e-mail note.

Nibble

also known as half-byte or tetrade is a collection of four bits or half of an octet in computing common representation of a byte

Static Analysis

analysis of a program by examining it, but without running it.

Get-GPT

analyze the GUID Partition Table data structure of the hard disk

DBCC LOG

command allows investigators to view and retrieve the active transaction log files for a specific database.

FSUM

command line utility for file integrity verification. It offers a choice of 13 hash checksum functions for file message digest and checksum calculation

Tracks

are concentric rings on the platter that store data; each has smaller partitions called disk blocks or sectors

Clusters

are the smallest accessible/logical storage units on the hard disk

SQLCMD

command-line application that comes with Microsoft SQL Server and exposes the management features of SQL Server. It allows SQL queries to be written and executed from the command prompt. -e is used to echo input -s is used for column separation -E is used for trusted connection

Database Consistency Checker (DBCC)

commands may give the investigator valuable insight into what is happening within the Server system.

ViaExtract ADB

bypass Android passcode

dd(bs)

byte size(usually some power of 2, not less than 512 bytes

HashMyFiles

calculate MD5 hash on one or more files. Can also display MD5 hashes of files or folders

Event Aggregation

called event de-duplication. It compiles the repeated events to a single event and avoids duplication of the same event

Data Recovery Stick

can recover deleted files.

dir

check file space usage to look for sudden decrease in free space

lusrmgr.msc

check for creation of new accounts in administrator group

net use

check if the sessions have been opened by other systems

Platters

circular metal disks mounted into a drive enclosure

The Sleuth Kit

cmd line tools and a C library to analyze disk images and recover files from them.

Internal Attacks

considered as a primary threat, refer to attacks by disgruntled individuals working in the same firm or same household as the victim

HKEY_USERS

contains information about all the currently active user profiles on the computer.

HKEY_LOCAL_MACHINE

contains most of the configuration information for installed software which includes the Windows OS as well, and the information about the physical state of the computer which includes bus type, installed cards, memory type, startup control parameters and device drives.

HKEY_CURRENT_USER

contains the configuration information related to the user currently logged on. Wallpaper, screen colors, display settings, etc..

dd(conv)

conversion options

FileMerlin

converts word processing, xls, ppt, and database files between a wide range of file formats

AccessData FTK

court-cited digital investigations platform that provides processing and indexing up front, so filtering and searching is fast. FTK can be setup for distributed processing and incorporate web-based case management and collaborative analysis.

HashCalc

created MD5 hash for files, text and hex strings; 13 different algorithms

BIOS Parameter Block (BPB)

data at sector 1 in the volume boot record and explains the layout

FTK Imager

data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, network drives. Bit to bit

External Memory

data stored in SD card, MiniSD Card, MicroSD, etc. It stores personal information such as audio, video, and images.

SIM Card Memory

data stored in the SIM card memory like address books, messages, and service-related information.

Service Provider Network (SPN)

defines SIM card Service Provider Mobile Country Code (of a SIM user internationally on a GSM network.

RAPID IMAGE 7020 X2

designed to copy one "Master" hard drive to up to 19 "Target" hard drives

PC-3000 Data Extractor

diagnoses and fixes file system issues, so that the client's data can be obtained

Autopsy

digital forensics platform and gui for other digital forensic tools

fsstat

display details associated with the file system

istat

display details of a meta-data structure(inode)

Pslist.exe

displays basic information about the already running processes on a system, including the amount of time each process has been running. -x details about threads and memory, -t task tree, -d detail, -m memory, -e exact match for process name

PsLoggedOn

displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.

Stat

displays file or file system status

net sessions

displays information about all logged in sessions of the local computer.

readelf

displays information about one or more ELF format object files.

Handle

displays information about open handles for any process. -a all types, -c close, -l sizes, -y no prompt, -s print count, -u username, -p processes, name

net file

displays the names of all open shared files on a server

Reliable Evidence

evidence that possesses a sufficient degree of likelihood that it is true and accurate

Paraben's Email Examiner

examines email formats including Outlook (PST and OST), Thunderbird, Outlook Express, Windows mail and more. It allows to analyze message headers, bodies and attachments. It recovers email in the deleted folders, supports advanced searching, reporting and exporting to PST and other formats and supports all major email types that are stored on local computers for analysis, reporting, and exporting/conversion.

CD File System (CDFS)

file system for the Linux operating system transfers all tracks and boot images on a CD, as normal files. These files can then be mounted (for example, for ISO and boot images), copied, and played. Goal was to unlock information in old ISO images.

JPEG (lossy) compression

file type for images, can achieve 90% compression. The first bits of a file represent the file type and files start with hex value ff d8 ff

Open Files

files that contain data on transactions that have been started, but not yet fully processed

nbstat -na

find if tcp or udp ports have unusual listening

schtasks.exe

find scheduled and unscheduled tasks on the local host

relational analysis

fundamentals of reconstruction - it correlates the actions of suspect and victim

functional analysis

fundamentals of reconstruction - it provides a description of the possible conditions of a crime. It testifies to the events responsible for a crime in relation to their functionalities

Radio Interface

gateway, and network interface: A mobile device communicates with the network operator with some interfaces, such as radio interface, gateway, and network interface, to establish safe and secure communication.

Evidence Documenter

gathers info and documents it from incident occurrence to the end of the investigation.

Hardware Layer

hardware such as a display device, keypad, RAM, flash, embedded processor, and media processor, which are responsible for mobile operation.

Evidence Manager

has all the information about the evidence:name, evidence type, time, source of evidence, etc. manages and maintains a record of the evidence such that it is admissible in the court of law.

Criminal Case

involve actions that are against the norms of society, the burden of proving the accused guilty lies entirely on the prosecution

Nbtstat

helps to troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. -a remote name, -A ip address, -c cache, -n names, -r resolved, -S sessions.

Apache core elements are

http_protocol, http_main, http_request, http_core, a lloc, and http_config.

Mobile Forensics

includes extraction, recovery, and analysis of data from the internal memory, SD cards, and SIM cards of mobile devices. Forensics experts analyze the phone by examining the incoming and outgoing text messages, pictures stored in the memory of the phone, call logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of crimes that involve the use of mobile phones.

Civil Case

involves a plaintiff and defendant, wherein the plaintiff registers the case and is responsible for the burden of proof, while the authority hears both parties and passes the judgement based on the evidence presented

Integrated Circuit Card Identifier (ICCID)

is a 19 or 20-digit unique identification/serial number printed on the SIM to identify each SIM internationally. 89 44 245252 001451548 Industry Identifier Country Issuer ID Individual Account ID

DevCon

is a command-line tool that displays detailed information about devices on computers running Windows operating system. DevCon can be used to enable, disable, install, configure, and remove devices.

PsFile

is a command-line utility that can retrieve the list of remotely opened files on a system and allows investigator to close open files

ProDiscover

is a comprehensive digital forensics software that empowers investigators to capture key evidence from computer systems.

Documentation of the Electronic Crime Scene

is a continuous process during the investigation, making a permanent record of the scene. It includes photographing and sketching of the scene

Forensic Toolkit (FTK)

is a court-cited digital investigations platform built for speed, stability and ease of use. It provides comprehensive processing and indexing up front, so that filtering and searching is fast.

Extensible Storage Engine (ESE)

is a data storage technology from MS to store and retrieve data sequential access. This helps the server to store various files, messages etc. and access folders, text messages, attachments, etc. for email service provision. These files have the extension .edb and can provide valuable case evidences in forensic investigations. The database is in the form of a B-Tree structure and has a hexadecimal file signature.

Ophcrack

is a free GUI driven Windows password cracker based on rainbow tables

PALADIN

is a modified "live" Linux distribution based on the PALADIN Toolbox.

Oxygen Forensic Kit

is a ready-to-use and customizable mobile forensic solution for field and in-lab usage. Allows extraction of data from the device but also creates reports and analyzes data in the field.

LSASecretsView

is a small utility that displays the list of all LSA secrets stored in the Registry on your computer.

Stellar Phoenix Deleted Email Recovery

is a software that safely recovers lost or deleted emails from MS Outlook data (PST) files and Outlook Express data (DBX) files.

Paraben's Chat Stick

is a thumb drive device that will search the entire computer and scan it for chat logs

PMDump

is a tool that lets you dump the memory contents of a process to a file without stopping the process. This tool is highly useful in forensic investigations.

Dalvik Virtual Machine (DVM)

is a type of the Java virtual machine responsible for power management and memory management.

Chain of custody document

is a written record consisting of all the processes involved in the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It also includes the details of people, time and purpose involved in the investigation and evidence maintenance processes.

Kernel for PST Recovery

is able to repair corrupted PST file and recover all email items from them. It successfully fixes errors resulted due to damaged or corrupted PST file, virus attacks, deleted emails, broken PST files, header corruption, disk corruption, errors due to large PST file size and others.

X-Ways Forensics

is an advanced platform for digital forensics examiners. It runs on all available version of Windows. It claims to not be very resource hungry and to work efficiently.

Privacy Eraser

is an anti-forensic solution to protect the privacy of the user by deleting the browsing history and other computer activities. The software implements and exceeds the US Department of Defense and NSA clearing and sanitizing standards, giving you the confidence that once erased, your file data is gone forever and can never be recovered.

TEMPEST

is an unclassified short name referring to investigations and studies of compromising emanation

mysqldump

is command line utility is used to take a backup of the database.

Best Evidence Rule

is designed to prevent any alteration of digital evidence, either intentionally or unintentionally. It ensures that the court is considered only the best evidence related to a specific matter or particular computer crimes

Andriller

is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices.

Data Acquisition

is the first pro-active step in the forensic investigation process. The aim of forensic data acquisition is to extract every bit of information present on the victim's hard disk and create a forensic copy to use it as evidence in the court. In some cases, data duplication is preferable instead of data acquisition to collect the data. Investigators can also present the duplicated data in court.

Root Cause Analysis

is the most complex part in event correlation. During a root cause analysis, the event correlator identifies all the devices that became inaccessible due to network failures

Media sanitization

is the process of permanently deleting or destroying data from storage media. NIST SP 800-88 Guidelines= Clear, Purge, Destroy

BinHex

is the short form for "binary-to-hexadecimal." It is a binary-to-text encoding system used on Mac OS to send binary files via e-mails. This system is similar to Uuencode, but BinHex combines both "forks" of the Mac file system including extended file information.

Mysqldbexport

is used to export metadata or data, or both from one or more databases

18 USC 2252A

law about child pornography

Get-MBR

legacy MBR cmdlet

Attorney

legal advice about the investigation, and legal issues involved in the forensics investigation process

The Sleuth Kit(TSK)

library and collection of command line tools that allow investigating disk images

Master Boot Code

loads into BIOS and initiates system boot process

net start

look for unusual network services

Bypass/reset BIOS password

manufacturer's backdoor password password-cracking software (CmosPwd, DaveGrohl) 20 reset CMOS or remove battery professional service keyboard buffer overload

NTFS(Deleted File)

marks the index field in the MFT with a special code. The computer now looks at the clusters occupied by that file as being empty. Until these clusters are overwritten, the file can be recovered

Media framework

media codecs that allow the record and playback of all the media

18 USC 2252B

misleading domains on internet

ProcDump

monitor applications for CPU spikes and generating crash dumps during a spike so that an administrator or developer can determine the cause of the spike.

dd(skip)

number of blocks to skip at the start of the output

Curriculum vita (CV)

of an expert witness is helpful in qualifying his/her testimony by acknowledging his/her previous professional experiences.

Expert Writer

offers a formal opinion as a testimony in a court of law

Tableau T8-R2 Forensic USB Bridge

offers secure, hw based write blocking of USB storage devices

External Attacks

originate from outside the organization or can be remote in nature. Such attacks occur when there are inadequate information security policies and procedures

FSUTIL

performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume.

Photographer

photographs the crime scene and all evidence. Should have an authentic certifcation

Recycle Bin

place to store files that are marked for deletion. The exception are large files from removable

EnCase Forensic

popular multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process. It also generates an evidence report. EnCase Forensic can help investigators acquire large amounts of evidence, as fast as possible from laptops and desktop computers to mobile devices. EnCase Forensic directly acquires the data and integrates the results into the cases.

Believable Evidence

present evidence in a clear manner to the jury and obtain expert opinions where necessary

18 USC 1361-2

prohibit malicious mischief

Core Java

provides almost all the functionalities stated in Java software edition libraries

ZX-Tower

provides secure sanitization of hard disk

WriteProtect-DESKTOP

provides secure, read-only write-blocking of suspect hard drives.

Phone API

provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS. All phone APIs appear at the application layer.

Cain & Abel

pw recovery for MS OS. Using snigging, dictionary, brute-force, and cryptanalysis attacks. Also record VoIP, decode scrambled passwords, recovery wireless keys, reveal password boxes, uncover cached passwords and analyze routing protocols

Advance Disk Recovery

quick or deep scan for lost or deleted files

Undelete Plus

recover files from Recycle Bin

Recuva

recover lost pictures, music, docs, video, email, or other file type from all types of media

Bad Sectors

refer to the portions of a disk that are unusable due to some flaws in them and do not support the read or write operations. The data stored in bad sectors is not completely accessible. Bad sectors might be due to configuration problems or any physical disturbances to the disk.

Master Boot Record(BPB)

refers to a hard disk's first sector or sector zero that specifies the location of an operating system for the system to load into the main storage

Microsoft Security ID

refers to a unique identification number that Microsoft assigns to a Windows user 22 account for granting the user access to a particular resource.

Administrative Investigation

refers to an internal investigation by an organization to discover if its employees, clients and partners are abiding by the rules or policies. ex Banking, Coperate Fraud SOX

OFFSET

refers to either the start of a file or the start of a memory address

Event masking

refers to missing events related to systems that are downstream of a failed system. It avoids the events that cause the system to crash or fail.

Non-volatile Data

refers to permanent data stored on secondary storage devices, such as hard disks and memory cards.

Volatile Data

refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power is interrupted

The Frye Standard

related to the admissibility of scientific examinations or experiments in legal cases. According to this act, any kind of expert opinion based on scientific techniques is admissible, if the technique involved is acceptable by the relevant scientific community.

ListDLLs

reports DLLs loaded into processes. Processname, Pid, Dllname, -r relocated, -u unsigned, -v version

GUI API

responsible for creating menus and sub-menus in designing applications. It acts as an interface where the developer has a chance of building other plugins.

Bit

short for binary digit, the smallest unit of unit of information on a machine

Byte

short for binary term is a digital information unit of data that consists of eight bits

Process Explorer

shows the information about the handles and DLLs of the processes which have been opened or loaded.

Communication API

simplifies the process of interacting with web services and other applications such as email, internet, and SMS.

HKEY_CLASSES_ROOT

subkey HKEY_LOCAL_MACHINE\Software and contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.

HKEY_CURRENT_CONFIG

stores information about the current hardware profile of the system. It is also a pointer to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CurrentControlSet\HardwareProfiles\Current

FRED

systems are optimized for stationary laboratory acquisition and analysis. It will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives.

Gargoyle Investigator Forensic Pro

t is designed for forensic laboratories, law enforcement, field investigators, advanced private investigators, and enterprise cyber security personnel.

FAT(Deleted File)

the OS replaces the first letter of the deleted filename with E5H. Corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered

Event filtering

the event correlator filters or discards the irrelevant events.

Exhibit Number

the process of tagging evidence with sequential number, which includes case and evidence details

The Daubert Standard

the rule of evidence regarding the admissibility of the expert witnesses' testimony during the federal legal proceedings. The trial judges should analyze the proffered expert witnesses to decide whether their testimony is both "relevant" and "reliable".

Sectors

the smallest physical storage units located on a hard disk platter and are 512 bytes long.

Slack Space

the space left over from the end of the file to the end of the cluster.

encase

the tool allows an investigator to review or process information in a Windows environment

ASCII

the universally recognized raw text format that any computer can understand

IExplore

to bypass iPhone passcode

Tasklist

tool displays the list of applications and services along with the Process IDs (PID) for all tasks that running on either a local or a remotely connected computer.

Netstat

tool helps in collecting information about network connections operative in a Windows system. The most common way to run Netstat is with the -ano switches. These switches tell the program to display the TCP and UDP network connections, listening ports, and the identifiers of the processes (PIDs). -r routing table, -e ethernet stats, -p Protocol Process Information

Cellebrite UFED Cloud Analyzer

tool provides forensic practitioners with instant extraction, preservation, and analysis of private social media accounts -- Facebook, Twitter, Kik, Instagram -- file storage and other cloud-based account content that can help speed investigations.

Mobile network code (MNC)

two-digit network identification number used along with the MCC printed on SIM. It used to identify the SIM user on a mobile phone network.

Electronic Serial Number (ESN)

unique, 32-bit number attached on a chip inside a CDMA phone by manufacturer. There are two formats: 8 bits manufacturer code and 24 bits for serial number OR 14 bits for manufacturer code and 18 bits serial number

ZFS

used by Sun. High storage capacity, data protection, compression, volume management, integrity checks, deduplication, encryption, and auto repair

Swatch Tool

used for monitoring log files produced by UNIX's syslog facility

Nuix Corporate Investigation Suite

used to collect, process, analyze, review, and report evidence

DisableLastAccess - Registry Entry

used to disable the updating of last access time on files, Can invoke using the fsutil command

AutoRuns Tool - Registry Entry

used to identify tasks or programs that run at startup or on a regular schedule

/home

user home directories

R-Drive Image

utility that provides creation of disk image files for backup or duplication purposes.

/var

variable files whose contect is expected to continually change during normal operations of the system - such as logs, spool files, and temporary e-mail files

/proc

virtual filesystem documenting kernel and process status as text files

18 USC 2702

voluntary disclosure of contents to government and non-government entities

Zamzar

web application to convert files

dd(target)

where to write the data

Computer Forensic Tool Testing Project(CFTT)

which establishes a methodology for testing computer forensic software tools for development of general tool specifications, test procedures, test criteria, test sets, and test hardware

ClearPageFileAtShutdown - Registry Entry

will clear the page file at system shutdown; possibly deleting valuable data

Surface Manager

windows owned by different applications on different processes

Capsa

with support for over 300 network protocol

globally unique identifier (GUID)

• 128-bit unique number generated by windows used to identify COM DLLs, primary key values, browser sessions, and usernames

Types of File Systems

• Disk File System-used to store data on disks or other media • Network File System-used to access files on other computers or a NAS. NFS, CIFS, or GFS • Database File System-used to store and manage files stored on a computer or server • Flash File System-stores files or data in flash memory devices • Tape File System-stores data/files on tape in self-describing form; very slow [page 197] • Shared Disk File System-external disk array or SAN accessed by servers or workstations • Special Purpose File System-organizes files during run time and uses them for tasks. UNIX uses this.

Preserving Electronic Evidence

• Document the actions and changes observed on the monitor, system, printer, or other electronic devices • Verify that the monitor is ON, OFF, or in sleep mode • Remove the power cable, depending on the power state of the computer, i.e., ON, OFF, or in sleep mode • Do not turn ON the computer if it is in the OFF state • Take a photo of the monitor screen if the computer is in the ON state • Check the connections of the telephone modem, cable, ISDN, and DSL • Remove the power plug from the router or modem • Remove any portable disks that are available at the scene to safeguard potential evidence • Keep the tape on drive slots and the power connector • Photograph the connections between the computer system and the related cables, and label them • Label every connector and cable connected to the peripheral devices

Computer Forensics Investigation Methodology

• First Response • Search and Seizure • Collect the Evidence • Secure the Evidence • Data Acquisition • Data Analysis • Evidence Assessment • Documentation and Reporting • Testify as an Expert Witness

Microsoft Edge

• Microsoft Edge Cache Location: C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache Cookies Location: C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies History Location: C:\Users \Admin\AppData\Local\Microsoft\Windows\History

The standard order of trial proceedings includes

• Motion in Limine (Motion in Beginning): This is a handwritten list of objections to a certain testimony. It is a special hearing on the acceptability of evidence or restriction of evidence. It is usually done a day or two before the beginning of the trial proceedings. This allows the judge to determine if the evidence should be allowed without the jury's presence. • Opening Statement: An opening statement is important because it offers an outline of the case. • Plaintiff and Defendant: A plaintiff is a person who initiates the lawsuit, claiming for damages; whereas the defendant is the person who is answerable to the plaintiff's complaints or claims. The attorney and the opposing counsel presents the case, explains what, when, where, and how it happened. • Rebuttal Session: The rebuttal session is the cross-examination of the expert witness by both the plaintiff and the defendant. • Jury Orders: The judge educates the jury about the law points related to the case. They can be presented either before or after the closing statements. These are intended to assist the jury with the application of certain specific laws to the details involved in the case, which is then read and approved by the jury. • Closing Arguments: After the presentation of all the evidence, both the plaintiff and defendant have the chance to present the summarized closing statements of the case. The attorney and the opposing counsel can suggest solutions for the case but must leave the verdict to be decided by the jury.

Steps involved in investigating e-mail crimes and violations

• Obtain a Search Warrant • Examine e-mail messages • Copy and print the e-mail messages • View the e-mail headers • Analyze the e-mail headers • Trace the e-mail • Acquire e-mail archives • Examine e-mail logs