Computer Forensics
• The application of computer science and investigative
techniques to computer-based crime.
• It is primarily concerned with the systematic
"identification", "acquisition", "preservation"
and "analysis" of digital evidence, typically
after an unauthorized access to, or unauthorized
use of, a computer has taken place.
• Computer Forensics: The lawful and ethical seizure,
acquisition, analysis, reporting and safeguarding of
data and metadata from digital devices which may
contain the relevant information.
• Digital Forensics: The use of scientifically derived
and proven methods for the preservation, collection,
validation, identification, analysis, interpretation,
documentation and presentation of digital evidence
derived from digital sources.
Role of Digital forensics:
• Uncover and document evidence and leads
• Confirm evidence discovered in other ways (e.g. e-discovery)
• Assist in showing a pattern of events
• Connect the attacking and victim computers
• Reveal an end-to-end path of events leading to a
compromise attempt
• Extract data that may be hidden, deleted or
otherwise not directly available.
Scenarios involved in Digital forensics:
• Employee Internet abuse
• Data Leak & Data Breach
• Industrial spying
• Damage Assessment
• Criminal Fraud and Deception cases
• Criminal Cases
• Copyright violation
Chain of custody
• The basic idea behind ensuring the "chain of custody" is to ensure
that the evidence is NOT tampered with. The recovery and documented
handling of a weapon at a murder scene is the classic example of
chain of custody.
• Chain of custody refers to the chronological record of the custody,
control, transfer, analysis and disposition of physical or electronic
evidence in legal cases. Each link in the chain is essential: if it is
broken, the evidence may be rendered inadmissible. Preserving the
chain of custody is therefore about following a correct and consistent
procedure, and hence ensuring the quality of the evidence.
• Importance of maintaining the Chain of Custody
• Importance to the Examiner:
• To preserve the integrity of the evidence.
• To prevent contamination of the evidence, which can alter its state.
• If you have obtained metadata for a piece of evidence but cannot
extract any meaningful information from it, the chain of custody helps
show where possible evidence might lie, where it came from, who created
it, and the type of equipment used. This lets you generate an exemplar
and compare it with the evidence to confirm the evidence's properties.
• Importance to the Court: If the chain is not preserved, the evidence
submitted in court may be challenged and ruled inadmissible.
• Chain of Custody Process
• To preserve digital evidence, the chain of custody should span from the first step
of data collection through examination, analysis and reporting to the moment of
presentation in court. This is very important to avoid any suggestion that the
evidence has been compromised in any way.
• Data Collection: This is where the chain of custody is initiated. It involves
identification, labeling, recording, and acquisition of data from all possible relevant
sources, in a way that preserves the integrity of the data and evidence collected.
• Examination: During this process the chain of custody information is documented,
outlining the forensic process undertaken. It is important to capture screenshots
throughout the process to show the tasks completed and the evidence uncovered.
• Analysis: This stage builds on the examination stage. Legally justifiable methods
and techniques are used to derive useful information that addresses the questions
posed in the particular case.
• Reporting: This is the documentation phase of the examination and analysis stages.
Reporting includes the following:
– Statement regarding chain of custody.
– Explanation of the various tools used.
– A description of the analysis of the various data sources.
– Issues identified.
– Vulnerabilities identified.
– Recommendations for additional forensic measures that can be taken.
• The Chain of Custody Form
• To prove a chain of custody, you need a form that lists how the evidence was
handled at every step. The form should answer the following questions:
• What is the evidence? For digital information: the filename and hash values
(MD5 and, preferably, SHA-256); for hardware: serial number, asset ID, hostname,
photos, description.
• How did you get it? For example: bagged, tagged, or pulled from the desktop.
• When was it collected? Date and time.
• Who has handled it?
• Why did that person handle it?
• Where was it stored? The physical location in which the item is stored, or
details of the storage used to hold the forensic image.
• How was it transported? For example, in a sealed anti-static bag or in a secure
storage container.
• How was it tracked?
• How was it stored? For example, in a secure storage container.
• Who has access to the evidence? This requires a check-in/check-out process.
• The CoC form must be kept up to date: every time the evidence is handed off,
the chain of custody form is updated.
• Procedure to establish the Chain of Custody
• To assure the authenticity of the chain of custody, a series of
steps must be followed. The more information the forensic expert
records about the evidence, the more defensible the resulting chain
of custody is. Ensure that the following procedure is followed for
electronic devices:
• Preserve the original material.
• Take photos of the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time, and any other information on receipt of
the evidence.
• Load a bit-for-bit (sector-by-sector) clone of the digital evidence
onto the forensic workstation; all analysis is done on the clone.
• Compute cryptographic hashes of the original and of the clone and compare
them to authenticate the working clone; record the hash values on the
chain-of-custody form.
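The last two steps of the procedure in working code. The following Python is an added example, not code from the original page: it hashes an evidence stream with MD5 and SHA-256 in a single pass, verifies a working clone against the original, and writes each action to a chain-of-custody record. The sample "image" bytes, the item ID EV-001 and the examiner names are constructed for illustration.

```python
"""Hash-verify a working clone against the original evidence and record each
step in a chain-of-custody log.  Added example: the sample 'image' bytes,
item IDs and handler names are constructed for illustration."""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images stream through


def hash_stream(chunks, algorithms=("md5", "sha256")):
    """Hash an iterable of byte chunks with every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file on disk (e.g. evidence.dd) without loading it into memory."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(CHUNK), b""), algorithms)


def verify_clone(original_hashes, clone_hashes):
    """The clone authenticates only if every recorded digest matches."""
    return all(original_hashes[a] == clone_hashes.get(a) for a in original_hashes)


def coc_entry(item_id, action, handler, hashes, verified=None, note=""):
    """One chain-of-custody record: what, who, when, and the digests at that moment."""
    return {
        "item_id": item_id,
        "action": action,
        "handler": handler,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": dict(hashes),
        "verified": verified,
        "note": note,
    }


def demo():
    """Acquire, clone, verify; then show that a single flipped byte fails the check."""
    # Constructed stand-in for a disk image (not real evidence).
    original = b"\x33\xc0\x8e\xd0" * 1000 + b"deleted-invoice-fragment" + b"\x00" * 512
    good_clone = bytes(original)
    tampered_clone = original[:-1] + b"\x01"

    original_hashes = hash_stream([original])
    log = [coc_entry("EV-001", "acquired", "Examiner A", original_hashes,
                     note="imaged through a hardware write blocker")]

    ok = verify_clone(original_hashes, hash_stream([good_clone]))
    log.append(coc_entry("EV-001", "working clone verified", "Examiner A",
                         original_hashes, verified=ok))

    bad = verify_clone(original_hashes, hash_stream([tampered_clone]))
    log.append(coc_entry("EV-001", "working clone re-verified", "Examiner B",
                         hash_stream([tampered_clone]), verified=bad,
                         note="mismatch: clone must not be used; re-image from original"))
    return ok, bad, log


if __name__ == "__main__":
    ok, bad, log = demo()
    for entry in log:
        print(entry["action"], "|", entry["handler"], "|", entry["verified"],
              "|", entry["hashes"]["sha256"][:16])
```

On a real case the first record holds the digest reported by the acquisition tool, and every later handler re-hashes with `hash_file` before and after working on the clone. MD5 is still recorded because older forms and tools expect it, but SHA-256 is what actually proves integrity, since MD5 collisions are practical to construct.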
• How can the Chain of Custody be assured?
• Several considerations apply when dealing with digital evidence and the chain of custody. The
most common, globally accepted best practices are discussed below.
• Never work on the original evidence: The most important rule when dealing with digital evidence
is that the forensic expert makes a full (bit-for-bit) copy and performs all analysis on the copy.
This cannot be overlooked: if a working copy is damaged by an error, or a comparison needs to be
made, the untouched original must still be available.
• Ensure storage media is sterilized: The examiner's destination media must be forensically clean
(wiped and verified) before acquisition. Otherwise residue from an earlier case could be mistaken
for evidence, and if the examiner's media carried malware it could spread to the machine being
examined and compromise all of the evidence.
• Document any extra scope: During the examination it is important to document any information
that lies beyond the scope of the current legal authority and to bring it to the attention of the
case agent later. A comprehensive report must contain the following sections:
– Identity of the reporting agency.
– Case identifier.
– Case investigator.
– Identity of the submitter.
– Date of receipt.
– Date of report.
– Descriptive list of items submitted for examination: This includes the serial number, make, and model.
– Identity and signature of the examiner
– Brief description of steps taken during the examination: For example- string searches, graphics image searches,
and recovering erased files.
– Results.
• Consider the safety of the personnel at the scene: It is very important to
ensure that the crime scene is fully secure before and during the search. In
some cases, the examiner may only be able to do the following while onsite:
– Identify the number and type of computers.
– Interview the system administrator and users.
– Identify and document the types and volume of media: This includes removable
media also.
– Determine if a network is present.
– Document the information about the location from which the media was removed.
– Identify offsite storage areas and/or remote computing locations.
– Identify proprietary software.
– Determine the operating system in question.
• The Digital evidence and Digital Chain of Custody are the backbones of any
action taken by digital forensic specialists. In this article, we have examined
the seriousness of the digital evidence and what it entails and how slight
tampering with the digital evidence can change the course of the forensic
expert’s investigation.
• Case study:
• The following is an example of chain of custody involving the recovery
of a gun at a murder scene:
• An officer on the scene points out a gun to the forensics technician
• The technician photographs the gun in place, then picks it up, puts it
into a bag, and labels it
• The technician transports the gun to the lab for testing, including
collecting fingerprints from it
• The technician then logs the gun and any other evidence into the
evidence room, where a clerk carefully logs it in
• The evidence clerk stores the evidence until needed, usually at trial.
• Only people with good reason may look at or access the evidence, and
a careful log is kept
Cyber forensics and Digital evidence
• Cyber forensics can be divided into two domains:
– Computer Forensics
– Network Forensics
Digital evidence differs from physical
evidence:
• Digital evidence is much easier to
change or manipulate.
• Perfect digital copies can be made without
harming the original.
• The integrity of digital evidence can be proven (by hashing the original and the copy).
• Evidence is preserved in image form, i.e. as a bit-for-bit copy of the media.
• There are many forms of cyber crime, each leaving characteristic artifacts:
• Sexual harassment cases: memos, letters, e-mails, obscene chats
• Embezzlement cases: spreadsheets, memos, letters
• Fraud cases: e-mails and chats, spreadsheets, memos, letters
• In cases of computer crime/cyber crime, computer forensics helps.
• Computer forensics experts know the techniques to retrieve data from files listed in a standard
directory search, hidden files, deleted files, deleted e-mail, passwords and login IDs, encrypted
files, and hidden partitions.
• Computer systems have the following sources of evidence:
1. Logical file systems, consisting of
• 1. File system: files, directories and folders, allocation structures such as the FAT
• 2. RAM
• 3. Physical storage media
• (a) Slack space: the unused tail of a file's last cluster, which may still hold data from an earlier file
• (b) Unallocated space: clusters not assigned to any file, where deleted files persist until overwritten
2. User-created files: address books, audio/video files, calendars, database files, spreadsheets, e-mails, Internet
bookmarks, documents and text files
3. Computer-created files: backups, cookies, configuration files, history files, log files, swap
files, temporary files, etc.
4. Computer networks: evidence at the application layer, transport layer, network layer and data link layer.
• The rules for evidence:
• According to the Indian Evidence Act, 1872, "evidence"
means:
1. All statements which the court permits or requires
to be made before it by witnesses, in relation to
matters of fact under inquiry; these are called oral
evidence.
2. All documents produced for the inspection
of the court; these are called documentary evidence.
Digital Evidence
• Contexts for identifying digital evidence:
• Physical context: it must be definable in its physical form, i.e. it
resides on a specific piece of media.
• Logical context: it must be identifiable by its logical position, i.e.
where it resides relative to the file system.
• Legal context: the evidence must be placed in the correct context for
its meaning to be read.
• Figure (text only): Physical context → Media; Logical context → Data; Legal context → Information → Evidence.
Forensics analysis of Email
• Role of Email in Investigation
• E-mail plays a very important role in business communications and has emerged
as one of the most important applications on the Internet. It is a convenient
way to send messages as well as documents, not only from computers but
also from other devices such as mobile phones and tablets.
• The negative side of e-mail is that criminals may use it to leak important
information about their company. Hence the role of e-mail in digital forensics
has grown in recent years. In digital forensics, e-mails are considered crucial
evidence, and e-mail header analysis has become important for collecting evidence
during the forensic process.
• An investigator has the following goals while performing e-mail forensics:
• To identify the main offender
• To collect the necessary evidence
• To present the findings
• To build the case
• Challenges in Email Forensics
• E-mail forensics plays a very important role in investigations, as most
communication in the present era relies on e-mail. However, an e-mail forensic
investigator may face the following challenges:
• Fake Emails
• The biggest challenge in e-mail forensics is the use of fake e-mails created
by manipulating or scripting headers. Criminals in this category also use
temporary e-mail: a service that lets a user receive mail at a temporary
address which expires after a certain period.
• Spoofing
• Another challenge is spoofing, in which criminals present an e-mail as if it
came from someone else. The receiving server records both the forged sender
information and the real originating IP address, so the two must be reconciled
from the headers.
• Anonymous Re-emailing
• Here an anonymous remailer strips identifying information from the message
before forwarding it. This presents another big challenge for e-mail
investigations.
• Techniques Used in Email Forensic Investigation
• E-mail forensics is the study of the source and content of e-mail as evidence, to
identify the actual sender and recipient of a message along with other information
such as the date/time of transmission and the intention of the sender. It involves
investigating metadata, scanning the ports/services of the hosts involved, and
keyword searching.
• Some of the common techniques used
for e-mail forensic investigation are:
• Header Analysis
• Server Investigation
• Network Device Investigation
• Sender Mailer Fingerprints
• Software Embedded Identifiers
• The following sections describe each of these approaches.
• Various approaches that are used for e-mail forensics are:
• Header Analysis: Metadata in the e-mail message in the form of control
information, i.e. the envelope and headers (including headers in the message body),
contains information about the sender and/or the path along which the message
has travelled. Some of these may be spoofed to conceal the identity of the sender.
Header analysis is the detailed examination and correlation of these headers.
• Bait Tactics: In a bait-tactic investigation, an e-mail containing an HTML "<img src>"
tag whose image is hosted on a computer monitored by the investigators is sent to
the real (genuine) address of the sender of the e-mail under investigation.
When the e-mail is opened, the HTTP server hosting the image logs the IP address of
the recipient (the sender of the e-mail under investigation), and the sender is thus
tracked. However, if the recipient is using a proxy server, the proxy's IP address is
recorded instead; the proxy's own log can then be used to track the sender. If the
proxy log is unavailable for some reason, investigators may instead send a bait e-mail
containing (a) an embedded Java applet that runs on the receiver's computer or
(b) an HTML page with an ActiveX object, both aiming to extract the IP address of
the receiver's computer and e-mail it to the investigators. Note that current mail
clients block remote images by default and no longer run Java applets or ActiveX
content, so these tactics are far less reliable than they once were.
• Server Investigation: Copies of delivered e-mails and server logs are
examined to identify the source of a message. E-mails purged from the clients
(sender or receiver), whose recovery is otherwise impossible, may be requested
from the servers (proxy or ISP), as most of them keep a copy of all e-mails
after delivery. Logs maintained by servers can also be studied to trace the
address of the computer responsible for the e-mail transaction. However,
servers keep copies of e-mail and logs only for a limited period, and some
operators may not cooperate with investigators. Further, mail providers that
hold account registration and billing details (such as payment card data) for
the owner of a mailbox can be asked to identify the person behind an e-mail
address.
• Network Device Investigation: In this form of investigation, logs
maintained by network devices such as routers, firewalls and switches
are used to investigate the source of an e-mail message. It is complex and
is used only when the server (proxy or ISP) logs are unavailable for some
reason, e.g. when the ISP or proxy does not keep logs, does not cooperate,
or has failed to maintain a chain of evidence.
• Software Embedded Identifiers: Some information about the creator of the
e-mail, attached files or documents may be included with the message by
the e-mail software the sender used to compose it. This information may
appear as custom headers or as MIME content such as Transport Neutral
Encapsulation Format (TNEF). Investigating the e-mail for these details
may reveal information about the sender's e-mail preferences and options
that helps client-side evidence gathering. The investigation can reveal PST
file names, the Windows logon username, the MAC address, etc. of the client
computer used to send the message.
• Sender Mailer Fingerprints: The software handling e-mail at the server
can be identified from the Received: header fields, and the software
handling e-mail at the client can be identified from headers such as
"X-Mailer" or equivalent. These headers describe the applications and
versions used at the client to send the e-mail. This information about
the sender's client computer helps investigators devise an effective plan
and can prove very useful.
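Header analysis and sender-mailer fingerprinting, as an added example that is not part of the original page. The Python below parses a raw message with the standard library, walks the Received: chain from the origin hop upward, checks that each hop's "from" agrees with the previous hop's "by" and that timestamps do not run backwards, compares the HELO name with the reverse DNS recorded by the receiving server, checks the Message-ID domain against the From: domain, and collects client-fingerprint headers such as X-Mailer. The message, hostnames, IP addresses and the PHPMailer fingerprint are constructed for illustration.

```python
"""Walk the Received: chain of a raw e-mail bottom-up, check hop consistency,
and collect client-fingerprint headers (X-Mailer and friends).  Added example:
the message, hosts and IP addresses below are constructed for illustration."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime

# A constructed phishing-style message: the From: claims a bank, but the origin
# hop has no reverse DNS and the Message-ID was minted on a different domain.
SAMPLE = """\
Return-Path: <billing@example-bank.test>
Received: from mx1.victim.test (mx1.victim.test [192.0.2.10])
    by inbox.victim.test with ESMTP id abc123
    for <cfo@victim.test>; Mon, 06 May 2024 10:15:07 +0000
Received: from mail.example-bank.test (unknown [203.0.113.77])
    by mx1.victim.test with ESMTP id xyz789;
    Mon, 06 May 2024 10:15:05 +0000
Message-ID: <20240506101500.1234@pc-attacker.lan>
X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)
From: "Example Bank" <billing@example-bank.test>
To: cfo@victim.test
Subject: Urgent wire instructions
Date: Mon, 06 May 2024 10:14:59 +0000

Please update the beneficiary account before noon.
"""

# "from <HELO name> (<reverse DNS> [<ip>]) ... by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)
FINGERPRINT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP")


def parse_received(value):
    """Extract the hop fields and the timestamp that follows the final ';'."""
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "time": None}
    m = RECEIVED_RE.search(value)
    if m:
        hop.update(m.groupdict())
    if ";" in value:
        try:
            hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass  # malformed date: leave None rather than guess
    return hop


def analyze(raw):
    msg = message_from_string(raw, policy=default)
    # Every MTA prepends its own Received: line, so reading them in reverse
    # gives the path from the origin (hop 0) to the final mailbox.
    hops = [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]
    flags = []
    for i, hop in enumerate(hops):
        if hop["rdns"] in (None, "unknown") or hop["rdns"] != hop["helo"]:
            flags.append(f"hop {i}: HELO name {hop['helo']!r} not confirmed by reverse DNS {hop['rdns']!r}")
        if i > 0:
            prev = hops[i - 1]
            if prev["by"] != hop["helo"]:
                flags.append(f"hop {i}: 'from' {hop['helo']!r} does not match previous hop 'by' {prev['by']!r}")
            if prev["time"] and hop["time"] and hop["time"] < prev["time"]:
                flags.append(f"hop {i}: timestamp earlier than hop {i - 1} (clock skew or forged header)")

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    msgid_domain = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if from_domain and msgid_domain and msgid_domain != from_domain:
        flags.append(f"Message-ID domain {msgid_domain!r} differs from From domain {from_domain!r}")

    fingerprints = {h: str(msg[h]) for h in FINGERPRINT_HEADERS if msg[h] is not None}
    return {
        "from": from_addr,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "flags": flags,
        "fingerprints": fingerprints,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("claimed sender:", result["from"], "| origin IP:", result["origin_ip"])
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("client fingerprints:", result["fingerprints"])
```

Only the Received: line added by your own mail server (the topmost one) is trustworthy; anything below it was supplied by the sender and can be forged, which is why the checks compare adjacent hops rather than trusting any single one. The origin IP is the one to correlate with server and network-device logs in the next two approaches.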
RFC2822
• This standard specifies a syntax for text messages
that are sent between computer users, within the
framework of "electronic mail" messages. It
supersedes the one specified in Request For
Comments (RFC) 822, "Standard for the Format of
ARPA Internet Text Messages", updating it to
reflect current practice and incorporating
incremental changes that were specified in other
RFCs. (RFC 2822 has itself since been obsoleted by
RFC 5322, which keeps the same basic header syntax.)
• Examples of invalid email
Digital Forensics Life Cycle
• The process model for understanding the seizure
and handling of forensic evidence within a legal
framework. The cardinal rules to remember are
that evidence:
• Is admissible
• Is authentic
• Is complete
• Is reliable
• Is understandable and believable.
Phases of Digital/Computer forensics
• Preparation of Identifications
• Collection of records
• Storing & Transporting
• Examination/Investigation
• Analysis. Interpretation & Attribution
• Reporting
• Testifying
Collection of records
Storing & Transporting
Analysis
• 1.Media Analysis
• 2.Media management analysis
• 3.File system analysis
• 4.Application analysis
• 5.Network Analysis
• 6.Image Analysis
• 7.Video Analysis
Precautions to be taken while collecting
electronic evidence
Network forensics
• Network forensics is a sub-branch of digital
forensics relating to the monitoring and analysis
of computer network traffic for the purposes of
information gathering, legal evidence, or intrusion
detection.
• Unlike other areas of digital forensics, network
investigations deal with volatile and dynamic
information. Network traffic is transmitted and
then lost, so network forensics is often a
proactive investigation.
• Network forensics generally has two uses.
• The first, relating to security, involves monitoring a network
for anomalous traffic and identifying intrusions. An attacker
might be able to erase all log files on a compromised host;
network-based evidence might therefore be the only
evidence available for forensic analysis.
• The second form relates to law enforcement. In this case
analysis of captured network traffic can include tasks such
as reassembling transferred files, searching for keywords
and parsing human communication such as emails or chat
sessions
• Systems used to collect network data for forensics use
usually come in two forms:
• "Catch-it-as-you-can" – This is where all packets passing
through a certain traffic point are captured and written to
storage with analysis being done subsequently in batch
mode. This approach requires large amounts of storage.
• "Stop, look and listen" – This is where each packet is
analyzed in a rudimentary way in memory and only
certain information saved for future analysis. This
approach requires a faster processor to keep up with
incoming traffic.
• Ethernet
• Wireshark is a common tool used to monitor and record network traffic on this layer.
• Such tools capture all data on this layer and allow the user to filter for different events. With them, web
pages, e-mail attachments and other network traffic can be reconstructed, but only if they were transmitted
or received unencrypted. An advantage of collecting this data is that it is directly connected to a host: if,
for example, the IP address or the MAC address of a host at a certain time is known, all data sent to or from
that IP or MAC address can be filtered.
• To establish the connection between IP and MAC address, it is useful to take a closer look at auxiliary network
protocols. The Address Resolution Protocol (ARP) tables list MAC addresses with their corresponding IP
addresses.
• To collect data on this layer, the network interface card (NIC) of a host can be put into "promiscuous mode". In so
doing, all traffic will be passed to the CPU, not only the traffic meant for the host.
• However, if an intruder or attacker is aware that the connection might be eavesdropped on, they may use encryption
to secure it. It is almost impossible nowadays to break the encryption itself, but the fact that a suspect's
connection to another host is encrypted all the time might indicate that the other host is an accomplice of the
suspect.
• TCP/IP
• On the network layer the Internet Protocol (IP) is responsible for directing the packets generated by TCP through
the network (e.g., the Internet) by adding source and destination information which can be interpreted by
routers all over the network. Cellular packet data networks, such as GPRS, use protocols similar to IP, so the
methods described for IP work with them as well.
• For correct routing, every intermediate router must have a routing table to know where to send the packet
next. These routing tables are one of the best sources of information when investigating a digital crime and trying to
track down an attacker. To do this, it is necessary to follow the attacker's packets, reverse the sending route
and find the computer the packets came from (i.e., the attacker).
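The Ethernet and TCP/IP material above in working code, as an added example and not something from the page's source. The Python below parses raw Ethernet II frames with `struct` (ARP, IPv4 and TCP headers), builds the IP-to-MAC table from ARP replies and from the sender fields of IP packets, keeps only a per-frame summary in the "stop, look and listen" manner, and lets traffic be filtered by host. It also flags an IP address seen with two different MAC addresses, which is what ARP spoofing or a cloned host looks like in a capture. The frames, addresses and payloads are constructed in memory; in practice the bytes would come from a pcap file or a NIC in promiscuous mode.

```python
"""Parse raw Ethernet frames, map IP addresses to MAC addresses, and filter
traffic by host.  Added example: frames, addresses and payloads are constructed
in memory (not a real capture); a pcap reader or a NIC in promiscuous mode
would supply the bytes in practice."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, doff, flags, win, csum, urg
ETH_ARP, ETH_IPV4, IPPROTO_TCP, ARP_REPLY = 0x0806, 0x0800, 6, 2


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def build_arp_reply(sha, spa, tha, tpa):
    """'spa is-at sha', addressed to tha.  Used only to construct sample frames."""
    return (ETH_HDR.pack(mac_bytes(tha), mac_bytes(sha), ETH_ARP)
            + ARP_PKT.pack(1, ETH_IPV4, 6, 4, ARP_REPLY,
                           mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))


def build_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal IPv4/TCP frame; checksums stay zero because the parser does not verify them."""
    tcp = TCP_HDR.pack(sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    iph = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                        ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETH_IPV4) + iph + tcp


def parse_frame(frame):
    """Decode Ethernet, then ARP or IPv4 (+TCP), into a flat dict."""
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "etype": etype}
    off = ETH_HDR.size
    if etype == ETH_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, off)
        rec.update(proto="ARP", op=op, sha=mac_str(sha), spa=ip_str(spa),
                   tha=mac_str(tha), tpa=ip_str(tpa))
    elif etype == ETH_IPV4:
        vihl, _, _, _, _, ttl, proto, _, s, d = IPV4_HDR.unpack_from(frame, off)
        ihl = (vihl & 0x0F) * 4                 # honours IP options if present
        rec.update(proto="IPv4", src_ip=ip_str(s), dst_ip=ip_str(d), ttl=ttl, ip_proto=proto)
        if proto == IPPROTO_TCP:
            t = TCP_HDR.unpack_from(frame, off + ihl)
            doff = (t[4] >> 4) * 4              # TCP data offset, also option-aware
            rec.update(sport=t[0], dport=t[1], flags=t[5], payload=frame[off + ihl + doff:])
    return rec


def analyze(frames):
    """'Stop, look and listen' pass: keep a per-frame summary and the IP<->MAC
    associations rather than the full packets.  Returns (arp_table, by_host,
    conflicts); a conflict is one IP seen with more than one MAC."""
    arp_table = defaultdict(set)    # ip -> {mac, ...}
    by_host = defaultdict(list)     # ip -> [(frame_no, src_ip, sport, dst_ip, dport), ...]
    for n, frame in enumerate(frames):
        rec = parse_frame(frame)
        if rec.get("proto") == "ARP" and rec["op"] == ARP_REPLY:
            arp_table[rec["spa"]].add(rec["sha"])
        elif rec.get("proto") == "IPv4":
            arp_table[rec["src_ip"]].add(rec["src_mac"])   # IP sender paired with frame sender
            summary = (n, rec["src_ip"], rec.get("sport"), rec["dst_ip"], rec.get("dport"))
            by_host[rec["src_ip"]].append(summary)
            by_host[rec["dst_ip"]].append(summary)
    conflicts = {ip: macs for ip, macs in arp_table.items() if len(macs) > 1}
    return dict(arp_table), dict(by_host), conflicts


# Constructed sample traffic: a workstation talks to a web server via the gateway,
# then a fourth frame carries the workstation's IP from a different MAC.
GW_MAC, GW_IP = "aa:bb:cc:00:00:01", "10.0.0.1"
PC_MAC, PC_IP = "aa:bb:cc:00:00:05", "10.0.0.5"
ROGUE_MAC, WEB_IP = "aa:bb:cc:00:00:99", "198.51.100.9"
SAMPLE_FRAMES = [
    build_arp_reply(PC_MAC, PC_IP, GW_MAC, GW_IP),
    build_tcp(PC_MAC, GW_MAC, PC_IP, WEB_IP, 51000, 443, b"\x16\x03\x01"),        # TLS: payload opaque
    build_tcp(PC_MAC, GW_MAC, PC_IP, WEB_IP, 51001, 80, b"GET / HTTP/1.1\r\n"),  # plaintext: reconstructable
    build_tcp(ROGUE_MAC, GW_MAC, PC_IP, WEB_IP, 51002, 80, b""),
]

if __name__ == "__main__":
    table, hosts, conflicts = analyze(SAMPLE_FRAMES)
    print("IP->MAC:", {ip: sorted(m) for ip, m in table.items()})
    print("frames involving", WEB_IP, ":", hosts[WEB_IP])
    print("conflicts:", conflicts)
```

The "catch-it-as-you-can" variant is the same loop with every raw frame written to storage before `parse_frame` runs, so the payloads (the plaintext HTTP request here, but not the TLS bytes) remain available for later reconstruction.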
• Encrypted Traffic Analytics
• Given the proliferation of TLS encryption on the internet, as of April 2021 it is
estimated that half of all malware uses TLS to evade detection.[6] Encrypted
traffic analysis inspects traffic to identify encrypted traffic coming from malware
and other threats by detecting suspicious combinations of TLS characteristics,
usually to uncommon networks or servers.[7] Another approach to encrypted
traffic analysis uses a generated database of fingerprints, although these
techniques have been criticized as being easily bypassed by hackers[8][9] and
inaccurate.
• The Internet
• The internet can be a rich source of digital evidence including web browsing,
email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web
server logs can be used to show when (or if) a suspect accessed information
related to criminal activity. Email accounts can often contain useful evidence;
but email headers are easily faked and, so, network forensics may be used to
prove the exact origin of incriminating material. Network forensics can also be
used in order to find out who is using a particular computer[10] by extracting user
account information from the network traffic.
Approaching a Computer forensics
Investigation
• Secure the subject system from tampering and
unauthorized access.
• Take a forensic (bit-for-bit) image of the hard disk.
• Identify and recover all files.
• Access hidden, protected and temporary files.
• Study special areas of the disk (slack and unallocated space).
• Investigate the system settings.
• Consider the other general factors.
• Create a detailed and considered report.
Typical elements addressed in a forensics
investigation engagement contract
• 1.Authorization
• 2.Confidentiality
• 3.Payment
• 4.Consent and Acknowledgment
• 5.Limitation of Liability
Solving a computer forensics case
Network Hacking steps
• Step1: Foot printing
• Step2: Scanning & probing
• Step3: Gaining Access.
• Step4: Privilege escalation.
• Step5: Exploiting
• Step6: Retracting
• Step7: Installing Backdoors
Forensics in Social Networking Sites
• Who posted the offending content?
• Is there a real live person to whom the offending
content can be attributed?
• Can we identify the time frame associated with
posting?
• How much of the offending content exists across
the entire social networking platform?
• Is there any other evidence?
• How accurate is the reported physical location?
Traditional Approach for forensics analysis
Challenges of Computer Forensics
• Technical Challenges: understanding raw data and its
structure
– ASCII
– HTML files
– Windows registry
– Network packets
– Source code
• Techniques for reducing the volume of data to be examined:
1. Identifying known network packets using IDS signatures
2. Identifying unknown entries during log processing
3. Identifying known files using hash databases
4. Sorting files by their types
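Items 3 and 4 of the list in working code, as an added example that is not from the original page. The Python below hashes each file, drops the ones whose SHA-256 is in a known-good set (the role a reference set such as NSRL plays in practice), surfaces the ones in a known-bad set, and sorts the rest by the type their leading bytes declare rather than by extension, flagging any file whose extension disagrees with its content. The "files", both hash sets and the magic-byte table are constructed in memory for illustration.

```python
"""Reduce the volume of files to examine: drop files whose hashes are in a
known-good set, surface those in a known-bad set, and sort the rest by the
file type their content declares (not their extension).  Added example: the
'files' and both hash sets are constructed in memory for illustration."""
import hashlib
import os

# (magic bytes, type) pairs, tried in order.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]
# What the extension claims; any other extension is expected to be "unknown".
EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
            ".zip": "zip", ".docx": "zip", ".exe": "pe", ".dll": "pe"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def content_type(data):
    """Type as declared by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(files, known_good, known_bad):
    """files: {path: bytes}; known_good/known_bad: sets of SHA-256 hex digests."""
    out = {"ignored": [], "hits": [], "review": [], "mismatch": []}
    for name, data in files.items():
        digest = sha256(data)
        kind = content_type(data)
        ext = os.path.splitext(name)[1].lower()
        if digest in known_bad:
            out["hits"].append((name, kind, digest))
        elif digest in known_good:
            out["ignored"].append((name, kind))        # e.g. stock OS binaries
        else:
            out["review"].append((name, kind))         # unknown: needs a look
        if EXT_TYPE.get(ext, "unknown") != kind:
            out["mismatch"].append((name, ext, kind))  # renamed to disguise its type
    for bucket in out.values():
        bucket.sort()
    return out


# Constructed sample "files" (contents are illustrative, not real binaries).
SAMPLE_FILES = {
    "Windows/System32/notepad.exe": b"MZ\x90\x00" + b"\x00" * 64,
    "Users/bob/Downloads/invoice.pdf.exe": b"MZ\x90\x00" + b"\xcc" * 64,
    "Users/bob/Documents/notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 32,
    "Users/bob/Pictures/holiday.jpg": b"\xff\xd8\xff\xe1\x00\x16Exif" + b"\x22" * 32,
    "Users/bob/Documents/readme.txt": b"plain text\n",
}
# Stand-ins for a reference hash set and a malware hash feed.
KNOWN_GOOD = {sha256(SAMPLE_FILES["Windows/System32/notepad.exe"])}
KNOWN_BAD = {sha256(SAMPLE_FILES["Users/bob/Downloads/invoice.pdf.exe"])}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(bucket, items)
```

The hash sets are keyed by content, so a renamed copy of a known file still matches, while the extension check catches the opposite trick: a file whose name hides what it is.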
Challenges of Computer Forensics
• Legal Challenges and Data Privacy Issues
• Identify relevant electronic evidence associated with
violation of laws.
• Identify and articulate probable cause necessary to
obtain a search warrant and recognize the limits
• Locate and recover relevant electronic evidence from
computer systems using tools
• Recognize and maintain a chain of custody
• Follow a documented forensics investigation process.
Special Tools and Techniques
• Most tools rest on the same underlying principles:
– Creating forensic-quality (sector-by-sector) images
of media
– Locating deleted or old partitions
– Ascertaining date/timestamp information
– Obtaining data from slack space
– Recovering or undeleting files
– Performing keyword searches
– Recovering Internet history information
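The slack-space, recovery and keyword-search items above, and the slack/unallocated-space entries in the earlier list of evidence locations, in working code. The Python below is an added example and not a tool from the page: it carves JPEG and PDF files from a raw image by header/footer signature without consulting the file system, so a deleted file whose clusters were never overwritten comes back, and it runs a raw keyword search that also hits residue left in a file's slack. The 16-sector disk image, its file contents and the sector layout are constructed for illustration.

```python
"""Recover deleted files by signature from the unallocated space of a raw image,
and run a keyword search that also reaches slack space.  Added example: the
'disk image' below is constructed in memory; offsets and contents are illustrative."""
import re

SECTOR = 512
# header, footer pairs for the types carved here
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer beyond this size


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Header/footer carving: ignores the file system entirely, so deleted
    files whose data blocks have not been overwritten are recovered."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                pos = image.find(head, pos + 1)   # no footer in range: truncated, skip
                continue
            end += len(tail)
            found.append({"type": kind, "offset": pos, "size": end - pos,
                          "sector": pos // SECTOR, "data": image[pos:end]})
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f["offset"])


def keyword_search(image, keywords, context=12):
    """Raw byte search over the whole image, including slack and unallocated space."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), image):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append({"keyword": kw, "offset": m.start(),
                         "sector": m.start() // SECTOR, "context": image[lo:hi]})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample image of 16 sectors.  Sector 1 holds a live PDF whose slack
# still contains residue of an earlier file; sectors 5-6 hold a JPEG that was
# deleted (directory entry gone) but never overwritten.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Title (wire transfer) >> endobj\n%%EOF"
SAMPLE_SLACK = b"old note: account 4455-1109\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 600 + b"\xff\xd9"


def build_sample_image():
    img = bytearray(16 * SECTOR)
    img[1 * SECTOR:1 * SECTOR + len(SAMPLE_PDF)] = SAMPLE_PDF
    slack_at = 1 * SECTOR + len(SAMPLE_PDF)
    img[slack_at:slack_at + len(SAMPLE_SLACK)] = SAMPLE_SLACK
    img[5 * SECTOR:5 * SECTOR + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for f in carve(image):
        print(f"{f['type']:4} at offset {f['offset']:6} (sector {f['sector']}), {f['size']} bytes")
    for h in keyword_search(image, [b"account"]):
        print(f"keyword {h['keyword']!r} at offset {h['offset']} (sector {h['sector']}): {h['context']!r}")
```

Production carvers add structural validation (for JPEG, walking the segment markers) to reject false positives, and a file-system-aware tool is still needed to say which clusters were allocated when, but the raw pass above is what finds data the file system no longer points to.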
Top tools for Digital Forensics
• The Coroner's Toolkit (TCT)
• EnCase Forensic
• Forensic Toolkit (FTK)
• i2 Analyst's Notebook
• LogLogic
Special Techniques
• Data Mining used in Cyber forensics:
– Entity Extraction
– Clustering Techniques
– Association Rule Mining
Forensics Auditing
• Accuracy
• Authentication
• Integrity
• Non-repudiation
• Accountability
Antiforensics
• Data destruction
• Data hiding
• Data encryption
• Data contraception (avoiding the creation of artifacts on disk in the first place)