MIT School of Computing

Department of Information Technology

Second Year Engineering

23IT1109 - Cyber Security Essentials

Class - S.Y. (SEM-II)

Unit 4: Digital Forensics and Incident Response

AY 2024-2025 SEM-II
 MIT School of Computing
Department of Information Technology

Unit IV - Syllabus

Unit IV – Digital Forensics and Incident Response

Forensic Investigations: Digital evidence acquisition using tools like: FTK Imager, Autopsy.
Techniques: File carving for deleted file recovery, Memory analysis for malware detection.
Incident Response: Practical implementation of disaster recovery plans-Data backup and
restoration. Breach analysis and root cause identification.
Case Studies: Equifax breach response: Steps and tools used in forensic analysis.
 MIT School of Computing
Department of Information Technology

Introduction:

An Overview of the Forensic Investigation Process

 MIT School of Computing
Department of Information Technology

Step One: During identification, the investigator (or investigating team) must identify what
evidence is present on the device, where it is stored, and what format it is stored in.
Step Two: Preservation focuses on isolating the data, securing it, and preserving it, while
creating a copy, or image, that can be analyzed and investigated. This process, also known
as “imaging” a device, preserves the actual evidence in its original form, so it will be
admissible in court.
Step Three: During analysis, the forensic investigator reconstructs the fragments of data
and creates a holistic narrative of what happened during the crime (or other matter being
investigated).
Step Four: During Documentation, the investigator prepares a record of the data to be
presented in court (or in whatever other venue that the investigation is being resolved).
Step Five: In presentation, the investigator uses the documentation to explain the
conclusions they have drawn about the event in question in a compelling manner.
 MIT School of Computing
Department of Information Technology

Introduction to Digital Evidence Acquisition

• Digital evidence refers to any information or data of value to an investigation stored or

transmitted in digital form.
• Proper evidence acquisition is critical for ensuring data integrity and admissibility in legal
proceedings.
• Tools like FTK Imager play a vital role in forensic investigations by allowing forensic analysts to
acquire, preserve, and analyze data.
 MIT School of Computing
Department of Information Technology

FTK Imager Overview

FTK Imager (Forensic Toolkit Imager) is a popular forensic tool developed by AccessData.
It is used to:
• Acquire forensic images of storage devices.
• Verify the integrity of acquired images via hash functions.
• Preview data before acquisition.
• Extract and analyze specific files or partitions.
 MIT School of Computing
Department of Information Technology

Key Features of FTK Imager

• Forensic Image Acquisition:
• Supports multiple image formats (e.g., E01, AFF, RAW).
• Acquires physical (entire drive) or logical (specific partitions) images.
• Data Integrity Verification:
• Uses hash algorithms like MD5 and SHA-1 to ensure the integrity of acquired data.
• Data Preview:
• Allows examiners to preview files and file system structure before acquisition.
• Logical Evidence File Creation:
• Extracts individual files or directories into logical evidence containers.
• Disk Analysis:
• Examines file systems such as NTFS, FAT, and ext.
• Write-blocking:
• Ensures no changes are made to the original evidence during acquisition.
 MIT School of Computing
Department of Information Technology

Steps in Digital Evidence Acquisition Using FTK Imager

• Preparation:
• Ensure a forensic workstation is ready.
• Use a write-blocker to prevent accidental modification of the evidence.
• Document details of the evidence (e.g., make, model, serial number).
• Launching FTK Imager:
• Open the tool and ensure it is configured correctly.
• Connect the storage device to be imaged.

Source : https://www.youtube.com/watch?v=tz26WEvkSpY
https://www.youtube.com/watch?v=sSjVftmelzo
• Creating a Forensic Image:
Select the source (physical drive, logical partition, or directory).
Choose the desired image type (e.g., E01 or RAW).
Specify destination path and name for the forensic image.
Enable verification options (MD5/SHA-1 hashes).
• Verification:
After the imaging process, compare the hash of the source with the image file to confirm
integrity.
• Documentation:
Record all activities, including timestamps, tool versions, and hash values.
Store the forensic image securely with proper chain of custody documentation.
Case Study: Investigation of Unauthorized Data Access in a Corporate Environment
Scenario: An IT manager suspects that an employee, John Doe, has been accessing and
copying sensitive files to a USB drive without authorization. The company wants to
confirm this and gather admissible evidence.
Objective: Use FTK Imager to acquire a forensic image of John's computer and analyze it
for evidence of data exfiltration.
Step-by-Step Procedure Using FTK Imager:
Step 1: Prepare the Environment Install FTK Imager on a clean forensic workstation.
• Ensure you have:
• A write-blocker (if imaging from physical media).
• A storage drive to save the forensic image.
• A chain of custody form.
• Legal approval or warrant (if needed).
Step 2: Launch FTK Imager
Step 3: Select the Evidence Type Choose the source:
• For a live system: Select Physical Drive or Logical Drive.
• For a disk image (if already acquired): Select Image File.
• In this case, we're imaging John’s Logical Drive (C:)
Step 4: Select the Drive to Acquire
Step 5: Choose the Destination and Image Format
Step 6: Start Imaging
Step 7: Mount and Analyze the Image
Step 8: Recover Deleted Files
Step 9: Document Findings
Step 10: Chain of Custody & Reporting
Sample Forensic Report (Using FTK Imager)

A sample forensic report and a timeline template based on our FTK Imager case study of John
Doe. These are commonly used in actual digital forensic investigations.
• Case Title: Unauthorized Access & Data Exfiltration
• Case Number: 2025-CYBER-001
• Examiner: Alex Turner
• Date of Examination: April 10, 2025
• Tool Used: FTK Imager v4.x
• Evidence Number: EVID-JDOE-001
• Evidence Acquisition

Item Description
Device Dell Optiplex 7090 Desktop
Drive Imaged C:\ (System Drive)
Method Logical Drive Acquisition via FTK
Imager
Format E01 (EnCase Image File)
Hash Values MD5: e3b0c44298fc1c14...
SHA1: da39a3ee5e6b4b0d...
Write Protection Live image with verified hashes
Key Findings
a) USB Usage Detected
• setupapi.dev.log file showed insertion of SanDisk USB (Serial: 0A1234BC) on:
• March 28, 2025 at 14:42
• March 30, 2025 at 09:17
b) Copied Files Identified
• FTK Imager shows access to:C:\Users\JohnDoe\Documents\Q1_Financials.xlsx
• C:\Users\JohnDoe\Desktop\Client_List.pdfc)
c) Deleted File Recovery
Recovered deleted file:Confidential_Contract.docx (Deleted on March 30, 2025)d)
d)Internet History
Search queries related to:“how to copy files without leaving a trace”“delete USB logs
windows 10”
Autopsy: Digital Forensic Tool Overview
• Autopsy is an open-source digital forensics platform that simplifies the process of
analyzing digital evidence. It is widely used by forensic examiners, law enforcement,
and cybersecurity professionals for investigating digital crimes and incidents.
• Features
User-Friendly Interface:
Provides an intuitive graphical interface, making it easier for both novices and
professionals to analyze digital evidence.
Multi-Purpose Analysis Capabilities:
Examines file systems, images, and other data structures.
Supports investigation of hard drives, memory dumps, and network traffic.
Keyword Search:
Allows searching for specific terms or patterns (e.g., email addresses, names, or file
File Analysis:
Identifies and categorizes files (e.g., images, documents, archives).
Extracts metadata such as timestamps, geolocation, and file properties.

Deleted File Recovery:

Recovers deleted files from file systems like NTFS, FAT, ext, and HFS.

Timeline Analysis:
Provides a visual representation of events over time (e.g., file access, creation,
modification).
 Use Cases of Autopsy
• Criminal Investigations:
• Analyzes evidence from seized devices to identify illegal activities such as fraud,
cyberbullying, or possession of illicit content.
• Incident Response:
• Investigates system breaches, malware infections, and unauthorized access to corporate
systems.
• Civil Litigation:
• Assists in gathering digital evidence for disputes related to intellectual property theft,
employment law violations, and more.
• Data Recovery:
• Recovers lost or deleted data in cases of accidental deletion or hardware failure.
• Compliance Audits:
• Evaluates digital systems to ensure adherence to organizational and regulatory policies.
File Carving for Deleted File Recovery
• What is File Carving?
• File carving is the process of recovering files or data fragments based on file structure or
patterns without relying on file system metadata.
• Used to retrieve deleted, corrupted, or fragmented files from unallocated space or damaged
storage media.
• How File Carving Works
• File Signature Identification:
• Files typically have unique headers (start) and footers (end).
• Common examples:
• JPEG: Header (FFD8), Footer (FFD9)
• PNG: Header (89504E47), Footer (49454E44AE426082)
• Tools scan for these patterns in raw data to identify files.
• File Size Calculation:
• Some files contain metadata specifying their size, aiding in extraction.
• If no size information exists, tools use the distance between the header and footer.
Applications of File Carving
• Forensic Investigations:
• Recovering evidence from deleted files (e.g., images, documents).
• Data Recovery:
• Retrieving lost files due to accidental deletion or system crashes.
• Cybersecurity:
• Analyzing residual data for traces of unauthorized activities.
Tools for File Carving
• Scalpel: Open-source tool for file carving using pre-configured header
and footer patterns.
• PhotoRec: Specialized in recovering various file formats.
• FTK Imager: Includes limited file carving capabilities.
• Autopsy: Provides file carving functionality as part of its forensic suite.
Challenges in File Carving
• Fragmentation: Difficulty reconstructing fragmented files accurately.
• False Positives: Misinterpreting data patterns as valid files.
• Unsupported Formats: Some proprietary or obscure file types may lack
known signatures.
 Memory Analysis for Malware Detection
• What is Memory Analysis?
• Memory analysis involves examining a computer's volatile memory (RAM)
for forensic evidence, including traces of malware, encryption keys, or
active processes.
• Critical for investigating live systems or analyzing memory dumps.
• How Memory Analysis Works
• Acquiring a Memory Dump:
• Use tools to capture the RAM contents from a live system.
• Popular tools:
• DumpIt: Simple memory acquisition tool.
• FTK Imager: Can acquire live memory.
• LiME (Linux Memory Extractor): For Linux-based systems.
• Parsing the Memory Dump:
• Use a memory analysis tool to parse and extract useful information.
• Examples:
• Active processes
• Network connections
• DLLs or libraries loaded into memory
• Unpacked malware code
 Memory Analysis for Malware Detection
• Identifying Malicious Artifacts:
• Look for unusual or suspicious patterns, such as:
• Processes with anomalous behavior.
• Injected code segments or processes.
• Connections to known malicious IPs.
• Use indicators of compromise (IOCs) to identify threats.
• Dynamic Analysis:
• Analyze decrypted or unpacked malware that only exists in memory (e.g.,
fileless malware).
Applications of Memory Analysis

• Malware Detection:
• Identifying and analyzing fileless malware or obfuscated payloads.
• Incident Response:
• Investigating live attacks and understanding the extent of compromise.
• Threat Hunting:
• Searching for advanced persistent threats (APTs) in memory.
Tools for Memory Analysis

• Volatility:
• Open-source framework for memory forensics.
• Offers plugins for analyzing processes, network connections, and more.
• Rekall:
• Memory forensics framework with robust analysis features.
• Redline:
• Provides a user-friendly interface for investigating memory artifacts.
• Process Hacker:
• Lightweight tool for monitoring active processes and memory.
Challenges in Memory Analysis

• Acquisition Risks:
• Dumping memory may cause artifacts to be lost or overwritten.
• Volume of Data:
• Large memory dumps can be time-consuming to analyze.
• Encrypted or Packed Malware:
• Malware may evade detection by encrypting or obfuscating itself.
Incident Response: Practical Implementation of Disaster
Recovery Plans for Data Backup and Restoration

• Disaster recovery (DR) is a critical aspect of incident response, ensuring

that an organization can quickly resume operations after a disruption.
The data backup and restoration process is a foundational component of
disaster recovery, designed to protect against data loss and ensure
continuity.
Understanding Data Backup and Restoration

• Data Backup
• The process of creating copies of data to protect against loss, corruption,
or unauthorized modification.
• Backup copies are stored in secure locations, such as on-premises
storage, offsite facilities, or cloud environments.
• Data Restoration
• The process of retrieving and reinstating data from backups to restore
normal business operations after an incident.
Key Components of a Disaster Recovery Plan (DRP) for Data Backup

• Risk Assessment and Business Impact Analysis (BIA):

• Identify critical systems and data.
• Evaluate the potential impact of data loss on business operations.
• Backup Strategy:
• Backup Types:
• Full Backup: A complete copy of all data. Time-intensive but ensures comprehensive recovery.
• Incremental Backup: Backs up only data changed since the last backup. Faster but requires
multiple files during restoration.
• Differential Backup: Backs up data changed since the last full backup. Balances speed and
restoration complexity.
• Frequency: Establish backup schedules (e.g., daily, weekly) based on data volatility
and business requirements.
Applications of Memory Analysis

• Backup Storage:
• On-premises (e.g., NAS, external drives).
• Offsite (e.g., secondary data centers, cloud storage).
• Hybrid solutions for redundancy.
• Backup Tools and Technologies:
• Software: Veeam, Acronis, Commvault, Backup Exec, etc.
• Cloud Services: AWS S3, Azure Backup, Google Drive, etc.
• Encryption and Security:
• Encrypt backups to prevent unauthorized access.
• Use secure transfer protocols (e.g., SFTP, HTTPS).
Example Scenario: Ransomware Attack
Incident:
A ransomware attack encrypts critical business data, rendering systems inoperable.
Backup and Restoration Process:
Activate the DRP:
Notify the incident response team.
Isolate infected systems to prevent spread.
Identify Backup:
Locate the most recent, clean backup from before the ransomware encryption.
Restore Data:
Wipe affected systems to remove malware traces.
Restore data and systems from backup to a clean environment.
Verify:
Confirm that restored systems are operational and free of ransomware.
Resume Operations:
Bring systems back online and monitor for anomalies.
Tools for Backup and Restoration
• Enterprise Solutions: Veeam, Acronis, Commvault, Veritas.
• Cloud-Based Solutions: AWS Backup, Azure Backup, Google
Workspace Backup.
• Open-Source Tools: Bacula, Amanda, Duplicati.
 Breach Analysis and Root Cause Identification

Breach analysis and root cause identification are critical steps in

responding to and understanding a security breach. These processes
involve investigating how the breach occurred, determining its impact, and
identifying the underlying causes to prevent future incidents.
Tools for Breach Analysis
• Forensic Tools:
• FTK Imager: Disk imaging and file analysis.
• Volatility: Memory forensics.
• Autopsy: Comprehensive digital forensics platform.
• Log Analysis:
• Splunk: Log collection and analysis.
• ELK Stack (Elasticsearch, Logstash, Kibana): Centralized log analysis.
• Network Monitoring:
• Wireshark: Packet capture and analysis.
• Zeek (Bro): Network traffic analysis.
• Malware Analysis:
• Cuckoo Sandbox: Dynamic malware analysis.
• YARA: Rule-based malware identification.
Example Scenario: Phishing Attack Breach
Incident:
An employee clicks on a phishing email link, providing credentials to attackers.
Breach Analysis:
Detect: Unusual login activity detected on the employee’s account from an unfamiliar IP.
Trace:
Review email headers to identify the phishing source.
Analyze login logs for geolocation and timestamp of unauthorized access.
Analyze Malware:
Investigate if the phishing link deployed malware on the employee’s device.
Root Cause:
Lack of phishing awareness training.
Absence of multi-factor authentication (MFA) for account security.
Mitigation:
Implement MFA across the organization.
Conduct employee training on recognizing phishing attempts.
Deploy enhanced email filtering solutions.
Key Benefits of Root Cause Identification
• Prevents similar breaches in the future.
• Improves overall security posture.
• Helps meet compliance and regulatory requirements.
• Enhances incident response capabilities.
 Case Study: Equifax Breach Response (2017)
• The Equifax breach of 2017 is one of the most significant data breaches
in history, affecting approximately 147 million individuals. This case
provides valuable lessons on incident response and forensic analysis, as
well as the importance of proactive cybersecurity measures.
 Background

• Date of Breach: Discovered on July 29, 2017 (breach occurred from May 13 to July
30, 2017).
• Impact:
• Compromise of personal data including Social Security numbers, birth dates, addresses, and
driver’s license details.
• Credit card numbers of approximately 209,000 individuals exposed.
• Cause:
• Exploitation of a known vulnerability (CVE-2017-5638) in the Apache Struts web application
framework.
• Failure to patch the vulnerability in a timely manner.
Incident Response and Forensic Analysis
1. Initial Discovery and Containment
• Detection:
• Equifax detected suspicious activity on July 29, 2017, when an intrusion
detection system (IDS) flagged abnormal web traffic patterns.
• Immediate Actions:
• The affected web application was taken offline to prevent further access.
• Internal and external incident response teams were activated.
Steps in Forensic Analysis
A. Evidence Collection
Log Analysis:
Reviewed server and application logs to identify unauthorized access and
activity.
Identified anomalous queries and data exfiltration patterns.
Disk Imaging:
Created forensic images of affected servers for detailed offline analysis.
Network Traffic Monitoring:
Captured and analyzed network traffic during and after the breach period to
trace the attacker’s activities.
B. Attack Vector Identification
• Vulnerability Exploitation:
• Forensic analysis determined that attackers exploited a known vulnerability in
Apache Struts (CVE-2017-5638).
• The vulnerability allowed remote code execution, enabling attackers to deploy
malicious commands.
C. Data Exfiltration Analysis
• Data Transfer:
• Tracked the volume and destinations of outgoing data traffic.
• Identified unauthorized data transfers to external IP addresses controlled by
attackers.
D. Malware Analysis Tool Usage:
Analyzed any malicious payloads or tools left by attackers on
compromised systems.
Determined no custom malware was used; the attack primarily relied on
exploiting the unpatched vulnerability.
3. Root Cause Identification
Patch Management Failure:
The Apache Struts vulnerability had been disclosed publicly in March
2017, with a patch available.
Equifax failed to apply the patch to its systems promptly, leaving them
exposed for months.
Tools Used in Forensic Analysis
• Log Analysis Tools:
• SIEM (Security Information and Event Management) systems to aggregate and analyze logs.
• Splunk or similar platforms for querying and visualization of log data.
• Network Forensics Tools:
• Wireshark for packet analysis.
• NetFlow or similar tools for monitoring data flow patterns.
• File Integrity and Disk Imaging Tools:
• FTK Imager for capturing forensic images of affected servers.
• Autopsy for disk and file system analysis.
• Vulnerability Scanners:
• Nessus or Qualys to identify the unpatched Apache Struts vulnerability across systems.
• Incident Detection Systems:
• IDS/IPS solutions to flag anomalous traffic patterns during the breach.
 Response Outcomes
• Mitigation Steps Taken by Equifax
• Patch Deployment:
• Applied patches to all systems using the vulnerable Apache Struts version.
• Network Segmentation:
• Enhanced segmentation to limit lateral movement by attackers.
• Monitoring Enhancements:
• Deployed additional intrusion detection and prevention systems (IDPS).
• Third-Party Forensics:
• Engaged Mandiant (a cybersecurity firm) to assist in forensic analysis and breach mitigation.
• Public Notification:
• Announced the breach publicly on September 7, 2017.
• Consumer Protection Services:
• Offered free credit monitoring and identity theft protection for affected individuals.
Lessons Learned
• Failures Highlighted:
• Delayed Patching:
• Equifax failed to patch the known Apache Struts vulnerability in a timely
manner.
• Weak Asset Management:
• Lack of proper inventory management led to unpatched systems being
overlooked.
• Inadequate Monitoring:
• Existing monitoring systems failed to detect the breach until late in the
attack lifecycle.