Digital forensic

tutorial

MODULE 1
OMPUTER FORENSIC TODA

Cont..
Goal of Forensics Readiness
To collect acceptable evidence without
interfering with the business process
To gather evidence targeting the potential
crimes and disputes impact an
organization
To ensure that evidence makes a positive
impact on the outcome of any legal action
To allow an investigation to proceed at a
cost in proportion to the incident.

Cont..

Cont..
Cybercrime

Cont..

Cont..

Cont..

Cont..

MODULE 02
OMPUTER FORENSICS
VESTIGATION PROCESS

Management Aspects

Build a forensic workstation

Build the investigation Teams.
People involved in computer forensics.
Review polices & laws.
Forensic Laws
Notify decision makers & acquire
Authorization.

Cont..

Cont..

Cont..

Computer forensics investigation methodology

1. Search warrant & search without warrant.
2. Evaluate and secure the scene: forensic photography,
gathering preliminary information at the
scene (date &time, place and location of the
incident, evidence from volatile system &
non volatile system, details of the persons
present at the crime, Name & identification
of the person who can serve as potential
witness.) and
first Responder(first person, evidence and

Cont..
3. 1. Collect the Physical Evidence:o Electronic devices, physical evidence
(Removable media, cables, all computer
equipment, miscellaneous item, items
taken from the trash), detailed
information about the evidence,
o Handled carefully and
o Objects identified a evidence should be
tagged.

Cont..
3. 2. Collect electronic Evidence
List the systems involved incident from systems evidence
can be collected.
Obtain the relevant order of volatility
Record the extent of the systems clock drift.
Collect the evidence from the people who are part of the
incident
Capture the electronic serial number of the drive & other
user-accessible, host-specific data
Write protect and virus check all media to maintain the
integrity of the media

Cont..

4. Secure the Evidence:

o Place the evidence in a secured site
o Maintain the chain of custody to properly track the
evidence.
o Identify digital and non digital artifacts to separate the
evidence according to their behavior.
o Maintain a log book at the entrance to the lab to log in
the timings and name of the person visited.
o Place an intrusion alarm system in the entrance of the
forensic lab.
o Contact law enforcement agencies to know how to
preserve the evidence.
o Evidence management:- Protection, documentation,
evidence transfer and procedures

Cont..

5. Acquire the Data:- Duplicate the data bit by bit to preserve the original
data.
- The duplicated data is sent to the forensic lab for
further analysis.
- The data can be duplicate either through hardware or
software.
- Verify Image Integrity MD5, hashcalc, Md5sum,
etc
- Recover lost or deleted data
- Software's like Recover my files, digital rescue
premium etic.

Cont..
6. Analyze the Data:- Data analysis techniques depends on the scope of
the case or Clients requirements.
- Identify and categorize data in order of relevance.
- Data analysis tools forensic tools help in
sorting and analysis of a large volume of data to
draw meaningful conclusions.
- Example:- accessDatas FTK, Guidance
softwares EnCase forensics, The sleuth Kit,
etc.

Cont..
7. Assess Evidence and Case:o Evidence Assessment:
The digital evidence should be methodically
assessed with respect to the scope of the case to
determine the course of action.
Conduct a methodical assessment by reviewing the
search warrant or other legal authorization, case
detail, nature of the hardware and software,
potential evidence wanted, and the circumstances
surrounding the acquisition of the evidence to be
examined.

Cont..

o Case Assessment:
Review the case investigators request for service
Identify the legal authority for the forensic
examination request.
Document the chain of custody.
Discuss whether other forensic processes need to
be performed on the evidence ( e.g. DNA analysis,
fingerprint, tool marks, trace and questioned
documents)
Determine the potential evidence being required
(e.g.: photographs, spreadsheets, documents,
databases and financial records)

Cont..
Discuss the possibility of pursuing other investigative
avenues to obtain additional digital evidence (e.g.:
sending a preservation order to an internet service
provider (ISP), identifying remote storage locations,
obtaining email).
Consider the relevance of peripheral components to
investigation; e.g: in forgery or fraud cases, consider
non-computer equipment such as laminators, check
paper, scanners and printers(in child pornography
cases, consider digital cameras)
Determine additional information regarding the case :
e.g aliases, email accounts ISP used, names, network
configuration, system logs, passwords which may be
obtained through interviews with the system

Cont..

Cont..
8. Prepare the Final Report
1. Documentations in Each phase
Access the Data
o An initial estimate of the impact of he
situations
o Summaries of interviews with users and
system administrators
o Outcomes of any legal and third-party
interactions
o Reports and logs generated by tools used
during assessment phase
o A proposed course of action.

Cont..
Acquire the Data
o Create a check-in/check-out list of information
such as the name of person examining the
evidence, the exact date and time check out the
evidence and the exact date and time they return
it.
Analyze the Data
o Document the information regarding the number
and type of OS.
o Document the file content.
o Document the result of correlation of files to
installed applications.
o Document the users configuration settings.

2. Gather and organize information (contd)

Cont..

3. Writing the Investigation Report (Contd)

The report should be clear, concise and written for the
appropriate audience.
Information included in the report section is:
a) Purpose of Report clearly explain the objective of
report.
b) Author of report list authors and co-authors,
c) Incident summary introduce the incident &
explain its impact; explain clearly what the incident
was and how it occurred.
d) Evidence descriptions of the evidence that was
acquired during the investigation.

Cont..
e) Detail
o Detailed description of what evidence was
analyze & the analysis method were used &
explain the findings of the analysis.
o List of procedures were followed during the
investigation & any analysis techniques that were
used.
o Include proof of your findings, such as utility
reports & log entries.
f) Conclusion
o Summarize the outcome of the investigation
o Cite specific evidence to prove the conclusion
o The conclusion should be clear and
unambiguous

Cont..
g) Supporting documents
o Include any background information such as
network diagrams, documents that describe
the computer investigation procedures used
and overview of technologies that are
involved in the investigation.
o It is important that supporting document
provides enough information for the report
reader to understand the incident as
completely as possible.

Cont..
9. TESTIFY AS A EXPERT WITNESS
An expert witness is a person who has a thorough
knowledge of a subject & whose credentials can
convince others to believe his or her opinions on that
subject in a court of law.
The role of an Expert Witness
Investigate a crime.
Evaluate the evidence.
Educate the public and court.
Testify/give evidence in court.

MODULE 03
SEARCHING AND SEIZING COMPUTER
1.Searching and seizing computer without
a warrant.
2.Searching and seizing computer with a
warrant.
3.The Electronic Communications privacy
Act.
4.Electronic Surveillance in
communication Network .
5.Evidence.

Module 04
Digital Evidence

Digital Evidences is found in files such

as:Graphics files
Audio and video recording and file
Internet browser histories
Server logs
Word processing and spreadsheet files
Emails
Log files

Increasing Awareness of Digital Evidence

Government organizations are paying attention in
using digital evidence to identify terrorists activities
and prevent future attacks
Many organizations are taking into account the legal
remedies when attackers target their network and
focus on gathering the digital evidence in a way that
will hold up in court.
Businesses are facing the need for gathering evidence
on their networks in reply to computer crime.
As a result, there is a greater expectation that
computer forensic investigators have complete
knowledge of handling digital evidence.

Challenging Aspects of Digital Evidence

Forensics investigators face many challenges while
preserving the digital evidences:It is chaotic form of evidence and critical to handle it
correctly.
During the investigation it can be altered maliciously
or unintentionally without leaving any traces
Circumstantial which makes it difficult for a
forensics investigator to trace the systems activity.
It is an abstraction of some events, the resulting
activity creates data remnants that gives an
incomplete view of the actual evidence.

Characteristics of digital Evidence

Believable Evidence must be clear and understandable
by the judges
Reliable there must be no doubt about the authenticity or
veracity of the evidence.
Admissible Related to the fact
Authentic Evidence must be real and related to the
incident in the proper way.
Complete evidence must prove the attackers actions or
his innocence.

Fragility of Digital Evidence

Digital evidence is fragile or damage in nature.
After the incident, if a user Writes any data to
the system, it may overwrite the crime evidence.
During the investigation of the crime scene, if the
computer is turned off, the data which is not saved
can be lost permanently.
If the computer is connected to the internet, the
person involved in the crime may delete the
evidence by deleting the log files.

Anti-digital forensics
Overwriting data and metadata(wiping).
Obfuscation of data intended to confuse the forensic
analysis.
Exploitation of bugs in forensic tools forensic
imaging and analysis tools are programmed to misread
the files.
Hiding data (steganography, cryptography and lowtech methods) through low tech methods, data or
information is hidden from an examiner.

Type of Digital Data

Volatile Data
Non-volatile Data
Transient Data such as open network connection,
user logout, programs that reside in memory and
cache data.
Fragile Data information that is temporarily saved
on the hard disk and can be changed.
Temporarily accessible Data like encrypted file
system information
Active Data using the current system
Archival Data archival data manages data longterm storage & maintains records.
Backup Data copy of the system data.
Residual Date when ad document is deleted is
called residual data.

Rule of Evidence
Prior to the investigation process, it is
important that the investigator understands
the rules of evidence.
Rules of evidence govern whether, when,
how and for what purpose proof of a case
may be placed before a trier of fact for
consideration.
The trier of fact may be a judge or a jury,
depending on the purpose of the trial and
the choices of the parties.

Electronic Devices:Types and collecting potential evidence

Dongle copy protection software ported with device
Biometric Scanner
Smart car contains a microprocessor with stores encryption key
or password and digital certificate.
Answering Machine Evidence found in voice recordings such as: Deleted messages, last number called, Memo, Phone numbers,
Tapes
Digital camera Evidence is found in:
Images, removable cartridges. Video, sounds, Time and date
stamp
Handheld devices Evidence found in address book, appointment
calendars or information's, documents, emails, handwriting,
passwords, phone books, text messages and voice messages.
Modem Evidence is found on the device itself

Cont..
LAN Evidence is found on MAC
Routers, Hubs, and switches:
Router evidence is found in the configuration files.
Hubs and switches Evidence found on the devices themselves.
Network cable and connector evidence is found on the devices
Server evidence found on the computer systems.
Pager : It is a handheld and portable electronic device for sending and
receiving electronic messages that may be in the numeric form or
in alphanumeric form.
It contains Volatile evidence such as address information, text
messages, e-mails, voice messages and phone numbers,
Printer: Evidence is found through usage logs, time and date information
and network identity information, ink cartridges, and time and
date stamp,

Cont..

Removable storage device and media

Scanner
Telephone
Copier documents, user usage loges, Time and
date stamps
Credit Card Skimmers card expiration date,
users address, credit card numbers, users name
Digital watches address book, Notes,
Appointment calendars, phone numbers, emails
Facsimile (FAX) machines document, phone
numbers, film cartridge, send or receive logs.
Global positioning systems(GPS) previous
destinations, way points, routes, travel Loges.

Digital Evidence Examination process

Evidence Assessment
Evidence Acquisition
Evidence preservation
Evidence Examinations and analysis
Evidence Documentation and Reporting

Evidence Examination and Analysis

Examination:
Prepare working directory on separate media to evidentiary files and
data can be recovered and/or extracted.
Extraction have two types:- Physical and Logical Extraction
Physical extraction phase identifies and recovers data across the
entire physical drive without the file system.
Logical Extraction phase identifies and recovers files and data
based on the installed Operating system, file systems and
Applications.
Analyze:
Host data includes information about the OS and applications components
clock draft information, any data loaded into the host pc see if whether any
malicious application or processes are running or scheduled to run.
Storage Media offline info, data encryption was used, uncompressed any
compressed files, identify files of interest, metadata of files of interest, search
the contents of all gathered files, examine the registry the database that contain
windows configuration information,
Network Data Network service Loges, Firewall, Packet sniffer Logs

Cont..
Analysis of Extracted Data
Timeframe analysis
Date and time stamp contained in the file system metadata
(i.e. last modified, last accessed, created, changed, etc.)
Reviewing the system and application logs that present ,
these may included error logs, installation logs, connection
logs, security logs etc.
Data hiding analysis detecting and recovering such data
Data hiding analysis methods
1. Correlating the file headers to corresponding file
extensions to Identify any mismatches.
2. Presence of mismatches may indicate that the user
intentionally hid the data.
3. Gaining access to all password-protected, encrypted ,
and compressed files,
4. steganography

Cont..

Application and file analysis

Analyzing metadata, user-configuration setting,
examining user default storage location, reviewing
file name, examining the files content, identifying
the files with the installed application, identifying
unknown file types, relationships between files;
Ownership and possession identify the individuals
who created, modified or accessed a file, ownership
and knowledgeable possession of the questioned data
based on the analysis described including one or more
of the following factors:- particular date and time, non
default location, evidentiary value, deliberate attempt
to avoid detection, passwords themselves may indicate
possession or ownership, contents of a file

Evidence Examiner Report includes the following:

Take notes when discussing with the case

investigator.
Preserve a copy to the search authority and
chain of custody documentation.
Write detailed notes about each action taken.
OS name, software, and installed patches
Any irregularities encountered document
during the examination.
Date, time, complete description & result of
each action taken.

Electronic crime and Digital Evidence

consideration by Crime category

1. Online Auction fraud

2. Child Exploitation/Abuse
3. Computer Intrusion
4. Death Investigation
5. Gambling
6. Extorting
7. Economic fraud (Including online fraud and
counterfeiting).
8. Email Threats/harassment/ Stalking
9. Identity Theft(Hardware and software tools,
Identification Templates, Internet Activity related to
ID Theft & Negotiable Instruments).
10.Narcotics and prostitution

Cont..

Cont..

Cont..

8
6

9
9.
1

9.
2

Cont..
9.
3

9.
4

Cont..

1
0
10.
1

10.
2

Cont..

1
1

1
2

Chapter 5
First responder
First responder :
a person who arrives first at the crime scene and
accessed the victims computer system after
incident.
He/ she may be network administrator, law
enforcement officer or investigation officer

Roles of first Responder

Identify the crime scene.
Protecting the crime scene.
Preserving temporary and fragile evidence.
Collecting the complete information about
the incident.
Documenting all the findings
Packaging and transporting the electronic
evidence.

Evidence collecting Tools and Equipment

Cont..
3

Cont..
5

Conducting preliminary interview

Conducting Preliminary Interviews

Interviews and identify all persons(witnesses and

others) collect information from individuals like:
Owners or users of electronics devices found at the
scene.
User name and internet service provider
Passwords required to access the system, software or
data.
Purpose of using the system.
Automatic applications in use.
Unique security schemes or destructive devices.
Web mail and social networking website account
information
Any offsite data storage.
Documents explaining the hardware or software

Module 6
Computer forensic Lab

7
Understanding Hard disks
& File systems
Module

1.Hard disk drive overview

2.Disk partition and boot processing
3.Understanding file systems
4.RAID storage system.
5.File system analysis using the
Sleuth kit (TSK)

Disk drive overview

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Disk partitions and

Boot process

Understanding file systems

Cont..

RAID storage system

Cont..

Cont..

Cont..

Cont..

Cont..

Cont..

Module 8:
Window forensics

Cont..
Collecting volatile information

Cont..

1. System time :- D:\>date /t & time /t

2. Logged-On users :- Tool and commands PsLoggedOn, net sessions, Logon
Sessions.
Syntax: psloggedon [-] [-1] [-x] [\\computername | username]

example:- c:\>c:\users\...\Desktop\windows forensics

tools\psloggedon.exe

syntax: c:\>net sessions and/or

c:\users\hackers\Desktop\logonSessions>logonsessions.
3. Open files collect the information tools and commands:
1. Net file command, PsFile utility and openfile command
Syntax: net file [ID [/close]], eg:- c:\>net file
Syntax: psfile [\\RemoteComputer [-u Username [-p password]]], eg:
c:\>psfile.
Syntax: openfiles /parameter [arguments], eg: openfies /disconnect,
openfiles /query, openfiles /Local01.

Cont..
4.

Network information collection

NetBIOS name table cache maintains a list of connection made to other
systems using NetBIOS.
Syntax: c:\>Nbtstat [ [-a RemoteName] [-A IP address] [ c] [-n] [-R] [RR] ]-s] [-S] [interval]]
Example: c:\>NBTSTAT -c

5. Network connection collect information

This allows you to locate Syntax: c:\> Netstat ano to display TCP &
UDP, eg: c:\>netstat ano and c:\>Netstat r to displays the routing
table and shows the presistent routes enabled on the system.
o. Logged attacker
o. IRCbot communication internet relay and chat
o. Worms logging into command and control server

Cont..

6. Process information collection:

Using task manager
Tasklist It provide output formatting table, CSV and list
formats
Syntax: c:\>tasklist /v
Pslist diplay basic running processes information on a system
Syntax: c:\>c:\users\...\Desktop\windows forensic tools\ps
tools\PsList.exe or c:\pslist -x
Listdlls shows the modules or DLLs that are in use by a
process and actual code that is used.
Syntax: c:\>c:\users\...\Desktop\windows forensic tools\ps
tools\ListDLLs.exe
Handle shows information about the openfiles, ports, registry
and threads
Syntax: c:\>handle [[-a] [-u] | [-c <handle> [-y] | [-s] [-p
<process name>|<pid>> [name].
c:\>c:\users\...\Desktop\windows forensic tools\ps
tools\PsList.exe

Cont..
7. Process-to-port Mapping
Netstat command
Syntax: c:\>netstat o to display the process ID of the
process.
Fport reports all open TCP/IP and UDP ports and maps
them to the owning application
Syntax: c:\> c:\users\...\Desktop\windows forensic tools\ps
tools\Fport.exe
8. Process Memory:- running processes could be suspicious or
malicious in nature, to gather information use tools such as
pmdump, process Dumper, userdump, etc.
Syntax: c:\> :\> c:\users\...\Desktop\windows forensic tools\ps
tools\userDump.exe

Cont..

9. Network Status collect about the status of the network

interface cards(NIC) whether the system is connected to the
wireless access point and what IP address is being used.
Tools the network status detection are:
Ipconfig command Ipconfig.exe is a utility native to
windows systems that displays information about NIC.
Syntax: c:\>Ipconfig /all
PromiscDetect tool detects if the NIC is in
promiscuous mode.
Syntax: c:\> c:\users\...\Desktop\windows forensic
tools\ps tools\PromiscDetect.exe.
Promqry tool run against remote systems to
determine the active network interfaces.
Syntax:c:\> c:\users\...\Desktop\windows forensic
tools\ps tools\Promqry.exe

Cont..

10. Other Important information

Clipbord contents area of memory where data can be stored for future use
and Data found in the clipboard such as information or intellectual property
theft, fraud, or harassment.
Free clipboard Viewer 2.0
Service/Driver information when the system starts, services and drivers are
started automatically based on entries in the registry. Not all the services are
installed by the user/system admin, some malware installs itself as a service or
system driver, check service/device information for any malicious program
installed.
Syntax: c:\>tasklist /SVC
Command history
Use the doskey /history .
Syntax:c:\>doskey /history
Mapped Drives drives could be mapped with malicious intent
Shares Gets the information regarding the shared resources
Key_LOCAL_MACHINE\System\currentControlSet\Services\lanmanser
ver\Shares key

Collecting
Non-volatile information

1. Examine File system

Run DOS command prompt dir /o:d under c:%systemroot
%/system32>
Enables the investigator to examine time and data of installation of
OS, service packs, patches, and subdirectories that automatically
update
2. Registry settings Use Reg.exe command. Some important
Registry values that need to be noted:
ClearPageFileAtShutdown registry value tells the operating
system to clear the page file when the system is shut down and
page file remains on the hard drive. This can be IM
conversations, decrypted passwords and other strings & bits.

Cont..
DisableLastAccess windows has ability to disable
updating of the last acces times on files. On windows
2003
HKEY_LOCCAL_MACHINE\System\currentcontrolse
t\control\filesystem\disablelastacess value to 1 and in
window xp & 2003 setting can be queried or enabld via
the fsutil command
AutoRuns registry are referred as autostart locations
to automatically start applications. This application is
start when the system boots, user logs in and the user
takes a specific action. Collect information from specific
keys and values with the help of reg.exe or autoruns
tools,

Cont..
Microsoft security ID the path of access ID is :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\win
dows NT\currntversion\profileList and Magical jelly
Bean keyfinder reveals window 7 cd-key
Event Logs choose which data have to be collected
depending on the instance that occurred. To retrieve the
event records use psloglist.exe and copy .evt files from the
system.
Index.dat file is used by internet Explorer web browser
as an active database. It is a repository of redundant
information, such as visited web URLs, search queries,
recently opened files, and form auto-complete information.
Separate index.dat files exist for the internet Explorer
history, cache and cookies.

Cont..
3. Devices and other information collect non-volatile

information from hard drive installed in the system

Use the DevCon tool to document devices that are attached
to windows system
Syntax: DevCon resources =ports and DevCon listclass
usb 1394
Example: c:\devcon\i386>devcon resources =ports or
c:\devcon\i386>devcon listclass usb 1394

Slack Space :
refers to portions of a hard drive,
non-contiguous file allocation leaves more trailing
clusters leaving more slack space
DRIVESPY tool collects all the slack space.
Virtual memory :
It is logical memory to use a large range of memory
Can be scanned to find out the hidden running process.
Use X-ways forensic tool to scan virtual memory

Cont..

4. Swap File is a space on a hard disk used as the virtual memory

extension of a computer s RAM.
Contains information about:
Files opened and their contents, websites visited, online
chats, emails sent and received
On windows, the swap file is a hidden file in the root
directory called pagefile.sys
The registry path of swap file is:
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset
\control\Session on manager\memory management.
5. Windows Search Index :- maintains a record of any document
or application on the pc.
It maintains email messages, calendar events, contacts and
media files store on the PC.
By default windows search indexes only contents of each
users Documents and Favorites
Use passware search index examiner

Cont..
7. Collecting hidden partition information:
Hidden partition is a logical section of a disk which is not accessible to the
operating system.
Hidden partition may contains files, folders, confidential data or store backup
Tools like Partition Logic helps to collect information from hidden partition.
Partition ligic can create, delete, erase, format, defrag. Resize, copy and move
partitions.
8. Hidden alternate data stream (ADS ): User can hide data in alternate data streams.
ADS can created by running command like notepad visible.txt:hidden.txt
Use more<visible.txt:hidden2.txt> newfile.txt command to copy the ADS
information into new file.
Use tools streamArmor

Cont..

9. Web browser cache, cookies and Temporary Files

Web browser cache
It allows users to cache the contents of web pages locally
to speed future access to regularly visited sites.
Download content remains on the hard drive until deleted.

Data remain in the unallocated space of the hard drive

even after the cache is deleted.
Cookies
Small packages of data to track, validate and maintain
specific user information
May have an expiration date at which the browser deletes
them
Without expiration date cookies are deleted at he end of a
user session.
User may also delete cookies data.
After deleting cookies, data may remain in the
Unallocated space of the hard drive.

Cont..
Temporary Files
These files are created by a program when it
cannot allocate enough memory for the tasks or
when the program is working on large set of
data.
In general when a program terminates, temp
files are deleted, some program create temp
files and leave them behind

Windows memory analysis

1. Memory Dump: memory dump file records information that help to

identify the reason why the computer stops
unexpectedly includes all information regarding stop
messages, stopped processor and a list of loaded
drivers.
Kernel memory dump: gets created in the %systemroot
% folder as memory dump file by default.
Memory Dump gets under startup and recovery dialog
box.
Eprocess structure forensic tool to forensic investigation
Eprocess contents can view Microsoft debugging
tools and LiveKD.exe
Dt a b v EPROCRSS to view all the content of
the Eprocess block

Cont..

Collecting process memory

Available in a RAM dump file tools are:
Dmpdump.exe
Process dumper (pd.exe)
Userdump.exe
Adplus.vbs script
Use debugging tools to analyze the dump files.
Other helpful tools includes:
BinText extract ASCII, Unicode and
resource strings from the dump file.
Handle.exe39 provide a list of handles that
opened by the process.
Listdlls.exe40 show full path and module
loaded by a process.

Windows Registry analysis

Cont..
Role in the registry function of the system:
1. HKEY_USERS : contains all the actively loaded user profiles.
2. HKEY_CURRENT_USER : It is the active, loaded user profile for the currently
logged on user.
3. HKEY_LOCAL_MACHINE : contains a vast array of configuration information of
hardware and software setting .
4. HKEY_CURRENT_CONFIG : contain the hardware profile information used during
startup.
5. HKEY_CLASSES_ROOT : contain configuration information relating to
application is used to open various files on the system.

Windows
file
analysis
1. Recycle bin it allows user to retrieve and restore files.

It is renamed using : D<original drive letter of file> <#>.<original

extension> when a file is moved to the recycle bin.
A record is added to the INFO2 file within the directory.
System Restore points (Rp.log files) the restore point log file
located
System Restore points(change.log.x Files) located in the restore
point directories.
2. Prefetch File
the cache manager checks hard page faults and soft page faults .
It is written to a .pf file in the windows\prefetch directory.
The registry key path:
HKEY_LOCAL_MACHINE\SYSTEM\controlset00x\control\ses
sion manager\memory management\prefetchparameters. Value
tells which form of prefetching the system :
0 : prefetching is disabled
1 : Application prefetching is enabled
2 : boot prefetching is enabled
3: Both application and boot prefetching are enabled

Cont..
3. Shortcut Files the files with the extension .lnk. It is created on the system in
the recent folder and it provides information about files or network shares.
4. Word document compound document based on the Object Linking and
Embedding (OLE) technology. Use wmd.pl and oledmp.pl scripts to list OLE
streams.
5. PDF document portable document format files can contain metadata, use
pdfmeta.pl and pdfdmp.pl scripts to extract metadata form pdf files.
6. Image Files like JPEG contain the photographers information such as location
where the picture was taken. Use tools such as Exifer, IrfanView and the
Image::MetaData::JPEG perl module to view, retrieve and modify metadata
embedded in jpeg image file.
7. File signature Analysis collecting information from the first 20 bytes of a file
helps to determine type and function of the file. Use prodiscover tools for file
signature analysis.

Executable File analysis:

1. Static Analysis
Collecting information without actually running or
launching the file under any circumstances.
2. Dynamic analysis
Involves launching an executable file in a controlled and
monitored environment so that its effects on system can be
observed and documented
Steps of documentation before Analysis :
1. Full path and location of the file.
2. MAC timestamp
3. The system information where file was stored
The operating system and version
File system
User accounts
IP address
4. Any references to that file within the file system or registry
5. Details about who found it and when

Cont..

Static Analysis process:

1. Scan the suspicious file with antivirus software such

as Norton, AVG, McAfee
2. Search for strings run suspicious files through
tools such as strings.exe and BinText to extract all
ASCII and Unicode strings
3. Analyze PE Header use Peview tool to view the
PE(portable executable) header. A file signature of
the PE file consist of 64 byte structure called the
IMAGE_HEADER. This structure are the first 2 byte
and last DWORD(e_lfanew) value that refers to the
address of the new EXE header. e_lfanew value is
defined in the ntimage.h header file

Cont..

4. Analyze Import Tables

information about DLLs and function accessed by the
executing program is needed for OS.
This information is maintained in the import table and
the import address table of the executable file.
Use the Dependency Walker tool
Collect the networking code from the import table of
the DLLs.
5. Analyze Export Tables
DLLs provide functions that other executable files can
import.
DLLs maintain a table of functions available in their
export table.
Collect the information about chained or cascading
DLL dependencies with the help of tools like
dependency walker.

Cont..

Dynamic Analysis process:

Steps in dynamic analysis process:
1. Creating Test Environment.
Run the malware to be tested on a different system
Do not connect the test system to the victim system through
the network.
Reinstall OS after each test.
Work on the visual platform.
Use virtualization tools such as Bochs, parallels, Microsoft's
virtual PC, vmware
2. Collecting information using Tools
Use network sniffer tools such as wireshark to know network
connectivity information.
3. Process of Testing the Malware.
Ensure that all monitoring tools are updated and configured
properly.
Create log storage location.
Prepare malware to be analyzed.
Enable real-time monitoring tools.

Metadata

Metadata refers to data about data, It describes how and when

and by whom a particular set of data was collected and how the
data is formatted. Tool Metadata analyzer
It is important to collect the data as it gives the information
about:
Hidden information about the document.
Who tried to hide, delete or obscure the data.
Correlated documents from different sources.
Type of Metadata
Descriptive Metadata
Discovery and identification includes the information
such as title, abstract, author and keywords.
Structural Metadata
Information that facilitates the navigation and
presentation of electronic resources
Administrative Metadata
Manage a resource such as when and how it was created

Cont..

Event Logs:
Event logs record a variety of day-to-day events that
occur on the windows system.
The Registry key maintains the event log
configuration:HKEY_LOCAL_MACHINE\SYSTEM\currentcotrol
set\services\Eventlog
Vista uses a XML format for storing events
Use wevtutil command to retrieve information
about the windows Event Log.
C:\>wevtutil el to display a list of available
Events logs on the system
C:\>wevtutil gl log name to list configuration
about a specific event log. Example: c:\>wevtutil gl
system or C:\>wevtutil el

Cont..

IIS Logs:
The IIS web server logs are maintained in the %winDir
%\system32\Log file directory.
The log files are ASCII text format which implies that they
are easily opened and searchable.
Access the console by choosing:
Start Run type either iis.msc or inetmgr
Start control panel Administrative Tools Internet
Services Manager
Search the logs that are created daily and stored in the
format exyymmdd.log, where:
Yymmdd stands for year, month and day
Ex refers to the extended format.
Each file name of the log is prefixed with the following
letters:
C = client actions
S = server to server actions
Sc = server to client actions

Cont..

Parsing FTP Logs:

FTP stands for File Transfer Protocol
FTP logs are stored in:
%winDir
%\System32\LogFiles\MSFTPSVC1\exyymmdd.lo
g
Parsing DHCP Server Logs
When a DHCP Server is providing the service and
listening for requests on the network, a requesting host
requests an IP address.
DHCP service activity logs are stored in the following
location by default:
C:\%SystemRoot%\System32\DHCP
Logs are stored on a daily basis in the following
format:

Cont..
Parsing windows Firewall Logs
The firewall logs are present in the %systemRoot
%\pfirwall.log
The path and name setting of firewall log are
stored in the objects.data file.
Using the Microsoft Log parser
Use log parser tool to extract log files, xml files
and csv files
The command used for the log parser is :
Logparser.exe o:DATAGRID select * from
system

Module 9

Data Acquisition and duplication

1. Data acquisition
1. Static acquisition
Acquiring non-volatile data from Power off or
shutdown system such ah hard drives, CD-ROM, USB,
etc.
2. Live acquisition
Acquiring volatile data from running computer such as
registries and RAM
2. Data Duplication
. Preserves the original evidence
. Evidence can be duplicated with no degradation from copy
to copy.

Cont..

Data Acquisition Formats:

1. RAW Format
Fast data transfers
Can ignore minor data read error on source drive
Might not collect bad sectors on the source drive
2. Proprietary Format
Ability to split an image into smaller segmented
files.
Save space on the target drive
File size limitation
3. Advanced Forensics Format(AFF)
No size restriction for disk-to-image
Open source for multiple computing platforms and
OSes

Module 10
Recovering deleted Files and Deleted partitions
What happens when a file is Deleted in windows?
When a file is deleted, the OS system marks the files name
in MFT with a special character that indicates that the file
has been deleted.
The first letter of a file name is replaced by a hex byte code
E5h
What happens when a partition is deleted?
All data on that deleted partition or logical drive is lost.
Deleting a partition on a dynamic disk can delete all the
dynamic volumes on the disk, thus leaving the disk in a
corrupt state.
N.B: Deleted file and partition can be recovered by using
software

Module 11
Forensics Investigation Using AccessData FTK

Create images, analysis the registry , decryption, identify steganography and

password cracking.
Utilizing a back-end database to handle large data set

Module 12
Forensic investigation using Encase
Encase Forensic features:
Preserve data in an evidence file format
Recover files and partitions detect deleted files
by parsing event logs, file signature
Acquire data from disk or RAM, images, email,
internet artifacts, web history and cache,
compressed files, backup files, encrypted files,
RAID, workstations, server and more

Module 13

Steganography and Image file forensics

Steganography:
A technique of hiding secret message within an ordinary
message and extracting it at the destination.
Utilizing a graphic image as a cover is the most popular method
of concealing data in files.
Legal use of steganography is law enforcements agencies us
steganography to:
Watermark intermediation martial after authorization and
under pubic prosecutor control with predefined marks.
Trace trade materials
Build an international data bank to collect data on the
trading controlled by investigative bodies.
Provide network nodes where trade material is monitored.
Unethical use of Steganography
Viruses, criminal communications, fraud, hacking,
electronic payments, harassment, intellectual property

Cont..
steganography is applicable to the following areas:
Broadcast monitoring (Gibson, pattern
recognition)
Cover communication
Ownership assertion
Fingerprinting (Traitor tracking)
Authentication(original vs. forgery)
Access control system for Digital content
Distribution
Steganographic file system
Media bridging
Copy prevention or control (DVD)
Metadata Hiding (Tracking Information)

Cont..

Classifications of stegagnography
1. Technical Steganography
1. Invisible Ink
Method with the longest tradition
2. Microdots
Method to hide up to one page in a dot
3. Computer-based methods
Uses redundant information in texts, pictures, sounds,
video, etc.
2. Linguistic Steganography :- written language to hide the message
in the carrier in some non-obvious ways. Have to parts:
1. Semagrams
1. Visual semagrams use innocent-looking or everyday
physical objects to convey a message, such as doodles or
the positioning of items on a desk or website.
2. Text Semagrams hide a message by modifying the
appearance of the carrier text such as subtle changes in the
font size or type, adding extra spaces, or different
flourishes in letters or handwritten text

Cont..
2. Open codes :- designed pattern on the document that is
unclear to the average reader
1. Jargon code a group of people can understand but is
meaningless to others
2. Covered ciphers hidden openly in the carrier medium
so that anyone who knows the secret of how it was
concealed can recover it.
1. Null ciphers is an ancient form of encryption where
the plaintext is mixed with a large amount of noncipher material
2. Grille Ciphers a grille is created by cutting holes in
a piece of paper and when the receiver places the grille
over the text, the intended message can be retrieved.

Cont..

Module 14
Application password cracker

Module 15
Log capturing and event correlation
1.Computer security logs
2.Loges and legal Issues
3.Event correlation
4.Log capturing and Analysis Tools
5.Log management
6.Time synchronization
7.Centralized logging and syslogs

Module 16

Network forensic, investigating logs and network Traffic

1.Network forensics
2.Network attacks
3.Log Injection Attacks
4.Investigating and analyzing logs
5.Investigating network traffic
6.Traffic capturing and analysis tools

Cont..
Network Forensics
Identifying criminal activity and the people
behind it.
Can defined as the sniffing, recording,
acquisition and analysis.
It allows investigators to inspect network traffic
and logs identify and locate the attack system.
Can tells:
Source of security incidents and network
attacks.
Path of the attack.
Intrusion techniques used by attackers.

Cont..

Module 17
Investigating wireless attacks

Cont..
Wi-Fi Discovery tools:
inSSIDer
GPS Maping tools: WIGLE, Skyhook,

Module 18
Investigating web attacks

Web attack detection Tools

1. Web Application Security Tool:
Acunetix Web Vulnerability Scanner
Falcove Web Vulnerability scanner
Netsparker
N-stalker web Application security scann
Sandcat
Wikto
WebWatchBot
OWASP ZAP
SecuBat Vulnerability Scanner
Websecurify
HackAlert
WebCruiser

Cont..

dotDefender
IBM AppScan
ServerDefender VP
2. Web Log Viewer
Deep log analyzer
WebLog Expert
AlterWind Log Analyzer
Webalizer
eWebLog Analyzer
Apache Logs Viewer (ALV)
Awstats
3. Web attack Investigation Tools:
Paros Proxy
Scrawlr

Cont..
Tools for Locating IP Address
Whois Lookup
SmartWhois
ActiveWhois
LanWhoIs
CountryWhois
CallerIP
Real Hide IP
IP Address Manager
Pandora FMS

Module 19
Tracking Emails and Investigating Email Crimes

Module 20
Mobile Forensic

Cont..

Acquire Data from:

SIM cards
Unobstructed mobile devices
Obstructed mobile devices
Memory cards
Synched Devices
Network Operator:- calls made/received, message traffic,
data transferred and connection location/timing. Home
location Register (HLR) provides:
Customers name and address
Billing name and address
Users name and address
Telephone number(MSISDN)
IMSI
SIM serial number
PIN/PUK for the SIM
Subscriber services allowed.

Cont..

Mobile forensic Software and Hardware tools:

Software Tools
Oxygen Forensic Suite 2011
MObILedit! Forensic
BitPim
SIM Analyzer
SIMCon
Phone View
Elcomsoft Blackberry Backup Explorer etc.
Hardware Tools
Secure View Kit
Deployable device Seizure (DDS)
Parabens Mobile Field Kit
PhoneBase
Xact System
Longicube CellDEk
RadioTactics ACESO etc.

Module 21
Investigative Reports
Computer Forensic Report:

Module 22
Becoming an Expert Witness

THE END