Lecture 1 Introduction

This document summarizes the key topics to be covered in Lecture 1 of the Network Forensics course. The lecture will introduce digital forensics, including definitions of forensics, forensic investigation principles, digital forensics terms, types of digital crimes, and the digital forensic process. It will also discuss incident response and some common computer forensics tools. The goal is to provide an overview of digital and network forensics concepts to be explored in more depth during the course.


Network Forensics

(IT433)

Lecture 1: Introduction
Dr. Hosny Ahmed Abbas
 01007478550
 hosny.abbas@fci.luxor.edu.eg
Information Technology Luxor Faculty of Computers and Information
Topics to be covered
 What is meant by Forensics?
 Forensic Investigation
 Forensic Science Principles
 Digital Forensics
 Digital Forensics Terms
 Digital Forensics Types of Crimes
 Incident Response
 Digital Forensics and Incident Response (DFIR)
 The Digital Forensic Process
 Some Computer Forensics Tools

Lecture 1: Introduction 2 Luxor Faculty of Computers and Information




What is meant by Forensics?
[Figure: reactive forensics (crime scene) versus proactive forensics (aircraft black box)]


What is meant by Forensics?
 The word "forensics" means the use of science and technology to investigate and establish facts in criminal or civil courts of law.
 The word forensic comes from the Latin term forēnsis, meaning "of or before the forum".
 Forensics is the procedure of applying scientific knowledge for the purpose of analyzing evidence and presenting it in court.
 It involves investigating the crime scene to find the root causes behind a crime.
 Forensic science technicians aid criminal investigations by collecting and analyzing evidence.
 Many technicians specialize in either crime scene investigation or laboratory analysis.
What is meant by Forensics?
 In modern use, the term forensics is often used in place of "forensic science."
 In the Roman forum, a case would be decided in favor of the individual with the best argument and delivery.
 This origin is the source of the two modern usages of the word forensic: as a form of legal evidence, and as a category of public presentation.

Forensics = Forensic Science


Forensic Investigation
 A forensic investigation is often necessary to gather the evidence required to present a successful case to a court.
 A forensic investigation is an investigation that involves some form of scientific method or other skill to make a determination about something that happened in the past.
 It typically comprises:
✔ the identification of potential evidence;
✔ the acquisition of that evidence;
✔ analysis of the evidence;
✔ and production of a report.
Forensic Investigation
 An investigation is a systematic examination, typically with the purpose of identifying or verifying facts.
 A key objective during investigations is to identify key facts related to a crime or incident.
 The 5WH model defines the objectives of an investigation as who, what, where, when, why, and how.
Forensic Investigation
 Crime reconstruction is the determination of the actions and
events surrounding the commission of a crime.
 The objective is to establish a hypothesis about the event or
sequence of events and then to test whether the hypothesis is
possible or not.



Forensic Science Principles
There are 7 basic principles of forensic science:
1. Law of Individuality
2. Law of Progressive Change
3. Principle of Comparison
4. Principle of Analysis
5. Locard's Principle of Exchange
6. Law of Probability
7. Law of Circumstantial Facts


Forensic Science Principles
 Law of Individuality
Every object whether natural or man-made has a unique quality or
characteristic in it which is not duplicated in any other object.



Forensic Science Principles
 Law of Progressive change
Everything changes with the passage of time.



Forensic Science Principles
 Principle of Comparison
Only the likes can be compared.



Forensic Science Principles
 Principle of Analysis
There can be no better analysis than the sample analyzed.



Forensic Science Principles
 Locard's Principle of Exchange
Whenever two entities come into contact with each other, they exchange traces between them.


Forensic Science Principles
 Law of Probability
All identifications, definite or indefinite, made consciously or unconsciously, are made on the basis of probability.


Forensic Science Principles
 Law of Circumstantial Facts
Facts do not lie; men can and do.

Example: a man wearing a mask robbed a bank, and money with serial numbers matching those of the stolen notes was later found.

This indirect evidence is also called circumstantial evidence.


Digital Forensics
 Refers to forensic science applied to digital information.
 Digital investigation refers to investigations in the digital domain.



Digital Forensics Terms
 Digital archaeology refers to digital traces in computer systems created by human behavior.
 Digital geology refers to digital traces created by the computer systems themselves as part of their inherent processes.
 The goal of digital forensics is usually to gather facts about human behavior (digital archaeology).
 But it is a prerequisite to understand how the computer systems behave (i.e., digital geology) in order to interpret digital evidence.
 Digital forensics is commonly applied both in criminal law and in private law.
 Public and private companies and organizations depend upon digital forensics as a tool for supporting legal action in the case of an incident.
Digital Forensics Terms
 The location of the incident is referred to as the scene of the
incident.
 A digital device is a physical object, such as a laptop, a
smartphone, or a car.
 A digital device necessarily contains one or more storage media,
such as a hard drive or memory, referred to as digital media.
 The digital media contain data, stored in binary format, referred to
as digital data.
 Forensic analysts often work with discrete collections of digital
data, referred to as digital objects.



Digital Forensics Terms
 Our ability to capture digital evidence in real life is far from perfect.
 An investigation is forensically sound if it adheres to established digital forensics principles, standards, and processes.
 Evidence integrity refers to the preservation of evidence in its original form.
 Data inevitably changes in live computer systems and networks during investigations.
 Chain of custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence.


Digital Forensics Terms
 Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime.
 Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places.
 Digital evidence is hard to obtain and easy to destroy.
 We aim to process and store digital evidence in a way that is consistent with the principles of evidence integrity and chain of custody.
 A number of digital evidence storage and exchange formats have been developed to support this.
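Evidence integrity and chain of custody in practice, as an added example that is not part of the lecture: a hash-verified custody log in Python of the kind you would keep for the raw image created with FTK Imager in the lab. The image file name, the handler names and the sample image content are constructed for this example.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def make_sample_image(path):
    """Write a small constructed 'raw disk image' so the example runs offline.
    In the lab this would be the image produced by FTK Imager."""
    Path(path).write_bytes(b"\x00" * 512 + b"sample evidence" + b"\xff" * 512)


def sha256_of(path):
    """Hash the file in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def add_custody_entry(log, path, action, handler):
    """Append one chain-of-custody record: who performed which action on the
    item, when (UTC), and the item's hash at that moment."""
    entry = {
        "item": str(path),
        "action": action,  # e.g. acquired, transferred, analysed, returned
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of(path),
    }
    log.append(entry)
    return entry


def verify_integrity(log, path):
    """Evidence integrity check: the image must still hash to the value recorded
    at acquisition, and every later custody entry must show that same hash."""
    expected = next(e for e in log if e["action"] == "acquired")["sha256"]
    return sha256_of(path) == expected and all(e["sha256"] == expected for e in log)


if __name__ == "__main__":
    image = "sample_usb_stick.dd"
    make_sample_image(image)
    custody = []
    add_custody_entry(custody, image, "acquired", "examiner A")
    add_custody_entry(custody, image, "transferred", "examiner B")
    print("integrity intact:", verify_integrity(custody, image))
    # Simulate a single byte changed after acquisition: the chain is now broken.
    Path(image).write_bytes(Path(image).read_bytes().replace(b"sample", b"SAMPLE"))
    print("integrity after tampering:", verify_integrity(custody, image))
```

The hash recorded at acquisition is what later lets an analyst show the court that the copy examined is the copy collected.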
Digital Forensics Terms
 Evidence dynamics is any influence that adds, changes, or relocates digital evidence.
 Types of digital evidence:
✔ Logs (OS logs, database logs, email logs, software logs, network logs, etc.)
✔ Video footage and images (CCTV footage, videos recorded on a mobile device, digital camera footage, voice recordings, etc.)
✔ Archives (Zip/Rar/similar files, databases, backups, text files, documents, source code, videos, images, etc.)
✔ Active data (email clients, image viewers, word processors, scanners, etc.)
✔ Metadata (e.g., Exchangeable Image File Format (EXIF) data)
✔ Residual data (invisible data: deleted or overwritten data that may contain digital evidence if successfully recovered)
✔ Volatile data (invisible data that is never written to disk, e.g., some viruses that exist only in RAM)
✔ Replicant data (invisible data: web cache and cookies, temporary directories, etc.)
Digital Forensics Terms
 With the right digital forensics tools, it's possible to retrieve most if not all types of files, even if they have been overwritten, corrupted, or intentionally deleted, so be sure to have one on hand at all times.


Digital Forensics Types of Crimes
In reality, digital evidence is present in crimes of almost every kind.
 Cybercrime
Advanced cybercrime (or high-tech crime): sophisticated attacks against computer hardware and software.
 Cyber-aided crime
Traditional crimes that make use of the Internet in some way.
 Crimes with digital evidence
The suspect may have a set of digital devices.


Incident Response
 Incident response (IR) is a business's plan for handling a cyber security attack.
 A cyber incident could be defined as any event that compromises the confidentiality, integrity, or availability of data or information.
 Incident response (IR) plans are designed to keep IT infrastructure running while minimizing an incident's negative effect.
 Digital forensics is a branch of forensic science that examines digital technology.
Digital Forensics and Incident Response (DFIR)

 After a cyber security incident, most people's top priority is getting back up and running.
 However, it is also essential to find out what was done and how to prevent it from happening again.
 Digital Forensics and Incident Response (DFIR) is a field within cybersecurity that focuses on the identification, investigation, and remediation of cyberattacks.
 DFIR is a comprehensive forensic process that investigates an attack and helps determine an intrusion's complete life cycle, leading to a final root cause analysis.
Digital Forensics and Incident Response (DFIR)

The Value of Integrated Digital Forensics and Incident Response (DFIR):
 Respond to incidents with speed and precision
 Follow a consistent process when investigating and evaluating incidents
 Minimize data loss or theft, as well as reputational harm, as a result of a cybersecurity attack
 Strengthen existing security protocols and procedures through a more complete understanding of the threat landscape and existing risks
 Recover from security events more quickly and with limited disruption to business operations
 Assist in the prosecution of the threat actor through evidence and documentation


The Digital Forensic Process
 The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations.
 It typically consists of four main steps: collection, examination, analysis, and reporting.


Some Computer Forensics Tools
 Imaging Tools
✔ AccessData FTK Imager
 Analysis Tools
✔ Autopsy
 Registry File Analysis
✔ AccessData Registry Viewer
 File Recovery
✔ MyRecover
 Password Cracking
✔ AccessData Password Recovery Toolkit (PRTK)
FTK Imager

[Screenshot: FTK Imager]


Autopsy

[Screenshot: Autopsy]


Lab Assignments
1. Install FTK Imager if it is not already installed on your PC.
2. Create a raw image of your USB stick using FTK Imager.
3. Also capture a memory image of your PC using FTK Imager.
4. Install Autopsy Image Mounter if it is not already installed on your PC.
5. Create a new case with Autopsy and start analyzing your USB stick image.
6. Tag some files or pictures in the mounted image.
7. Generate a final report for your case.
8. View the registry hive files (SYSTEM, SOFTWARE) from the image using AccessData Registry Viewer.


Thank You
