Introduction to Computer Forensics

Questions and Answers

Computer forensics primarily deals with physical evidence like fingerprints and footprints.

False (B)

Computer forensics is solely used for catching hackers.

False (B)

The Electronic Communications Privacy Act (ECPA) regulates how law enforcement can access electronic communications, ensuring some level of digital privacy.

True (A)

Integrity, in the context of forensic investigations, means that investigators are allowed to tamper with evidence to get the most accurate outcome.

False (B)

Browsing history and cookies stored on a computer are not considered types of digital evidence.

False (B)

The chain of custody is only important if you analyze the evidence.

False (B)

If the chain of custody for digital evidence is broken, its validity can be challenged in court.

True (A)

Malware solely spreads through physical USB drives.

False (B)

Live acquisition refers to capturing data from a powered-off computer system.

False (B)

Volatile data, such as RAM contents, remains intact even when a system is powered down.

False (B)

Memory dumps are used to capture the contents of a system's RAM.

True (A)

Process tracing involves solely examining the metadata of files on a system.

False (B)

Network traffic analysis involves monitoring and capturing network communication to identify suspicious connections and data transfer.

True (A)

Live disk imaging creates a snapshot of only the file system metadata of a running system.

False (B)

Capturing volatile data is not essential because it cannot disappear.

False (B)

Static acquisition involves creating a bit-by-bit copy of a running system.

False (B)

A forensic image allows investigation without affecting the original evidence.

True (A)

The chain of custody is not relevant in static acquisition.

False (B)

dd is a specialized commercial forensics tool and not a command line utility.

False (B)

Hashing is not a necessary step in digital forensics investigations.

False (B)

MD5 is still considered a collision-resistant hashing algorithm suitable for forensic purposes.

False (B)

SHA-512 is a hashing algorithm that provides less security against collisions compared to SHA-256.

False (B)

File system analysis involves examining the structure and organization of data on a storage device, which includes its metadata.

True (A)

Common file systems include only NTFS, FAT32 and ext4.

False (B)

When you delete a file it is automatically and permanently removed from the storage device.

False (B)

File carving is primarily used to recover files using file system metadata.

False (B)

Logical damage to a file system cannot render a device inaccessible.

False (B)

Data reconstruction involves piecing together fragmented or incomplete data to restore a file.

True (A)

Email forensics focuses solely on the content of emails.

False (B)

Email spoofing involves disguising an email's origin to appear as though it came from a legitimate source.

True (A)

Cookies cannot be used to track user behavior.

False (B)

Wireshark is a tool that analyzes email files, but not network traffic.

False (B)

Network forensics involves examining network traffic to identify evidence of suspicious activity.

True (A)

Tcpdump only works on Windows-based systems.

False (B)

Malware includes only viruses.

False (B)

Worms require human interaction to spread across networks.

False (B)

Rootkits are reliably detected by standard antivirus software.

False (B)

Hashing algorithms do not create a fixed size output.

False (B)

Steganography focuses on making data unreadable.

False (B)

LSB (Least Significant Bit) insertion changes data in images and videos so that they cannot be viewed.

False (B)

Flashcards

What is computer forensics?

The scientific discipline of collecting, preserving, analyzing, and presenting digital evidence for legal proceedings.

What is cybercrime?

Crimes such as hacking, malware, fraud, and online scams; one of the main areas computer forensics is used to investigate.

What are corporate investigations?

Investigating employee misconduct, data breaches, or IP theft within a company.

What is civil litigation?

Gathering digital evidence for lawsuits involving contracts or IP.

What is accident reconstruction?

Analyzing technology-related accidents, like car crashes, for evidence.

What is identification?

Who is responsible for the crime?

What is recovery?

Can we get the stolen information back?

What is prevention?

How can we stop this from happening again?

What is prosecution?

Can we build a case to bring the criminal to justice?

What is the Fourth Amendment?

Protects against unreasonable searches and seizures; searching a computer generally requires a warrant.

What is ECPA?

Regulates law enforcement access to electronic communications.

What is CFAA?

Makes unauthorized computer access illegal.

What is DMCA?

Protects copyrighted materials from illegal copying/distribution.

Child Protection Act

Prohibits child pornography production and distribution.

What is integrity?

Preserve evidence and prevent tampering.

What is objectivity?

Remain impartial and unbiased.

What is confidentiality?

Keep case information confidential.

What is transparency?

Document everything clearly.

What is respect for privacy?

Respect individuals' privacy rights.

What are files?

Documents, spreadsheets, presentations, images, videos, etc.

What are emails?

Sent and received electronic messages, including attachments.

Browsing History

Record of visited websites, searches, and stored cookies.

What are system logs?

Records of system events, errors, and security information.

Network Traffic

Data flowing over a network, including IP addresses.

What is chain of custody?

Detailed record of evidence handling (who, when, where, what).

What is proof of authenticity?

Proving evidence is real/unaltered.

What is an unbroken link?

Clear link between evidence and crime scene.

Avoiding legal challenges

Prevents challenges to validity of evidence.

What is hacking?

Unauthorized computer system access.

What is malware?

Software that damages, steals from, or disrupts computer systems.

What is fraud?

Using computers for financial crimes.

What is identity theft?

Stealing someone's personal information.

What is child pornography?

Sexually explicit images of children.

Live Acquisition

Capturing data from a running computer to preserve volatile data.

Volatile Data

Data that disappears quickly, like RAM contents and running processes.

Memory Dumps

Capturing RAM contents to preserve volatile data; the dump is then analyzed with tools such as Volatility or WinDbg.

Process Tracing

Analyzing the actions and behavior of running processes to identify suspicious activity.

Network Traffic Analysis

Monitoring network communication to identify malicious activity.

Static Acquisition

Bit-by-bit copy of a powered-down system's storage to create a forensic image.

What is EnCase?

Commercial forensics software for disk imaging and data analysis.

Study Notes

Introduction to Computer Forensics

  • Computer forensics is the scientific discipline of collecting, preserving, analyzing, and presenting digital evidence for legal proceedings.
  • It involves dealing with digital traces left on computers, phones, and networks, similar to a detective's work but with digital evidence.
  • Computer forensics experts are trained to find, interpret, and present digital evidence in a way that stands up in court.

Scope of Computer Forensics

  • Computer forensics is used in various situations, not just for catching hackers.
  • Usage includes cybercrime, corporate investigations, civil litigation, and accident/incident reconstruction.
  • Cybercrime: Investigating crimes like hacking, malware attacks, fraud, and online scams.
  • Corporate Investigations: Investigating employee misconduct, data breaches, or intellectual property theft.
  • Civil Litigation: Gathering evidence related to contracts, intellectual property, or other disputes in lawsuits.
  • Accident and Incident Reconstruction: Investigating accidents involving technology, like car crashes.

Purpose of Computer Forensics

  • The goal of computer forensics is to answer questions.
  • These questions include identifying who is responsible for a crime, recovering stolen information, preventing future incidents, and building a case for prosecution.

Laws Governing Digital Evidence

  • Fourth Amendment: Protects people from unreasonable searches and seizures; investigators generally need a warrant, issued on probable cause, before searching a computer.
  • Electronic Communications Privacy Act (ECPA): Regulates how law enforcement can access electronic communications like emails, texts, and phone calls to ensure privacy.
  • Computer Fraud and Abuse Act (CFAA): Makes it illegal to access computer systems without authorization.
  • Digital Millennium Copyright Act (DMCA): Protects copyrighted materials from being copied or distributed illegally.
  • Child Protection Act: Prohibits the production, distribution, and possession of child pornography.

Ethical Guidelines for Forensic Investigators

  • Includes integrity to preserve evidence, objectivity to remain impartial, confidentiality to protect information, transparency to document all actions, and respect for privacy to avoid violating rights.

Types of Digital Evidence

  • Common evidence types include files (documents, spreadsheets, presentations, images, videos), emails, browsing history, system logs, and network traffic.

Chain of Custody

  • The chain of custody is a detailed diary of evidence's journey, documenting who collected, handled, or analyzed the evidence, when actions were taken, where the evidence was located, and what changes were made.
  • It helps prove authenticity, establish a clear link between evidence and the crime, and avoid legal challenges based on tampering.

Common Cybercrimes

  • Common cybercrimes include hacking, malware, fraud, identity theft, and child pornography.
  • Hacking involves unauthorized access to computer systems and networks to steal data or disrupt services.
  • Malware involves using malicious software to damage, steal, or disrupt computer systems.
  • Fraud involves using computers to commit financial crimes like identity theft or online scams.
  • Identity theft involves stealing someone's personal information to impersonate them and commit fraud.
  • Child pornography involves producing, distributing, or possessing sexually explicit images of children.

Digital Evidence Collection and Preservation: Live Acquisition

  • Live acquisition is the process of capturing data from a running computer system, including volatile data that would be lost if the system were powered down.

Live Acquisition Basics

  • It preserves the system's state and activity at a specific moment.
  • Live acquisition is necessary to preserve volatile data like RAM contents, running processes, open network connections, and in-memory registry state.
  • It helps prevent tampering by capturing the system's state before any modifications occur and enables real-time analysis to understand ongoing cyberattacks.
  • Caveat: every action on a live system changes it (the acquisition tool itself consumes memory and may write to disk), so collect the most volatile data first and document every command run, in order.

Tools and Techniques

  • Memory Dumps: Capture the system's RAM to preserve running processes and open files. A memory acquisition tool writes the dump; the dump is then analyzed with tools like Volatility or WinDbg.
  • Process Tracing: Analyzes running processes to identify suspicious activity by examining process lists, memory usage, and network activity.
  • Network Traffic Analysis: Monitors and captures network communication to identify suspicious connections and data transfer using packet analyzers like Wireshark.
  • Live Disk Imaging: Creates a snapshot of the entire running system with specialized tools and expertise, without interrupting the system. Because the disk keeps changing during the copy, a live image is not bit-exact, and its hash cannot be checked against the source the way a static image's can.

Preserving Volatile Data

  • Failing to capture volatile data can result in the loss of critical evidence, making it difficult to reconstruct events.
  • Strategies for capturing and analyzing memory contents:
  • Memory Dumps: Extract RAM contents with an acquisition tool and analyze them using tools like Volatility or WinDbg.
  • Process Dumps: Capture specific processes in memory to examine their activity.
  • Memory Analysis Tools: Identify malware, analyze the system's state, and recover files and artifacts cached in memory using specialized software.

Hands-on: Live Acquisition

  • Use a Virtual Machine or a Practice Environment:
  • Practical experience is essential for developing skills with live acquisitions.
  • Set up a virtual machine to practice live acquisition techniques without risking damage to a real system.
  • For example, use VMware Workstation or VirtualBox to create a virtual machine running Windows or Linux.
  • Choose suitable tools: a memory acquisition tool to take the dump, and an analysis tool such as Volatility or WinDbg to examine it.
  • Practice with the chosen tools to perform live acquisition tasks on the virtual machine.
  • Analyze the results of the live acquisition and document the findings.

Key Takeaways

  • Live acquisition is critical for preserving volatile data, preventing tampering, and gaining real-time insights into system activity.
  • Understanding how to perform live acquisitions effectively is essential for computer forensic investigators.
  • Experimenting in virtual machines is crucial for developing skills and knowledge.

Project Ideas

  • Live Acquisition Case Study: Simulation that involves performing live acquisition on a virtual machine to identify real time evidence after a cyberattack incident.
  • Comparison of Live Acquisition Tools: Compare different tools based on features, capabilities, and suitable scenarios.

Digital Evidence Collection & Preservation: Static Acquisition

  • Static acquisition involves creating a pristine copy of a storage device to ensure integrity/authenticity for investigation.

Static Acquisition Basics

  • Static acquisition involves creating a bit-by-bit copy of a powered-down system/storage device (like a hard drive, SSD, USB drive).
  • Why is Static Acquisition Essential?
  • Preservation of Evidence: Safeguards original evidence by creating a separate copy to prevent alteration/modification.
  • Investigation Without Affecting the Original: Image can be analyzed extensively without compromising the original device.
  • Chain of Custody: Creating a forensic image is a critical step that is documented throughout an investigation.

Tools for Static Acquisition

  • EnCase provides features to create forensic images, analyze file systems, and identify hidden/deleted data.
  • FTK (Forensic Toolkit) offers features for disk imaging, data recovery, file system analysis, and reporting.
  • dd (command line utility) creates bit-by-bit copies of disk drives for forensic imaging; run it against a source attached through a write blocker (or mounted read-only) so the original is never modified.
  • The Sleuth Kit provides command-line tools for analyzing the file systems inside a forensic image: walking partition tables, listing files including deleted entries, and recovering their content.

Hashing

  • Hashing is a cryptographic process that generates a fixed-length string (hash value) for any input data, serving as a fingerprint: any change to the input produces a different hash.
  • Hashing helps verify image integrity, establish authenticity, and document the chain of custody.
  • Verification of image integrity: by comparing the hash value of the original data with the hash value of the forensic image, investigators can show that the image is an exact copy and that no changes were made during acquisition. Record the hashes at acquisition time and re-verify them before each analysis session.
  • Algorithms include Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), SHA-256, and SHA-512. MD5 and SHA-1 have practical collision attacks, so compute SHA-256 (or SHA-512) alongside any MD5 value that legacy tooling requires.

Hands-on: Disk Imaging and Hashing

  • Practical experience with disk imaging/hashing is essential for real-world investigations.
  • Set up virtual/physical computer environment for forensic training.
  • Choose an imaging tool (EnCase, FTK, or dd).
  • Hash the source device, then create the forensic image.
  • Calculate the hash of the image with the same tool or a separate utility (md5sum or sha256sum).
  • Lastly, compare the two hash values; they must match exactly.
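A worked version of the imaging-and-hashing steps above, written for this page as an added Python example (it is not the lesson's own material and not EnCase, FTK or dd). The "device" is a constructed in-memory byte string standing in for a block device, the hashes are computed in the same read pass that produces the image, and the chain-of-custody record layout is an assumption for the example:

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads; the same loop scales to multi-GB devices

# Constructed stand-in for the evidence drive (think /dev/sdb): a boot-sector
# signature followed by some file content and filler. A real source is a
# block device opened read-only behind a write blocker.
DEVICE = b"\x00" * 510 + b"\x55\xaa" + b"Q3 payroll export (deleted)\n" + bytes(range(256)) * 8


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a file-like object in chunks, feeding every chunk to each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory byte string the same way as a stream."""
    return hash_stream(io.BytesIO(data))


def acquire(device_bytes):
    """Bit-for-bit copy of the source (what `dd if=/dev/sdb of=image.dd` does),
    hashing the source in the same read pass so the recorded hashes describe
    the device exactly as it was when imaged."""
    src = io.BytesIO(device_bytes)
    image = io.BytesIO()
    hashers = {name: hashlib.new(name) for name in ("md5", "sha256")}
    for block in iter(lambda: src.read(CHUNK), b""):
        image.write(block)
        for h in hashers.values():
            h.update(block)
    return image.getvalue(), {name: h.hexdigest() for name, h in hashers.items()}


def verify(image_bytes, expected):
    """Re-hash the image and compare against the acquisition-time hashes.
    Any mismatch means the image is not an exact copy or was altered since."""
    actual = hash_bytes(image_bytes)
    return all(actual[name] == expected[name] for name in expected)


def custody_entry(examiner, action, hashes, when=None):
    """One chain-of-custody record (this dict layout is an assumption for the
    example, not a standard form). SHA-256 is the value to rely on; MD5 is
    kept only because legacy tooling still reports it."""
    when = when or datetime.now(timezone.utc)
    return {"timestamp": when.isoformat(), "examiner": examiner,
            "action": action, "sha256": hashes["sha256"], "md5": hashes["md5"]}


if __name__ == "__main__":
    image, hashes = acquire(DEVICE)
    print("image verifies:", verify(image, hashes))
    tampered = bytearray(image)
    tampered[512] ^= 0x01  # flip a single bit in the first file's content
    print("tampered image verifies:", verify(bytes(tampered), hashes))
    print(custody_entry("J. Doe", "acquired with dd, hashed", hashes))
```

Hashing the source while it is being read, rather than in a second pass, matters on real hardware: a failing drive may not return identical bytes twice, and a second read of the original is one more chance to alter it.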

Key Takeaways

  • Static acquisition is a fundamental technique for preserving digital evidence, ensuring its integrity and authenticity.
  • Hashing is crucial for verifying the integrity of forensic images and establishing the chain of custody.
  • Practice with forensic imaging tools/hashing utilities is essential.

Data Recovery and Reconstruction

  • The ability to recover/reconstruct data from damaged/deleted files is crucial for uncovering evidence/building a strong case.

File System Analysis

  • File system analysis involves examining the organization of data on a storage device, including metadata such as names, sizes, locations, timestamps, and attributes.
  • It requires an understanding of the file system, its structure, and its metadata.
  • It is used to identify deleted files and hidden data.
  • Key concepts include NTFS, FAT32, ext2/ext3/ext4, and what each file system provides.
  • Tools like EnCase, FTK, and The Sleuth Kit are used to examine file system structures and recover hidden data.

File Carving

  • File carving recovers deleted files by searching raw disk data for headers/footers, without relying on file system metadata.
  • Process: file signatures (headers/footers) identify a file's format and type; forensic tools scan the raw data for these signatures to locate potential deleted files.
  • The tool reconstructs each file by extracting the data between the header and footer. Fragmented files, or formats without a fixed footer, may be recovered incompletely.

Hands-on: Using Forensics Tools for File Carving

  • Establish a practice environment using a virtual machine/controlled system containing deleted files.
  • Use forensic tools like EnCase, FTK, or Sleuth Kit that have file carving capabilities.
  • Perform file carving on the target disk/partition to recover deleted files.
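The header/footer scan described under File Carving, carried out on a constructed raw image, as an added example for this page and the hands-on steps above (not code from the lesson or from EnCase, FTK or The Sleuth Kit). The signatures are the real JPEG and PNG magic bytes; the disk contents are constructed, including a JPEG whose tail was overwritten, which is the case a carver has to skip rather than mis-carve. It goes one step beyond the lesson by validating each carved PNG through its chunk CRCs:

```python
import re
import struct
import zlib

# Real header/footer signatures for the two formats this example carves.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer 10 MiB past a header


def png_chunk(ctype, data):
    """Length + type + data + CRC-32 over type and data, as the PNG spec defines."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def make_png():
    """A minimal valid 1x1 RGB PNG, constructed so the example needs no image file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"  # filter byte 0 + one red pixel
    return (SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline)) + png_chunk(b"IEND", b""))


# Constructed "unallocated space": zero-filled clusters holding a deleted JPEG,
# a deleted PNG, and a JPEG whose tail was overwritten (header but no footer).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"\x22" * 100
FILL = b"\x00" * 1024
DISK = FILL + JPEG + FILL + make_png() + FILL + TRUNCATED + FILL


def carve(image, signatures=SIGNATURES):
    """Return (type, offset, data) for every header..footer span in `image`.

    No file-system metadata is consulted: the scan is over raw bytes, which is
    why carving still works after the directory entry and inode are gone.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                continue  # header with no footer in range: overwritten or fragmented
            end += len(footer)
            found.append((ftype, start, image[start:end]))
    return sorted(found, key=lambda item: item[1])


def png_is_intact(data):
    """Walk the PNG chunk list and check every CRC; a carved PNG that passes
    was recovered completely, one that fails was cut short or overwritten."""
    sig, footer = SIGNATURES["png"]
    if not data.startswith(sig) or not data.endswith(footer):
        return False
    pos = len(sig)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        body = data[pos + 4:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(body) != crc:
            return False
        if body[:4] == b"IEND":
            return pos + 12 + length == len(data)
        pos += 12 + length
    return False


if __name__ == "__main__":
    for ftype, offset, data in carve(DISK):
        status = png_is_intact(data) if ftype == "png" else "n/a"
        print(f"{ftype} at offset {offset}, {len(data)} bytes, intact={status}")
```

The JPEG case shows the classic limitation: the carver takes the first `FF D9` it meets, so a JPEG with an embedded thumbnail (which carries its own footer) would be cut short. Formats with an internal structure, like PNG's CRC-checked chunks, let you confirm a carve instead of trusting the footer.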

Data Recovery from Damaged Devices

  • Data recovery from damaged storage devices is challenging because of physical damage to the media or logical damage to the file system.
  • Data corruption can result from power failures, malware attacks, or other events, making recovery a complex task.
  • Specialized data recovery software handles various file systems, corruption scenarios, and some forms of physical damage.
  • Alternatively, create a forensic image of the damaged device and use file carving techniques to extract files from the image.

Data Reconstruction

  • Data reconstruction involves piecing together fragmented or incomplete data to restore a file or set of files.
  • Key techniques involve file system analysis, metadata, and file carving for signatures.
  • You can also use data recovery software to reconstruct fragmented/corrupted files.

Case Study: Recovering Data from a Corrupted Hard Drive

  • Company computer hard drive corrupted due to power surge.
  1. Create a forensic image.
  2. Analyze the file system.
  3. File Carving.
  4. Data Reconstruction.
  5. Verification.

Email and Internet Analysis

  • Email / Internet analysis examines email messages, their metadata, and web browsing artifacts to uncover evidence of fraud and other illegal activity.

Email Forensics

  • The process of examining email messages & metadata to uncover criminal activity or misconduct.
  • It analyzes email headers, attachments, content, time stamps, senders and recipients.
  • Email Headers: Provide details like the origin, destination, and routing, can be used to trace the email's path and identify its origin.
  • Email Content: Can reveal intentions, communication patterns, or evidence of criminal activity.
  • Email content and attachments should be scanned for malware, malicious documents, or stolen data.
  • Email Spoofing: Disguising the email's origin to appear legitimate.
  • Phishing: A form of social engineering that uses deceptive emails to trick recipients into providing sensitive information, such as login credentials or financial details.
  • Tools: Specialized software tools like EnCase, FTK, etc.
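The header checks described above (origin, routing, spoofing) applied to a constructed message, as an added example for this page; it is not part of the lesson and not how EnCase or FTK implement email analysis. Both messages, all hostnames and addresses are made up, and the indicator names are this example's own:

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message, not a real capture: the display From claims to be the
# CEO, but the envelope sender, Message-ID and first Received hop all point at
# a bulk-mailing host that has nothing to do with victim.example.
SPOOFED = b"""Return-Path: <bounce@mail-burst.example.net>
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
\tby inbox.victim.example with ESMTP id 42; Tue, 5 Mar 2024 09:12:03 +0000
Received: from burst-07.example.net (burst-07.example.net [198.51.100.7])
\tby mx1.victim.example with ESMTP id 41; Tue, 5 Mar 2024 09:12:01 +0000
Authentication-Results: mx1.victim.example; spf=fail smtp.mailfrom=mail-burst.example.net
From: "CEO" <ceo@victim.example>
To: cfo@victim.example
Subject: Urgent wire transfer
Date: Tue, 5 Mar 2024 09:11:58 +0000
Message-ID: <20240305091158.7@mail-burst.example.net>

Please wire 40,000 to the account below before noon.
"""

# Constructed legitimate message for comparison.
CLEAN = b"""Return-Path: <ceo@victim.example>
Received: from mail.victim.example (mail.victim.example [192.0.2.20])
\tby inbox.victim.example with ESMTP id 43; Tue, 5 Mar 2024 10:00:00 +0000
Authentication-Results: inbox.victim.example; spf=pass smtp.mailfrom=victim.example
From: "CEO" <ceo@victim.example>
To: cfo@victim.example
Subject: Board deck
Message-ID: <20240305100000.1@mail.victim.example>

Slides attached.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(address):
    """Domain part of a mailbox string such as '"CEO" <ceo@victim.example>'."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Hops in transit order (earliest first). Each MTA prepends its Received
    header, so the last Received header in the message is the first hop."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(str(header))
        if not match:
            continue
        ip_match = IP_RE.search(match.group(2))
        hops.append({"host": match.group(1), "ip": ip_match.group(1) if ip_match else None})
    return hops


def spoof_indicators(msg):
    """Header-consistency checks; returns the list of indicators that fired."""
    flags = []
    from_domain = domain_of(msg["From"])
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_domain:
        flags.append("envelope-sender-mismatch")
    msgid_domain = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if msgid_domain and not msgid_domain.endswith(from_domain):
        flags.append("message-id-domain-mismatch")
    if "spf=fail" in str(msg.get("Authentication-Results", "")).lower():
        flags.append("spf-fail")
    hops = received_chain(msg)
    if hops and not hops[0]["host"].lower().endswith(from_domain):
        flags.append("origin-host-mismatch")
    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        msg = parse(raw)
        print(label, "From domain:", domain_of(msg["From"]))
        print(label, "origin hop:", received_chain(msg)[0])
        print(label, "indicators:", spoof_indicators(msg))
```

Only the Received header added by your own mail server can be trusted; any hop below it was written by whoever relayed the message and may be forged, so an origin identified this way is a lead to corroborate with the relay's logs, not a conclusion.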

Internet Forensics

  • It analyzes browsing history, cookies, and cache data to reconstruct a user's activity and identify evidence of cybercrime.
  • Browsing History: Websites visited, search queries, and pages viewed can reveal users' online patterns.
  • Activity to watch for: malware downloads, phishing attempts, or data exfiltration.

Steps for Email / Internet Analysis

  • Set up a practice environment with a dataset.
  • Use tools like EnCase, FTK, or MailXaminer for email analysis, and a browser forensics tool for web artifacts.
  • Analyze the email data, then use the browser forensics tool to examine website visits and stored data.

Network Forensics

  • Network forensics involves examining network traffic to identify evidence of cybercrime.

Capturing/Analyzing Network Traffic using Packet Analyzers

  • Packet Analyzers, like Wireshark, capture and analyze network packets to understand communication flow and identify suspicious activity.
  • Network Traffic Capture: capture traffic from interfaces, network taps, or existing capture files.
  • Traffic Analysis: use Wireshark's filters and statistics to look for patterns and anomalies.
  • Identify: unusual traffic volumes and protocol anomalies can indicate malicious activity or network problems.
  • Tools: Wireshark, tcpdump, Network Security Monitoring, Security Information and Event Management Systems.

Hands-on: Using Wireshark to Capture and Analyze

  • Capture traffic from a network interface/packet capture file.
  • Filter traffic.
  • Examine the contents of captured packets for intrusions.
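An added example (not from the lesson, and not Wireshark or tcpdump code) that builds a small classic-format pcap in memory and then decodes it the way the hands-on steps describe: read each record, walk the Ethernet, IPv4 and TCP/UDP headers, summarize flows and flag destinations outside an expected port set. The capture contents, the hosts and the "expected ports" set are constructed for the example:

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
COMMON_PORTS = {53, 80, 443}  # constructed: what this example treats as expected


# --- building a constructed capture (stands in for a tcpdump/Wireshark .pcap) ---

def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, flags):
    # data offset 5 words (20 bytes) in the high nibble, flags in the next byte
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def ethernet(payload):
    # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + payload


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then (16-byte record header + frame)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


BEACON = b"GET /update?id=7 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"
DNS_QUERY = b"\x00" * 12  # placeholder payload; only the port matters here
PCAP = build_pcap([
    (1709629920, ethernet(ipv4_header("192.0.2.5", "192.0.2.1", 17, 8 + len(DNS_QUERY))
                          + udp_header(53000, 53, len(DNS_QUERY)) + DNS_QUERY)),
    (1709629921, ethernet(ipv4_header("192.0.2.5", "203.0.113.9", 6, 20)
                          + tcp_header(49152, 4444, 0x02))),           # SYN
    (1709629922, ethernet(ipv4_header("192.0.2.5", "203.0.113.9", 6, 20 + len(BEACON))
                          + tcp_header(49152, 4444, 0x18) + BEACON)),  # PSH+ACK with data
])


# --- parsing: the protocol headers are the evidence ---

def parse_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        offset = (l4[12] >> 4) * 4
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
                "flags": l4[13], "payload": l4[offset:]}
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport,
                "flags": 0, "payload": l4[8:]}
    return None


def parse_pcap(data):
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "HHiIII", data[4:24])[5] != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        record = parse_frame(frame)
        if record:
            record["ts"] = ts_sec + ts_usec / 1_000_000
            packets.append(record)
    return packets


def flows(packets):
    """Per 5-tuple packet and payload-byte counts (the 'unusual volumes' check)."""
    summary = {}
    for p in packets:
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        entry = summary.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += len(p["payload"])
    return summary


def suspicious_flows(packets, expected_ports=COMMON_PORTS):
    """Flows to destination ports outside the expected set."""
    return sorted(key for key in flows(packets) if key[4] not in expected_ports)


if __name__ == "__main__":
    pk = parse_pcap(PCAP)
    for key, stats in flows(pk).items():
        print(key, stats)
    print("suspicious:", suspicious_flows(pk))
```

The same flow table is what Wireshark's Conversations window shows; building it by hand makes clear that a "port" is only a hint, and that the HTTP request to a non-standard port is the actual anomaly to chase.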

Network Protocols

  • Network protocols provide forensic evidence through Protocol Headers, Protocol Interactions, Protocol Anomalies.

Key Takeaways

  • Packet analyzers (Wireshark) are essential tools for capturing & analyzing network traffic.
  • Understanding the protocols & data provides valuable insights.
  • Practical experience with Wireshark is crucial.

Malware Analysis

  • Analyzing malicious software is crucial to understanding and stopping the threats it poses.

Malware Types and Behavior

  • Viruses: Programs that spread by attaching themselves to executable files.
  • Worms: Self-replicating programs that spread across networks.
  • Trojans: Malicious programs disguised as legitimate software.
  • Ransomware: Encrypts the victim's data, with attackers demanding payment for the key.
  • Spyware: Secretly monitors user activity.
  • Rootkits: Hides its presence on the system and gives attackers persistent access by manipulating system files.

How Malware Operates

  • Infection vectors: email attachments, malicious websites, infected files, or vulnerabilities in software.
  • Signs of infection: modification of system processes, modification of registry settings, and creation of hidden files.
  • Communication: command and control servers, peer-to-peer networks, or hidden channels within the system.

Malware Analysis Techniques

  • Static Analysis: Examining code without executing it to understand capabilities and intentions.
  • Tools like Disassemblers convert machine code into assembly.
  • Dynamic Analysis: Executing malware in a controlled environment to observe its behavior.
  • Monitor the network traffic for any potential malicious actions.

To analyze a suspected malware sample…

  • Set up your environment using specialized software or Virtual Machines.
  • Load a malware sample. Isolate it properly! Then, monitor the activity / analyze findings of what that malware did.

Key Takeaways

  • Static/dynamic analysis techniques provide insights.
  • Sandbox environments safely analyze malware.

Hashing, Digital Signatures, and Steganography

Hashing Algorithms

  • Mathematical functions take an input (data) of any size and produce a fixed-size output called a hash value or digest. Examples: MD5 and the SHA family.

Properties of Hash Functions

  • One-way, Deterministic, Collision Resistance.
  • Has uses for Data Integrity Checks, Passwords, and Digital Signatures.

Digital Signature Verification

  • Authenticates digital documents and protects their integrity.
  • Process: hash the document, encrypt the hash with the signer's private key, attach the result as the signature; the verifier decrypts it with the signer's public key and compares it with a fresh hash of the document.
  • Benefits: authenticity, integrity, non-repudiation.

Steganography

  • Unlike cryptography, which focuses on encrypting data to make it unreadable, steganography aims to hide the very existence of the secret data.
  • Hidden by Least Significant Bit (LSB) Insertion, Text Encoding, Spread Spectrum Techniques.
  • Used to hide secret communication, protect sensitive information, and for digital watermarking.
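LSB insertion on a constructed pixel array, as an added example for this page (not the lesson's own code). The 8x8 RGB cover, the 32-bit length prefix and the function names are this example's assumptions; the point it shows is the one the lesson makes: every sample changes by at most one, so the image still displays normally while carrying the hidden bytes:

```python
LENGTH_BITS = 32  # a 32-bit big-endian length prefix tells the extractor where to stop

# Constructed 8x8 RGB "image": 192 sample bytes with a smooth gradient. A real
# tool would load pixel data from a decoded PNG/BMP and treat it the same way.
WIDTH, HEIGHT = 8, 8
COVER = bytes((x * 37 + y * 11 + c * 5) % 256
              for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))


def capacity(cover):
    """Message bytes that fit: one bit per sample, minus the length prefix."""
    return (len(cover) - LENGTH_BITS) // 8


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Overwrite the least significant bit of successive samples with the
    length prefix and then the message bits; every sample moves by at most 1."""
    if len(message) > capacity(cover):
        raise ValueError(f"message too long: capacity is {capacity(cover)} bytes")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bits(samples, start, count):
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (samples[i] & 1)
    return value


def extract(stego):
    """Read the length prefix, then exactly that many message bytes."""
    length = _read_bits(stego, 0, LENGTH_BITS)
    if LENGTH_BITS + length * 8 > len(stego):
        raise ValueError("length prefix exceeds image; not an LSB payload from embed()")
    return bytes(_read_bits(stego, LENGTH_BITS + 8 * k, 8) for k in range(length))


def max_sample_change(cover, stego):
    """Largest per-sample difference; 1 means the image is visually unchanged."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    secret = b"meet 0300"
    stego = embed(COVER, secret)
    print("capacity:", capacity(COVER), "bytes")
    print("extracted:", extract(stego))
    print("max sample change:", max_sample_change(COVER, stego))
```

Because the carrier is a lossless pixel array, the bits survive exactly; saving the result as JPEG would recompress the samples and destroy the payload, which is why LSB tools target PNG or BMP.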
