Computer Crime & Digital Forensics PDF

Summary

This document is an introduction to the subject of computer crime and digital forensics. It covers topics like computer crime characteristics and categories, computer crime and law, and computer crime and cyber security. The initial information provided is focused on the introduction and main points.

Full Transcript


COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER ONE: INTRODUCTION
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Computer crime
- Computer crime characteristics and categories
- Computer crime and law
- Computer crime & cyber security
- Computer crime & digital forensic investigation
- Digital evidence
- Digital forensic investigation procedure

COMPUTER CRIME
Computer crime => Computer + Crime: a crime committed using a computer.
A crime involving computers (digital devices), where the computer is used as a tool or is the victim.
Computer Crime Proclamation (2006); also called high-tech crime, IT crime, e-crime.

COMPUTER CRIME CHARACTERISTICS
- Transnationalization
- Very sophisticated
- Highly scalable (e.g. DoS vs DDoS attack)
- Difficult to know who is behind the crime
- Cheap and easy to commit
- Financially motivated
- Steal data/information stored on or transferred over the network
- Many cyber crimes have an international component:
  - suspect, victim and server in the same country
  - suspect and victim in one country and the server in another country
  - suspect, victim and server in different countries
- Different types of individuals/organizations commit crime

COMPUTER CRIME CATEGORIES
Novel / Migrant cyber crime
- Novel: unique to the digital world (e.g. DoS)
- Migrant: existed before the internet and was boosted after the existence of the internet (migrated from analog to digital) (e.g. malware distribution)
Crimes against CI / crimes for personal or financial gain / content-based cyber crime
- Crimes against CI: unauthorized access / unauthorized modification (illegal hacking = illegal access (without right, or exceeding the access level); cracking = illegal access + damage/stealing)
- Crimes for personal/financial gain (e.g. computer fraud, spam)
- Content-based cyber crime: child pornography, cyber terrorism
Targeted / Tools / Incidental
- Targeted: focus on the target computer (e.g. DoS)
- Tools: make use of the computer (e.g. child pornography)
- Incidental: e.g. using eBay to buy a weapon

COMPUTER CRIME AND LAW
Ethiopian Criminal Law, Articles 706 and 711: hacking penalized.
- Act: intentional / negligent / accidental
- Clearance: without authorization / exceeding authorization
Cyber Crime /2016
- Criminalizing hacking and cracking: intentionally, without authorization, in excess of authorization
- Crime against private
Investigative and prosecutorial power
- It is the federal police that investigate cybercrime (/2016)
- INSA is limited to technical support / expert witnesses (/2016)
- INSA (sudden search) / NISS are involved in the investigation when it involves cyber terrorism

COMPUTER CRIME AND CYBER SECURITY
Cyber security: the attempt to protect networks, computer programs and data from attack, damage or unauthorized access.
- Confidentiality: only authorized persons access confidential information
- Integrity: maintain the consistency, accuracy and trustworthiness of data
- Availability: those who should have access to data can access it when they want
Cyber crime attacks each area of the CIA model:
- Confidentiality: stealing passwords
- Integrity: using a virus to modify data
- Availability: DDoS attack
Cyber crime happens when cyber security fails.
Cyber security focuses on the protection of data/information:
- Confidentiality: identity management and access control; data encryption (data at rest as well as in motion)
- Integrity: data encryption (data at rest as well as in motion)
- Availability: consider redundancy (failover, load balancing, RAID, cluster); disaster recovery; software solutions (firewall)

COMPUTER CRIME INVESTIGATION
Computer crime investigation is very much like traditional investigation.
Investigation methods:
- Interview / interrogation
- Surveillance / intelligence gathering
- Forensics (reconstruction): attempt to reconstruct the event (who, what, when, where, why)
- Undercover investigation: the investigator pretends to be a hacker selling malicious code

DIGITAL FORENSICS INVESTIGATION
Digital investigation: a process to answer questions about digital states and events.
Digital forensic investigation: a special case of digital investigation that uses procedures and techniques; the collection, preservation, analysis and presentation of computer-related evidence for a court of law.
Digital evidence: data that proves or disproves a hypothesis that was formulated during an investigation.

REQUIRED CHARACTERISTICS FOR DIGITAL FORENSICS
- Observation
- Critical thinking
- Relational analysis
- Timeline analysis
- Functional analysis

DIGITAL EVIDENCE
Digital evidence is data that supports or refutes a hypothesis formulated during an investigation.
- Direct evidence: directly describes an event or information (e.g. a log file)
- Indirect evidence: data related to an event or information in a secondary way
Evidence needs context.
Causes of digital evidence distortion:
- System administrator
- Attacker/hacker action
- Victim action
- Secondary transfer (mobile to PC)
- Nature / weather
Digital forensic admissibility:
- Relevance to the charge under investigation
- Reliability: derived in a forensically sound manner (preserving the original meaning of the data)
- Derived evidence should be reliable, complete, accurate, and able to be tested and verified

DIGITAL FORENSIC INVESTIGATION PROCEDURES
Investigation procedure tips:
- Every case is different
- Procedures depend on the jurisdiction
- Driven by the requirements of judges
Basic procedure:
1. Acquire data without altering or damaging the original
2. Verify that the recovered data is the same as the original
3. Analyze the data without modifying it
4. Clearly report findings
Phases:
1. Identification: identify that a crime (or event) has taken place; crime detection, complaint, anomaly detection (IDS), audit analysis
2. Preservation: is the device on? chain of custody
3. Collection: collect the suspect hardware/data; legal authority, scope, volatile data, static data, verify the collected data
4. Examination: do not modify the data; extraction (convert into human-readable form); examination checklist; preprocessing; filtering techniques; pattern matching; hidden data discovery
5. Analysis: what the information tells; how it relates to the hypothesis and to the overall question; data must be analyzed in context; analysis types: relational analysis, functional analysis, temporal analysis
6. Presentation: results must be communicated well; summary of key results first; comprehensive report about all actions; conclusions reached; ensure documentation is detailed enough that it is reproducible by another investigator; decision

DIGITAL FORENSIC
Digital forensics teaches you:
- how computers work
- how data is stored and accessed
- how to manage large amounts of data
- how to think logically and objectively
- how to connect concepts
- how to write and communicate
Prerequisites: operating system concepts; Linux command line; Windows command line; no need to know programming.

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER TWO: DIGITAL FORENSIC TOOLS AND DATA ACQUISITION PROCESS
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Computer hardware
- Digital forensic hardware & tools
- Digital forensic software
- Processing scenes
- Chain of custody
- Data storage, structure and acquisition
- Data recovery
- File systems

COMPUTER HARDWARE BASICS

DIGITAL FORENSIC HARDWARE / TOOLS
Forensic hardware refers to specialized tools and devices designed for use in digital forensics investigations. These hardware devices are crucial for acquiring, analyzing, and preserving electronic evidence from various digital sources.
1. Write blocker
Purpose: prevents any write operations to the evidence media, ensuring the integrity of the original data during acquisition.
Examples: Tableau write blockers; WiebeTech write blockers.
2. Imaging device
Purpose: creates forensic images of storage devices to preserve the original data for analysis without altering the source.
Examples: forensic disk duplicators; portable forensic imaging devices.
3. Portable forensic workstation
Purpose: compact and portable systems equipped with forensic software for on-site analysis.
Examples: forensic laptops configured with specialized software; portable workstations with built-in write blockers.
4. Digital forensic field kits
Purpose: comprehensive kits containing a range of tools for on-site forensic investigations.
Examples: write blockers, imaging devices, forensic laptops, cables, adapters, and accessories.

DIGITAL FORENSIC SOFTWARE
Disk imaging and analysis:
- EnCase Forensic: a widely used forensic tool for acquiring, analyzing, and reporting on digital evidence. It supports disk imaging, file recovery, and advanced analysis.
- AccessData Forensic Toolkit (FTK): a comprehensive forensic platform that includes features for disk imaging, data recovery, and advanced analysis of digital evidence.
Memory forensics:
- Volatility: an open-source framework for memory forensics. It helps analyze the volatile memory (RAM) of a computer for evidence of running processes and system state.
- Rekall: another open-source memory forensics tool that allows for the analysis of memory dumps.
Network forensics:
- Wireshark: a widely used network protocol analyzer that captures and inspects data on a network. It is commonly used for network forensics.
- NetworkMiner: a widely used network protocol analyzer that captures and inspects data on a network. It is commonly used for network forensics.
Mobile forensics:
- Cellebrite UFED (Universal Forensic Extraction Device): a tool for extracting and analyzing data from mobile devices, including smartphones and tablets.
Forensic analysis suites:
- Autopsy: an open-source digital forensics platform that offers a graphical interface for The Sleuth Kit, allowing investigators to conduct in-depth analyses.
- SANS SIFT (SANS Investigative Forensic Toolkit): a collection of open-source tools for digital forensics analysis.

PROCESSING THE SCENE
Before acquiring digital evidence, it is essential to process the scene where the evidence is located. This involves:
- Documentation: record detailed information about the location of the digital evidence, the devices present, and the overall scene conditions.
- Photography and videography: capture images and videos of the scene to provide a visual record of the environment.
- Chain of custody: establish and maintain a chain of custody for all seized devices and evidence. This documentation tracks the handling, transfer, and storage of evidence from the scene to the forensic lab.
- Seizure and labeling: properly seize and label all digital devices, ensuring that each device is uniquely identified for later reference.

CHAIN OF CUSTODY
The chain of custody is a record of all persons who come into possession of an item of evidence. The goal is to maintain a document that records exactly what happened to the evidence from the time it was found to the time it is presented in court.
Requirements of the chain of custody:
- List of evidence
- The location where the item is stored
- Signature of the individual releasing the evidence to another individual or location
- Signature of the individual receiving the evidence from another individual or location
- Reason for the transfer

DATA STORAGE
Digital data are basically a combination of 1s and 0s. The data must be interpreted into a form that humans can make sense of.
In a computer, data is represented in different layers:
- Physical layer: hard disk, RAM. The image copy is a bit-by-bit copy.
- Logical layer: partitions/volumes (C drive, D drive). The image copy contains only what is in the partition.
- File system: a method to store data, installed in the partition. File system types: FAT32, exFAT, NTFS, HFS.

DATA STRUCTURE
- Data is stored in a physical location (hard disk, RAM).
- Recovering the data for forensics requires organizing data in a known way and storing it in a known location.
- A physical disk image is a bit-by-bit copy (exactly identical).
- A data structure is a representation of data: rules applied to a group of data in order to understand what the data means.
- Binary representation; hexadecimal representation.

DATA ACQUISITION
Once write-blocking is ensured, the next step is to create a forensic image of the storage media. This involves making a bit-for-bit copy of the entire contents of the storage device, including both allocated and unallocated space. The forensic image serves as a duplicate of the original evidence for analysis, leaving the original device untouched.
Common tools used for hard drive acquisition include:
- Autopsy: an open-source digital forensics platform that offers a graphical interface for The Sleuth Kit, allowing investigators to conduct in-depth analyses.
- EnCase Forensic: allows forensic analysts to create forensic images, analyze digital evidence, and generate reports.
- AccessData Forensic Toolkit (FTK): a comprehensive forensic platform that includes features for imaging, analysis, and reporting.
- dd (Linux/Unix command): a command-line tool that can be used to create a bit-for-bit copy of a disk or partition.
Considerations: how can we
- get the best copy of the data
- preserve all the data
- ensure the acquired data is correct
- ensure the acquired data can be verified by a third party

DATA ACQUISITION STEPS
- Identify what to acquire and how: HD, SSD, RAM
- How to copy the data: in a forensically sound way (write blocker)
- How to save the data: forensic disk image
- Ensure the copy is exactly the same as the original: cryptographic hashing algorithms (MD5, SHA1)

DATA RECOVERY
Data recovery is an attempt to pull out as much information from the data as possible: deleted files, hidden partitions/files, file fragments.
To recover the data:
- Examine the known structure
- Find where the structure starts and ends
- Try to recover the missing values
PhotoRec: an open-source file carving tool designed to recover lost files, including videos, documents, and archives, from hard disks and CD-ROMs, and lost pictures from camera memory.

FILE SYSTEM
A file system provides a way for data to be stored and organized on a storage device.
FAT32
- Supports individual file sizes up to 4 GB
- Supports volumes up to 2 terabytes (TB) in size
- Widely compatible with various operating systems, including Windows, macOS, Linux, and others
- Uses a simple file and directory structure
- Limited to a maximum partition size of 32 GB when formatting in Windows
- Provides basic file security through read and write permissions
- Suitable for smaller storage devices like USB drives, memory cards, and older systems
exFAT
- The Extended File System has gone through several versions, with ext2, ext3, and ext4 being the most widely used
- Addresses the size limitations of FAT32: exFAT supports very large file sizes, much larger than the 4 GB limit imposed by FAT32
- exFAT supports larger volumes than FAT32, allowing for storage capacities beyond what FAT32 can handle; suitable for high-capacity storage devices like external hard drives
- exFAT is supported by various operating systems, including Windows, macOS, and Linux
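An added example (not from the lecture) of the acquisition steps above in code: a bit-for-bit copy of a constructed stand-in "device" file, MD5/SHA1 hashes taken during the copy, a third-party style re-verification of the image, and the mismatch that a single changed byte produces. The device contents, file names and the changed byte are all constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # read, hash and write in fixed blocks, like dd's block size


def hash_bytes(data):
    """Return (md5, sha1) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (md5, sha1) hex digests of a whole file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of `source` into `image`: allocated and unallocated
    space alike, because every block is copied. The hashes are computed from
    the bytes as they stream past, so the acquisition hash is taken in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(acquisition_hashes, image):
    """Third-party check: re-hash the image and compare with the recorded hashes."""
    return hash_file(image) == acquisition_hashes


def make_evidence_device(path):
    """Constructed stand-in for a seized disk: an allocated file followed by
    'unallocated' space that still holds the remains of a deleted PDF."""
    allocated = b"report.docx:" + b"Q4 FIGURES" + b"\x00" * 1000
    unallocated = b"\x00" * 500 + b"%PDF-1.4 deleted memo" + b"\x00" * 2000
    with open(path, "wb") as f:
        f.write(allocated + unallocated)


def demo():
    """Acquire, verify, then show that a single changed byte is detected."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb.raw")
    image = os.path.join(workdir, "sdb.dd")
    make_evidence_device(device)

    original = hash_file(device)                 # hash of the evidence itself
    acquired = acquire_image(device, image)      # hash recorded during the copy
    match_before = acquired == original and verify_image(acquired, image)

    # What an image written to without a write blocker looks like: one byte changed.
    with open(image, "r+b") as f:
        f.seek(1200)
        f.write(b"\x01")
    match_after = verify_image(acquired, image)  # now False

    return {"md5": acquired[0], "sha1": acquired[1],
            "match_before": match_before, "match_after_change": match_after}


if __name__ == "__main__":
    print(demo())
```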
NTFS
- Supports individual file sizes up to 16 exabytes (EB)
- Supports volumes up to 256 terabytes (TB) in size
- Primarily used with Windows operating systems; limited native support in non-Windows systems
- Features a more advanced file and directory structure with support for features like compression, encryption, and disk quotas
- No practical limit on partition size when formatting in Windows
- Provides advanced security features, including file-level encryption, access control lists (ACLs), and more
- Suitable for modern Windows operating systems and high-capacity storage devices
- NTFS is the default file system for Windows
HFS (Hierarchical File System)
- HFS, also known as the Macintosh File System, was the original file system used by Apple for Macintosh computers
- HFS organized files and directories in a hierarchical tree structure
HFS Plus (HFS+)
- HFS Plus, introduced with Mac OS 8.1 in 1998, was an extension of the original HFS
- HFS+ addressed some limitations of the original HFS, such as the maximum file and volume sizes. It supported larger files and volumes, and it introduced features like Unicode support for file names
COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER THREE: DIGITAL FORENSIC INVESTIGATION USING FORENSIC SOFTWARE - AUTOPSY
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Digital forensic investigation requirements
- Data location and the meaning of data
- Digital forensic investigation with Autopsy
- Data recovery using PhotoRec

DIGITAL FORENSIC INVESTIGATION REQUIREMENTS
- Form a clear understanding of what the digital investigation needs to, or should, answer
- Make sure the data or image that we copied was taken in a forensically sound way
- The data recovered or preprocessed should be examined for what it means for our investigation: file timestamps, Windows registry entries, files in the download folder, files in temporary internet files

DATA LOCATION AND THE MEANING OF DATA
File timestamps
- Most file systems keep track of timestamps: created, accessed, modified
- Actions that affect timestamps: moving, copying, creating and editing the file
Windows registry
- Contains Windows and user settings information on a Windows system
- Registry keys contain information about settings, e.g. TypedURLs
Files in the download folder
- Default location for browser downloads
Files in the internet cache (Temporary Internet Files, INetCache)
- Temporary storage for browsers when downloading web pages
There are many locations for data storage, and different types of data exist. Each location and data type means something different depending on the investigation context.

DIGITAL FORENSIC INVESTIGATION WITH AUTOPSY
Creating a new case
Case name: CaseNo-CaseType-Name of investigator-Name of victim-Year, e.g. 001-F-Sam-2016
Autopsy overview:
1. New case creation
2. Adding a data source
3. Selecting the data source
Configure ingest modules: this is where the actual analysis of the disk is performed.
- Recent Activity: extracts recent user activity such as web browsing and recently accessed files.
- Hash Lookup: identifies known and notable files using the supplied hash database.
- File Type Identification: matches file types based on binary signatures.
- Embedded File Extractor: extracts embedded files (docx, pptx, xlsx, ...).
- EXIF Extractor: ingests JPEG files and retrieves the EXIF metadata.
- Keyword Search: performs file indexing and periodic search using keywords.
- Email Parser: detects and parses mbox and pst/ost files.
- Extension Mismatch Detector: flags files that have a non-standard file extension.
- E01 Verifier: validates the integrity of E01 files.
- Interesting file extensions: identifies interesting items based on rules that define what the interesting items are.
- PhotoRec Carver: runs the PhotoRec carver against unallocated space in the data set.
- Virtual Machine Extractor: extracts virtual machine files.

DATA RECOVERY WITH PHOTOREC
PhotoRec is free and open-source file recovery software designed to recover lost files, including videos, documents, and archives, from hard disks and CD-ROMs, and lost pictures from camera memory. It is a companion program to TestDisk, another popular data recovery tool.
- Cross-platform tool, compatible with various operating systems, including Windows, macOS and Linux
- Supports a wide range of file systems, including FAT, NTFS, exFAT, ext2/3/4, HFS+, and many others
- Recovers a variety of file types, including photos, videos, documents, and more
- Can be used in a live environment, such as a bootable CD or USB drive, allowing users to perform recovery operations without modifying the existing system
Steps:
1. Navigate to the folder where the disk image exists
2. Select the disk image and click Proceed
3. Select which file types to recover
4. Select the location where the recovered data should be stored; PhotoRec will store the recovered data in that location

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER FOUR: DIGITAL FORENSIC DATA REPRESENTATION AND FILE STRUCTURE
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Data storage & representation
- Number systems
- Computer character encoding
- File structure
- File metadata
- Timestamps

DATA STORAGE & REPRESENTATION
Knowing how data is stored in computers, number theory, how digital files are structured, and the types of storage units and the differences between them are essential areas to know in order to locate and handle digital evidence. Computers store, process, and represent digital data in a specific way. This chapter covers how a computer represents data, discusses common numbering systems, and introduces the major encoding schemes used by computers to produce text that is readable for humans.

NUMBER SYSTEMS
Decimal (base 10)
Decimal is the most widely used numbering system, the one we use every day when performing math calculations (e.g., 10 + 11 = 21); it is a base-10 system because it uses 10 digits or symbols (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) to represent its values. The number 5437 is interpreted as follows:
5437 = 5000 + 400 + 30 + 7 = 5×10^3 + 4×10^2 + 3×10^1 + 7×10^0
Binary (base 2)
Computers store data in binary format, which is the base-2 numeral system represented by 1s and 0s.
Hexadecimal (base 16)
Uses 16 digits or symbols to represent its values:
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F (capital letters are used to represent the numbers from 10 to 15)
Binary to hex:
Binary value: 01001110 01101001 01101000 01100001 01100100 00100000 01001000 01100001 01110011 01110011 01100001 01101110
Hex value: 4E 69 68 61 64 20 48 61 73 73 61 6E
(the number 20 in hex represents the space between the two words)
Hex is shorter and easier for humans to understand.

COMPUTER CHARACTER ENCODING
Computers use character encoding schemes to convert binary numbers into meaningful text that a human can read. There are two major encoding schemes used by computers to represent text: ASCII and Unicode.
ASCII (American Standard Code for Information Interchange) was invented a long time ago and is still supported by nearly all text editors. ASCII has only a limited ability to represent all letters from all languages across the globe, as well as punctuation and other special symbols from other languages, because it uses seven bits, or 128 values, only. There is an extended version of ASCII, named Extended ASCII, that supports 256 characters, but it still does not offer support for all international languages.
Unicode encoding, created by the Unicode Consortium, is a widely used character-encoding scheme that provides a unique number for every character from any international language. Unicode is supported in major operating systems, software packages, mobile devices, and web applications. Unicode is often encoded as UTF-8, UTF-16, UTF-32, or UCS-2.

FILE STRUCTURE
Understanding how computers store and represent data is essential in digital forensics. Investigators may need to extract and open a file from the unallocated disk space of the target hard drive, or from a raw data set, without using the program (e.g., MS Word) that originally created the file, using file carving. File carving is used effectively to recover deleted files and fragments of files from wiped or damaged hard drives. To conduct file carving, it is essential to know how we can distinguish a file from its signature.
As users, we distinguish a file type by its extension. For instance, an MS Word file has the DOCX or DOC extension, and an MS Excel file has the XLSX or XLS extension. As digital forensic investigators, we cannot depend on the file extension alone to determine the file type, as it can easily be changed to whatever you want (e.g., an MS Word file can be renamed to a DLL or PNG file to conceal its true identity). To counter such concealment techniques, we must check the file signature (header) to know its type.

FILE METADATA
Metadata is data about data. Most digital file types have metadata associated with them. It usually comes integrated into the same file; however, some file types store their metadata in a separate file. Metadata holds data that describes the file it is associated with. For example, the metadata included in an MS Word file might include the author name, organization name, computer name, date/time created, and comments.
From a digital forensics perspective, metadata can be very useful in many cases. We can track the different authors of a file (e.g., an MS Office file) through the associated metadata. We can also search within the file's metadata to locate interesting information; most computer forensic suites support searching within the metadata of acquired forensic image files.
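An added example (not from the lecture) of the signature check described above: a file's true type is read from its header bytes rather than its extension, a mismatch flag is raised the way an extension-mismatch check would, and the header is shown as the hex that humans read more easily than binary. The signature table is an assumed subset of well-known magic numbers, and the sample files are constructed.

```python
import os

# Header bytes ("magic numbers") of a few common types; an assumed subset,
# not the full signature table a forensic suite ships with.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"%PDF", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP container (docx/xlsx/pptx are ZIP)", {"zip", "docx", "xlsx", "pptx"}),
    (b"GIF8", "GIF image", {"gif"}),
    (b"MZ", "Windows executable/DLL", {"exe", "dll"}),
]


def hexdump(data, width=16):
    """Render bytes as offset, hex pairs and printable ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)


def identify(data):
    """Return (label, extensions) implied by the header, or (None, set())."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return None, set()


def extension_mismatch(name, data):
    """True when the name's extension does not belong to the signature's type.
    Unknown signatures are not judged: they are left for manual review."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    label, exts = identify(data)
    if label is None:
        return False
    return ext not in exts


# Constructed sample files (only the first bytes matter for identification)
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "budget.docx": b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml",
    "scan.png": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",        # a PDF renamed to .png
    "wallpaper.jpg": b"MZ\x90\x00\x03\x00\x00\x00",      # an executable renamed to .jpg
    "notes.dat": b"\x00\x01\x02\x03",                    # no known signature
}


def scan(samples):
    """Map each name to (type label, mismatch flag)."""
    return {name: (identify(data)[0], extension_mismatch(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (label, bad) in scan(SAMPLES).items():
        print(f"{name:14} {label or 'unknown':40} mismatch={bad}")
        print(hexdump(SAMPLES[name][:16]))
```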
TIMESTAMPS
Digital files contain different metadata within them. The most important is the timestamp metadata, which is used to represent different date/time events associated with the file of interest, like the last access date/time, last modified date, and creation date. During the investigation process, we may encounter date/time values that are encoded in a specific way and need to be decoded (e.g., date/time values in the Windows registry are written in binary format and need to be translated into ASCII).

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER FIVE: HASHING
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Hashing
- Hash functions
- Hashing guidelines
- Salting and peppering
- Hashing characteristics
- Common hashing algorithms

HASHING
Hashing is the process of transforming any given key or string of characters into another value. This is usually represented by a shorter, fixed-length value or key that represents the original string and makes it easier to find or employ it. The most popular use for hashing is the implementation of hash tables. A hash table stores key/value pairs in a list that is accessible through its index. Because key/value pairs are unlimited, the hash function maps the keys to the table size. A hash value then becomes the index for a specific element.

HASH FUNCTION
A hash function generates new values according to a mathematical hashing algorithm; the result is known as a hash value or simply a hash. To prevent conversion of the hash back into the original key, a good hash always uses a one-way hashing algorithm. Hashing is relevant to, but not limited to, data indexing and retrieval, digital signatures, cyber security and cryptography.

HASHING GUIDELINES
- A hash function should be able to hash in mass, with a reasonable limit to prevent exploitation.
- The hash digest must depend on each bit of the input. This helps in creating as many unique hashes as possible.
- Prevent hash collisions (a collision occurs when two inputs produce exactly the same hash value/digest).
Salting and peppering can help prevent collisions.

SALTING

PEPPERING

HASHING CHARACTERISTICS
- Fixed output size: regardless of the input size, a hash function produces a fixed-size output. For example, the SHA-256 algorithm generates a 256-bit hash value.
- Deterministic: the same input will always produce the same hash output. This deterministic nature is essential for consistency and verification purposes.
- Quick computation: hash functions are designed to be computationally efficient. They should produce the hash value quickly, even for large inputs.
- Avalanche effect: a small change in the input should result in a significantly different hash value. This property ensures that similar inputs do not produce similar hash codes.
- Pre-image resistance: it should be computationally infeasible to reverse the hash function and obtain the original input from its hash value.
- Collision resistance: collisions occur when two different inputs produce the same hash value. A good hash function minimizes the likelihood of collisions.

COMMON HASHING ALGORITHMS
- MD5 (Message Digest Algorithm 5): MD5 produces a 128-bit hash value. However, due to vulnerabilities, it is no longer considered secure for cryptographic purposes.
- SHA-1 (Secure Hash Algorithm 1): SHA-1 produces a 160-bit hash value. Like MD5, SHA-1 is considered insecure due to vulnerabilities, and its use is deprecated.
- SHA-256, SHA-384, SHA-512: part of the SHA-2 family, these algorithms produce hash values of 256, 384, and 512 bits, respectively. They are widely used for cryptographic purposes.
- bcrypt: a key derivation function designed for securely hashing passwords. It includes a cost factor that adjusts the computational effort required, making it resistant to brute-force attacks.
- Argon2: a password hashing algorithm that won the Password Hashing Competition in 2015. It is designed to be memory-hard and resistant to GPU and ASIC attacks.
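An added example (not from the lecture) that exercises the characteristics and the salting/peppering idea above: SHA-256 on two inputs differing in one character shows fixed size, determinism and the avalanche effect, and a salted-and-peppered password hash is built with PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt or Argon2, which need third-party packages. The inputs, passwords, pepper value and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def characteristics_demo():
    """Fixed size, determinism and the avalanche effect on two constructed
    inputs that differ in a single character."""
    d1 = sha256_hex(b"transfer 100 birr to account 42")
    d2 = sha256_hex(b"transfer 700 birr to account 42")
    return {
        "fixed_size": len(d1) == len(d2) == 64,      # 256 bits = 64 hex chars
        "deterministic": d1 == sha256_hex(b"transfer 100 birr to account 42"),
        "bits_changed": bit_difference(d1, d2),       # about half of 256 bits
    }


# Salt: random per password, stored next to the digest.
# Pepper: one secret for the whole system, kept out of the database
# (constructed value here; in practice it lives in a secrets store).
PEPPER = b"constructed-pepper-not-stored-with-the-hashes"
ITERATIONS = 200_000   # cost factor, the same idea as bcrypt's work factor


def hash_password(password: str, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 over password + pepper."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def salting_demo():
    s1, d1 = hash_password("Pa55word")
    s2, d2 = hash_password("Pa55word")   # same password, fresh salt
    return {
        "same_password_different_digests": d1 != d2,
        "correct_password_verifies": verify_password("Pa55word", s1, d1),
        "wrong_password_rejected": not verify_password("Pa55word!", s1, d1),
        # Without a salt, equal passwords give equal digests (the collision
        # the guideline warns about across users):
        "unsalted_sha256_identical": sha256_hex(b"Pa55word") == sha256_hex(b"Pa55word"),
    }


if __name__ == "__main__":
    print(characteristics_demo())
    print(salting_demo())
```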
HASHING APPLICATIONS
- Data integrity: hashing is used to verify the integrity of data during transmission. If the hash value of the received data matches the expected hash value, the data is likely intact.
- Password storage: hash functions are employed to securely store passwords. Instead of storing plaintext passwords, systems store the hash values. During authentication, the entered password's hash is compared with the stored hash.
- Digital signatures: hashing is used in digital signatures to create a fixed-size representation of a message that is then encrypted with the sender's private key. The recipient can verify the signature using the sender's public key.
- Blockchain technology: blockchain relies heavily on hashing for creating secure and tamper-resistant links between blocks. Each block contains a hash of the previous block, forming a chain.

HASHING FOR DIGITAL FORENSICS
File hashing is the act of attempting to uniquely identify a file. Different hash algorithms can be used for this purpose, but some are weaker than others and are more likely to have collisions. Some common algorithms are provided above. Once a file has been hashed, it can be compared with other file hashes. A common technique in incident response is to search for a file's hash value on Google to determine whether the file has been seen before and, if so, what its purpose is.
Another technique, used in contraband cases, is to match a file's hash value with that of known contraband images to determine whether the file has been seen before. In the case of trying to determine whether a file is child sexually abusive material, identifying a file by hash value can help law enforcement prove the images are of a known victim.
File hashing can also be used to whitelist files based on their signature. The whitelisting process can result in data reduction in a case by removing legitimate files from a timeline.
Doing so runs the risk of removing data from the analyst's view, because attackers may use legitimate Windows files to perform their tasks.

SHA1, MD5 HASHING ALGORITHMS

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER SIX: WINDOWS FORENSIC ANALYSIS
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINTS
- Introduction
- Timeline analysis
- File recovery analysis
- Recycle bin analysis
- Data carving
- User account associated attributes
- Windows registry analysis

INTRODUCTION
In July 2018, the market share of the Windows operating system (desktop version) stood at 82.88%. The majority of personal computers worldwide run this operating system, so most of our digital forensic work involves investigating this type of OS. Knowing how to find your way around Windows is a must for any digital forensics practitioner.
Operating system forensics helps examiners correlate events conducted using the suspect device's operating system with other actions/events that have happened in the real world. Almost any event or state change on a system is considered the result of a user action. A Windows user will leave traces while using it; Windows in particular leaves many traces in different places as part of its normal use, compared with other operating system types. Advanced Windows users who know how to delete and cover their traces will not always succeed in deleting all of them, leaving valuable evidence for digital forensic examiners to retrieve.

1. TIMELINE ANALYSIS
Timeline analysis gives a holistic view of the succession of events that have happened on the system in question and is used to answer a main question in any investigation: when did a specific activity take place? Timeline analysis allows investigators to save investigation time by reducing the volume of data that needs to be investigated to a specific timeframe (e.g., after the incident took place).
Timeline analysis is very important when investigating malware incidents, to identify when a system state has changed because of a malware attack.

TIME LINE ANALYSIS (CONT.…)

2. FILE RECOVERY ANALYSIS
Analysis of deleted files is a key task in any type of digital forensic investigation. It is a must to know:
How Windows deletes files
Where such files can be located after they are deleted
What methods/techniques can be used to investigate these files
Create the new case and select the "PhotoRec Carver" module from the ingest modules (make sure that "Process Unallocated Space" is selected).
The PhotoRec tool (www.cgsecurity.org/wiki/PhotoRec)

3. RECYCLE BIN ANALYSIS
The Recycle Bin contains files that have been deleted by users but still exist within the system.
Users can press and hold the Shift key when deleting a file to delete it permanently without moving it into the Recycle Bin. Few people employ permanent deletion of recycled files (or even know about it). This makes it possible for the Recycle Bin to hold important recycled artifacts, which are considered a valuable source of digital evidence.

RECYCLE BIN ANALYSIS (CONT.…)

4. DATA CARVING
Data carving is an advanced type of data recovery, usually used in digital forensic investigations to extract a particular file (using the file's header and footer information) from unallocated space (raw data) without the assistance of any file system structure (e.g., the MFT).
Data carving can be the only method to recover important evidence files and fragments of files in a criminal investigation where the file system that was originally responsible for organizing these files on the hard drive is missing or corrupted.

5. USER ACCOUNT ASSOCIATED ATTRIBUTE
A suspect Windows PC can have more than one account. For each account on a Windows PC, there is a unique number that distinguishes it, called the SID.
By using this SID, a digital forensic examiner can know which user account conducted which action or when a particular user account triggered a specific event.
The command-prompt command (wmic useraccount get name,sid) shows the available user accounts and their associated SIDs on any Windows machine.

USER ACCOUNT ASSOCIATED ATTRIBUTE (CONT.…)

6. WINDOWS REGISTRY ANALYSIS
The Windows registry is considered the heart of the Windows OS: it contains critical information needed by the operating system and installed applications in order to function.
Every action conducted by a Windows user is stored in its registry in one way or another. The Windows registry is a rich source of evidence that can be extremely valuable for any digital forensic investigation.
The Windows registry is a hierarchical database that stores Windows system configuration settings for hardware, software applications, and the operating system, in addition to the user's preferences and the computer's and applications' usage history.

WINDOWS REGISTRY ANALYSIS (CONT.…)

WINDOWS REGISTRY ANALYSIS (CONT.…)
Autorun
Using Autoruns from Sysinternals to view automatic startup programs and the associated registry keys in Windows.

WINDOWS REGISTRY ANALYSIS (CONT.…)
USB Device Forensics
Windows keeps a history log of all previously connected USB devices along with their connection times, in addition to the associated user account that installed them.
The Windows registry also stores important technical information for each connected USB device, such as vendor ID, product ID, revision, and serial number.
WINDOWS REGISTRY ANALYSIS (CONT.…)
USB Device Forensics
The tool will find out information about the current and previously USB-connected devices.

WINDOWS REGISTRY ANALYSIS (CONT.…)
Most Recently Used List
Windows keeps a log of the most recently accessed files.
Many applications that run on Windows have most recently used (MRU) lists, such as recently opened MS Office files and recently visited web pages; these applications list the files that have been most recently accessed.

WINDOWS REGISTRY ANALYSIS (CONT.…)
Network Analysis
When a Windows user connects his/her machine to the Internet or an intranet, Windows logs this action in the registry: network cards, wireless connection profile (name, IP address, subnet mask, DHCP).

WINDOWS REGISTRY ANALYSIS (CONT.…)
Network Analysis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless

WINDOWS REGISTRY ANALYSIS (CONT.…)
Network Analysis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

WINDOWS REGISTRY ANALYSIS (CONT.…)
Windows Shutdown Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows, under the ShutdownTime value.
The shutdown time is stored as a binary value; to decode it into a readable form, use a tool called DCode from Digital Detective.

WINDOWS REGISTRY ANALYSIS (CONT.…)
Printer Registry Information

WINDOWS REGISTRY ANALYSIS (CONT.…)
Deleted Registry Key Recovery
Recovering deleted Windows registry keys can be forensically valuable in many cases.

WINDOWS REGISTRY ANALYSIS (CONT.…)
File Format Identification
Signature analysis is a process where file headers and extensions are compared with a known database of file headers and extensions to discover whether an attempt to conceal the original file type has been made (changing the file extension to something else to hide it from the investigators' eyes).
As we know, each file type under Windows has a unique signature, usually stored in the first 20 bytes of the file.
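The signature analysis just described, as an added example that is not from the slides and is not Autopsy's module: the header table is a small constructed subset, the sample files (a PNG renamed .txt, an executable posing as a .docx) are constructed, and only Python's standard library is used.

```python
"""Signature analysis: compare a file's magic bytes with its extension.

Added example; it is not from the slides and not Autopsy's Extension
Mismatch Detector. SIGNATURES is a small constructed subset of the header
database such tools carry; the sample files are constructed in a temp dir.
"""
import os
import tempfile

HEADER_LEN = 20  # the slides note the signature usually sits in the first 20 bytes

# (magic bytes, offset in file, extensions that legitimately carry this signature)
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"MZ", 0, {"exe", "dll", "sys", "scr"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x7fELF", 0, {"elf", "so"}),
    (b"Rar!\x1a\x07", 0, {"rar"}),
    (b"SQLite format 3\x00", 0, {"sqlite", "db"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, {"doc", "xls", "ppt", "msg"}),
]


def identify(header: bytes):
    """Return the set of extensions whose signature matches, or None if unknown."""
    for magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return exts
    return None


def check_file(path):
    """Classify one file as 'ok', 'mismatch' or 'unknown'; returns (status, detail)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    exts = identify(header)
    if exts is None:
        return "unknown", f"no known signature in {header[:8]!r}"
    if ext in exts:
        return "ok", ext
    return "mismatch", f"extension .{ext} but content matches {sorted(exts)}"


def scan(paths):
    """Run check_file over paths; only 'mismatch' entries need an examiner's attention."""
    return {path: check_file(path) for path in paths}


def demo():
    """Constructed evidence set: a PNG renamed .txt, an honest PDF, an EXE posing as a DOCX, noise."""
    tmp = tempfile.mkdtemp()
    samples = {
        "holiday.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,        # image hidden behind .txt
        "report.pdf": b"%PDF-1.7\n% constructed",                  # extension matches content
        "invoice.docx": b"MZ\x90\x00 constructed PE stub",          # executable posing as a document
        "blob.bin": b"\x00\x01\x02\x03 constructed noise",          # nothing recognisable
    }
    for name, content in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(content)
    results = scan([os.path.join(tmp, name) for name in samples])
    return {os.path.basename(p): status for p, (status, _detail) in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```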
We can check the original file signature of any file by examining it with Notepad or a hex editor.
Autopsy has the ability to discover file extension mismatches; to use this feature, you have to enable the "Extension Mismatch Detector" module.

WINDOWS REGISTRY ANALYSIS (CONT.…)
Windows Prefetch Analysis
Prefetch is a feature used by Windows to speed up loading applications. Windows creates a Prefetch file when a user executes an application for the first time, and then records which files have been loaded as part of this application's execution, so the next time the user launches it, Windows will load it quicker.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

WINDOWS REGISTRY ANALYSIS (CONT.…)
Event Log Analysis
Windows records important events (both hardware and software events) that have happened to the system, applications, or other services in what is called an event log.

WINDOWS REGISTRY ANALYSIS (CONT.…)
Windows records huge amounts of information about its users; this information, also known as artifacts in the computer forensics domain, can be scattered across the system in different locations. In this chapter we tried to cover the main areas where forensic artifacts can be found.

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER SEVEN: WEB BROWSER AND EMAIL FORENSIC ANALYSIS
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINT
Introduction
Web Browser Forensics
E-mail Forensics
E-mail Forensics Challenges

INTRODUCTION
Internet applications already installed on Windows can give important information about user actions performed previously on his/her computer.
The web browser is the only way to access the Internet, and criminals use it to commit crimes related to the Internet or to target other users online.
Internet users use web browsers to socialize, purchase items online, send e-mails, and browse web content, among other things.
Web browsers are the preferred target for malicious actors to steal confidential information like account credentials.

INTRODUCTION (CONT.…)
Analyzing web browser artifacts is a major part of any computer forensic investigation, as in many cases it can effectively determine the source of compromise or the user's previous activities.
For example, if we investigate the web browsers and see that the suspect was downloading or searching online for information on steganography and encryption tools, this is a clear sign that this user may employ such techniques to conceal secret data.

1. WEB BROWSER FORENSICS
Web browser market share

WEB BROWSER FORENSICS (CONT.…)
1. Internet Explorer
IE comes preinstalled with all versions of Windows. Its main registry key is located at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime

WEB BROWSER FORENSICS (CONT.…)
Internet Explorer
IE investigation tasks can be performed using specialized tools:
IEHistoryView (www.nirsoft.net/utils/iehv.html): Displays browser history from index.dat.
IECacheView (www.nirsoft.net/utils/ie_cache_viewer.html): Displays all cache folder contents of IE.
IECookiesView (www.nirsoft.net/utils/iecookies.html): Displays all cookies saved by IE.

WEB BROWSER FORENSICS (CONT.…)
2. Microsoft Edge Web Browser
Microsoft Edge (code name Spartan) is the replacement for the IE browser and the default browser for Windows 10. This is a lightweight web browser that integrates with the Cortana feature available in Windows 10, allowing a user to complete many tasks (e.g., open web pages, conduct online searches) using voice commands only.
Display the database schema of spartan.edb using ESEDatabaseView from NirSoft; the image displays saved web favorites in the "Favorites" container.
\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxx-xxx\DBStore\spartan.edb

WEB BROWSER FORENSICS (CONT.…)
2. Microsoft Edge Web Browser
Microsoft Edge stores its browsing history in \Users\\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
The last browsing session of Microsoft Edge is stored at \Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_****\AC\MicrosoftEdge\User\Default\Recovery\Active

WEB BROWSER FORENSICS (CONT.…)
3. Firefox Web Browser
Firefox is a free, open source web browser developed by Mozilla. It is considered among the most used web browsers in the world.
Firefox does not use the Windows registry in the same way as the IE browser; Firefox stores its web history, download history, and bookmarks in a central database file named places.sqlite. This file exists within the user's Firefox profile. We can access the user's profile by pressing the Windows key and typing the following: %APPDATA%\Mozilla\Firefox\Profiles\

WEB BROWSER FORENSICS (CONT.…)
Firefox Web Browser
places.sqlite: Holds bookmarks, visited web sites, and download history. Tools: DB Browser for SQLite (http://sqlitebrowser.org); MZHistoryView (www.nirsoft.net/utils/mozilla_history_view.html) displays the list of previously visited web sites from the places.sqlite database.
cookies.sqlite: Stores cookies planted by web sites you have already visited. MZCookiesView (www.nirsoft.net/utils/mzcv.html) displays all cookies stored in a Firefox cookie file.

WEB BROWSER FORENSICS (CONT.…)
Firefox Web Browser
formhistory.sqlite: Stores your search keywords used in the Firefox search bar and your searches entered into web forms.
key4.db and logins.json: Here is where Firefox saves your passwords.

WEB BROWSER FORENSICS (CONT.…)
4. Google Chrome Browser
It is the fastest and most used web browser on desktop computers worldwide today; most digital forensics examiners will likely come across this browser in one of their investigations.
Google Chrome is based on Chromium, which is an open source browser project developed by Google. Google Chrome is the public version of this project.

WEB BROWSER FORENSICS (CONT.…)
Google Chrome Browser
Similar to other web browsers, Chrome (developed by Google Inc.) stores its configuration settings and user private information in SQLite databases.
Google Chrome can have more than one profile, but the default profile can be found at \Users\\AppData\Local\Google\Chrome\User Data\Default

WEB BROWSER FORENSICS (CONT.…)
Google Chrome Browser
Google Chrome stores user browsing history, downloads, keywords, and search terms in the "History" database file located under the Chrome user's profile. This file can be examined using DB Browser for SQLite. There are 12 tables in this file and 11 indices.

WEB BROWSER FORENSICS (CONT.…)
Google Chrome Browser
NirSoft offers a tool to reveal Chrome history; it is called ChromeHistoryView (www.nirsoft.net/utils/chrome_history_view.html). This tool reads the "History" file of the Google Chrome web browser.

WEB BROWSER FORENSICS (CONT.…)
Google Chrome Browser
Cookies: Google Chrome stores cookie information in the "Cookies" file located under the Chrome user's profile; we can view the "Cookies" file contents using DB Browser for SQLite.
Top Sites: This database file stores the top web sites visited by Google Chrome. It holds two tables, meta and thumbnails, and the information is stored in the thumbnails table.
Shortcuts: This database is responsible for supporting the autocomplete feature of Google Chrome when typing (e.g., a search keyword in the address bar and in web forms). It contains two tables: meta and omni_box_shortcuts.
Login Data: This database file holds three tables: login, meta, and stats.
The "login" table holds usernames and passwords (sometimes encrypted), in addition to other related attributes, for various web sites.

OTHER WEB BROWSER INVESTIGATION TOOLS
1. WebCacheImageInfo (www.nirsoft.net/utils/web_cache_image_info.html): Searches for and lists all JPEG images with EXIF metadata stored inside the cache folder of the following web browsers: IE, Firefox, and Google Chrome.

OTHER WEB BROWSER INVESTIGATION TOOLS (CONT.…)
2. ImageCacheViewer (www.nirsoft.net/utils/image_cache_viewer.html): Scans the cache folder of any of the three major browsers (IE, Firefox, and Google Chrome) and lists all images found inside.

OTHER WEB BROWSER INVESTIGATION TOOLS (CONT.…)
3. MyLastSearch (www.nirsoft.net/utils/my_last_search.html): Scans the web history and cache folder of all major browsers (Chrome, Firefox, and IE) and retrieves all search queries made previously.

II. E-MAIL FORENSICS
E-mails have become the primary means of communication in today's digital age. It is rare to see a person who owns a computer, smartphone, or tablet without having an active e-mail account.
A study conducted by The Radicati Group estimated that the total number of business and consumer e-mails sent and received per day would exceed 319 billion in 2021, and forecast it to grow to over 376 billion by year-end 2025. This is a huge number already, and yet it continues to increase steadily as more people around the world enter the digital era.

E-MAIL FORENSICS (CONT.…)
From a digital forensics viewpoint, we are concerned with finding and recovering e-mails from a suspect forensic image file/device, analyzing the e-mail header, extracting useful information from it like the IP address and the date/time when a particular e-mail was sent, and finally tracing the e-mail back to its origin (the sender).
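Before moving on to e-mail headers, an added example (not from the slides, and not DCode, DB Browser for SQLite or ChromeHistoryView) decoding the raw time values behind two artefacts met above: the binary ShutdownTime registry value from chapter six and the last_visit_time column of Chrome's History database. It assumes the FILETIME, WebKit and PRTime encodings stated in its docstring and builds a constructed Chrome-style urls table in memory.

```python
"""Decode the raw time formats behind several artefacts met above.

Added example, not part of the lecture material or any named tool.
Assumptions (from public format documentation, not from the slides):
the registry ShutdownTime value is an 8-byte little-endian Windows FILETIME
(100-ns ticks since 1601-01-01 UTC); Chrome's History 'urls' table stores
last_visit_time as microseconds since that same 1601 epoch; Firefox's
places.sqlite stores last_visit_date as microseconds since 1970-01-01 UTC
(PRTime). The Chrome-style table is built in memory with constructed rows.
"""
import sqlite3
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116_444_736_000_000_000  # FILETIME ticks at 1970-01-01 00:00:00 UTC


def _micros(delta: timedelta) -> int:
    """Exact microseconds in a timedelta (avoids float rounding over 400+ years)."""
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def filetime_ticks_to_datetime(ticks: int) -> datetime:
    """FILETIME integer (100-ns ticks since 1601) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode a REG_BINARY FILETIME such as the ShutdownTime value."""
    ticks, = struct.unpack("<Q", raw)
    return filetime_ticks_to_datetime(ticks)


def webkit_to_datetime(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime, used to build query cut-offs and sample rows."""
    return _micros(dt - EPOCH_1601)


def prtime_to_datetime(us: int) -> datetime:
    """Firefox PRTime: microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=us)


def chrome_history_since(conn, since: datetime):
    """Rows of the Chrome-style 'urls' table visited at or after `since`, oldest first,
    with last_visit_time converted to a readable UTC datetime."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time >= ? ORDER BY last_visit_time",
        (datetime_to_webkit(since),),
    )
    return [(url, title, count, webkit_to_datetime(lv)) for url, title, count, lv in rows]


def build_constructed_history() -> sqlite3.Connection:
    """In-memory stand-in for Chrome's History file, limited to the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    visits = [  # constructed rows
        ("https://example.test/news", "News", 3, datetime(2018, 7, 1, 9, 0, tzinfo=timezone.utc)),
        ("https://example.test/stego-tools", "Stego tools", 1, datetime(2018, 7, 3, 22, 15, tzinfo=timezone.utc)),
        ("https://example.test/mail", "Mail", 12, datetime(2018, 7, 4, 8, 30, tzinfo=timezone.utc)),
    ]
    conn.executemany("INSERT INTO urls VALUES (NULL, ?, ?, ?, ?)",
                     [(u, t, c, datetime_to_webkit(dt)) for u, t, c, dt in visits])
    return conn


# Constructed ShutdownTime bytes, as they would appear in the REG_BINARY value: 2009-01-01 00:00:00 UTC.
SHUTDOWN_TIME_RAW = struct.pack("<Q", FILETIME_UNIX_EPOCH + 1_230_768_000 * 10_000_000)


def demo():
    """Return the decoded shutdown time and the URLs visited since 2 July 2018 (constructed data)."""
    conn = build_constructed_history()
    since = datetime(2018, 7, 2, tzinfo=timezone.utc)
    visited = [(url, when.isoformat()) for url, _, _, when in chrome_history_since(conn, since)]
    return filetime_to_datetime(SHUTDOWN_TIME_RAW).isoformat(), visited


if __name__ == "__main__":
    shutdown, visited = demo()
    print("ShutdownTime:", shutdown)
    for url, when in visited:
        print(when, url)
```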
E-mail can be abused mainly through:
Sending spam e-mails
Using it to commit a crime, e.g., e-mail harassment
Invading other users' privacy by stealing their e-mail login credentials

E-MAIL FORENSICS (CONT.…)
E-mail Header Examination
When examining e-mails for forensic information (e.g., to see where the e-mail came from), the needed information is already stored within it, specifically in the e-mail header section.
An e-mail header stores a wealth of forensically useful information about an e-mail under investigation, like the path it took over the Internet to arrive, stop points/delays made during e-mail delivery, and the IP address of the machine that sent this e-mail, in addition to the client (e.g., e-mail program) that sent this e-mail and the type of OS used (in some cases).
Note that most of the information (including the technical information) in the e-mail header can be forged!

E-MAIL FORENSICS (CONT.…)
E-mail Header Analysis
No. 1 points to the Message-ID; this is a unique number assigned by the sending e-mail server.
No. 2 points to the e-mail address of the sender (this can also be false, as anyone can adjust the sender's "e-mail address" from his/her end).
No. 3 points to the originating IP address (the IP address of the sender); No. 4 is the recipient IP address.
No. 5 is the e-mail address of the recipient.

E-MAIL FORENSICS (CONT.…)
E-mail Header Analysis
Analyzing an e-mail header manually is tiresome, so Google developed the following tool: Messageheader (googleapps.com).
The tool will analyze the supplied message header and show (in addition to who sent the message) the names of all attachments and the path the message took to reach the receiver from the sender, in addition to any delay that may have happened during delivery.
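The same header walk done by hand, as an added example that is not from the slides or from the Google/MXToolbox tools: it reads the Received: lines bottom-up (the slides' rule for finding the originating IP), computes the delay at each hop and the sender's time zone. The raw header is constructed with documentation IP ranges and made-up host names; only Python's email package is used.

```python
"""Walk an e-mail's Received: chain bottom-up to recover the origin and delays.

Added example; not from the slides or from the Google/MXToolbox tools named
there. RAW_HEADER is constructed (documentation IP ranges, made-up hosts).
As the slides warn, any of these lines may have been forged by the sender,
so the result is a lead to corroborate, not proof.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_HEADER = """\
Received: from mx.receiver.example (mx.receiver.example [198.51.100.7])
\tby mail.receiver.example with ESMTP id abc123;
\tTue, 3 Jul 2018 22:30:41 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])
\tby mx.receiver.example with ESMTPS id xyz789;
\tTue, 3 Jul 2018 22:18:02 +0000
Received: from [192.0.2.44] (client.sender.example [192.0.2.44])
\tby smtp.sender.example with ESMTPA id q1w2e3;
\tWed, 4 Jul 2018 01:17:55 +0300
Message-ID: <constructed-0001@sender.example>
From: Alice <alice@sender.example>
To: Bob <bob@receiver.example>
Date: Wed, 4 Jul 2018 01:17:50 +0300
Subject: constructed sample

body
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw: str):
    """Return the Received hops oldest-first as dicts {from_ip, by, time}.

    Each server prepends its own Received line, so the bottom line is the
    first hop and its 'from' address is closest to the true sender.
    """
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        text = " ".join(line.split())              # unfold continuation lines
        by = re.search(r"\bby (\S+)", text)
        from_ip = IPV4_IN_BRACKETS.search(text)    # first bracketed IP is the 'from' host
        stamp = text.rsplit(";", 1)[-1].strip()    # the date follows the last ';'
        hops.append({
            "from_ip": from_ip.group(1) if from_ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp),
        })
    return hops


def hop_delays(hops):
    """Seconds each hop waited before the next server stamped it; a negative
    value means clock skew between servers or a fabricated line."""
    return [int((nxt["time"] - cur["time"]).total_seconds()) for cur, nxt in zip(hops, hops[1:])]


def summarize(raw: str):
    """The items the slide numbers 1-5, plus per-hop delays and the sender's UTC offset."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "message_id": msg["Message-ID"],
        "sender": msg["From"],
        "originating_ip": hops[0]["from_ip"] if hops else None,
        "recipient_server": hops[-1]["by"] if hops else None,
        "recipient": msg["To"],
        "delays_s": hop_delays(hops),
        "sender_utc_offset_h": sent.utcoffset().total_seconds() / 3600,
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_HEADER).items():
        print(f"{key}: {value}")
```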
Other tools:
E-mail Header Analyzer (https://mxtoolbox.com/EmailHeaders.aspx)
eMailTrackerPro (www.emailtrackerpro.com)

E-MAIL FORENSICS (CONT.…)
Determining a Sender's Geographic Location
The sender's IP address can be extracted from the e-mail header (go to the line that begins with "Received: from", starting from the bottom of the header); then we can use this IP address to determine the geographical location of the sender.
Use Wolfram Alpha (www.wolframalpha.com)
IPFingerprints (www.ipfingerprints.com)

E-MAIL FORENSICS (CONT.…)
Determining the Sender's Geographic Location Using the Sender's Time Zone
We can determine the sender's location by checking the sender's computer time zone information.

E-MAIL FORENSICS (CONT.…)
Investigating E-mail Clients
Many users rely on e-mail clients to send/receive e-mails; for instance, the two most popular e-mail programs are MS Outlook and Mozilla Thunderbird.
Autopsy has a default ingest module to investigate e-mail messages (Thunderbird and Outlook e-mail clients) found within the supplied data source (e.g., a forensic image or an e-mail client folder when performing analysis of logical files).

E-MAIL FORENSICS (CONT.…)
Webmail Forensics
Sometimes, we may need to investigate a case where e-mails are stored in the cloud (e.g., Gmail, Yahoo!, Outlook Mail). Most webmail providers give their users POP3/IMAP access to their stored e-mail. We can use an e-mail client like Thunderbird to synchronize a target e-mail account for offline analysis.
If the suspect e-mail is in Gmail (Google's e-mail service), we can use a tool offered by Google called "Google Takeout" to create/download an offline backup of all Google application data that belongs to the target Google user account. https://takeout.google.com/settings/takeout

E-MAIL FORENSICS CHALLENGES
Disposable e-mail addresses: It is extremely difficult and even impossible in many cases to track disposable (temporary) e-mail addresses.
This kind of e-mail lives for a short time and is usually used for one time (or one contact) only.
Anonymous e-mails: For example, using the TOR network to send anonymous e-mail messages. Tracking such e-mails is nearly impossible when the sender follows strict precautionary steps.
Shared e-mail accounts: Here, a suspect creates an e-mail account using a free service like Yahoo! or Gmail, then shares access to this account with his/her partner.
Different jurisdictions: Cloud e-mail providers may store your e-mails on servers located in countries other than the one in which you currently reside.

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER EIGHT: ANTI FORENSIC
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINT
Introduction
Classification of Anti-forensics Techniques
Data hiding techniques (Digital Steganography)
Data destruction techniques (anti-recovery)
Encryption Techniques
Cryptographic Anonymity Techniques
Direct Attacks Against Computer Forensics Tools

INTRODUCTION
Anti-forensics is the set of techniques used to fight against forensic analysis. It tries to stop and mislead investigations by making acquiring and analyzing digital evidence difficult or even impossible.
Anti-forensics techniques aim to destroy or conceal digital evidence, thus frustrating forensic investigators and increasing the time needed to perform the initial analysis.
Anti-forensics in general: attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or to make the analysis and examination of evidence difficult or impossible to conduct.

CLASSIFICATION OF ANTI FORENSICS TECHNIQUES
1. Data hiding techniques (Digital Steganography)
Steganography is the science of concealing a secret message within an ordinary honest file, thus maintaining its secrecy during delivery.

1. DIGITAL STEGANOGRAPHY
Digital Steganography Techniques
Injection: Using this method, we embed a secret message in a trivial, non-readable location of the overt file.
An example of this technique is embedding a secret message after the end-of-file marker (EOF). Hiding with this method will not have an effect on the overt file's quality or appearance.
Substitution: Using this method, we replace insignificant bits that belong to the overt file with the ones that belong to the secret message. This method is more secure than the previous one, as the overt file size will not increase because we are just replacing bits without adding anything new.
Generation: This is the most secure method to achieve digital steganography; with this type, we create a new file that holds the secret message within it.

DIGITAL STEGANOGRAPHY (CONT.…)
Digital Steganography Types According to Carrier File Type
1. Text Steganography
This type uses text to conceal secret data within it. Some examples include inserting spaces between words and/or inserting one or two spaces at the end of each line to store hidden bits, reducing the text size to 1 pixel, and using the hidden text feature in MS Word to conceal data.
Watermarking is also considered a type of text steganography where secret data are embedded in the overt file (image or audio) and can be extracted only by the owner using a secret key.
Limitation: does not hold much data.

DIGITAL STEGANOGRAPHY (CONT.…)
2. Image Steganography
In image steganography, a user embeds a secret message within an image file using a specific steganography algorithm; the result, called a stego-image, is then sent to the receiver, who will use a similar algorithm to extract the secret message from the overt file.
In today's digital age, it is common for people to exchange and post images online (e.g., to social media sites); the large volume of digital images exchanged daily makes this file type less suspicious to outside observers.
Limitation: during resizing or changing of the file type the data might be lost.

AUDIO-VIDEO STEGANOGRAPHY
3. Audio-Video Steganography
Techniques used to conceal secret data in images and audio files can be utilized to conceal secret data in video files. Video files are composed of a series of audio and image files, thus allowing for a huge capacity of secret data without affecting the quality of the original file (overt file).
The most popular audio steganography tool is MP3Stego, which conceals secret data in the most used audio file format, MP3.
4. Network Steganography
We can exploit networking protocols like the TCP/IP suite to embed secret messages. The design features of many networking protocols allow for this possibility. An example of a program to conceal data within networking protocols (TCP/IP header) is called covert_tcp.

2. DATA DESTRUCTION TECHNIQUES (ANTI RECOVERY)
Offenders use data destruction techniques to make their incriminating data impossible to recover even after using specialized tools for data recovery.
There are three ways in which a user can destroy his/her data stored on digital devices:
Physical destruction: In this type, digital storage media (like hard drives, memory sticks, magnetic tapes, CDs, DVDs and Blu-ray discs, credit cards) are destroyed physically to avoid recovery.
Degaussing technique: This technique works by exposing magnetic storage devices such as HDDs or magnetic tape to the powerful magnetic field of a degausser to eliminate magnetically stored data.
Logical destruction (sanitizing): This is the most commonly used technique to destroy data. It uses a wiping tool to destroy data without affecting the hardware that holds this data.

FILES' METADATA MANIPULATION
Metadata timestamps in digital files play an important role in computer forensic investigations, because they help investigators to limit their search to a specific timeframe that is related to the case in hand (e.g., before or after an incident took place).
A suspect can change the four main timestamp attribute values of any digital file under the Windows NTFS file system. These values include: File Created, File Accessed, File Modified.

3. ENCRYPTION TECHNIQUES
Encryption is the practice of concealing information by obscuring it, thus making it unreadable for unintended recipients.
The ease of using encryption tools will certainly make a forensic investigation of encrypted devices difficult, time consuming, and even impossible without the suspect's cooperation.
Cryptographic Systems
Symmetric encryption: Also known as secret key cryptography (SKC); in this type, both the sender and the receiver use the same key to encrypt and decrypt the data.
Asymmetric encryption: Also known as public key cryptography (PKC); this cryptographic type uses two different keys for encryption and decryption. The two keys are mathematically linked. However, no one can derive the decryption key (private key) from the encryption key (public key).

ENCRYPTION TECHNIQUES (CONT.…)
Encrypting File System (EFS) is a feature of the Windows NTFS file system; it allows a user to enable encryption on a per-file or per-folder basis. EFS can also be used to encrypt an entire volume.
Using it is simple: right-click the file/folder/volume you want to enable encryption for, and then select Properties ➤ General tab. Click the "Advanced…" button, and a new window will appear; check the option "Encrypt contents to secure data".

ENCRYPTION TECHNIQUES (CONT.…)
Disk Encryption Using Open Source Tools
There are various encryption tools already available; some of them are free while others are commercial. The most popular open source encryption program (used for file and disk encryption) is the legendary program TrueCrypt.
VeraCrypt (www.veracrypt.fr/en/Home.html): This is based on TrueCrypt 7.1a. It is a free, open source disk encryption tool supported on Windows, Mac OS X, and Linux.

4. CRYPTOGRAPHIC ANONYMITY TECHNIQUES
Digital anonymity works by hiding any traces between the sender and the message receiver when communicating through open networks like the Internet. It uses a combination of encryption algorithms to encrypt messages and cryptographic anonymity software to hide your identity during the transmission.
Anonymous networks like the TOR network help users maintain their online privacy when going online by concealing their true IP address from outside observers, including the ISP.
The most famous anonymous network is the TOR network. www.torproject.org/projects/torbrowser.html.en
Tracking users through the TOR network is almost impossible when the user follows strict precautionary security measures.

CRYPTOGRAPHIC ANONYMITY TECHNIQUES (CONT.…)
WEB BROWSERS' PRIVATE MODES
Employing anti-forensics techniques does not need to be that hard, as some applications used every day, such as web browsers, can be configured in one click to forget a user's previous activities automatically.
Many web browsers have introduced a special configuration known as Private Browsing (Firefox) or Incognito Mode (Google Chrome). Private Browsing will automatically erase all browsing history, form and search bar entries, download lists, passwords, cookies and cached web content, offline web content, and user data from a user's machine upon closing the browser.

5. DIRECT ATTACKS AGAINST COMPUTER FORENSICS TOOLS
Some tech-savvy criminals employ modern techniques to attack the forensic tools used to acquire or analyze digital evidence. Such attacks include program packers, anti-reverse-engineering techniques, and attacking the integrity of digital evidence acquired during the investigation. If successful, such attacks can hinder the credibility of the acquired evidence during a legal trial.
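Closing the anti-forensics chapter from the examiner's side: an added example (not from the slides or any named tool) that detects the injection technique described under DIGITAL STEGANOGRAPHY above, data appended after a carrier's end-of-file marker. It walks the JPEG and PNG container structure to locate the genuine end marker, since a simple search for the last FF D9 is fooled by EXIF thumbnails and by payloads that contain that byte pair; the sample carriers are constructed.

```python
"""Flag data appended after a carrier's end-of-file marker (the 'injection'
technique on the DIGITAL STEGANOGRAPHY slides), from the examiner's side.

Added example; not from the slides or any named tool. Handles JPEG (FF D9
end-of-image marker) and PNG (IEND chunk). The end marker is found by
walking the container rather than searching for the last FF D9, because an
EXIF thumbnail inside a JPEG carries its own EOI and a payload may contain
one too. Sample carriers are constructed in a temporary directory.
"""
import os
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_payload_end(data: bytes):
    """Offset just past the real EOI marker, or None if not a (parseable) JPEG."""
    if not data.startswith(b"\xFF\xD8"):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                              # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone markers carry no length
            continue
        seg_len, = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            # Inside scan data every 0xFF is stuffed as FF 00 or is an RSTn marker,
            # so the first FF D9 after the SOS header is the genuine end of image.
            eoi = data.find(b"\xFF\xD9", pos + 2 + seg_len)
            return None if eoi < 0 else eoi + 2
        pos += 2 + seg_len                           # skip APPn/DQT/DHT/SOF... segments
    return None


def png_payload_end(data: bytes):
    """Offset just past the IEND chunk, or None if not a (parseable) PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                           # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_data(data: bytes):
    """Return (carrier_type, appended_bytes); (None, b'') when the format is not handled."""
    for kind, find_end in (("jpeg", jpeg_payload_end), ("png", png_payload_end)):
        end = find_end(data)
        if end is not None:
            return kind, data[end:]
    return None, b""


def make_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) whose EXIF
    thumbnail itself contains FF D9, followed by an optional appended payload."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xFF\xE1" + struct.pack(">H", 12) + b"Exif\x00\x00" + b"\xFF\xD8\xFF\xD9"
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56"                   # stuffed FF 00 inside entropy data
    return b"\xFF\xD8" + app0 + app1 + sos + scan + b"\xFF\xD9" + payload


def make_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG followed by an optional appended payload."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"") + payload


def demo():
    """Write constructed carriers to disk and report (type, appended byte count) per file."""
    tmp = tempfile.mkdtemp()
    files = {
        "clean.jpg": make_jpeg(),
        "stego.jpg": make_jpeg(b"SECRET-constructed"),
        "clean.png": make_png(),
        "stego.png": make_png(b"\x00\x01hidden"),
    }
    report = {}
    for name, content in files.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(content)
        with open(path, "rb") as fh:
            kind, extra = trailing_data(fh.read())
        report[name] = (kind, len(extra))
    return report


if __name__ == "__main__":
    for name, (kind, extra) in demo().items():
        print(f"{name}: {kind}, {extra} trailing byte(s)")
```

A non-zero trailing count is only a lead: some legitimate software also writes metadata after the end marker, so the appended bytes still have to be examined.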
COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER NINE: DIGITAL FORENSIC REPORT
INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate

MAIN POINT
Introduction
Effective note taking
Writing the report

INTRODUCTION
Report writing is one of the hardest things we can do as digital forensic investigators. We have to take a very technical subject and explain it in a manner that a non-technical person will understand, while not making any assumptions about the potential user or the digital evidence.

I. EFFECTIVE NOTE TAKING
The ability to take notes will directly impact our ability to write an effective report on the digital forensic investigation. Our notes will be the foundation of our reporting.
A simple phrase that has shaped digital forensic report writing is: if you do not write it down, it did not happen.
The fundamental elements of note taking should include the following:
When you did something
What you did
What you saw
Why you did something

EFFECTIVE NOTE TAKING (CONT.…)
When did you do something? The date/time when you were notified, who notified you, and when you arrived at the scene.
What did you see? A crime scene.
What did you do? Collecting volatile data, RAM from the system in question.
Why did you do it? To extract digital evidence from the suspect disk.

EFFECTIVE NOTE TAKING (CONT.…)
How detailed should your notes be? The format of our notes is typically personalized to each digital forensic investigator. The baseline consideration should be: if the matter goes to trial years later, can you remember the details of the investigation?

EFFECTIVE NOTE TAKING (CONT.…)
There is no note standard, but we should include the following information:
Suspect details.
Victim details.
Location of the digital evidence at the scene.
Specifics of the digital evidence: make, model, the serial number of the system, any identifying marks.
Condition of evidence bags/seals.
Details about the forensic hardware that was used, such as firmware/serial number.
Details about the forensic software that was used, such as version number.
Any findings that support or do not support your hypothesis about what occurred.

2. WRITING THE REPORT
The purpose of your report is to document the results of your forensic examination; it may also support additional investigative endeavors.
The report may also be used in criminal court proceedings, civil court proceedings, or administrative proceedings. Others can use your findings to support a probable cause hearing or a grand jury proceeding, or as a basis for an administrative sanction in the corporate environment.

WRITING THE REPORT (CONT.…)
As you prepare to draft a report, identify who your audience will be. If you are writing the report for the Chief of Information, the IT security section, or any technology-based group, your report should go into much greater technical detail than a report directed toward lawyers, judges, or juries.
The following is a general template we can follow:
Administrative information
Executive summary
Narrative
Exhibits/technical details
Glossary

WRITING THE REPORT (CONT.…)
The administrative section
It will contain information about our investigation: the name of the agency, the case number(s), and the participants in the investigation.
When was the investigation started, and what events transpired before we were assigned to the investigation?

WRITING THE REPORT (CONT.…)
The executive summary
It is the section that summarizes the report. The executive summary should follow these guidelines:
Should be only 10 percent of the report
Written in short, clear, concise paragraphs
Should follow the same timeline as the narrative
Should not include any information not included in the narrative
Should contain your findings/conclusions

WRITING THE REPORT (CONT.…)
The narrative section
Evidence analyzed: Include all the evidence you have examined, including the make/model, serial numbers, and so on.
Acquisition details: Describe the acquisition process of creating the forensic image(s). Identify the hardware or software used in the process and include the serial/version numbers. We should also include the date the hardware/software was verified.
Analysis details: Create the report chronologically and by subject; describe the specific artifacts of the incident being investigated, tie the information to the specific exhibit you are describing in the Exhibits/technical details section, and present your conclusions/findings.

WRITING THE REPORT (CONT.…)
Exhibits/technical details
Glossary
The final portion of this section will be a table of the software/hardware used, with the version numbers of the software/firmware so that others can repeat your examination, and confirmation that the organization's licenses for your software are authentic.
