Академический Документы
Профессиональный Документы
Культура Документы
The challenge for cyber forensic expert is to detect, collect and protect digital evidences in such a manner that
it is evidentiary value is preserved and admissible in court.
To be a Cyber forensic expert, person should have wide range of knowledge and experience about – cyber
forensics including cyber crime, hacking, spamming, viruses, tracking user activity, forensic imaging and
verification, data recovery and analysis, file types, encryption, password breaking etc. with basic understanding
about programming languages and operating systems like windows, linux, mac, java, etc and also have
knowledge about legal issues, acts, laws etc related to digital evidence.
Computer Forensic science was created to address the specific and articulated need of law enforcement to
make the most of the new form of electronic evidences. It is a science of acquiring, preserving, retrieving, and
presenting data that has been processed electronically and stored on computer media.
Typically, computer forensic tools exist in the form of computer software. Computer forensic specialists
guarantee accuracy of evidence processing results through the use of time−tested evidence processing
procedures and through the use of multiple software tools, developed by separate and independent
developers. The use of different tools that have been developed independently to validate results is important
to avoid inaccuracies introduced by potential software design flaws and software bugs.
The Coroners toolkit (TCT) combines many highly useful tools into one package and is freely available at
www.fish.com/tct. It is a collection of tools designed to assist in the forensic examination of a computer. It is
primarily designed for UNIX systems, but does have limited functionality when dealing with non−UNIX media.
TCT is not to be used for the first time in an emergency; familiarity with the tools and their uses is necessary
to use it correctly. Go to www.fish.com/tct and read everything on the site before attempting to use TCT. If
you are not an experienced UNIX system administrator, you will most likely cause more damage than good
attempting to use it.
Encase and Forensic Tool Kit (FTK) used widely, for receovery and imaging of media, all over the world,
opinions based on encase and FTK are acceptable in court. Encase is a powerful combination of integrated
tools that facilitates seamless sharing of evidentiary data among examiners. It also provides hardware analysis,
file signature analysis, regisitry tracker, automatic report generation and much more.
Investigative tools and electronic crime scene investigation: Safeback, Maresware, DIB Mycroft version 3, snap
back dot access, encase, ntrack, capture it, DIBS analyser, Data lilfter, Smart, Forensic X.
Forensic SW used: DIBS® Analyzer Professional Forensic Software, Forensic Toolkit (FTK), DIBS® Forensic
Workstation, DIBS® Mobile Forensic Workstation, DIBS® Portable Evidence Recovery Unit, ForixNT, EnCase
Enterprise Edition, SMART Extractor
Analysis Tools
Microsoft Notepad and Microsoft Wordpad Programs: Although these are simple text viewers, they can be used
to bring up everything from cookie files to Web pages and some logs.
Microsoft Windows Explorer: Make sure you know how to use Windows Explorer to search for files and
examine properties of a file, including the various file attributes, security settings, file access/revision times,
and ownership. All of the features of the program can be explored in the product's online help.
Low−Level File Editors: Having a product that can open a binary file in hexadecimal can still be invaluable.
Products such as UltraEdit32 (http://www.ultraedit.com/) and others like it allow you to take a detailed look at
a file, search its contents, and more.
Checksum Generators: These are programs that can let you take a snapshot of a file and generate a unique
check digit associated with that file. A checksum, as it is called, can be used to cross−check the integrity of a
file and see if it has been modified by anyone. If you benchmark a file, and then check it later and the
checksum is different, then you have reason to suspect something might be happening. Tools to perform
checksum generation are available from companies such as NTI (http://www.forensics−intl.com/) and other
firms.
Usage Mapping Tools: A usage mapping tool is designed to allow you to track how often a given program or
file is accessed, for how long, and by whom. Such mapping tools have been put into place for things such as
Internet abuse tracking and the like. Tools for this are also available from NTI and other sources.
Slack Space and Swap Space Analysis Tools: These tools let you capture and examine the slack space in files
and the swap file, which Microsoft Windows uses as a temporary memory extension. Although you can use
low−level file editor viewers such as UltraEdit32 to examine these, the process of doing so can be expedited
utilizing some of the more advanced tools that will allow wildcard and keyword searching. Again, companies
such as NTI can provide such tools to authorized persons.
Packet Sniffer Programs and Equipment: These tools are normally only used by a network administrator or
network consultant because they can be very involved to operate. One must know certain things about the
network configuration to use the equipment versions; and the software version, while easier to use, should not
be employed without some level of training. Windows NT and Windows 2000 do come with such packet
analysis tools in the server edition of their software.
Remote Logon to Administrative Shares: This is a way in which you can log on to someone's computer from
yours over the network. Be extremely careful when doing this. While it is possible to remotely log on to
someone's PC by knowing the machine's network name, and using a user ID with administrative privileges,
remember that at that point you are logging directly onto their machine and you do run the risk of possibly
contaminating evidence by inadvertently changing file access dates and times, revealing your presence in the
event log, which the user could see if they also had administrative rights, etc. While a technical possibility for
forensic use, especially in a potential criminal investigation, it should not be used without extreme caution. The
use of covert monitoring programs and sniffing packets is far more advisable because it preserves the integrity
of the system to a greater extent.
Applications
GetFree: GetFree (www.forensics−intl.com/getfree.html) is a forensic data capture tool. When files are
"deleted" in DOS, Windows, Windows 95, or Windows 98, the data associated with the file is not actually
eliminated. It is simply reassigned to unallocated storage space, where it may eventually be overwritten by the
creation of new files over time. Such data can provide the computer forensics investigator with valuable leads
and evidence. However, the same data can create a significant security risk when sensitive data has been
erased using DOS, Windows, Windows 95, or Windows 98 file deletion procedures and commands.
GetFree software is used to capture all of the unallocated file space on DOS−, Windows−, Windows 95− and
Windows 98−based computer systems. The program can be used to identify leads and evidence. It is also
effectively used to validate the secure scrubbing of unallocated storage space.
CopyQM Plus: CopyQM Plus (www.forensics−intl.com/copyqm.html) is diskette duplication software that turns
your PC into a diskette duplicator. In a single pass, diskettes are formatted, copied, and verified. CopyQM Plus
will also create self−extracting executable programs tied to specific diskette images. When the resulting
program is run, the diskette image will be restored to diskette.
DiskSearch Pro: DiskSearch Pro (www.forensics−intl.com/dspro.html) is used to quickly find and document the
occurrence of strings of text stored on computer storage devices.
M−Sweep Data Scrubber: M−Sweep (www.secure−data.com/ms.html) is a data scrubber tool that was
developed primarily for use on notebook computers that contain trade secrets and other forms of confidential
data. Sometimes, sensitive information "leaks" into file slack, the Windows swap file, and unallocated space
without the knowledge of the computer user. Such information is easily recovered using computer forensic
tools and methods. This is a potential security threat and M−Sweep eliminates this problem. This software
eliminates potential evidence.
Byte Back: Byte Back (www.toolsthatwork.com/ttw−tools.shtml) is a data recovery and computer forensic tool
for powerful, low−level cloning, imaging, and disk analysis. It clones/ images most drive formats, and supports
drives up to four terabytes. Integrated MD5. It performs safe recoveries on hard disk, Zip, Jaz, floppy, and
more.
Drive Image Pro 3.0: Drive Image Pro 3.0 is available from PowerQuest Corporation (800−379−2566,
http://www.powerquest.com/). Drive Image Pro 4.0 provides IT professionals with powerful cloning tools for
fast, flawless system deployment, whether the need is to distribute a new operating system, update an
application suite, or simply manage multiple workstation images.
EnCase 2.08: EnCase 2.08, from Guidance Software, Inc. (626−229−9191,
http://www.guidancesoftware.com/), features a graphical user interface that enables examiners to easily
manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack, and
unallocated data. The integrated functionality of EnCase allows the examiner to perform all functions of the
computer forensic investigation process — the initial "previewing" of a target drive, the acquisition of the
evidentiary images, the search and recovery of the data, and the final reporting of findings — within the same
application. Further, EnCase methodology allows the examiner to perform these processes in a noninvasive
manner, meaning not one byte of data is changed on the original evidence.
FileCNVT: FileCNVT, a FileList conversion utility, is a forensic tool used to quickly catalog the contents of one or
more computer hard disk drives. The FileList output is compressed so that the program and related output will
normally fit on just one floppy diskette. FileCNVT is used to convert the FileList output from its native
compressed format into a database file. FileCNVT is a simple but specialized program that creates a dBASE III
file from the output of the FileList program.
DM: DM, a database analysis tool, is easy to use and is compatible with the dBASE III file structure. This file
format is an industry standard and can be imported into most other database file structures and spreadsheet
applications. Unfortunately, the program is undocumented and some trial and error is required on the part of
the user to use the program. The program has the capacity to sort and view up to 999,999 records.
Net Threat Analyzer: Net Threat Analyzer Internet threat identification software is software that was developed
by NTI to assist law enforcement agencies in the identification of potential Internet−related threats to children.
It is provided free of charge to law enforcement computer crime specialists and school police. The software
relies on computer artificial intelligence, fuzzy logic to identify patterns of text that may be tied to Internet
transactions or file downloads from the Internet. Its features include:DOS−based for speed. The speed of
operation and results are amazing. Can be operated from a single floppy diskette. Automatically identifies and
processes the Windows swap file (when configured as a static file). Command line switches allow batch file
operation of the program. Provides output in database format for easy analysis. Audible alert for identification
of probable pornography. Options allow for automatic e−mail pattern identification and automatic Internet
browsing identification. Options allow for automatic identification of file downloads made from the Internet.
Automatically flags probable Internet−related communications involving pornography. Automatically flags
probable Internet−related communications involving narcotics. Automatically flags probable Internet−related
communications involving bomb−making. Automatically flags probable Internet−related communications
involving sex crimes. Automatically flags probable Internet−related communications involving hate crimes.
Provided free for legitimate law enforcement purposes.
ShowFL: ShowFL, a specialized computer timeline analysis tool, is ideal for the timeline analysis of computer
usage. It is also helpful in the investigation of conspiracies when multiple computers and computer users are
involved.
FILTER: FILTER, a binary data filtering tool, is used to remove binary (non−alphanumeric) characters from
computer data. Once a file has been processed with this program, the contents can be printed and viewed with
traditional computer applications (e.g., word processors). This program is primarily a documentation tool and
has limited features. However, it has proven to be a valuable tool in dealing with documentation issues tied to
file slack, swap files, and evidence found in unallocated file space.
Spaces: Spaces is an encryption pattern review aid. This program is very simple. It creates one or more files
that contain nothing but spaces. Every file created by this program will contain exactly 10,000 spaces. Files
containing repeated patterns of the same data are helpful in evaluating the effectiveness of encryption. This
program aids in the evaluation of data distribution tied to encryption.
Additional Free Forensics Software Tools
Red Hat, Inc.: Red Hat, Inc. (800−454−5502, 919−547−0012, http://www.redhat.com/) includes an MD5
mechanism to validate data. It writes images to hard drive, tape, and any other media available to the
forensics platform. The dd file utility is distributed with most versions of UNIX and Linux, is probably the most
overlooked and underused imaging and copying utility, and is free. It was originally designed as a tool to copy,
convert, and format text files in UNIX file systems, enabling a user to convert a file from the EBCDIC character
set to the ASCII character set, from ASCII to EBCDIC, or from ASCII to alternate EBCDIC. The dd file utility can
also change all lowercase letters in the file to uppercase or change all uppercase letters to lowercase.
AccessChk v2.0: Display access to files, registry keys, or Windows services by the user or group you
specify.
AccessEnum v1.3: Display who has access to which directories, files, and registry keys on a computer.
Use it to find places where permissions aren't properly applied.
Autoruns v8.53: Display programs that are configured to start up automatically when a computer boots and a
user logs in (also displays the full list of registry and file locations where applications can configure auto-start
settings).
Autorunsc v8.53: The command-line version of the Autoruns program (described in the previous entry).
Diskmon: Capture all hard disk activity. Acts like a software disk activity light in your system tray.
Handle v3.2: Display open files and the process that opened those files.
ListDLLs v2.25: Display all the DLLs that are currently loaded, including where they are loaded and their
version numbers (prints the full path names of loaded modules).
PendMoves v1.1: Display file rename and delete commands that will be executed the next time the computer is
started.
Portmon v3.02: Display serial and parallel port activity (will also show a portion of the data being sent and
received).
Process Explorer v10.2: Display files, registry keys, and other objects that processes have open, which DLLs
they have loaded, owners of processes, etc.
ShareEnum v1.6: Scan file shares on a network and view their security settings to eliminate improperly applied
settings.
Strings v2.3: Search for ANSI and UNICODE strings in binary images.
TCPView v2.4: Display all open TCP and UDP endpoints and the name of the process that owns each endpoint.
Tokenmon v1.01: Display security-related activity, including logon, logoff, privilege usage, and impersonation.
Window Tools
Vol: Display the disk volume label and serial number, if they exist.
Hostname: Display the host name portion of the full computer name of the computer.
Openfiles: Query, display, or disconnect open files or files opened by network users.
FCIV: File Checksum Integrity Verifier. Use to compute a MD5 or SHA1 cryptographic hash of the content of a
file.
Reg Use to view, modify, export, save or delete, registry keys, values, and hives.
Netcap: Gather network trace information from the command line.
Sc Use to communicate with the Service Controller and services. (Sc query is useful for dumping all
services and their states.)
Ftype View or modify file types used in file name extension associations.
Rasdiag: Collect diagnostic information about remote services and place that information in a file.
Security Auditing is accurate and reliable technique which often acceptable in court. This digital evidence can
reveal many things – what files were accessed, when and by whom, what files were modified, when and by
whom, and what internet sites have been visited and which are stored in cache memory. The operating system
creates this evidence in part for the purpose of facilitating file access and speeding access to internet sites
often visited.
Anti virus, Anti spyware, Email security, Firewall, Digital and SSL Certificates, Start up monitor, Security
Auditing tool, Network and LAN security tool
Types: Those against persons, Against Business and Non-business organizations., Crime targeting the
government.
Cyber crime contains all criminal offences which are committed with the aid of communication devices in a
network. This can be internet, telephone line and mobile network etc.
Hacking: Hacker is a person/computer user who intends to gain unauthorized access to a computer system.
Hackers are skilled computer users who penetrate computer systems to gain knowledge about computer
systems and how they work. Hacking means an illegal intrustion into a computer system and/or network. Every
act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made
computer programs to attack target computer. They possess the desire to destruct and they get the kick out of
such destruction.
Cracking: A cracker is a hacker with criminal intent. Crackers maliciously sabotage computers, steal information
located on secure computers and cause disruption to the networks for personal and/or political motives.
Phishing: Act of sending email to a user falsely claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information, that will be used for identity theft. The email
directs the user to visit a website where they are asked to update personal information, such as passwords and
credit card, social security, bank account numbers, that the legitimate organization already has.
Credit Card Fraud: The unauthrotized and illegal use of a credit card to purchase property. This is also an
adjunct to identity theft.
Net Extortion: Copying the company’s confidential information/data in order to extort said company for huge
amount.
Denial of service attack:Act by criminal, who floods the bandwithd of the victim’s network or fills his email box
with spam mail depriving him fo the services he is entitled to access or provide.
IRC Crime: Internet relay chat servers have chat rooms in which people from anywhere the world can come
together and chat with each other
Virus Dissemination: Malicious software that attaches itself to other software (virus, worms, trojan horse, time
bomb, logic bomb, rabbit and bacterium are the malicious.
Software Piracy: Theft of software through the illegal copying of genuine programs or the counterfeit and
distribution of products intended to pass for the original.
Cyber stalking: repeated acts of harassment or threatening behavior of the cyber criminal towards the victim
by using internet services.
Viruses: A virus is a man made computer program that infects a file or program on computers. Each time the
infected program is run, the virus is also triggered. It replicates or spreads itself by infecting other programs on
the same computer.
Worms: A worm is also a man-made program that replicates itself. It does not infect other programs files on
the computer. It can spread automatically on to other computers. It does this by sending a copy of itself
through email, over a network and via internet relay chat to other computers.
Adware: Is a SW that presents banner ads or in pop-up windows through a bar that appears on a computer
screen.
Backdoors: A backdoor can gain access to a computer by going around the computer access security
mechanisms. It is mainly used to install further computer virus or worms on relevant system.
Boot viruses: The boot or master boot sector of hard drives is mainly infected by boot sector viruses. They
overwrite important information necessary for the system execution.
Bot-Net: is a collection of software bots, which run autonomously. A bot-net can comprise a collection of
cracked machines running programs (usually worms, trojans) under a common command and control
infrastructure.
Dialer: A dialer is a computer program that establishes a connection to the internet or to another computer
network through the telephone line or the digital ISDN network.
Honeypot: It’s a service which is installed in a network. It has the function to monitor a network and to
protocol attacks.
Keystroke Logging: it is a diagnostic tool used in software development that captures the user’s keystrokes.
Script Viruses and worms: They use a script language such as java script, VBscript etc to infilterate in other
new scripts or to spread by activation of operating system functions. This usually happens through emails or
documents.
Spyware: They intercept or take partial control of a computer s operation without the user;s informed consent.
It is designed to exploit infected computers for commercial gain.
Trojan Horse: When loaded into a computer, it can capture information from our system. (user name or
passwords)
Zombie: It is PC infected with malaware programs and that enable hackers to abuse computers via remote
control for criminal purposes.
Rootkits: These are collections of software programs that a hacker can use to gain unauthorized remote access
to a computer and launch additional attacks. These are generally organized into a set of tools that are tuned to
specifically target a particular operating system.
Internet cookies: These are text files that are placed on a user’s computer by web sites that the user visits.
Cookies contain and provide identifying information about the user to the web sites that place them on the
user computer along with whatever information the sites want to retain about the user’s visit.
Malicious Code: It refers to viruses, worms, trojans, logic boms and other uninvted software.
Forgery: Counterfeit currency notes, postage and revenue stamps, mark sheets etc can be forged using
sophisticated computers, printers and scanners.
Internet Time Theft: The usage by unauthorized persons of the internet hours paid for by another person
____________________
Theft of information contained in electronic form: This includes info stored in computer hard disks, removal
storage, media etc. Theft may be either by approaching the data physically or by tampering them through the
virtual medium.
Email Bombing: Sending large number of mails to the victim, which may be an individual or a company or even
mail servers there by ultimately resulting into crashing.
Data Diddling: This involves altering raw data just before a computer processes it and then chanding it back
after the processing is completed.
Salami Attacks: It is prevalent in financial institutions or for the purpose of committing financial crimes. The
alteration in these crimes is so small that it might go unnoticed.
Denial of Service Attack: The Computer of the victim is flooded with more requests that it can handle which
cause it to crash.
Virus/Worm Attack: Viruses are programmed to attacah themselves toa computer or file and then circulate
themselves to other files and to other computers on a network. They affect the data on the computer wither by
altering or deleting it. Worms merely make functional corpies of themselves and do this repeatedly till they eat
up all available space on a computer’s memory.
Logic Bombs: These are event dependant. The programs are created to do something only when a certain
event occurs.
Trojan Attack: This means an unauthorized programme, which passively gains control over another’s system by
representing itself as an authorized programme.
Internet time theft: The internet surfing hours of the victim are used by another person. This is done by
gaining access to the login ID and password.
Web Jacking: The hacker gains access and control over the website of another. He may even mutilate or
change the information on the site.
____________________________
Cyber stalking: involves following a persons movements across the internet by posting messages on the
bulletein boards frequented by the victim, entering chat rooms, bombarding the victim with emails.
Defamation: Act of imputing any person with intent to lower the person in the estimation of the right thinking
members of society generally or to cause him to be shunned or avoided or to expose him to hatred, comtempt
or ridicule.
Computer Vandalism: any kind of physical harm done to the computer of any person.
Transmitting virus/worms:
IP Crimes/Distribution of pirated software: Any unlawful act by which the owner is deprived completely or
partially of his rights is an offence.
Cyber Terrorism against Govt org: Terrorist attacks on internet is by distributed denial of service attacks, hate
websites, hate emails, attack on sensitive computer systems etc. Premeditated use of disruptive activities or
the threat in cyber space.
Fraud and Cheating: Mainly credit card crimes, contractual crimes, offering jobs etc.
All material gathered during a criminal investigation must be collected, reported, recorded, classified, analysed,
processed and stored. All evidence must be marked for identification and protectively packaged. Records must
be made of each piece of evidence and its location in relation to a crime. The law speaks of a chain of evidence
or chain of custody which must remain unbroken to prevent tampering. The Police are held accountable for
every item of evidence from the time it is discovered at the scene of a crime until it is presented in court.
A chain of custody tracks evidence from its original source to what is offered as evidence in court. With
electronic evidence, a chain of custody is critical because electronically stored data can be altered relatively
easily, and proving the chain is the primary tool in authenticating electronic evidence. A good benchmark is
whether the software is used and relied on by law enforcement agencies. Second, the copies made must be
capable of independent verification. In short, your opponent and the court must be able to satisfy themselves
that your copies are accurate. Third, the copies created must be tamper proof. Securing the media simply
assures that your original copies are preserved. Just as you would make working copies of any documents
produced, you should create working copies of data. When you work with data restored from the media you
collected, make sure you can track individual files and documents back to their original source. The checklist
below sets out one way of doing this.
Give any one 'Case Study' or 'Case Example' and mention how Cyber Forensic was important in
solving that case:
Cyber Crime Investigation Cell, CID, Mumbai – Registered a case u/s 66 of IT Act, Sec 419, 420, 465, 468, 471
of IPC, Section 51, 63, 65 of Copyright Act. It was a case of Phishing.
Investigation carried on with the help of emails received by customers of financial institution and accused was
arrested.