
Department of Electronics and I.T.

University of Kashmir
Unit 4: Digital Forensics
M.Tech Sem: 3

Digital Forensics
The use of scientifically derived and proven methods toward the preservation, collection, validation,
identification, analysis, interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the reconstruction of events found
to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned
operations.
(Digital Forensic Research Workshop (DFRWS) 2001)
Investigation types might vary, but
• the principles and procedures remain more or less the same
• the sources of evidence remain the same
Digital Forensics depends upon the
• Expertise of an examiner to interpret data
• Information retrieved by tools (hence, the tools should be trustworthy)
Digital Forensics, hence, is the science of forensics combined with the art of investigation
• Applying the scientific method and deductive reasoning to data is the science
• Interpreting these data to reconstruct an event is an art
Goals of Forensic Analysis:
• Find the facts
• Via these facts, reconstruct the truth of an event
• The truth of an event is revealed by discovering and exposing the remnants (traces) of the event left on the system
• Remnants are known as artifacts or evidence (used in legal proceedings)
• Even simple tasks create artifacts
• Even the act of cleaning up after a task leaves additional artifacts
To survive in a court of law, investigators must apply the two tests for evidence:
• Authenticity:
  Where does the evidence come from?
• Reliability:
  Is the evidence reliable and free of flaws?
Modes of Attack:
• Insider attacks:
  These involve a breach of trust from employees within an organization.
• External attacks:
  These involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor's reputation.
Rules of Computer Forensics:
A good forensic investigator should always follow these rules:
• Examine the original evidence as little as possible. Instead, examine the duplicate evidence.
• Follow the rules of evidence and do not tamper with the evidence.
• Always prepare a chain of custody, and handle evidence with care.
• Never exceed the knowledge base of the FI.
• Make sure to document any changes in evidence.
Staying within these parameters makes a case valuable and defensible.

DFRWS Investigative Model (figure):

Identification:
• Forensic sciences are based on Locard's Exchange Principle (exchange of traces).
• In the digital world, when two systems come in contact, they exchange traces.
• E.g., if an individual browses to a website, the web server or web application firewall may record the individual's IP address within a collection log.
• This principle can guide the identification of potential sources of evidence during an incident.
• E.g., to identify the root cause of a malware infection, start with analysing the infected system by searching the firewall connection or proxy logs for any outbound traffic from the infected system to external IP addresses. This may reveal the C2 server.
Preservation:
• After evidence identification, it is important to safeguard it from any modification or deletion.
• Done by enabling the controls to protect the potential evidence, e.g. log files, from removal or modification.
• In terms of host systems, e.g. desktops, isolate the system from the rest of the network through either physical or logical controls, network access controls, etc.
• It is critical that users not be allowed to access a suspect system, to prevent deliberate or inadvertent tainting of evidence.
• Preservation of evidence in virtual systems is achieved through snapshotting systems, cloning the system and saving on non-volatile storage.
Collection (media):
• Examiners begin the process of actual acquisition of digital evidence.
• During acquisition, the volatility of the evidence is to be considered.
• For network equipment, it could include active connections or log data stored in the device.
• The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227) addressing the order of volatility of digital evidence:
  - registers, cache
  - routing table, ARP cache, process table, kernel statistics, memory
  - temporary file systems
  - disk
  - remote logging and monitoring data that is relevant to the system in question
  - physical configuration, network topology
  - archival media
• Proper Evidence Handling
  - Altering the original evidence: no alteration is allowed in the original evidence; always work on a duplicate.
  - Documentation (if you didn't write it down, it didn't happen)
  - Chain of Custody
    - Describes the documentation of a piece of evidence through its life cycle
    - Starts when an individual first takes custody of the piece of evidence and lasts until the incident is finally disposed of
    - Can be maintained electronically or manually
Collection (chain of custody diagram):

Examination (data):

• Details the specific tools and forensic techniques used to discover and extract data from the evidence seized.
• E.g., in the case of malware suspected of infecting a desktop as part of a larger attack, extraction of specific information from the acquired memory image would take place in this stage.
• Extraction of Secure Shell traffic from a network capture.
• The preservation of evidence is kept in mind throughout the examination process.
Analysis (information):
• Once examination has extracted the potentially relevant pieces of data, the examiner then analyses the data in light of any other relevant data obtained.
• E.g., if the analyst has discovered that the compromised host has an open connection to an external IP address, he will then correlate that information with an analysis of the packet capture from the network. Using the IP address as a starting point, the analyst would be able to isolate the particular traffic and hence identify the C2 server.
• It can take many iterations and might include reduction of the acquired base data set.
• Other examples include: file system analysis, file content analysis, log analysis, etc.
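The two C2-hunting examples above (outbound traffic from the infected host in the firewall or proxy logs, then the external IP as the pivot into the packet capture) can be scripted. The following Python block is an added example written for these notes, not code from the lecture or from any tool it names; the log layout, the host 10.0.5.23 and every address in the sample lines are constructed.

```python
# Added example (not from the lecture notes): triage firewall/proxy log lines to
# find outbound connections from a suspected-infected host to external (non-RFC1918)
# addresses and rank the destinations by how often they were contacted. A destination
# contacted repeatedly at regular intervals is the one to pull out of the packet capture.
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simple "timestamp action src -> dst:port" layout.
SAMPLE_FIREWALL_LOG = """\
2024-01-15T09:00:01 ALLOW 10.0.5.23 -> 10.0.0.5:445
2024-01-15T09:00:04 ALLOW 10.0.5.23 -> 203.0.113.77:443
2024-01-15T09:01:04 ALLOW 10.0.5.23 -> 203.0.113.77:443
2024-01-15T09:01:30 ALLOW 10.0.5.23 -> 198.51.100.10:80
2024-01-15T09:02:04 ALLOW 10.0.5.23 -> 203.0.113.77:443
2024-01-15T09:02:09 ALLOW 10.0.5.40 -> 203.0.113.77:443
2024-01-15T09:03:04 DENY  10.0.5.23 -> 203.0.113.77:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Ranges treated as "inside the organisation" (assumption: RFC 1918 plus loopback
# and link-local; adjust to the network actually under investigation).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_external(events, infected_host):
    """Connections (allowed or denied) from infected_host to external destinations."""
    return [e for e in events
            if e["src"] == infected_host and is_external(e["dst"])]


def rank_destinations(events, infected_host):
    """(dst, port) pairs contacted by the host, most frequent first."""
    return Counter((e["dst"], e["port"])
                   for e in outbound_external(events, infected_host)).most_common()


if __name__ == "__main__":
    for (dst, port), n in rank_destinations(parse_log(SAMPLE_FIREWALL_LOG), "10.0.5.23"):
        print(f"{dst}:{port}  {n} connections")
```

Denied connections are counted as well as allowed ones: a blocked beacon still tells the analyst which endpoint the host was trying to reach, which is exactly the pivot value needed for the packet-capture step.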
Presentation (evidence):
• This refers to a detailed written report of the facts related to a digital forensic case.
• It needs to be clear and concise, addressing every action and capturing the critical data required.
• It should be thorough, accurate and without any bias or opinion.
• It aids in determining the root cause of an incident.
• It is usually presented in a court of law and might require validation from an expert witness.

6 A's of Digital Forensics:
• Assessment:
  You must be able to distinguish between evidence and junk data. For this, you should know what the data is, where it is located, and how it is stored.
• Acquisition:
  The evidence you find must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.
• Authentication:
  At least two copies are taken of the evidential computer. One of these is sealed in the presence of the computer owner and then placed in secure storage. This is the master copy and it will only be opened for examination under instruction from the court, in the event of a challenge to the evidence presented after forensic analysis on the second copy.
• Analysis:
  The stored evidence must be analyzed to extract the useful information and recreate the chain of events.
• Articulation:
  The manner of presentation is important, and it must be readily understandable by the court. It should remain technically correct and credible. A good presenter can help in this respect.
• Archival:
  After the case is closed, seal the original evidence and keep it in a secure storage place, because the case may be reopened months or years later and the evidence would then have to be resubmitted in court.
Skills required for Digital Forensic Application:
• Programming or computer-related experience
• Broad understanding of operating systems and their applications
• Strong analytical skills
• Strong computer science fundamentals
• System administration skills
• Knowledge of the latest intrusion tools
• Knowledge of cryptography and steganography
• Strong understanding of the rules of evidence and evidence handling
• Ability to be an expert defender in court
--------------------------------------------------------------------------------------------------------------------------------------
Incident Response
• Having the ability to properly respond to security incidents in an orderly and efficient manner allows organizations both to limit the damage of a potential cyberattack and to recover from the associated damage that is caused.
• Incident response is a capability added to the existing policies and procedures of organizations of all sizes.
• Building this capability needs to address several key components:
  - Working knowledge of the incident response process (includes the general incident flow and the general actions taken at each stage)
  - Organizations having access to personnel who form the nucleus of any incident response capability (includes organizing the team, formalizing the plan and associated processes)
• With an Incident Response framework in place, the plan needs to be continually evaluated, tested, and improved as new threats emerge.
• Having an Incident Response capability will position organizations to be prepared for the unfortunate reality that many organizations have already faced: an incident that compromises their security.

Incident Response Process (figure): Preparation -> Detection -> Analysis -> Containment -> Eradication & Recovery -> Post-Incident Activity

Incident Response Process (Preparation):

• Without good preparation, any subsequent incident response is going to be disorganized and has the potential to make the incident worse.
• Critical components of preparation are:
  - Creation of an Incident Response Plan (includes processes, procedures and any additional tools)
  - Necessary staffing
  - Staff properly trained
  - Tools such as forensics hardware and software should be acquired and incorporated into the overall process
  - Regular exercises to be conducted to ensure the organization is trained and familiar with the process
Incident Response Process (Detection):
• The detection phase is that part of the incident response process where the organization first becomes aware of a set of events that possibly indicate malicious activity.
• The detection of potential incidents is a complex endeavor.
• An organization can have millions of computational events per day. This is coupled with the security controls constantly altering the activity, which makes it difficult to separate pieces of signal from the vastness of noise.
• Even today's cutting-edge Security Incident and Event Management (SIEM) tools lose their effectiveness if they are not properly maintained with regular updates.
• Detection can be from:
  - SIEM technology or other security controls
    E.g., a security analyst may receive an alert that a particular administrator account was in use during a period of time when the user was on vacation.
  - External sources (ISP or law enforcement agency)
    E.g., they may detect malicious activity originating in an organization's network and contact them to advise them of the situation.
  - Users (employees)
    E.g., informing a help desk technician that they received an Excel spreadsheet from an unknown source and opened it. They are now complaining that their files on the local system are being encrypted.
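The first detection source above (a SIEM alerting on an administrator account used while its owner is on vacation) is, in essence, a correlation of authentication events with a leave record. The Python block below is an added illustration of that rule, not part of the lecture notes; the log layout, user names, hosts and dates are constructed.

```python
# Added example (not from the lecture notes): a minimal detection rule of the kind a
# SIEM would run, flagging successful logons by an account whose owner is recorded
# as being on leave. The event layout "timestamp user host result" is constructed.
from datetime import date, datetime

# Constructed authentication events.
SAMPLE_AUTH_LOG = """\
2024-03-04T08:15:00 jdoe WS-17 SUCCESS
2024-03-05T23:42:10 admin.smith DC-01 SUCCESS
2024-03-06T02:10:44 admin.smith FS-02 SUCCESS
2024-03-06T09:00:12 jdoe WS-17 FAILURE
2024-03-12T10:30:00 admin.smith DC-01 SUCCESS
"""

# Constructed HR leave records: user -> (first day, last day), both inclusive.
LEAVE = {"admin.smith": (date(2024, 3, 4), date(2024, 3, 8))}


def parse_auth_log(text):
    """Parse events; malformed lines are skipped rather than crashing the rule."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def on_leave(user, when, leave=LEAVE):
    window = leave.get(user)
    return window is not None and window[0] <= when.date() <= window[1]


def detect_logons_during_leave(events, leave=LEAVE):
    """Successful logons that fall inside the account owner's leave window.
    Failed attempts are left to a separate brute-force rule."""
    return [e for e in events
            if e["result"] == "SUCCESS" and on_leave(e["user"], e["ts"], leave)]


if __name__ == "__main__":
    for alert in detect_logons_during_leave(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"ALERT {alert['ts'].isoformat()} {alert['user']} logged on to "
              f"{alert['host']} while on leave")
```

The rule is only as good as the leave record it joins against, which is the "properly maintained" point made above: a SIEM whose reference data (leave schedules, asset lists, account owners) goes stale produces alerts nobody trusts.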

Detection of Incidents (figure)
Incident Response Process (Analysis):

• After incident detection, personnel from the organization begin the analysis phase.
• They start with the task of collecting evidence from systems such as:
  - Running Memory
  - Log Files
  - Network Connections
  - Running Software Processes
• It might take a few hours to several days (depending on the nature of the incident)
• After collection, evidence needs to be examined (using tools)
Analysis will help in:
• Ascertaining what happened
• What it affected
• Whether any other systems were involved
• Whether any confidential data was removed
The ultimate goal of analysis is to determine the root cause of the incident and reconstruct the actions.

Possible Investigation Phase Steps (figure)

Performing Forensic Analysis (figure)
Incident Response Process (Containment):

• Organizations take measures to limit the ability of threat actors to continue compromising other network resources, communicating with command and control infrastructure, or exfiltrating confidential data.
• Containment strategies range from:
  - locking down ports and IP addresses on a firewall
  - to simply removing the network cable from the back of an infected machine
• Each type of incident involves its own containment strategy
Incident Response Process (Eradication & Recovery):
• Eradication
  - The organization removes the threat actor from the impacted network.
  - E.g., in a malware infection, the organization may run an enhanced anti-malware solution.
  - Wipe or reimage the infected machines
  - Remove or change compromised user accounts
  - After exploited vulnerabilities are identified, vendor patches are applied or software updates are made.
• Recovery
  - Recovery activities are closely aligned with the organization's business continuity or disaster recovery plans
  - Reinstall fresh operating systems or applications
  - Restore data on local systems from backups
  - Audit existing user and administrator accounts
  - Comprehensive vulnerability scan to ensure all vulnerabilities have been removed
Incident Response Process (Post-Incident Activity)
• Post-incident activity includes a complete review of all the actions taken during the incident.
• Review of what worked and, more importantly, what didn't work.
• This highlights tasks and actions that had a positive or negative impact on the outcome of the Incident Response.
• Documentation of actions during IR is necessary (all technical jargon should be explained)
• Finally, organizational personnel should update their own Incident Response processes with the lessons learned for future unfortunate events.
--------------------------------------------------------------------------------------------------------------------------------------
Digital Evidence
• Digital evidence is defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device.
• This evidence can be acquired when electronic devices are seized and secured for examination.
• According to the National Institute of Justice, "Digital evidence should be examined only by those trained specifically for that purpose."

Legal Considerations

Computer evidence needs to be:
Admissible: It must conform to certain legal rules before it can be put before a court.
Authentic: It must be possible to positively tie evidentiary material to the incident.
Complete: It must tell the whole story and not just a particular perspective.
Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity.
Believable: It must be readily believable and understandable by a court.

Rules of evidence
Rule 402: Test for relevant evidence
Rule 502: Attorney-client privilege and work product
Rule 702: Testimony by expert witnesses
Rule 902: Evidence that is self-authenticating
Rule 1002: Best evidence rule
Rule 1003: Admissibility of duplicates
Order of Volatility
When collecting evidence, you should proceed from the volatile to the less volatile. Here is an example order of volatility for a typical system.
• registers, cache
• routing table, ARP cache, process table, kernel statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system in question
• physical configuration, network topology
• archival media

Collection of Evidence:
Handheld Devices:
• PDAs (Personal Digital Assistants)
• Digital Multimedia Devices
• Pagers
• Digital Cameras
• Global Positioning Satellite (GPS) Receivers
• Mobile and Smart Phones
Peripheral Devices (equipment that can be attached or connected to a computer):
• Modems
• Routers
• Printers
• Scanners
• Docking Stations

Tools and Materials for Collecting Digital Evidence:

• Cameras (Photo and Video)
• Cardboard Boxes
• Notepads
• Gloves
• Evidence Inventory Logs
• Evidence Tape
• Evidence Stickers, Labels or Tags
• Crime Scene Tape
• Anti-static Bags
• Permanent Markers
• Non-magnetic Tools
• Paper Evidence Bags
• Radio Frequency-shielding Material such as Faraday Isolation Bags or Aluminium Foil to Wrap Cell Phones, Smart Phones, and other Mobile Communication Devices
--------------------------------------------------------------------------------------------------------------------------------------

Digital Forensic Types

• Disk Forensics
• Memory Forensics
• Network Forensics
• Mobile Device Forensics
• Multimedia Forensics
• Internet Forensics

Table of Tools:

Tool Name | Op Sys | Purpose/Description | Static/Live Analysis
Registry Recon | Windows | Rebuild the registries, parsing for in-depth analysis | Static
SIFT (SANS Investigative Forensics Toolkit) | Ubuntu | Digital forensic analysis on different O.Ss | Live
Encase | Windows | Gather & analyse memory dump | Static
PTK Forensics (Programmers Toolkit) | LAMP | GUI based framework for static & live analysis | Both
FTK | Windows | Digital analysis & indexing the evidentiary data | Static
Wireshark | Windows/Mac/Linux | Captures & analyses packets | Both
The Sleuth Kit | Unix/Windows | GUI & CLI for analysis on Unix & Windows | Live
COFEE (Computer Online Forensic Evidence Extractor) | Windows | Extracting & analysing forensic data lively | Live
X-Ways Forensics | Windows | General purpose on WinHex editor | Both
Bulk Extractor | Windows/Linux | Extraction of phone no's, email addresses, URLs, etc. | Live
OCFA (Open Computer Forensics Architecture) | Linux | CLI for distributed computer forensics to analyse digital media, used in forensic labs | Live
Memoryze | Windows | Acquires & analyses RAM images, which includes the page file on a live system | Live
Volatility Framework | Volatility Systems | Extraction of items from RAM | Live

Two Techniques of Digital Forensics:

Based on evidence handling during seizure:
• Static Forensics (Traditional/Dead)
• Live Forensics
Which technique applies is determined by the state of the system; the approach to the two types is different, but both need to be paired together to complement each other.
Dead Forensics
• Provides incomplete evidentiary data
• Information in volatile memory cannot be effectively recovered
• Investigations carried out on data at rest.
• Works on images
Live Forensics
• Provides a more accurate and consistent picture of current & previously running processes.
• Works on live systems (real time)
• Analysis is quick (no imaging time)
• Volatile memory + registry keys + open network connections + system accounts
• Addresses immediate and active threats
• No special processing involved for decryption and unpacking
How to Proceed?

Hard disk drives:
Introduced in 1956 by IBM for general purpose mainframes & minicomputers.
Advancements over the years in terms of:
• Capacity
• Size
• Shape
• Internal structure
• Performance
• Interface
• Modes of storing data

Hard disk types

Parallel Advanced Technology Attachment (PATA): [CONSULT PPT FOR IMAGES]
First type of hard disk drive used as an internal computer storage interface
• Interface: PATA
• Referred to as: Integrated Drive Electronics (IDE) & Enhanced Integrated Drive Electronics (EIDE)
• First Introduced by: Western Digital Bank (1986)
• Provides a common drive interface technology for connecting hard drives & other devices to computers.
• Data Transfer Rate: 133 MB/s
• Max devices connected to the drive channel: 2 (most motherboards have a provision of 2 channels; thus, internally 4 EIDE devices can be connected).
• 40 (all connectors black) or 80 (black, gray, blue connectors) wire ribbon cable transferring multiple bits of data simultaneously in parallel.
• Data Stored: by magnetism
• Internal Structure: made of moving mechanical parts
• External: No
• Hot plugging: No

Serial ATA (SATA):

• Replaced PATA in desktops and laptops
• Advantages over PATA:
  - SATA drives can transfer data faster than PATA types by using serial signaling technology
  - SATA cables are thinner and more flexible than PATA cables
  - They have a 7-pin data connection, with a cable limit of 1 meter.
  - Disks do not share bandwidth because there is only one disk drive allowed per SATA controller chip on the computer motherboard.
  - They consume less power. They only require 250 mV as opposed to 5 V for PATA
• Hot Plugging: Yes
• External: Yes
• No. of Devices: 1

Small Computer System Interface (SCSI):

• Mostly used for HDDs and tape drives, but can be used for a wide variety of other devices (CD-ROMs, printers, scanners, etc.).
• Previous versions: Parallel
• Latest versions: Serial (SAS, Serial Attached SCSI)
• Popular on high performance workstations, servers and storage appliances.
• RAIDs on servers use some kinds of SCSI hard drives.
• Modern desktops and notebooks typically use SATA instead of SCSI for internal HDDs.
• 68 pins

Solid State Drive:

A Solid State Drive can be seen as the successor of the Hard Disk Drive (HDD) and relies entirely on flash memory. This allows faster read/write speeds, less power consumption and increased robustness (HDDs are extremely vulnerable to shocks), though still at a much higher cost.

USB:
• Universal Serial Bus
• The USB "trident" icon
• Year Created: January 1996
• Number of Devices: 127 per host
• Style: Serial
• Hot plugging: Yes
• External: Yes
FireWire:
FireWire is Apple Inc.'s brand name for the IEEE 1394 interface. It is also known as i.Link (Sony's name). It is a personal computer (and digital audio/digital video) serial bus interface standard, offering high-speed communications and real-time data services. FireWire has replaced Parallel SCSI in many applications, due to lower implementation costs and a simplified, more adaptable cabling system.
• The FireWire icon
• Year Created: 1990
• Created By: Apple
• Number of Devices: 63
• Style: Serial
• Hot plugging: Yes
• External: Yes

Peripheral Component Interconnect (PCI):

The PCI standard specifies a computer bus for attaching peripheral devices to a computer motherboard. These devices can take any one of the following forms: an integrated circuit fitted onto the motherboard itself, called a planar device in the PCI specification, or an expansion card that fits into a socket.
• Created: Mid-1993
• Created by: Intel
• Superseded by: PCI Express (2004)
• Number of Devices: 1 per slot
• Speed: 133 MB/s
• Style: Parallel
• Hot plugging: No
• External: No

PCI Express:
PCI Express, officially abbreviated as PCIe (and sometimes confused with PCI Extended, which is officially abbreviated as PCI-X), is a computer expansion card interface format. It was designed as a much faster interface to replace the PCI, PCI-X, and AGP interfaces for computer expansion cards and graphics cards. The PCI Express (PCIe) physical connection (slot) is completely different from those of the older standard PCI slots or those for PCI Extended (PCI-X).

Purpose of Write Blockers:
• To allow a seized hard drive (source) to be connected to a lab/exam computer for forensic image acquisition and/or analysis.
• To prevent the lab/exam computer from writing data to a seized (source) hard drive.
Write Block Requirements:
• Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during capture, analysis, and control.
• A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data.
• The main difference between software and hardware write blockers is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write blocking software installed on a controller chip inside a portable physical device.
• Where possible, set a hardware jumper to make the disk read only.
• All commands that change drive content are blocked
• Why not just say all READ commands are allowed?
• The tool shall not prevent obtaining any information from or about any drive.

--------------------------------------------------------------------------------------------------------------------------------------
Disk Forensics
Imaging:
• Imaging the subject media by making a bit-for-bit copy of all sectors on the media is a well-established process that is commonly performed at the hard drive level, hence often referred to as hard drive imaging, bit stream imaging or forensic imaging.
• Generate a digital fingerprint of the acquired media, known as a hash.
• A hash generation process involves examining all of the 0's and 1's that exist across the sectors examined. Altering a single 0 to a 1 will cause the resulting hash value to be different. Both the original and the copy of the evidence are analyzed to generate a source and a target hash. Assuming they both match, we can be confident of the authenticity of the copied hard drive or other media.
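Added example for the imaging and hashing process just described and for the electronic chain of custody mentioned under Collection: Python code written for these notes (not part of the lecture or of any forensic tool), using a constructed three-sector "medium" held in memory. The sector size, exhibit id, custodian name and timestamps are assumptions; SHA-256 is the hash used.

```python
# Added example (not from the lecture notes): bit-for-bit copy of a constructed
# medium, source/target hash comparison, and an append-only chain-of-custody log in
# which every entry commits to the hash of the previous entry.
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_media(source: bytes) -> bytes:
    """Copy every sector in order, including a partial last one (bit-for-bit)."""
    out = bytearray()
    for off in range(0, len(source), SECTOR):
        out += source[off:off + SECTOR]
    return bytes(out)


def verify_image(source: bytes, image: bytes) -> dict:
    """Source and target hashes; a single flipped bit makes them differ."""
    src, tgt = sha256_hex(source), sha256_hex(image)
    return {"source_hash": src, "target_hash": tgt, "match": src == tgt}


class ChainOfCustody:
    """Electronic chain-of-custody log. Each entry's hash covers the previous
    entry's hash, so removing or editing an entry breaks verify()."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, custodian, action, detail, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"evidence_id": self.evidence_id, "time": when, "custodian": custodian,
                 "action": action, "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev_hash"] != prev or expected != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed medium: three sectors, the second holding a recognisable marker.
SOURCE_MEDIA = (b"\x00" * SECTOR
                + b"EVIDENCE" + b"\x00" * (SECTOR - 8)
                + b"\xff" * SECTOR)


def acquisition_demo():
    coc = ChainOfCustody("EXHIBIT-01")  # constructed exhibit id
    coc.record("examiner A", "seized", "source medium, 3 sectors",
               "2024-01-15T10:00:00+00:00")
    image = image_media(SOURCE_MEDIA)
    result = verify_image(SOURCE_MEDIA, image)
    coc.record("examiner A", "imaged",
               f"sha256={result['target_hash']} match={result['match']}",
               "2024-01-15T10:30:00+00:00")
    # Flip one bit in a copy of the image: the target hash no longer matches.
    tampered = bytearray(image)
    tampered[SECTOR] ^= 0x01
    tampered_match = verify_image(SOURCE_MEDIA, bytes(tampered))["match"]
    return result, tampered_match, coc


if __name__ == "__main__":
    result, tampered_match, coc = acquisition_demo()
    print("image matches source:", result["match"])
    print("tampered copy matches:", tampered_match)
    print("chain of custody intact:", coc.verify())
```

The hash comparison answers "is the copy authentic?"; the chained log answers "who handled it, when, and has the record itself been altered?", which is the question raised at the chain-of-custody step.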

Disk Space Evaluation:

Disk locations to look for:

• Host Protected Area (HPA)
• Device Configuration Overlay (DCO)
• Master Boot Record (MBR)
• Slack Space
• Unallocated Space

Host Protected Area (HPA):

• Area of an HDD or SSD not visible to the Operating System.
• Commands involved in creating and using an HPA:
  - IDENTIFY DEVICE [returns the true size before setting the HPA and the false size after setting the HPA]
  - SET MAX ADDRESS [used to reduce the reported size of the HDD]
  - READ NATIVE MAX ADDRESS [always returns the true size of the HDD]
• The HPA is useful only if other software or firmware (e.g. BIOS) is able to use it (HPA aware).
• Such software uses the "READ NATIVE MAX ADDRESS" ATA command, which accesses the register containing the true size of the hard drive.
• To use this area, the value of the register read by IDENTIFY DEVICE is changed to that found in the register read by READ NATIVE MAX ADDRESS
HDD before and after HPA creation (figure)

Forensic importance:

• Some rootkits hide in the HPA to avoid being detected by anti-rootkit and anti-virus software.
• The HPA can also be used to store data that is deemed illegal and is, thus, of interest to government and police computer forensics teams.
• Used by theft recovery and monitoring service vendors; even when a stolen laptop has its hard drive formatted, the HPA remains untouched.
• Some vendors hide system restore software in the HPA.
Identification tools:
• ATATool by Data Synergy
• The Sleuth Kit (free, open software) by Brian Carrier (HPA identification is currently Linux-only.)
• EnCase by Guidance Software
• Forensic Tool Kit (FTK) by Access Data
Example:
The Windows program ATATool can detect an HPA in the first drive as:
  ATATool /INFO \\.\PhysicalDrive0

Device Configuration Overlay (DCO):

• Hidden area on many of today's HDDs.
• Information stored in the DCO is not accessible by the BIOS, O.S. or the user.
• The DEVICE_CONFIGURATION_IDENTIFY command is used.
• The output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive.
Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike the HPA, which can be temporarily removed for a power cycle.
Forensic importance:
• The DCO allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors.
• Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators.
Detection tools:
• The ATATool utility can be used to detect a DCO from a Windows environment.

Master Boot Record:
• Special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives.
• The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium.

The boot signature validates the MBR: an invalid magic number indicates a corrupt or missing MBR, which is critical to booting or using the disk.
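Added example (not from the notes): a Python parser for a 512-byte MBR that checks the 0x55AA boot signature the paragraph refers to and reads the four 16-byte partition entries at offset 446. The sample MBR is built in memory with constructed partition values; the extra gap check lists sectors that no partition claims, which is where an examiner would look for data placed outside any file system.

```python
# Added example (not from the lecture notes): MBR parsing with boot-signature
# validation and a check for sector ranges that no partition accounts for.
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    valid = mbr[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_valid": valid, "partitions": partitions}


def unpartitioned_ranges(partitions, total_sectors):
    """Inclusive sector ranges covered by no partition. Sector 0 is the MBR itself."""
    gaps, cursor = [], 1
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr(entries, with_signature=True) -> bytes:
    """Constructed MBR: zeroed boot code, the given (bootable, type, start, count)
    entries, and optionally the boot signature. CHS fields are left zero."""
    mbr = bytearray(MBR_SIZE)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if bootable else 0x00, ptype, start, count)
    if with_signature:
        mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed sample: an NTFS-type (0x07) boot partition and a Linux (0x83) one.
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 2048, 204800),
                               (False, 0x83, 206848, 409600)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature valid:", info["signature_valid"])
    for p in info["partitions"]:
        print(p)
    print("unpartitioned:", unpartitioned_ranges(info["partitions"], 1_000_000))
```

Against a real image the first 512 bytes of the image file are passed to parse_mbr; the sample here only exists so the block runs offline.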
Slack Space:
• Slack space is a form of internal fragmentation, i.e. wasted space, on a hard disk.
• When a file is written to disk, it's stored at the "beginning" of the cluster.
• A cluster is defined as a collection of logically contiguous sectors and the smallest amount of disk space that can be allocated to hold a file.
• Rarely will there be an even match between the space available in a cluster and the number of bytes in the file.
• Leftover bytes in the cluster are unused, hence the name slack space.
• The examination of slack space is an important aspect of computer forensics.
• Technically, a file's slack space is the difference between its logical and physical size.
• The logical size of a file is determined by the file's actual size and is measured in bytes.
• The physical size of a file is determined by the number of sectors that are allocated to the file.
• Sectors are clustered in groups of four by default, which means that each cluster has 2,048 bytes.
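Added Python example (not from the notes) using the figures above: 512-byte sectors, four sectors per cluster, 2,048-byte clusters. It computes logical versus physical size and slack, and simulates what an examiner finds in the slack of a small file written into a cluster that previously held a larger one. The simulation's assumption, which the notes do not state, is that the operating system zero-fills only to the end of the last sector it writes and leaves the cluster's remaining sectors untouched.

```python
# Added example (not from the lecture notes): slack-space arithmetic and a small
# simulation of residue surviving in file slack. Sizes follow the notes; the
# "pad to end of sector, leave the rest" write behaviour is an assumption.
import math

SECTOR_BYTES = 512
SECTORS_PER_CLUSTER = 4
CLUSTER_BYTES = SECTOR_BYTES * SECTORS_PER_CLUSTER   # 2,048


def physical_size(logical_size: int) -> int:
    """Bytes actually allocated: whole clusters, at least one."""
    clusters = max(1, math.ceil(logical_size / CLUSTER_BYTES))
    return clusters * CLUSTER_BYTES


def slack_bytes(logical_size: int) -> int:
    return physical_size(logical_size) - logical_size


def write_file(storage: bytearray, cluster_index: int, data: bytes) -> None:
    """Simulated write of a file that fits in one cluster. The OS is assumed to
    zero-fill to the end of the last sector it touches and to leave the cluster's
    remaining sectors exactly as they were."""
    if len(data) > CLUSTER_BYTES:
        raise ValueError("simulation handles single-cluster files only")
    start = cluster_index * CLUSTER_BYTES
    padded_len = max(SECTOR_BYTES, math.ceil(len(data) / SECTOR_BYTES) * SECTOR_BYTES)
    storage[start:start + padded_len] = data + b"\x00" * (padded_len - len(data))


def read_slack(storage: bytes, cluster_index: int, logical_size: int) -> bytes:
    """Everything in the cluster beyond the file's logical end."""
    start = cluster_index * CLUSTER_BYTES
    return bytes(storage[start + logical_size:start + CLUSTER_BYTES])


def slack_demo() -> bytes:
    disk = bytearray(4 * CLUSTER_BYTES)          # constructed 8 KiB volume
    old = b"CONFIDENTIAL DRAFT " * 100           # 1,900 bytes, most of cluster 1
    write_file(disk, 1, old)
    new = b"shopping list\n"                      # 14 bytes, reuses cluster 1
    write_file(disk, 1, new)
    return read_slack(disk, 1, len(new))


if __name__ == "__main__":
    for size in (14, 2048, 2049):
        print(f"logical {size:>5} -> physical {physical_size(size):>5}, "
              f"slack {slack_bytes(size):>5}")
    slack = slack_demo()
    print(f"slack of the new file: {len(slack)} bytes, "
          f"old text present: {b'CONFIDENTIAL' in slack}")
```

The first 498 bytes of the slack (the rest of the sector the new file partly used) come back as zeros; the three untouched sectors still carry the earlier file's text, which is the residue slack-space examination looks for.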

Cluster / sector / slack space (figure)

File System Tables:
A file system table is an array of entries that describe each file; the details depend on the file system implementation. Recovery of deleted data is possible by consulting the file system tables, and their metadata or timestamps are used to recreate the timeline of events.
File Systems:
• FAT (File Allocation Table)
• NTFS (New Technology File System)
• HFS (Hierarchical File System)
• ext4

Inode in ext4 (figure)

Unallocated space:
• Unallocated space, sometimes called "free space", is logical space on a hard drive that the operating system, e.g. Windows, can write to.
• To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files to.
• On a standard, working computer, files can only be written to the unallocated space.
• On a new drive the unallocated space is normally zeros; as files are written to the hard drive, the zeros are overwritten with the file data.
Deleting a file:
• The FAT / MFT tells the computer where the file begins and ends.
• Deleting a file deletes the pointer to the file
• The FAT/MFT space occupied by the file is marked as available.
• The actual data that was contained in the file is not deleted.
• The space is marked unallocated.
Hence, the data can be recovered with specialized tools until it is overwritten.
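Added Python example (not from the notes) modelling the deletion behaviour just described: a toy allocation table in which deleting a file only removes the directory pointer and marks its clusters free, followed by a header/footer carve of the unallocated clusters that recovers the file, and a second carve after the clusters are reused. Cluster size, file names and contents are constructed; the toy table is a simplification, not a real FAT.

```python
# Added example (not from the lecture notes): toy FAT-like volume. delete() never
# touches cluster contents, so carving the unallocated clusters recovers a deleted
# file until a later write reuses those clusters.
CLUSTER = 64        # constructed, tiny, so the whole volume is easy to inspect
FREE = None         # table value for an unallocated cluster
END = -1            # table value marking the last cluster of a chain

# Constructed 90-byte "PDF": two clusters at 64 bytes each.
PDF_SAMPLE = b"%PDF-1.4\n" + b"secret figures " * 5 + b"\n%%EOF"


class ToyVolume:
    def __init__(self, clusters):
        self.table = [FREE] * clusters            # chain table: next cluster or END
        self.data = bytearray(clusters * CLUSTER)
        self.directory = {}                       # name -> (first cluster, size)

    def _alloc(self, n):
        free = [i for i, v in enumerate(self.table) if v is FREE][:n]
        if len(free) < n:
            raise OSError("volume full")
        return free

    def write(self, name, content):
        n = max(1, -(-len(content) // CLUSTER))   # ceiling division
        chain = self._alloc(n)
        for k, c in enumerate(chain):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.table[c] = chain[k + 1] if k + 1 < n else END
        self.directory[name] = (chain[0], len(content))

    def delete(self, name):
        """Drop the directory pointer and free the chain; data stays in place."""
        first, _ = self.directory.pop(name)
        c = first
        while c != END:
            nxt = self.table[c]
            self.table[c] = FREE
            c = nxt

    def unallocated_clusters(self):
        return [i for i, v in enumerate(self.table) if v is FREE]

    def carve(self, header, footer):
        """Scan unallocated clusters in order for header...footer pairs."""
        region = b"".join(bytes(self.data[i * CLUSTER:(i + 1) * CLUSTER])
                          for i in self.unallocated_clusters())
        hits, pos = [], 0
        while True:
            start = region.find(header, pos)
            if start < 0:
                return hits
            end = region.find(footer, start)
            if end < 0:
                return hits
            hits.append(region[start:end + len(footer)])
            pos = end + len(footer)


def recovery_demo():
    vol = ToyVolume(8)
    vol.write("report.pdf", PDF_SAMPLE)          # clusters 0 and 1
    vol.write("notes.txt", b"shopping list")     # cluster 2
    vol.delete("report.pdf")
    before = vol.carve(b"%PDF", b"%%EOF")         # recovered from free clusters
    vol.write("cache.bin", b"X" * 70)             # reuses clusters 0 and 1
    after = vol.carve(b"%PDF", b"%%EOF")          # header overwritten: nothing
    return before, after


if __name__ == "__main__":
    before, after = recovery_demo()
    print("recovered before reuse:", len(before), "file(s)")
    print("recovered after reuse:", len(after), "file(s)")
```

Note that cluster 2 (the still-allocated notes.txt) is skipped by carve(): carving reads only the space the table marks as free, which is why a file whose clusters are partially reused comes back truncated or not at all.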

General Forensic issues:

• Imaging an HDD that has an HPA and/or DCO on it.
• While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool.
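Added Python example (not from the notes) for the HPA/DCO sizing described earlier and for the imaging issue above: given the three ATA size reports (IDENTIFY DEVICE, READ NATIVE MAX ADDRESS, DEVICE CONFIGURATION IDENTIFY), size each hidden area and check whether an image file is large enough to have captured them. All LBA values and the image size are constructed; reading the values from a real drive (e.g. with ATATool) is outside the snippet.

```python
# Added example (not from the lecture notes): interpret ATA maximum-LBA reports to
# size an HPA and a DCO, and verify that an acquisition covered them.
# Each value is the highest addressable sector the respective command reports:
#   identify_max_lba  : IDENTIFY DEVICE (what the OS sees)
#   native_max_lba    : READ NATIVE MAX ADDRESS (true size from the HPA's view)
#   dco_max_lba       : DEVICE CONFIGURATION IDENTIFY (true size of the platters)
SECTOR_BYTES = 512  # assumed logical sector size


def hidden_areas(identify_max_lba, native_max_lba, dco_max_lba):
    """HPA = sectors above IDENTIFY DEVICE up to READ NATIVE MAX ADDRESS;
    DCO = sectors above READ NATIVE MAX ADDRESS up to DEVICE CONFIGURATION IDENTIFY."""
    if not identify_max_lba <= native_max_lba <= dco_max_lba:
        raise ValueError("inconsistent ATA size reports")
    hpa = native_max_lba - identify_max_lba
    dco = dco_max_lba - native_max_lba
    return {"hpa_sectors": hpa, "hpa_bytes": hpa * SECTOR_BYTES,
            "dco_sectors": dco, "dco_bytes": dco * SECTOR_BYTES,
            "true_sectors": dco_max_lba + 1}


def acquisition_warnings(identify_max_lba, native_max_lba, dco_max_lba,
                         image_size_bytes):
    """Which hidden areas an image of the given size failed to capture."""
    areas = hidden_areas(identify_max_lba, native_max_lba, dco_max_lba)
    captured_sectors = image_size_bytes // SECTOR_BYTES
    warnings = []
    if areas["hpa_sectors"] and captured_sectors <= native_max_lba:
        warnings.append(f"HPA of {areas['hpa_sectors']} sectors not captured")
    if areas["dco_sectors"] and captured_sectors <= dco_max_lba:
        warnings.append(f"DCO of {areas['dco_sectors']} sectors not captured")
    return warnings


# Constructed drive: OS sees 1,000 sectors, HPA hides 24, DCO hides a further 1,024.
IDENTIFY_MAX, NATIVE_MAX, DCO_MAX = 999, 1023, 2047

if __name__ == "__main__":
    print(hidden_areas(IDENTIFY_MAX, NATIVE_MAX, DCO_MAX))
    # An HPA/DCO-unaware imager stops at what IDENTIFY DEVICE reports.
    print(acquisition_warnings(IDENTIFY_MAX, NATIVE_MAX, DCO_MAX, 1000 * SECTOR_BYTES))
    print(acquisition_warnings(IDENTIFY_MAX, NATIVE_MAX, DCO_MAX, 2048 * SECTOR_BYTES))
```

The comparison the DCO section describes (DEVICE_CONFIGURATION_IDENTIFY against IDENTIFY_DEVICE) is the dco_max_lba versus identify_max_lba test here; the three-value form additionally tells the HPA and DCO portions apart, which matters because removing a DCO alters the drive permanently while an HPA can be lifted for one power cycle.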

Methods of Hiding Data:

Hiding is not limited to:
• Cryptography
  - Obscuring data into unreadable data
• Steganography
  - Hiding the existence of the data
• Watermarking
  - Proving ownership by adding sufficient metadata
but data is also hidden in...
• Disks
• File Systems
• Operating System

File System (NTFS):

• Everything written to the disk is considered a file
  - Files, directories, metadata, etc.
• The MFT is the heart of NTFS (an array of records of 1024 bytes each)
• Records in the MFT are called metadata.
• The first 16 records in the MFT are reserved for metadata files.
  - Entry #1 is $MFT
One of the most complex file systems you'll deal with!

Deleted Files:


 Unallocated space
 File System Journals, Index Files, and Log files: $I30, $LogFile
 File Wipers – they don’t actually wipe everything; some crumbs are left for the investigator!
 Hiding within the $DATA attribute
 MFT slack space is used for data hiding.
Recoverability:
 MFT entry and file are both recoverable.
 File is deleted and the MFT entry is recoverable, but a portion of the file data is overwritten:
the file can only be partially recovered.
 The file is deleted and the MFT entry is recoverable, but the file data is 100% overwritten:
the file is not recoverable, but information about the file (name, dates, sizes, etc.) is.

Bad Blocks ($BadClus):


 Marked in the metadata file $BadClus (MFT entry 8)
 Sparse file with the size set to the size of the entire file system
 Bad clusters are allocated to this file
 Clusters can be allocated to $BadClus and used to store data
Time Manipulation (Timestomp):
 Also a form of Data Hiding
 Misleading investigators by altering MACE (Modified, Accessed, Created, MFT Entry modified) timing
(forensic timeline will be incorrect).

Operating Systems:


Range from simply changing icons, names, file extensions or the hidden attribute, or using known system names
(svchost.exe), etc., to more complex techniques leveraging the OS capabilities itself.
Changing the file extension –
 .doc to .xls
 .pdf to .doc
Hiding files within system directories

Autoruns:
 A feature of the Windows operating system that causes predetermined system actions
when certain media is inserted.
 Common media types that trigger AutoRun actions include CDs, DVDs in traditional or Blu-
ray format and USB storage devices, such as flash drives or external hard drives.
Without proper understanding of the underlying technology, it’s just like you’re searching for a
needle in the haystack!
--------------------------------------------------------------------------------------------------------------------------------------
Memory Forensics
 Forensic analysis of volatile data in a computer’s memory dump.
 For investigation of advanced computer attacks that are stealthy enough to avoid leaving
data on the computer’s hard drive (memory resident).
 RAM is, hence, acquired and analysed by capturing, dumping or sampling it to non-
volatile storage in a way that does not corrupt the image.
 The importance of RAM in forensics lies in the fact that every transaction occurs with RAM
being part of it.
In Memory Data:
 Current running processes, running threads and terminated processes
 Open TCP/UDP ports / raw sockets / active connections
 Memory mapped files
 Executables, shared objects (modules and drivers), text files
 Caches
 Web addresses, typed commands, passwords, clipboards, Security Account Manager
(SAM database), edited files
 Passwords / keys / other information
 Malware presence including rootkits
 Live registry hives
 Hidden data and many more
 In fact, anything that the processor works upon.
 Kernel Debugger Data Block
 Unloaded drivers
 Process Struct (_EPROCESS)
 Process Environment Block (_PEB)
 PEB loader data
SAM: Security Account Manager is a database that stores users’ passwords used to authenticate
local or remote users.
Live registry hives: A hive is a logical group of keys, sub-keys, and values in the registry that has a set
of supporting files containing backups of its data. Each time a user logs in, a new hive is created with
a separate file for that user profile.
Persistence of Data in memory:
Factors that determine the persistence of data in RAM:
 System Activity
 Main Memory Size
 Data Type
 Operating System
The Process of Memory Forensics:
 Capture the memory (memory dump)
 Analyse the memory
 Reconstruction of memory state
 Reconstruction of the entire scenario with disk image and memory image in conjunction
Various formats:
 Raw dump (linear format) (.img / .dd)
 Windows crash dump format (.bin)
 BSoD (written after a system is frozen)
 Hiberfil.sys format
 Commercial tools format
 Winen .E01 kind of format
 .vmem (VMware)
 .bin (Hyper-V)
 Fastdump pro (hpak)
Windows Memory Forensics:
It includes:
 Windows objects and pool allocations
 Processes, handles and tokens
 Process memory internals
 Hunting malware in Process Memory
 Event logs
 Networking artifacts / hidden connections / Internet history
 Registry in memory
 Kernel forensics and Rootkits
 Windows GUI subsystem
 Disk Artifacts in memory
 Event reconstruction
 Timelining

Windows Internal Structures:


Process Analysis Objectives:
 Process Internals
How the OS keeps track of processes and how Windows APIs enumerate them.
 Identify Critical Processes
Identify several critical processes to know how normal systems operate.
To know about any attempts by rogue processes to blend in with critical processes.
 Generate visualizations
Visualizations showing parent and child relationships between processes.
Helps in determining the correct chain of events that led to a particular process starting.
 Direct Kernel Object Manipulation (DKOM)
Spot attempts to hide a process by altering one or more process lists in kernel memory.
Attributes of a process to be known:
 Process path
 Parent process
 Number of instances
 User account
 Start time
Knowing these about the system processes will help an investigator to differentiate between normal
processes and rogue processes.
Initial Process Baseline (Windows):
Name          Parent Process   Event   Owner          Path
System        -                Boot    Local System   %SystemRoot%\System32
smss.exe      System           Boot    Local System   %SystemRoot%\System32
csrss.exe     smss.exe         Boot    Local System   %SystemRoot%\System32
wininit.exe   smss.exe         Boot    Local System   %SystemRoot%\System32
services.exe  wininit.exe      Boot    Local System   %SystemRoot%\System32
lsm.exe       wininit.exe      Boot    Local System   %SystemRoot%\System32
svchost.exe   services.exe     Boot                   %SystemRoot%\System32
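The baseline comparison described above, written out as an added example (not code from the original notes): BASELINE is transcribed from the table, the expected instance counts are an assumption, and the process listing is constructed, with one entry that borrows a system name but runs from the wrong parent and directory.

```python
"""Compare a process listing with the initial-process baseline in the table above.

Added example, not part of the original notes. BASELINE is transcribed from the
table; SAMPLE_PROCESSES is a constructed pslist-style listing (pid, ppid, name,
owner, path) with one deliberately suspicious entry so the checks have something
to report.
"""
import ntpath
from typing import Dict, List, Optional

# name -> expected parent, owner and directory (None = not constrained by the table).
BASELINE: Dict[str, Dict[str, Optional[str]]] = {
    "system":       {"parent": None,           "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "smss.exe":     {"parent": "system",       "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "csrss.exe":    {"parent": "smss.exe",     "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "wininit.exe":  {"parent": "smss.exe",     "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "services.exe": {"parent": "wininit.exe",  "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "lsm.exe":      {"parent": "wininit.exe",  "owner": "Local System", "dir": r"%SystemRoot%\System32"},
    "svchost.exe":  {"parent": "services.exe", "owner": None,           "dir": r"%SystemRoot%\System32"},
}

# Processes expected to run as a single instance (assumption for this example; the table does not state it).
SINGLE_INSTANCE = {"system", "smss.exe", "wininit.exe", "services.exe", "lsm.exe"}


def check_processes(procs: List[dict]) -> List[str]:
    """Return one finding per baseline attribute (parent, owner, path, instance count) that deviates."""
    by_pid = {p["pid"]: p for p in procs}
    counts: Dict[str, int] = {}
    findings: List[str] = []
    for p in procs:
        name = p["name"].lower()
        counts[name] = counts.get(name, 0) + 1
        rule = BASELINE.get(name)
        if rule is None:
            continue                                   # not a baseline process; nothing to compare
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        tag = f"pid {p['pid']} {p['name']}"
        if rule["parent"] is not None and parent_name != rule["parent"]:
            findings.append(f"{tag}: parent is {parent_name or 'unknown'}, expected {rule['parent']}")
        if rule["owner"] is not None and p["owner"] != rule["owner"]:
            findings.append(f"{tag}: owner is {p['owner']}, expected {rule['owner']}")
        # Compare the directory only; the table gives the folder, not the file name.
        if ntpath.dirname(p["path"]).lower() != rule["dir"].lower():
            findings.append(f"{tag}: runs from {ntpath.dirname(p['path'])}, expected {rule['dir']}")
    for name in SINGLE_INSTANCE:
        if counts.get(name, 0) > 1:
            findings.append(f"{name}: {counts[name]} instances, expected 1")
    return findings


SYS32 = r"%SystemRoot%\System32"
# Constructed listing; pids are arbitrary.
SAMPLE_PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "owner": "Local System", "path": SYS32 + r"\ntoskrnl.exe"},
    {"pid": 260,  "ppid": 4,    "name": "smss.exe",     "owner": "Local System", "path": SYS32 + r"\smss.exe"},
    {"pid": 340,  "ppid": 260,  "name": "csrss.exe",    "owner": "Local System", "path": SYS32 + r"\csrss.exe"},
    {"pid": 380,  "ppid": 260,  "name": "wininit.exe",  "owner": "Local System", "path": SYS32 + r"\wininit.exe"},
    {"pid": 480,  "ppid": 380,  "name": "services.exe", "owner": "Local System", "path": SYS32 + r"\services.exe"},
    {"pid": 488,  "ppid": 380,  "name": "lsm.exe",      "owner": "Local System", "path": SYS32 + r"\lsm.exe"},
    {"pid": 600,  "ppid": 480,  "name": "svchost.exe",  "owner": "Local System", "path": SYS32 + r"\svchost.exe"},
    {"pid": 1640, "ppid": 1500, "name": "explorer.exe", "owner": r"DESKTOP\alice", "path": r"%SystemRoot%\explorer.exe"},
    # Same name as a critical process, but the wrong parent and the wrong directory:
    {"pid": 1812, "ppid": 1640, "name": "svchost.exe",  "owner": r"DESKTOP\alice",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    for line in check_processes(SAMPLE_PROCESSES):
        print(line)
```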

--------------------------------------------------------------------------------------------------------------------------------------
Internet Forensics / Network Forensics
Internet Forensics:
Internet forensics shifts the focus from an individual machine to the Internet at large, and the
challenge of extracting Internet-related evidence is immense. Internet forensics mainly covers:
• Web Forensics
• Network Forensics
• Email Forensics

Internet Artifacts:


 The web browser, being the only way to access the Internet, makes it the target to commit
cybercrimes.
 The multitude of browsers available increases the complexity of investigations.
 Evidence is extracted from: prefetch files and live memory analysis.
 The potential artifacts include:
• Browsing History
• Email
• Internet Banking Data
• Social media applications
• Downloaded files
Prefetch files are great artifacts for forensic investigators trying to analyze applications that have
been run on a system. Windows creates a prefetch file when an application is run from a particular
location for the very first time. This is used to help speed up the loading of applications; hence, it
records the user’s application history. Even if a program, e.g., a cleaner, has been deleted, its prefetch
file will still be there.

Web browsers:
• Software application that allows a user to locate, access, and display web pages.
• The purpose of a web browser is to fetch information resources from the Internet and display
them on a user’s device.
• The content on the web is created using HTML and XML (Extensible Markup Language).
• Browsers translate web pages and websites delivered using Hypertext Transfer Protocol
(HTTP) into human-readable content.
• Browsers possess the ability to display other protocols and prefixes, such as HTTPS, FTP,
email handling (mailto:), or files (file:).
• The web pages are identified by a distinct URL; the browsers make use of this URL to locate
the content on the Internet.
• A variety of web browsers are available with different features, and are designed to run on
different operating systems.
• Major browsers have lightweight versions available for mobile devices called micro-browsers
(stripped-down browsers).
• In the client/server model, the browser is the client run on a computer that contacts the
Web server and requests information.
• Contemporary web browsers are fully-functional suites that can interpret and display HTML
web pages, applications, JavaScript, AJAX and other content hosted on web servers.
• External plug-ins required to support active content are also supported, e.g., in-page video,
audio or game content; hence, they extend the capability of a browser.
• A browser can be used to perform tasks such as video-conferencing and designing web pages, and
anti-phishing filters or other security features can be added to the browser itself.

Web forensics:
 Web forensics relates to cyber-crime on the Internet.
 Web forensic analysis brings out details like when and in what sequence somebody
accessed a Web page.
 The victims of Web attacks are clients and Web servers.
 The media of attack on the Internet are Web Browsers, Database Servers and Application
Servers.
 Port number 80 is the standard port for Websites.
 It listens to requests from a Web Client.
 The potential attacks enter into the system through this port.
 Web forensics is carried out on both the client side and the server side.
 While the server-side forensic evidence helps an investigator progress towards a conclusion,
the client-side evidence provides potentially very strong and detailed evidence.
 Both are sometimes insufficient; hence, intermediate logging locations like application
server logs play a crucial role in proving someone’s guilt.
.dat is usually a generic data file that stores information specific to the application it refers to. Such
files might sometimes be found with other configuration files, e.g., DLLs.

Client-side forensics:
On the client side, forensic analysis is done to find out if a user has been involved in or has been a
victim of the crime.
Potential evidence can be found in:
 Browser history
 Registry entries
 Temporary files
 Index.dat
 Cookies
 Favorites
 HTML pages in unallocated space
 Emails sent and received by the user
 Cache
Index.dat is a database file used by the browser to improve performance: a repository of info, e.g., URLs,
search queries, recently opened files.
Cookies: small pieces of info stored on your computer, e.g., session id, user id, settings kept for future use
of a page, or to hide something.

Server-side forensics:
 On the server side, forensic analysis can be done by examining
 Access Logs
 Error Logs
 FTP log files
 Network traffic
 The intermediate site logs such as
 Antivirus Server Logs
 Web filter logs
 Spam filter logs
 Firewall logs also help in tracking an incident

For each cached page, Cache View provides:


 URL from which the page was retrieved
 Name of the cached file as stored on the local system
 File size
 File type
 Time it was last modified
 Download date
 Its expiry (if applicable)
 Web-based e-mail content and persistent Browser cookies are important things in the analysis
and reconstruction of the subject's Internet activity.
 Forensic tools: FTK, SQLiteBrowser, Cache Viewer, Registrar Registry Manager, plist Editor Pro
and IECacheView.
 Log entries serve as traces of digital evidence of the crime.
 Extracting timestamps

Web browser forensics: Google Chrome

 Google Chrome stores data in SQLite format and can be examined using a SQLite database viewer.
 The database file that contains the Google Chrome browsing history is stored in the default profile
folder as History.
 The tables include:
 downloads
 keyword_search_terms
 presentation
 segment_usage
 urls
 visits

The History file includes: 9 tables, 13 indices, triggers, views.


Downloads:
 id
 current path
 target path
 start time (WebKit time format)
 received bytes
 total bytes
 state
 original mime type of the downloaded file
 interrupt reason
 end time
 opened
 referrer
 last modified
 mime type
 danger type
urls:
List of URLs from which files were downloaded
 id
 url
 title
 visit count
 typed count
 last visit time
 hidden

 Recover deleted history


 Analysis of cookies
 Login data
 Top sites
 User profiles
 Analysis of prefetch file
 Live memory analysis
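As an added example (not from the original notes), reading the urls and visits tables and decoding Chrome's WebKit timestamps to reconstruct the order in which pages were visited; the database is a constructed in-memory copy of a subset of the real columns, and its rows are made up.

```python
"""Walk a Chrome History-style SQLite database and decode its WebKit timestamps.

Added example, not part of the original notes. build_sample_db() creates an in-memory
database with a constructed subset of the real urls/visits columns and a few made-up
rows; on a case you would open a copy of the profile's History file instead.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# WebKit/Chrome time: microseconds since 1601-01-01 00:00:00 UTC (not the Unix epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value: int) -> Optional[datetime]:
    """Chrome stores 0 for 'never'; return None instead of 1601-01-01 in that case."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a History file: same column names, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                           typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = 13000000000000000                      # 2012-12-14 23:06:40 UTC in WebKit time
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.org/login", "Login", 2, 1, t0 + 60_000_000, 0),
        (2, "https://example.org/docs/report.pdf", "Report", 1, 0, t0 + 125_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0),                       # from_visit 0: no referring visit
        (2, 1, t0 + 60_000_000, 1, 0),          # from_visit points at the previous visit row
        (3, 2, t0 + 125_000_000, 2, 0),
    ])
    conn.commit()
    return conn


def history_timeline(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Visits in chronological order, each with the URL it was reached from (if any)."""
    rows = conn.execute("""
        SELECT v.id, v.visit_time, v.from_visit, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    url_of_visit = {vid: url for vid, _, _, url, _ in rows}
    timeline = []
    for vid, when, from_visit, url, title in rows:
        dt = webkit_to_datetime(when)
        timeline.append({
            "visit_id": vid,
            "visited_at": dt.isoformat() if dt else None,
            "url": url,
            "title": title,
            "from_url": url_of_visit.get(from_visit),   # None when from_visit is 0
        })
    return timeline


if __name__ == "__main__":
    for row in history_timeline(build_sample_db()):
        print(row["visited_at"], row["url"], "<-", row["from_url"])
```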

TCP/IP Ports & Protocols:

Ports are used to identify the services.

Network Forensics:
 Sub-branch of digital forensics related to the monitoring and analysis of computer networks
for the purposes of anomalous traffic, information gathering, legal evidence, or intrusion
detection.
 Deals with volatile, unpredictable and dynamic information.
 Analysis of captured network traffic can include tasks such as reassembling transferred files, searching
for keywords and parsing human communication such as emails or chat sessions.
 The capture, recording and analysis of network events helps to discover the source of
security attacks.

Network Artefacts in storage media:


 Volatile Memory (including buffers in the NIC)
 Open/prior connections, paired with the processes that initiated them
 Recently used / downloaded programs and temporary files
 Recently run command output (ping / tracert / etc.)
 DNS cache
 Routing / ARP table information
 Packets (buffered in memory)
 Persistent (secondary) memory
 Recently run network programs (prefetch on Windows XP, for instance)
 Logs / event records
 Recently visited URLs
 IP addresses in email headers, configuration files, etc.
 Network captures (did the person have packet captures on their machine?)
There is an overlap between these mediums. Convergent sources of evidence mean more support
for that evidence, which can be critical in court. The more ways to verify an event, the better.
Important: Network Communications are a conversation. Evidence on one side of this conversation
means evidence may exist on the other side as well (and anywhere in between too).

The environment
 When going for network forensics, it is implied that network transmissions are temporal.
 It may not be possible to personally collect the data to be analysed in a timely or cost-
effective manner. This might necessitate instructing or consulting others in the process. We
can hope for an IDS/NSM solution.
 Hence, it is necessary to be able to define and explain the steps to others clearly.

Covert Channels and Exfiltration


• A type of attack that creates a capability to transfer information objects between processes
that are not supposed to be allowed to communicate by the computer security policy.
• It is hidden from the access control mechanisms of secure operating systems since it does
not use the legitimate data transfer mechanisms of the computer system.
• Hard to install in a real system; often detected by monitoring system performance.
• Detection of covert channels is a must to prevent the exfiltration of enterprise data.
Mobile device Forensics
 Smart mobile phones are used by almost every person, with diverse types and models.
 Besides the normal uses, these phones can be used for evil purposes.
 These mobile phones act as sources of digital evidence pertaining to a particular crime;
hence, that evidence needs to be recovered in a forensically sound manner.
Importance and Motivation:
 Mobile phones, hence, are seized as prime crime exhibits; device identification is very
necessary at the beginning of the forensic examination.
 The biggest challenge is the changing models of mobile phones.

Information that resides on mobile phones:


 Incoming, outgoing, missed call history known as call detail records (CDRs)
 Phonebook or contact lists
 SMS text, application based, and multimedia messaging content
 Pictures, videos, and audio files and sometimes voicemail messages
 Internet browsing history, content, cookies, search history, analytics information (Internet
Forensics)
 To-do lists, notes, calendar entries, ring tones
 Documents, spreadsheets, presentation files and other user-created data
 Passwords, passcodes, swipe codes, user account credentials
 Historical geolocation data (GPS), cell phone tower related location data, Wi-Fi connection
information
 User dictionary content
 Data from various installed apps
 System files, usage logs, error messages
 Deleted data from all of the above

Tool Classification System:

Hex dump: viewing data in hexadecimal form, done for debugging or reverse engineering.
Chip off: advanced forensics where the chip/flash memory is physically removed and the raw data is
then acquired using specialized equipment. It helps to get the complete physical image.
Micro-read: This process involves interpreting and viewing data on memory chips. Physical gates on
the chips are analyzed with a high-powered electron microscope, converting gate level into 1’s and 0’s
to discover the resulting ASCII code. It is expensive and time-consuming, and needs hardware and file-
system knowledge.

Mobile Device Hardware and Operating Systems:


 Hardware components of a mobile device include:
 CPU
 RAM (program memory, object store)
 ROM (OS, pre-loaded applications, safe-store folder)
 EEPROM
 Batteries
 Removable storage (memory cards)
 Input/output components
 SIM cards
SIM card:
 Subscriber Identity Module (SIM) – is microcontroller based, a Universal Integrated Circuit
Card (UICC), 32 to 128 KB
 Consists of:
 Microprocessor
 ROM (operating system for the card)
 RAM
 EEPROM (security keys, phone book, SMS settings)
 Keys Stored in SIM:
 Integrated Circuit Card Identifier or ICCID
SIM’s unique serial number, stored on and printed on the SIM, 19 to 20 characters;
sometimes only the last 13 digits are printed on the SIM: MMCC IINN NNNN NNNN NN C x
MM = Constant (ISO 7812 Major Industry Identifier)
CC = Country Code
II = Issuer Identifier
N {12} = Account ID ("SIM number")
C = Checksum calculated from the other 19 digits using the Luhn algorithm.
x = An extra 20th digit is returned by the 'AT!ICCID?' command, but it is not
officially part of the ICCID.
 International Mobile Subscriber Identity or IMSI
The IMSI is used to acquire the details of the mobile in the Home Location Register
(HLR) or the Visitor Location Register (VLR).
 Authentication Key
 Location Area Identity (LAI) used for location updating of mobile subscribers
 SMS messages
 Contacts
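An added example (not from the original notes) that splits an ICCID into the MM / CC / II / N{12} / C / x fields listed above and verifies the Luhn check digit; the ICCIDs are constructed, and the fixed field widths follow the notes' layout rather than any particular issuer.

```python
"""Split an ICCID into the fields listed above and verify its Luhn check digit.

Added example, not part of the original notes. The ICCIDs below are constructed to
follow the MM CC II N{12} C x layout from the notes (they are not real cards); real
issuers vary the field widths, so treat the split as the notes' simplified layout.
"""
from typing import Dict


def luhn_check_digit(payload: str) -> int:
    """Digit that makes payload + digit pass the Luhn test (the algorithm named in the notes)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # the digit next to the check digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn checksum of the digits before it."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_iccid(iccid: str) -> Dict[str, object]:
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or len(digits) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 digits (spaces allowed)")
    core = digits[:19]                         # MM CC II N{12} C
    return {
        "mii": core[0:2],                      # ISO 7812 major industry identifier; 89 = telecommunications
        "country_code": core[2:4],
        "issuer_id": core[4:6],
        "account_id": core[6:18],
        "check_digit": core[18],
        "extra_digit": digits[19] if len(digits) == 20 else None,   # the 'x' digit, not part of the ICCID
        "luhn_ok": luhn_valid(core),
        "telecom_mii": core[0:2] == "89",
    }


if __name__ == "__main__":
    # Constructed sample: payload 899110123456789012 gets check digit 9.
    sample = "8991 1012 3456 7890 12" + str(luhn_check_digit("899110123456789012"))
    for key, value in parse_iccid(sample).items():
        print(f"{key:13} {value}")
```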
 Remnants of files in SIM cards:
Straightforward and hierarchical data storage structure.
 Master File (MF) --- references to all other files on the same SIM card, root of the file
system
 Dedicated File (DF)
 Elementary File (EF)
Dedicated Files are subordinate directories under the MF, their contents and functions being
defined by the GSM 11.11 standard.

 Three are usually present: DF (DCS1800), DF (GSM), and DF (Telecom).

 Subordinate to each of the DFs are supporting EFs which contain the actual data.

 The EFs under DF (DCS1800) and DF (GSM) contain network-related information and the EFs
under DF (Telecom) contain the service-related information.

SIM Card File Structure:

Mobile Operating Systems:


 The mobile operating system directly affects how the investigator can access the mobile phone.
 Presently, different mobile phones have different OSs, which makes mobile forensics
difficult. A forensic technique applicable to one OS might be useless on another.
 Dominating OSs:
 Google Android
 Apple iOS
 Windows Phone OS
 Blackberry OS

Digital Forensic Process:


 Seizure
 Airplane Mode
 Phone Jammer
 Faraday bag
 Identification / Acquisition + Extraction
 Examination & Analysis

Identification & Acquisition:


 Physical Acquisition: Also known as a physical memory dump, is a technique for capturing
all the data from flash memory chips on the mobile device. It allows the forensic tool to
collect remnants of deleted data. Initially, the received data is in raw format and cannot be
read. Later on, some methods are applied to convert that data into a human-readable form.
 Logical Acquisition: or logical extraction, is a technique for extracting the files and folders
without any of the deleted data from a mobile device. However, some vendors describe
logical extraction narrowly as the ability to gather a particular data type, such as pictures,
call history, text messages, calendar, videos, and ring tones. A software tool is used to make
a copy of the files. For example, iTunes backup is used to make a logical image of an iPhone
or iPad.
Acquisition includes:
 Tool Selection
 Tangential equipment
 Dumping Memory
 Accessing the file system

Mobile device can be


1. ON and unlocked
2. ON and locked
3. OFF
1. Device ON and unlocked:
Isolate device from network if possible
 Disable wifi & hotspots, airplane mode, SIM ID cloning
Take the necessary steps to ensure physical device access is possible
 Remove passcode, enable USB debugging, enable stay awake option, disable timed
screen lock option
Physical acquisitions
 Acquire supporting media, SIM cards, media cards, associated media for device
backups
Logical acquisitions
 Logical/file system acquisition, device backups

2. Device ON and locked:

Android:
 Physical access MAY require that USB debugging mode is enabled
 Acquire supporting media
 Check associated computers and media for device backups
iOS:
 Device can be physically acquired even if passcode is set with use of custom boot loaders
 Physical acquisition is not possible on 64-bit & non-jailbroken devices if the passcode is set
and unknown.
 Acquire supporting media
 Check associated computers and media for device backups

3. Device is OFF:
 Attempt physical acquisition while turned OFF
 Turn it ON and follow the steps for when the device is (ON & unlocked, or ON & locked)

Examination & Analysis:


 Applying Mobile Device Forensic Tools
 Potential Evidence
 Security lock
 Phone book
 SMS messages
 SIM card – Phonebook & SMS messages
 Recent calls
 Calendar
 Web browsing
 Multimedia
 Other artifacts

From GSM and iDEN Phone SIM Cards (Partial List):


 IMSI: International Mobile Subscriber Identity
 ICCID: Integrated Circuit Card Identification (SIM Serial No.)
 MSISDN: Mobile Station Integrated Services Digital Network (phone number)
 Network Information
 LND: Last Number Dialed (sometimes, not always, depends on the phone)
 ADN: Abbreviated Dialed Numbers (Phonebook)
 SMS: Text Messages, Sent, Received, Deleted, Originating Number, Service Center (also
depends on Phone)
 SMS Service Center Info
 GPRS Service Center Info
 Location Information: The GSM channel (BCCH) and Location Area Code (LAC) when the phone
was used last.
* When SIM Locked – Cannot Be Cracked without Network Operator Assistance.

Not on SIM, but Exclusive to GSM Devices


 IMEI: International Mobile Equipment Identity. To find the IMEI,
type #*06#. The IMEI is on the device and registers with the network, along with the IMSI.
IMSI+IMEI+MSISDN gives the most detailed identity information of a user.

Remember… Only GSM and Nextel Phones have SIMs. Not in CDMA (Verizon, Sprint)
A PIN Locked SIM is Not Accessible Without PIN – Requires PUK From Carrier

Mobile Phone Rooting:


 Rooting is the process of letting users of the Android mobile operating system attain privileged
control (root access) over various Android subsystems.
 Android is Linux based and rooting gives administrative (super user) access.
 Gives the ability to alter or replace system applications & settings, run specialized applications
that require administrative-level permissions or other operations inaccessible to a normal
Android user.
 iOS jailbreaking is privilege escalation to remove software restrictions imposed by Apple,
done by using a series of kernel patches; provides root access (malware can enter the device
using jailbreaking).

iPhone Forensic Analysis:
 iOS is a proprietary encrypted operating system and the constant patches and upgrades
mean that forensic tools struggle to keep pace.
 The most common way of acquiring data from an iOS device is through iTunes backup.
 iTunes performs an automated backup during the sync process which will provide the most
important information to the forensic investigator.
--------------------------------------------------------------------------------------------------------------------------------
Multimedia Forensics

Definition:
 Multimedia is the integration of text, image, graphics, audio, video to enhance the delivery or
presentation of digital information and hence, its impact on the user.
 Multimedia presentation can be non-linear (interactive) or linear (passive).
 The presentation of multimedia requires the support of appropriate hardware and software
tools, e.g., keyboard, Optical Character Recognition (OCR), printer, monitor, sound card,
microphone, scanner, video camera, graphics card, screen capture software, audio/video
editors, graphic tablet, etc.
 However, compared to traditional unimedia (text), multimedia uses huge amounts of storage
space plus high speed storage media.
 The Internet is one of the main sources of communicating multimedia globally.
 Hypermedia – consists of hypertext combined with still or moving images and sound, i.e.,
hypertext + hypergraphics.
 Multimedia information is presented in a variety of standard file formats.

Multimedia (Formats):

Audio:
 AIFF (Audio Interchange File Format)
 MIDI (Musical Instruments Digital Interface)
 WAV (Wave Form)
 MP3 (Moving Pictures Expert Group Layer-3)
 ASF (Advanced Streaming Format)
 RM (Real Media)
 AVI (Audio Video Interleaved)
Image:
 GIF (Graphics Interchange Format)
 JPEG (Joint Photographic Experts Group)
 PNG (Portable Network Graphics)
 TIFF (Tagged Image File Format)
 EXIF (Exchangeable Image File Format)
 PS (Postscript)
 PDF (Portable Document Format)
Video & Animation:
 AVI (Audio Video Interleave)
 MPEG (Moving Picture Experts Group)
 SWF (Small Web Format) [Flash]
 MOV (movie)
 DAT (video data given an alternative extension, not a video format)
Multimedia Forensics:
 Brings together multimedia security, computer forensics, imaging and signal processing for
identification of any forgeries or manipulations.
 Multimedia data forms an essential piece of information.
 Investigation & analysis of multimedia content faces challenges such as:
 Time restrictions
 Numerous formats
 Huge amounts of data
 Highly dynamic environment

What can be done to protect digital images?


 Watermarking
 Fragile watermarks
 Semi-fragile watermarks
 Self-embedding watermarks
 Digital cameras with watermarking capabilities
 Digital Fingerprinting/Signatures
 Digital cameras with fingerprinting capabilities
 Fragile watermarks are designed to detect every possible change in pixel values.
Identification of Fields:
 Source identification
 Environment classification
 Content classification
 Content forgery
 Data recovery approaches for multimedia
 Fragment identification
 Steganography & Steganalysis

Source Identification: Determining the device used to create the specific content.
These include:
 Digital Camera: device for the reproduction of natural scenes
Features identifying digital cameras include: JPEG compression, Color Filter Array (CFA),
sensor imperfections, Sensor Pattern Noise (SPN)
 SPN is usually caused by influences during the sensor production cycle: individual
pixels show a different sensitivity to light because of inhomogeneity of silicon wafers.
The major problems of this approach are the contamination of SPN and the inability to
acquire a clean fingerprint when the camera itself is not available.
 Photo Response Non-uniformity Noise (PRNU) – fingerprint for an individual camera.
Colour decoupled PRNU (CD-PRNU): PRNU + CFA. The CFA is predefined by the
manufacturer.

 Scanners: used to capture hard-copy media


 Identification by: image denoising, wavelet analysis and neighborhood detection
 Video cameras:
 Sensor types used in digital cameras and camcorders are similar.
 Sensor pattern noise is applied here as well
 The vast number of frames helps in easier source camera identification
Environment Classification:
To determine the location and the local conditions of the place where the data has been taken
or recorded. Content depends on the type of the media investigated:
 Visual Data:
 Recording environment can be:
 Event recognition & place instance recognition
 Satellite images provided by Google Earth gathered based on the GPS (Global
Positioning System) coordinates of a tagged photograph.
 Place instance recognition
 Context
 Audio Data:
 Steganalysis used to recover the hidden info:
 Region of recording
 local conditions depending on the spatial conditions
 recording location depending on side noises which are identified through
content analysis
 Electrical Network Frequency (ENF)
 Video Data:
 Visual + additive data

Content Classification:
 The cheaper storage media has resulted in tremendous amounts of data to be
investigated by forensics teams, and there are always challenges of false positives and
false negatives in an investigation that can mislead an investigator.
 Available multimedia content can be classified on the basis of available formats.
 In video media, key frame and motion analysis is performed to classify content.
 Content is analysed for any probability of pornography.

Content Forgery:
 Detection of content forgery in visual, auditive and video data:
 Visual data: looks for modification of digital images & includes:
 Copy-move forgery (cloning): it has duplicated image sections
 Partial deletion of specific objects
 Manipulation of geometry, luminance, color-space, etc.
 Filtering of unwanted parts of an image
 Auditive data: to check for forgeries, visual, physical, electrical, and acoustical tests
need to be carried out. It includes the analysis of:
 Recording device, verification of integrity of recording medium, usage of
analytical tools to identify irregularities
 Video data: involves analysis of video tampering by looking for:
 Duplicated frames, duplication of regions across frames

Data Recovery Approaches for Multimedia:


Places predestined for finding data on various disks where multimedia is stored:
 Unallocated space
 Slack space
 Swap space
 Memory areas marked as corrupt
 Computer memory, which contains data structures of running applications and
operating systems.
 Flash memory found in all portable devices
 Host protected area
 Multimedia content needs to be carved out of these locations, for which appropriate
file carving techniques are used, e.g., signature-based file carving, graph theoretic
carving, etc.

Fragment Identification:


 Classification of fragments during recovery is important for finding the parts of a whole file.
 Approaches depending on content and file type are available for the full recovery of a file.
 Certain approaches use the magic numbers present in the files of the same type for recovery of
fragments.
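An added example (not from the original notes) of the signature-based, magic-number carving named above; it also covers the "MFT entry recoverable, file data partly overwritten" case from the NTFS deleted-files discussion earlier. The disk image is a constructed byte string and the size cap is an assumption.

```python
"""Signature-based carving of multimedia files out of a raw image, with a partial-file case.

Added example, not part of the original notes. The image is a constructed byte string:
zero-filled unallocated space holding a deleted-but-intact JPEG, a JPEG whose tail was
overwritten (its end-of-image marker is gone), and a PNG. Only the magic numbers are
used; no file-system metadata is consulted.
"""
from typing import Dict, List, Tuple

# (header, footer) magic numbers for the formats carved here.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),                    # SOI ... EOI
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),   # signature ... IEND chunk + its CRC
}
MAX_CARVE = 4096   # upper bound for a file whose footer is missing (assumption for the demo)


def find_all(data: bytes, pattern: bytes) -> List[int]:
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def carve(image: bytes, max_size: int = MAX_CARVE) -> List[Dict[str, object]]:
    """Return each header hit as {type, offset, size, data, complete} in offset order.

    A file is 'complete' when its footer appears before the next header of any type;
    otherwise the tail is assumed overwritten and the carve stops at that next header
    (or at max_size), which is the partially-recoverable case described in the notes.
    """
    starts = sorted((pos, kind) for kind, (hdr, _) in SIGNATURES.items() for pos in find_all(image, hdr))
    boundaries = [pos for pos, _ in starts] + [len(image)]
    carved = []
    for i, (pos, kind) in enumerate(starts):
        header, footer = SIGNATURES[kind]
        next_start = boundaries[i + 1]
        end = image.find(footer, pos + len(header), next_start)
        if end != -1:
            size, complete = end + len(footer) - pos, True
        else:
            size, complete = min(max_size, next_start - pos), False
        carved.append({"type": kind, "offset": pos, "size": size,
                       "data": image[pos:pos + size], "complete": complete})
    return carved


# Constructed sample files (bodies are just labelled filler, not valid image data).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-photo-1" + b"\xff\xd9"
SAMPLE_JPEG_PARTIAL = b"\xff\xd8\xff\xe1" + b"Exif-constructed-photo-2"       # no EOI: tail overwritten
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed" + b"IEND\xae\x42\x60\x82"
SAMPLE_IMAGE = (b"\x00" * 512 + SAMPLE_JPEG + b"\x00" * 64
                + SAMPLE_JPEG_PARTIAL + b"A" * 300       # the 'A's stand for whatever overwrote the tail
                + SAMPLE_PNG + b"\x00" * 128)

if __name__ == "__main__":
    for hit in carve(SAMPLE_IMAGE):
        state = "complete" if hit["complete"] else "partial (footer missing)"
        print(f"{hit['type']:4} @ {hit['offset']:5d} {hit['size']:4d} bytes {state}")
```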

Steganography & Steganalysis:


 While cryptography focuses primarily on the protection of private information by rendering a
message incomprehensible to outsiders, steganography conceals the very existence of the secret
information.
 Data is hidden in both auditive and visual data by:
 Low-bit coding
 Echo hiding
 Phase coding
 Spread spectrum

--------------------------------------------------------------------------------------------------------------------------------------
Topics
 Intrusion Detection
 Attack Trace Back
 Packet Inspection
 Log Analysis
 Hashing Issues
 Anti-forensics
 Tools

Intrusion Detection:

• An IDS is a system that monitors network traffic for suspicious activity and issues alerts in real
time when such activity is discovered.
• The basic activities include anomaly detection and reporting (passive), while some IDSs can even
take action against malicious activity or traffic, such as blocking traffic from a suspicious
IP address (reactive).
• An IDS analyzes whole packets (header + payload).
• The system detects unauthorized users attempting to enter a computer system by
comparing user behavior to a user profile, detects events that indicate an unauthorized
entry into the computer system, notifies a control function about the unauthorized users
and the events that indicate unauthorized entry, and has a control
function that automatically takes action in response to the event.
• The user profiles are dynamically constructed for each computer user when the
user first attempts to log into the computer system, and upon subsequent
logins the user's profile is dynamically updated.
• By comparing user behavior to the dynamically built user profile, false alarms are
reduced.
• The system also includes a log auditing function, a port scan detector and a session
monitor function.
• An IDS can be prone to false alarms (false positives); IDSs need to be properly configured to
differentiate between normal traffic and malicious traffic.

An Intrusion Prevention System (IPS) also monitors network packets for potentially damaging
network traffic. But where an intrusion detection system responds to potentially malicious traffic by
logging the traffic and issuing warning notifications, intrusion prevention systems respond to such
traffic by rejecting the potentially malicious packets. An IPS can be configured to block/stop potential
threats without involvement of the system administrator. If not tuned properly, IPSes can deny
legitimate traffic as well; hence, care should be taken in this regard.
• IDS types:

• Network intrusion detection system (NIDS): deployed at a strategic point (or points) within the
network, to monitor inbound and outbound traffic.

• Host intrusion detection systems (HIDS): run on all computers or devices in the network
with direct access to both the internet and the enterprise internal network. Hence, they can
detect anomalous traffic generated from inside the organization or from an infected
host, which a NIDS would not see.
• Signature-based intrusion detection systems: monitor all the packets traversing the
network and compare them against a database of signatures or attributes of known
malicious threats, much like antivirus software.

• Anomaly-based intrusion detection systems: monitor network traffic and compare it
against an established baseline, to determine what is considered normal for the network
with respect to bandwidth, protocols, ports and other devices. This type of IDS alerts
administrators to potentially malicious activity.

An IDS is typically located between a company's firewall and the rest of its network.
IDS capabilities:
• Monitoring the operation of routers, firewalls, key management servers and files
• Providing administrators a way to tune, organize and understand relevant operating
system audit trails and other logs that are often otherwise difficult to track or parse
• Providing a user-friendly interface
• Including an extensive attack signature database against which information from the system
can be matched
• Recognizing and reporting when the IDS detects that data files have been altered
• Generating an alarm and notifying that security has been breached
• Reacting to intruders by blocking them or blocking the server

An IDS can be:

• Passive IDS: simply detects, and an alert is generated and sent to the administrator or user for
the necessary action.
• Reactive IDS: not only detects suspicious or malicious traffic and alerts the administrator but
also takes pre-defined proactive actions to respond to the threat.
A well-known IDS is Snort (open source), available for Windows and Linux.
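The signature-based and anomaly-based types described above differ in what they compare a packet against. The following added example (written for these notes; it is not Snort's code nor its full rule language) implements both on constructed data: a parser for a small Snort-like rule subset whose "content" bytes are searched inside the payload, which is the payload inspection that header-only filtering cannot do, and a baseline check that flags a host whose connection count lies more than three standard deviations above the learned norm. The rules, packets, addresses, the "X-Example-Beacon" marker and the baseline numbers are all constructed; the EICAR prefix is the standard harmless antivirus test string.

```python
"""Signature-based and anomaly-based detection over constructed packets (added example)."""
import re
import statistics
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Minimal parser for a Snort-like rule subset (this example's own, not Snort's parser):
#   alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"...";)
RULE_RE = re.compile(
    r'alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+'
    r'\(msg:"([^"]*)";\s*content:"([^"]*)";\s*\)'
)

def parse_rule(text: str) -> dict:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    _proto, _src, _sport, _dst, dport, msg, content = m.groups()
    return {"dport": None if dport == "any" else int(dport),
            "msg": msg, "content": content.encode()}

def signature_alerts(packets: list, rules: list) -> list:
    """Header-only filtering cannot see payloads; the signature engine matches the
    rule's content bytes inside the payload (on the rule's port, or any port)."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            port_ok = rule["dport"] is None or rule["dport"] == pkt.dport
            if port_ok and rule["content"] in pkt.payload:
                alerts.append((pkt.src, rule["msg"]))
    return alerts

def anomaly_alerts(baseline: dict, observed: dict, k: float = 3.0) -> list:
    """Flag hosts whose connection count exceeds the baseline mean + k standard deviations."""
    values = list(baseline.values())
    threshold = statistics.mean(values) + k * statistics.pstdev(values)
    return [(host, n) for host, n in observed.items() if n > threshold]

# Constructed sample rules, packets and baseline (10.0.0.0/8 internal, 198.51.100.0/24 external).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"Constructed beacon header"; content:"X-Example-Beacon:"; )',
    'alert tcp any any -> $HOME_NET any (msg:"EICAR test string"; content:"X5O!P%@AP[4"; )',
)]
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.9", "198.51.100.7", 80, b"POST /ping HTTP/1.1\r\nX-Example-Beacon: 1\r\n\r\n"),
    Packet("198.51.100.20", "10.0.0.25", 25, b"Subject: sample\r\n\r\nX5O!P%@AP[4\\PZX54(P^)7CC)7}$"),
]
BASELINE = {"10.0.0.5": 40, "10.0.0.6": 50, "10.0.0.7": 45, "10.0.0.8": 55, "10.0.0.9": 60}
OBSERVED = {"10.0.0.5": 42, "10.0.0.9": 900}

if __name__ == "__main__":
    print(signature_alerts(PACKETS, RULES))
    print(anomaly_alerts(BASELINE, OBSERVED))
```

The two engines fail in opposite ways: the signature engine is silent on anything not in RULES, while the anomaly engine's threshold depends entirely on how representative the baseline period was, which is the tuning effort behind the false-positive remark above.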
--------------------------------------------------------------------------------------------------------------------------------------
Attack trace back:
• Where did an attack originate?
• How did it propagate?
• What device(s) and person(s) were responsible?
The goal of trace back capabilities is to determine the path from a victimized network or system
through any intermediate systems and communication pathways, back to the point of attack
origination. In some cases, the computers launching an attack may themselves be compromised
hosts being controlled remotely from a system one or more levels further removed from the system
under attack. Attribution is the process of determining the identity of the source of a cyberattack.
Types of attribution can include both digital identity (computer, user account, Internet Protocol (IP)
address, or enabling software) and physical identity (the actual person using the computer from
which an attack originated).
Example: IP Trace Back
• Reliably determining the origin of a packet on the Internet.
• The need lies in the fact that the IP source address can be forged or spoofed.
• Usually used in DoS/DDoS attacks (but not limited to them) to determine where a packet came from.
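Because the source address cannot be trusted, IP trace back schemes rely on information that routers, not the sender, put into packets. The added example below (illustration code for these notes; the page does not describe a specific scheme) simulates the node-sampling variant of probabilistic packet marking: each router on the path overwrites a mark field with its own address with probability p, and the victim, after seeing many packets of a flood, orders the addresses it collected by frequency, since routers nearer the victim overwrite more often. The path, addresses (TEST-NET-3), p and packet count are constructed assumptions.

```python
"""Node-sampling probabilistic packet marking for IP trace back (added example)."""
import random
from collections import Counter

def forward_with_marking(path: list, n_packets: int, p: float, rng: random.Random) -> list:
    """Simulate n_packets travelling along path (ordered attacker -> victim).
    Each router overwrites the mark with its own address with probability p;
    the victim only ever sees the final value of the mark field."""
    marks = []
    for _ in range(n_packets):
        mark = None                      # whatever the sender put here is untrusted
        for router in path:
            if rng.random() < p:
                mark = router
        marks.append(mark)
    return marks

def reconstruct_path(marks: list) -> list:
    """A router at distance d from the victim survives as the mark with probability
    p(1-p)^(d-1), so sorting addresses by count gives the path from the victim outwards."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]

def demo(n_packets: int = 20000, p: float = 0.5, seed: int = 1):
    rng = random.Random(seed)
    path = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5"]
    marks = forward_with_marking(path, n_packets, p, rng)
    return path, reconstruct_path(marks), marks.count(None)

if __name__ == "__main__":
    path, recovered, unmarked = demo()
    print("true path (attacker -> victim):", path)
    print("recovered (victim -> attacker):", recovered)
    print("packets reaching the victim with no router mark:", unmarked)
```

The unmarked packets are the scheme's weak point: a sender can pre-fill the mark field, and with probability (1-p)^d that forged value reaches the victim untouched, so a victim must collect enough packets for genuine router marks to dominate before trusting the ordering.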

Packet Inspection:

• A method of examining and managing network traffic.
• It is a form of packet filtering that locates, identifies, classifies, reroutes or blocks packets
with specific data or code payloads that conventional packet filtering, which examines only
packet headers (for addresses), cannot detect.
• Performed as a firewall feature.
• Packet Inspection or Deep Packet Inspection (DPI) examines the contents of packets passing
a given check point and makes real-time decisions based on rules assigned by an enterprise,
ISP or network manager, depending on what a packet contains.
Earlier firewalls had less processing power (no capacity for deeper inspection of large volumes of
information); hence, only packet filtering was done.
Packet Inspection (Uses):
• A network security tool
• The detection and interception of viruses
• Other forms of malicious traffic
• Eavesdropping
• In network management to streamline the flow of network traffic (e.g., high priority packets
routed to destination ahead of other packets)
• Throttled data transfer (deliberate regulation of the data transfer
rate in a communications system, used in any scenario where it is necessary or desirable to
limit the amount of data that can be sent or received per unit time. It prevents spam or bulk
email transmission through a network server, prevents the uploading or downloading of
huge email attachments, and prevents the spread of viruses or worms.)
• Helps to identify the originator or recipient of content
• Effective against buffer overflow attacks, DoS attacks, certain types of malware
Packet Inspection (limitations):
• DPI has limitations, including:
• Reducing network speed because of the increased burden on the firewall
• Requiring periodic updates and revision to remain optimally effective
• DPI can be exploited to facilitate attacks
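Throttled data transfer, mentioned among the uses above, is usually implemented with a token bucket: a sender may transmit only as many bytes as it has tokens, tokens refill at the permitted rate, and a bounded reserve allows short bursts. The following added example (illustration code for these notes, not from any firewall product) applies one bucket per sender to constructed traffic: a bulk sender pushing 1500-byte segments every 10 ms and a normal sender sending one segment per second. The rate, burst size, addresses and timings are assumptions chosen to keep the arithmetic exact.

```python
"""Token-bucket throttling of per-sender transfer rate (added example)."""

class TokenBucket:
    """Tokens are bytes; the bucket refills at `rate` bytes per millisecond up to `capacity`."""
    def __init__(self, rate: int, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.last_ms = 0

    def allow(self, nbytes: int, now_ms: int) -> bool:
        """Refill for the elapsed time, then admit the packet only if enough tokens remain."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False

def throttle(packets: list, rate: int, capacity: int) -> dict:
    """packets: (timestamp_ms, sender, size_bytes) in time order.
    Returns {sender: (admitted, dropped)} using one bucket per sender."""
    buckets, stats = {}, {}
    for ts, sender, size in packets:
        bucket = buckets.setdefault(sender, TokenBucket(rate, capacity))
        admitted, dropped = stats.get(sender, (0, 0))
        if bucket.allow(size, ts):
            admitted += 1
        else:
            dropped += 1
        stats[sender] = (admitted, dropped)
    return stats

def make_sample_traffic() -> list:
    """Constructed traffic: one sender bursting 1500-byte segments every 10 ms (150 kB/s)
    and one sending a single 1500-byte segment once per second."""
    bulk = [(k * 10, "bulk@example.com", 1500) for k in range(100)]
    normal = [(k * 1000, "alice@example.com", 1500) for k in range(10)]
    return sorted(bulk + normal)

def demo() -> dict:
    # 10 bytes/ms = 10 kB/s sustained, with a 15 kB burst allowance
    return throttle(make_sample_traffic(), rate=10, capacity=15000)

if __name__ == "__main__":
    for sender, (ok, dropped) in demo().items():
        print(f"{sender}: admitted={ok} dropped={dropped}")
```

The bulk sender gets its first ten segments through on the burst allowance and then only one in fifteen, which is the 10 kB/s sustained rate; the normal sender is never touched, because its bucket refills completely between segments.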
--------------------------------------------------------------------------------------------------------------------------------------

Log analysis: Logs are collected from:

• Network devices
• Operating systems
• Applications
Log analysis, hence, includes:
1. Authentication and Authorization Reports
2. Systems and Data Change Reports
3. Network Activity Reports
4. Resource Access Reports
5. Malware Activity Reports
6. Failure and Critical Error Reports
1. Authentication and Authorization Reports
a. All login failures and successes by user, system, business unit
b. Login attempts (successes, failures) to disabled/service/non-
existing/default/suspended accounts
c. All logins after office hours / “off” hours
d. User authentication failures by count of unique attempted systems
e. VPN authentication and other remote access logins (success, failure)
f. Privileged account access (successes, failures)
g. Multiple login failures followed by success by same account
2. Systems and Data Change Reports
Unreviewed changes can lead to costly crashes and the loss of data.
a. Additions/changes/deletions to users, groups
b. Additions of accounts to administrator / privileged groups
c. Password changes and resets – by users and by admins to users
d. Additions/changes/deletions to network services
e. Changes to system files – binaries, configurations
f. Changes to other key files
g. Changes in file access permissions
h. Application installs and updates (success, failure) by system, application, user

3. Network Activity Reports

a. All outbound connections from internal and DMZ systems by system, connection
count, user, bandwidth, count of unique destinations
b. All outbound connections from internal and DMZ systems during "off" hours
c. Top largest file transfers (inbound, outbound) or top largest sessions by bytes
transferred
d. Web file uploads to external sites
e. All file downloads by content type (exe, dll, scr, upx, etc.) and protocol (HTTP,
IM, e-mail, etc.)
f. Internal systems using many different protocols/ports
g. Top internal systems as sources of multiple types of NIDS, NIPS or WAF alerts
h. VPN network activity by user name, total session bytes, count of sessions, usage of
internal resources
i. P2P use by internal systems
j. Wireless network activity
k. Log volume trend over days

4. Resource Access Reports

a. Access to resources on critical systems after office hours / “off” hours
b. Top internal users blocked by proxy from accessing prohibited sites, malware
sources, etc.
c. File, network share or resource access (success, failure)
d. Top database users
e. Summary of query types
f. All privileged database user access
g. All users executing INSERT, DELETE database commands
h. All users executing CREATE, GRANT, schema changes on a database
i. Summary of database backups
j. Top internal email addresses sending attachments to outside
k. All emailed attachment content types, sizes, names
l. All internal systems sending mail excluding known mail servers
m. Log access summary

5. Malware Activity Reports

a. Malware detection trends with outcomes
b. Detect-only events from anti-virus tools
c. All anti-virus protection failures
d. Internal connections to known malware IP addresses
e. Least common malware types

6. Critical Errors and Failures Reports

a. Critical errors by system, application, business unit
b. System and application crashes, shutdowns, restarts
c. Backup failures
d. Capacity / limit exhaustion events for memory, disk, CPU and other system
resources
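Three of the authentication report items above (1c off-hours logins, 1d failures by count of unique systems, and 1g failures followed by success on the same account) are concrete enough to compute directly from an sshd log. The added example below (written for these notes, not from any log analysis product) parses constructed syslog-style lines and produces those three reports; the host names, addresses, users, timestamps and the 20:00 to 07:00 off-hours window are all assumptions.

```python
"""Three authentication reports computed over constructed sshd log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines in Linux syslog/sshd format (not from a real system).
SAMPLE_LOG = """\
Mar 12 09:02:11 web01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
Mar 12 23:40:01 web01 sshd[2231]: Failed password for bob from 198.51.100.7 port 50211 ssh2
Mar 12 23:40:04 web01 sshd[2231]: Failed password for bob from 198.51.100.7 port 50212 ssh2
Mar 12 23:40:09 web01 sshd[2231]: Failed password for bob from 198.51.100.7 port 50213 ssh2
Mar 12 23:40:15 web01 sshd[2240]: Accepted password for bob from 198.51.100.7 port 50214 ssh2
Mar 12 23:41:02 db01 sshd[3310]: Failed password for invalid user admin from 198.51.100.7 port 50300 ssh2
Mar 13 10:15:33 db01 sshd[3402]: Accepted password for carol from 10.0.0.8 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) (?P<hour>\d\d):\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_auth_log(text: str) -> list:
    """Turn matching lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hour"])
            e["success"] = e["result"] == "Accepted"
            events.append(e)
    return events

def failures_then_success(events: list, threshold: int = 3) -> list:
    """Report 1g: threshold or more consecutive failures followed by a success
    for the same (account, source) pair."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["success"]:
            if streak[key] >= threshold:
                hits.append((e["user"], e["src"], streak[key]))
            streak[key] = 0
        else:
            streak[key] += 1
    return hits

def off_hours_logins(events: list, start_hour: int = 20, end_hour: int = 7) -> list:
    """Report 1c: successful logins between start_hour and end_hour (assumed off hours)."""
    return [(e["user"], e["host"], e["date"], e["hour"])
            for e in events
            if e["success"] and (e["hour"] >= start_hour or e["hour"] < end_hour)]

def failures_by_unique_hosts(events: list) -> dict:
    """Report 1d: per source address, the number of distinct systems that saw failures."""
    hosts = defaultdict(set)
    for e in events:
        if not e["success"]:
            hosts[e["src"]].add(e["host"])
    return {src: len(h) for src, h in hosts.items()}

if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print(failures_then_success(evts))
    print(off_hours_logins(evts))
    print(failures_by_unique_hosts(evts))
```

The same source fails against two systems and then succeeds on one of them at night, so all three reports point at the same event; correlating reports rather than reading each in isolation is what turns a list of log entries into a finding.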

--------------------------------------------------------------------------------------------------------------------------------------
• Hash: “A unique numerical identifier that can be assigned to a file, a group of files, or a
portion of a file, based on a standard mathematical algorithm applied to the characteristics
of the data set. The most commonly used algorithms, known as MD5 and SHA, will generate
numerical values so distinctive that the chance that any two data sets will have the same
hash value, no matter how similar they appear, is less than one in one billion. ‘Hashing’ is
used to guarantee the authenticity of an original data set and can be used as a digital
equivalent of the Bates stamp used in paper document production.”

Hashing Issues:

• Hashing refers to the use of hash functions to verify that an image is identical to the source
media; it is a form of checksum.
• A hash function converts a message of any length to data of a fixed length.
• It is like a digital fingerprint for a file, mathematically derived from the contents of the item
being hashed.
• The length of the hash depends on the type of hash used.
• It is incredibly unlikely that two image files with different contents would ever generate the
same hash; if they do, the hash function has failed (a collision).
• Cryptographic hash functions, such as MD5 (Message Digest 5), RIPEMD-160, SHA (Secure
Hash Algorithm)-1, SHA-256, and SHA-512, are explicitly designed to be collision resistant
and to produce large, 128- to 512-bit results.
• Hashing is used in many other areas of digital study such as download confirmation and
encryption.
• Altering anything within the contents of the disk image will alter the hash value (like adding
or removing a single character in a document or changing one pixel in an image).
• However, changing the name or extension of the image will not alter the hash value.
• Hashing is pivotal in the scope of forensic investigations, as the hash verifies the integrity of
the disk image.
• Every piece of evidence on the disk image that is to be presented needs to be hashed, and at
any time during or after the investigation, an investigator should be able to re-hash the disk
image and replicate the same hash value.
• Most forensic tools auto-generate hash values.
• Hashing algorithms have been found to have a weakness known as a collision, in which two
different messages have the same hash value.
• Although the probability of producing this weakness is very small, a collision can be used
to deny the usage of the evidence in a court of justice.
• MD5 and the SHA series are based on the Merkle-Damgard construction.
• MD5 and the SHA series differ in terms of the message length, the function and the number of
rounds.
• The use of hashes to ensure digital evidence integrity has legal precedent.
• However, there are concerns related to MD5 hashes; the courts will at some point no longer
consider it a valid technology to ensure integrity.
• As of now, admissibility guidelines do not differentiate between physical and electronic
evidence; hence, electronic evidence won’t be treated differently from physical evidence for
authentication purposes.

Hash collisions:
• If two separate inputs produce the same hash output, it is called a collision; in that case the
hash cannot prove the integrity of the evidence in a court of law.
• The odds of collisions are very low, especially for functions with large output sizes.
• A hash collision means the hash code is not unique, and the more duplicates there are, the worse
the performance.
• Hash collisions can even be exploited.
• MD5 and even SHA-1 have been shown not to be fully collision resistant; however,
stronger functions such as SHA-256 seem to be safe for the foreseeable future.

Collisions can be:

• Strong collisions: given a message digest algorithm, it should be computationally infeasible
to find a pair of messages with identical message digests.
• Weak collisions: given a message and its corresponding message digest, it should be
computationally infeasible to find a different message with an identical message digest.
Every hashing algorithm shows a resistance to collisions called collision resistance (CR).
A collision can be deliberately produced (a hash collision attack), but this is complex, and the
attacker needs physical possession of the files to be altered.
Error Rates for Hash Algorithms:
• Hash algorithms are designed to essentially randomize the file content.
• This allows us to assume that different files behave like random data.
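The hashing section above makes two practical claims, that renaming an image leaves its hash unchanged and that altering a single byte changes it, and raises the concern that MD5 alone may not hold up. The added example below (illustration code for these notes, not a forensic tool's own verification routine) records MD5 and SHA-256 together for a constructed 1 MiB image, streams the file in chunks so that real-sized images fit, and re-verifies after a rename and after a one-byte change. The file names, size and content pattern are assumptions; the digests in the test are the standard known values for the string "abc".

```python
"""Hash verification of an evidence image: rename vs. content change (added example)."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")   # record both: MD5 for legacy tooling, SHA-256 for strength

def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Digest an in-memory object (a single file carved from the image, for instance)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def hash_file(path: str, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> dict:
    """Stream the image in chunks so it need not fit in memory; all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(path: str, recorded: dict) -> bool:
    """Re-hash the image and compare every digest recorded at acquisition time."""
    current = hash_file(path, tuple(recorded))
    return all(current[name] == digest for name, digest in recorded.items())

def demo() -> dict:
    """Constructed 1 MiB image: renaming keeps the digests, flipping one byte breaks them."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        acquisition = hash_file(image)           # what the examiner writes in the report
        renamed = os.path.join(tmp, "evidence_renamed.img")
        os.rename(image, renamed)
        after_rename = verify(renamed, acquisition)
        with open(renamed, "r+b") as f:
            f.seek(12345)
            f.write(b"\x00")                     # the original byte at this offset was 0x39
        after_change = verify(renamed, acquisition)
    return {"after_rename": after_rename, "after_change": after_change,
            "acquisition": acquisition}

if __name__ == "__main__":
    result = demo()
    print("verified after rename:", result["after_rename"])
    print("verified after one-byte change:", result["after_change"])
    for name, digest in result["acquisition"].items():
        print(name, digest)
```

Recording two digests of different families means that a collision found for one of them does not by itself let an altered image pass verification, which addresses the court-admissibility concern raised above without abandoning the MD5 values that older reports and tools expect.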

--------------------------------------------------------------------------------------------------------------------------------------

Anti-forensics:
• Attempts to negatively affect the existence, amount, and/or quality of evidence from a crime
scene, or make the examination of evidence difficult or impossible to conduct.
Ryan Harris (2006)
Anti-forensics techniques can be categorized into:
• Low tech anti-forensics techniques
• High tech anti-forensics techniques

Low tech anti-forensics techniques:
Require basic knowledge of computing and electronics (are destructive)
• Physical data destruction
• Hard drive scrubbing
• Artefact wiping
• Steganography
• Cryptography
High tech anti-forensics techniques:
Require excellent conversance with computing/programming and electronics (not destructive, rather
more focused on hiding data, breaking digital forensics tools and processes and causing prolongation
of the whole investigation)
• Data saturation
• Hiding data
• Hiding data in slack and unallocated space
• Nonstandard RAID configurations
• File signature masking
• Scrambled MACE times
• Restricted filenames
• Circular references
• Broken log files
• Portable systems and programs
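Scrambled MACE times (Modified, Accessed, Created, Entry-modified) are listed above as a high tech technique; from the examiner's side the counter is a consistency check across the timestamps a file carries. The added example below (illustration code for these notes, not from any forensic suite) applies three commonly used heuristics to constructed NTFS-style records: a modified or accessed time earlier than the creation time, all $STANDARD_INFORMATION timestamps with an exactly zero sub-second part, and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time. Python's datetime carries microseconds rather than NTFS's 100 ns units, and the file names and timestamps are assumptions; each hit is an indicator for follow-up, not proof of tampering.

```python
"""Timestamp consistency checks for detecting scrambled MACE times (added example)."""
from datetime import datetime

def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)

def timestamp_anomalies(si: dict, fn: dict) -> list:
    """si: m/a/c/e times from $STANDARD_INFORMATION, fn: the same from $FILE_NAME.
    Returns the list of heuristics that fired (empty list = nothing suspicious)."""
    issues = []
    if si["m"] < si["c"]:
        issues.append("modified earlier than created")
    if si["a"] < si["c"]:
        issues.append("accessed earlier than created")
    if all(t.microsecond == 0 for t in si.values()):
        issues.append("all SI timestamps have zero sub-second part")
    if si["c"] < fn["c"]:
        issues.append("SI creation earlier than FN creation")
    return issues

def scan(records: list) -> dict:
    """Map each file name to its anomalies, keeping only files with at least one."""
    report = {}
    for r in records:
        issues = timestamp_anomalies(r["si"], r["fn"])
        if issues:
            report[r["name"]] = issues
    return report

def make_sample_records() -> list:
    """Constructed metadata: one clean file, one with whole-second SI times set back
    to 2019 while FN still shows the real 2024 creation, one with only M set back."""
    real = "2024-03-12T10:22:31.412332"
    return [
        {"name": "notes.txt",
         "si": {"m": ts(real), "a": ts("2024-03-12T10:25:02.118900"), "c": ts(real), "e": ts(real)},
         "fn": {"m": ts(real), "a": ts(real), "c": ts(real), "e": ts(real)}},
        {"name": "tool.exe",
         "si": {k: ts("2019-01-01T00:00:00") for k in "mace"},
         "fn": {"m": ts(real), "a": ts(real), "c": ts(real), "e": ts(real)}},
        {"name": "report.pdf",
         "si": {"m": ts("2023-05-01T08:00:00.250000"), "a": ts(real), "c": ts(real), "e": ts(real)},
         "fn": {"m": ts(real), "a": ts(real), "c": ts(real), "e": ts(real)}},
    ]

if __name__ == "__main__":
    for name, issues in scan(make_sample_records()).items():
        print(name, "->", "; ".join(issues))
```

Legitimate software can also produce whole-second timestamps (archive extraction is a common cause), so the zero sub-second rule is the noisiest of the three; the $FILE_NAME comparison is the stronger signal because ordinary user-level APIs do not update those attributes.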

Digital forensic tool categories:

• Disk and data capture tools
• File viewers
• File analysis tools
• Registry analysis tools
• Internet analysis tools
• Email analysis tools
• Mobile devices analysis tools
• Mac OS analysis tools
• Network forensics tools
• Database forensics tools

• Data acquisition: EnCase, FTK, SafeBack, MFL, dd, Macquisition, IxImager, …
• Software write block: HDL, PDBLOCK & ACES
• Hardware write block: MyKey, Tableau, WiebeTech, DiskJocky, DriveLock, & FastBlock
• Mobile device (cell phone) acquisition: Paraben, BitPim, MOBILedit, Neutrino, GSM XRY, …
• Drive wipe: Boot & Nuke, Voom, Drive eRazer
Embedded Systems
 Dedicated systems designed to do one job and to do it well.
 Vary in size as well as in complexity and function.
 Can have low complexity, like a single micro-controller chip used to open and close a gate,
 or very high complexity, like multiple complex embedded systems gathered to automate an
aircraft.
 Are hugely widespread in the form of:
 Consumer electronics
 Industrial control
 Military devices
 Networking systems
 Telecommunications
 Medical industry
 Power plants
 Used to control an enormous variety of situations on a regular basis.
 They are designed with little concern for security.
 Embedded systems are probably the fastest growing source of digital forensic investigations.
 Thus, these systems can provide vast amounts and different kinds of information and data
that can be used for many purposes, such as crime investigations and forensic examination.
 Dedicated hardware knowledge is required.

Embedded forensics: (do it on your own)

