Cyber forensics understanding information security investigations pdf free download
Scandals such as those at the OPCW and Gatwick Airport have reinforced the importance of crime science and the need to take proactive measures rather than the wait-and-see approach currently used by many organisations. This book proposes a new approach to dealing with cybercrime and antisocial behaviour involving remote technologies, using a combination of evidence-based disciplines in order to enhance cybersecurity and authorised controls.

It starts by providing a rationale for combining selected disciplines to enhance cybersecurity, discussing the relevant theories and highlighting the features that strengthen privacy when the disciplines are combined.

The essence of a holistic model is brought about by the challenge facing digital forensic professionals in environments where tested investigative practices are unable to provide satisfactory evidence and security. This book will be of interest to students, digital forensic and cyber security practitioners and policy makers. It marks a new route in the study of combined disciplines to tackle cybercrime using digital investigations and crime science.

Author: Anthony C.

Systematic approaches to an investigation may differ; the approach depends on local laws and your own organization's policy.

Initial assessment of the case: Before starting the actual investigation, look at the broader perspective of the case and the possible outcomes. Keep in mind that you have to be suspicious of everyone and everything. Do not try to imagine the result at the outset, because if you do, you will unintentionally work in that particular direction. Communicate with the relevant people about the incident and try to gather as much information as you can.

What is the nature of the case? What is the situation after the incident? Create a design to approach the case: You should have every possible step in mind, and you should write the steps down. Create the process for handling this particular case.

How are you going to approach the authorities, the victim and the suspect? How are you going to seize the machines? What legal documents might you need in order to do this, and how are you going to obtain them? Required resources: What resources might this case require? Human resources, technical resources, and the software that is needed.

Do you have the necessary software, or do you need to obtain it? If you need assistance from another company or team, this also comes under required resources; make the list and secure them at the outset. Identify the risks: A risk assessment should be done to evaluate the possible risks involved in the particular case.

Based on experience, your organization should keep a list of the problems that have occurred during past investigations; you can also judge the risk from your own experience. After identifying the risks, take the necessary steps to minimize or mitigate them.

Investigation: All right, you have collected the data. Now examine the extracted evidence and identify the culprit. Critique the case: Self-evaluation is the key, since you need to forward your report to court. After completing the report, thoroughly review the entire case. Find your weaknesses and improve on them for future cases.

You can't simply investigate or seize any machine without following the proper laws and regulations. The legal aspects are important: the case will go to court, and apart from the hearing itself you need to follow the law while investigating, otherwise you will find yourself in trouble. Legal process: The legal process depends on your local laws and rules. In the first stage a complaint is received; the investigator investigates the complaint and, with the help of the prosecutor, collects and analyzes evidence and reports on it to build a case.

You can't start a criminal investigation by yourself. A criminal investigation requires evidence of an illegal act; if no such evidence is found, a criminal investigation cannot be started. Someone has to inform the local police about the crime that has been committed, and once the complaint is received the investigation begins.

At the very first step, the local police investigate the crime. They report the type of case to senior management, and a specialist is then assigned to look after the case.

Not every police officer is a computer expert. Sometimes they know only the basics about digital devices, and during the seizure process they might damage critical evidence. To avoid such mishaps, CTIN has defined levels of law enforcement expertise. The police officer is responsible for acquiring and seizing the digital evidence at the crime scene.

The assigned detectives usually handle the case. Specialist training in retrieving digital evidence is normally given by a data recovery or computer forensics expert, a network forensics expert, or an Internet fraud investigator. This person might also be qualified to manage a case, depending on his or her background.

You, as an investigator, should have knowledge and expertise in computer forensics and in how to handle cyber-crime cases. You have to judge the level of expertise of the other team members and assign their roles, responsibilities and the expected performance.

Follow the systematic approach discussed in the previous chapter: look for the evidence and then build a strong case supported by that evidence. Your job as a computer investigator is to examine the digital devices, extract the evidence and create the report. From this point onward the prosecutor's job begins. As an investigator you need to submit the final report, with the evidence, to the government attorney; the level of authority depends on the nature of the case and your local laws.

Guides on evidence management and other topics related to computer forensics are available. As discussed, you should collect evidence in a way that is legally admissible in court. There are two core areas of law related to cyber-crime. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, see United States v. Ross, U.S.; see also United States v. Barth, 26 F.; Reyes, F.; Lynch, F.; Chan, F.

If a court finds that the process, methodology or tools violated the Fourth Amendment while the evidence was being recovered, the information or evidence becomes inadmissible. The word "memorized" is very important in this context; keep in mind that the protection discussed below applies to a passkey that is held only in the suspect's memory and is never written down anywhere.

The Fifth Amendment protects an individual from being compelled to provide incriminating testimony. Remember that it does not provide protection if the evidence is written down somewhere.

The first two laws are found in Title 18 of the U.S. Code (18 U.S.C.). Let us discuss real-time electronic communication first. Before discussing the exceptions and prohibited acts, we should discuss electronic communication in terms of the OSI model; I will explain both from the OSI point of view.

The statute itself (18 U.S.C.) provides the applicable definitions, and some of the prohibited acts are enumerated there as well. Intellectual property law can be further divided into copyright law, trademark law and trade secret law, among others.

This is the end of the second module; from the next module onward we will discuss file systems: what kinds of storage devices exist and how they are structured. That module discusses the technicalities of modern computer devices with the aim of providing insight into storage media and the architecture of today's popular operating systems.

This chapter does not aim to differentiate one type of drive from another; rather, it discusses the structure of the different drives. Fixed storage is the built-in storage space available in an electronic device, and external or removable storage is the kind you can plug in and unplug. The rapid growth of the computer industry has introduced many storage media: apart from the traditional media types such as the hard drive and the CD (compact disc), files can be stored on a USB drive, an MP3 player, a mobile phone, a digital camera, etc.

Hard drive: To understand files, the file system, how the OS interacts with the storage medium (the hard drive), how the flow of information works, etc., it is also important to understand where data is physically stored, so that you will be able to retrieve it during your investigation. A hard drive is made up of one or more platters coated with magnetic material; data is recorded magnetically onto the platters.

The hard-drive platter is made of an aluminium alloy; glass and ceramic are also used. The area where data is stored consists of a magnetic coating, typically an iron oxide compound.

Data is stored on both the front and back sides of a platter, known as side 0 and side 1. The data on each platter is physically stored in tracks and sectors. Every track has its own unique identification number; numbering starts from 0 at the outer edge and increases towards the centre of the platter. A sector holds a fixed number of bytes (traditionally 512; 4096 on newer Advanced Format drives).

Cluster: A cluster is an important component; it is built on the sector discussed above and can be described as a group of sectors. The cluster is the allocation unit: the space allocated for storing files and directories. If small files are stored on a file system with large clusters, disk space is wasted, and this wasted space is called slack space. The number of sectors per cluster is always a power of 2, so the cluster size in bytes is the sector size multiplied by that power of 2.

Slack space: Referring to the cluster concept above, slack space is the free or unused space in a cluster; it lies between the end of the actual file data and the end of the allocated data unit (the end of the cluster). Investigating slack space is very important for a forensic expert, because this space can contain salient information about the suspect, and evidence can be retrieved from it.

Figure: File slack space within a cluster (Infosec Institute / ehacking).

For example, suppose the suspect deleted all of the files and directories that filled an entire cluster and then saved or created new files that filled only half of the cluster in order to mislead the investigator; the other half of the cluster may still hold the contents of the deleted file, which can be retrieved and used as evidence against the suspect. One caveat: modern operating systems zero-fill the unused tail of the last sector they write (the RAM slack), so the surviving residue is in the remaining, unwritten sectors of the cluster (the file slack). A file can be made up of many data types, for example audio, video, text, etc.
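The residue described above can be reproduced in a few lines. The following Python block is an added example, not code from the original course: it models a volume as an array of fixed-size clusters (512-byte sectors and eight sectors per cluster, both chosen for the demo), writes a file that fills a cluster, deletes it, writes a smaller file into the same cluster, and then reads the new file's slack. The ledger text and file names are constructed sample data.

```python
import math

# Added example, not from the original course. Sector and cluster sizes are
# assumptions for the demo, not values taken from the page.
SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096 bytes
NUM_CLUSTERS = 4


def clusters_needed(file_size):
    """Allocation units a file of file_size bytes occupies (at least one)."""
    return max(1, math.ceil(file_size / CLUSTER_SIZE))


def slack_bytes(file_size):
    """Unused bytes between the end of the file data and the end of its last cluster."""
    return clusters_needed(file_size) * CLUSTER_SIZE - file_size


class ToyVolume:
    """Minimal allocator: lowest free clusters first. Deleting a file frees its
    clusters in the directory but never wipes their bytes, like a real delete."""

    def __init__(self):
        self.media = bytearray(NUM_CLUSTERS * CLUSTER_SIZE)
        self.directory = {}                      # name -> (cluster list, size)
        self.free = list(range(NUM_CLUSTERS))

    def write_file(self, name, data):
        n = clusters_needed(len(data))
        if n > len(self.free):
            raise OSError("volume full")
        chunk, self.free = self.free[:n], self.free[n:]
        self.directory[name] = (chunk, len(data))
        # The final partial sector is zero-padded to the sector boundary (how a
        # modern OS handles RAM slack). Whole sectors left over in the last
        # cluster are not written at all, so their previous contents survive.
        padded = data + b"\x00" * (-len(data) % SECTOR_SIZE)
        for i, c in enumerate(chunk):
            piece = padded[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.media[start:start + len(piece)] = piece

    def delete_file(self, name):
        chunk, _ = self.directory.pop(name)
        self.free = sorted(self.free + chunk)    # clusters reusable; data untouched

    def read_file(self, name):
        chunk, size = self.directory[name]
        raw = b"".join(bytes(self.media[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in chunk)
        return raw[:size]

    def read_slack(self, name):
        """Bytes after the logical end of the file, up to the end of its last cluster."""
        chunk, size = self.directory[name]
        last = chunk[-1]
        used_in_last = size - (len(chunk) - 1) * CLUSTER_SIZE
        return bytes(self.media[last * CLUSTER_SIZE + used_in_last:(last + 1) * CLUSTER_SIZE])


def demo():
    """Returns (slack of the new file, contents of the deleted file) for comparison."""
    vol = ToyVolume()
    # Constructed sample data: a ledger that exactly fills one cluster.
    ledger = (b"account=ACME-4471 transfer 250000 to IBAN DE89370400440532013000\n" * 80)[:CLUSTER_SIZE]
    vol.write_file("ledger.txt", ledger)
    vol.delete_file("ledger.txt")                          # suspect "deletes" the evidence
    vol.write_file("notes.txt", b"nothing to see here")    # 19 bytes reuse cluster 0
    return vol.read_slack("notes.txt"), ledger
```

Note the distinction the code makes: the tail of the last written sector is zero-filled, while the untouched sectors of the cluster still hold the previous contents. On a real image you read the same region using the cluster size from the volume's boot sector; a hex editor or The Sleuth Kit's blkcat shows the same bytes.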

The file system is the set of rules, processes and methods that defines how data is stored and where it is placed on logical volumes.

A logical volume is the result of partitioning: it is a partition, acting as a single entity, that has been formatted with a file system. Understanding the file system is crucial for a forensic investigator, as you must know the location and distribution of the various types of files and how they are structured and laid out on the medium. Before a hard drive or any other storage medium can be used to store files, the disk must be partitioned and the partitions formatted into logical volumes.

Hidden partitions can also be created to hide data; this space can be created between the primary partition and the first logical partition. This unused space is referred to as the partition gap, and data hidden there can be viewed and altered with a disk editor utility. The sectors between the partition table itself and the start of the first partition are another gap worth examining for the same reason. Different operating systems may have different file systems and structures.
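An added example (not from the original course) of what a disk editor would show you here: a Python parser for the MBR partition table that lists each partition with its type code and then reports every sector range no partition covers, including the gap between the MBR and the first partition and the gap between two partitions where data can be hidden. The sample sector 0 is constructed for the demo, and the type-code table covers the common codes only.

```python
import struct

# Added example, not from the original course.
SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"

# Well-known partition type bytes (the hexadecimal codes a disk editor shows).
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS / exFAT / HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective", 0xEF: "EFI system",
}


def parse_mbr(sector0):
    """Parse the four 16-byte entries of the MBR partition table at offset 446."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue                                  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
            "size_mib": count * SECTOR / (1024 * 1024),
        })
    return parts


def find_gaps(parts, disk_sectors=None):
    """Sector ranges not covered by any partition: the gap after the MBR,
    gaps between partitions, and (if the disk size is known) the tail."""
    gaps, cursor = [], 1                              # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_end"] + 1)
    if disk_sectors is not None and cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed sector 0: NTFS at 2048, Linux at 208896, leaving a 1 MiB hole."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"                    # a few bytes of stand-in boot code

    def entry(status, ptype, start, count):
        chs = b"\xFE\xFF\xFF"                         # CHS fields are ignored on LBA disks
        return struct.pack("<B3sB3sII", status, chs, ptype, chs, start, count)

    mbr[446:462] = entry(0x80, 0x07, 2048, 204800)    # 100 MiB NTFS, bootable
    mbr[462:478] = entry(0x00, 0x83, 208896, 409600)  # 200 MiB Linux
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)
```

Run it against the first 512 bytes of a disk image; each reported gap is a candidate region to carve or to inspect in the hex editor. For GPT disks the MBR only contains a 0xEE protective entry, and the real table must be read from sector 1 onward.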

However, there are some common traits that you can find in every file system, for example the concept of directories and files. Nice for floppies, but useless on hard drives. A technically interesting file system available for the Amiga, which performs very well under a lot of circumstances.

Very simple and elegant. That system was based on the BASIC programming language and allowed programs and data to be stored on a floppy disk. Since then, the FAT file system has been improved multiple times to take advantage of advances in computer technology and to further refine and enrich the file system itself. Today FAT has become the ubiquitous format used for the interchange of media between computers and, since the advent of inexpensive removable flash memory, between digital devices as well.

The FAT file system is now supported by a wide variety of operating systems running on all sizes of computer, from servers to personal digital assistants. In addition, many digital devices such as still and video cameras, audio recorders, video game systems, scanners and printers make use of FAT file system technology.

FAT12: It has a limited amount of storage; a volume can be no larger than 16 MB. It uses 12-bit file allocation table entries to address clusters in the file system.

FAT16: It was created for larger disks and can handle storage capacity up to 2 GB, or up to 4 GB on some newer OSs, using 16-bit file allocation table entries. FAT32: It uses 32-bit file allocation table entries of which the top 4 bits are reserved, and it can address up to 2 TB of disk storage. NTFS: NTFS supports long file names and large storage media. It is known as a recoverable file system; it can automatically recover or restore the consistency of the file system when an error occurs. Root directory.

This file is always located at the first clusters of the volume. Now we will use Hex Workshop to analyze the partition at the physical level. You need to understand the hexadecimal codes in order to recognize the file systems of the various operating systems. Here is the list of hexadecimal codes with their respective file systems. Download Hex Workshop: www.
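As an added example of the boot-sector analysis described here (not code from the course), the block below decodes the BIOS Parameter Block of a FAT boot sector in Python, derives where the FAT area, the root directory and the data area start, determines FAT12/16/32 the way Microsoft's specification does (by cluster count, not by the label), and maps a cluster number to an absolute sector. The sample boot sector is constructed; the OEM name MSDOS5.0 is what Windows writes when it formats a FAT volume.

```python
import struct

# Added example, not from the original course.
BPB_FORMAT = "<HBHBHHBHHHII"   # bytes/sector .. total sectors (32-bit), at offset 11


def parse_bpb(sector):
    """Decode the BIOS Parameter Block of a FAT12/16/32 boot sector and derive
    the volume layout (FAT area, root directory, data area) from it."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors_16, media, fat_size_16, sectors_per_track,
     heads, hidden_sectors, total_sectors_32) = struct.unpack_from(BPB_FORMAT, sector, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096) or sectors_per_cluster == 0:
        raise ValueError("implausible BPB values, probably not a FAT volume")

    fat_size = fat_size_16 or struct.unpack_from("<I", sector, 36)[0]   # FAT32 keeps it at 36
    total_sectors = total_sectors_16 or total_sectors_32

    # FAT type is decided by the number of data clusters, never by the label.
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    first_data_sector = reserved_sectors + num_fats * fat_size + root_dir_sectors
    count_of_clusters = (total_sectors - first_data_sector) // sectors_per_cluster
    if count_of_clusters < 4085:
        fat_type = "FAT12"
    elif count_of_clusters < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"

    # Extended boot record sits at offset 36 for FAT12/16 and at 64 for FAT32.
    ebr = 64 if fat_type == "FAT32" else 36
    volume_id = struct.unpack_from("<I", sector, ebr + 3)[0]
    volume_label = sector[ebr + 7:ebr + 18].decode("ascii", "replace").rstrip()
    fs_type_string = sector[ebr + 18:ebr + 26].decode("ascii", "replace").rstrip()

    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "fat_size_sectors": fat_size,
        "total_sectors": total_sectors,
        "fat_type": fat_type,
        "count_of_clusters": count_of_clusters,
        "root_dir_sector": reserved_sectors + num_fats * fat_size,
        "first_data_sector": first_data_sector,
        "volume_id": "%08X" % volume_id,
        "volume_label": volume_label,
        "fs_type_string": fs_type_string,
    }


def cluster_to_sector(info, cluster):
    """Data clusters are numbered from 2; translate one to an absolute sector."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return info["first_data_sector"] + (cluster - 2) * info["sectors_per_cluster"]


def build_sample_boot_sector():
    """Constructed 64 MiB FAT16 boot sector as Windows would write it."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                       # jump over the BPB
    bs[3:11] = b"MSDOS5.0"                          # OEM name written by Windows format
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512, 4, 1, 2, 512, 0, 0xF8, 128, 63, 255, 0, 131072)
    bs[36] = 0x80                                   # drive number
    bs[38] = 0x29                                   # extended boot signature
    struct.pack_into("<I", bs, 39, 0x1A2B3C4D)      # volume serial number
    bs[43:54] = b"EVIDENCE   "
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)
```

Feed parse_bpb the first 512 bytes of the partition (not of the disk) and the returned sector numbers are what you add to the partition's starting LBA when you jump around in the hex editor.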

In the example below, I have clicked on my C: drive to analyze it; note the OEM name MSDOS5.0 near the start of the boot sector.

Windows Registry: The Windows registry is a hierarchical database; it contains information about the users, applications, hardware, etc. The registry knows everything about a program: where the program is stored, its version and every setting of that program.

During the execution of any task, Windows continuously refers to the registry. Registry data is stored in binary files (the hives), which hold the configuration and preference settings.

Before discussing the Linux file systems, we should cover some basic concepts. What is a file? In Linux, everything is a file (and everything else is a process); a file is connected to the storage medium, and whatever you store ends up in a file.

A file is a collection of data; the data may be text, images, video, etc. To manage files, Linux uses an ordered tree structure in which the root holds large branches, and the branches hold the regular files, the leaves of the tree.

What is a directory? A directory is a special file that contains other files and sub-directories. You can't change or rename the root directory. Inodes: The inode is a basic concept of the Linux file system; each file is represented by an inode, which is a structure of the file system. Each inode contains information about the file: timestamps, size, file type, owner, permissions, etc.

In summary, the inode table is the database that stores metadata about each file and directory, and it is used to locate the file's data on the hard drive. The table holds the inode entries, each of a fixed size (128 bytes in classic ext2/ext3, 256 bytes by default in ext4). The first output shows the inode number of this particular file, while the second output provides more details about the file.
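The two outputs referred to above (the inode number and the full metadata) can be obtained programmatically. The following is an added Python example, not from the course: it reports the inode fields for a path and then shows that a hard link is a second name for the same inode, so removing one name leaves the data reachable. The file and its contents are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Added example, not from the original course.


def inode_report(path):
    """The metadata an inode holds for a path (what `ls -i` and `stat` print)."""
    st = os.lstat(path)
    return {
        "inode": st.st_ino,
        "device": st.st_dev,
        "links": st.st_nlink,           # directory entries pointing at this inode
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,           # inode change time, not creation time
    }


def demo():
    """Two names, one inode: deleting one name leaves the inode and its data intact."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "report.txt")
        alias = os.path.join(d, "report_link.txt")
        with open(original, "wb") as f:
            f.write(b"suspect contacted buyer on 3 March\n")   # constructed content
        os.link(original, alias)                                # hard link, not a copy
        before = (inode_report(original), inode_report(alias))
        os.unlink(original)                                     # "delete" the original name
        after = inode_report(alias)
        with open(alias, "rb") as f:
            still_readable = f.read()
        directory = inode_report(d)                             # a directory is a file too
        return before, after, still_readable, directory
```

The link count is the field to watch: a file that was "deleted" under one name but is still linked elsewhere is not gone, and once the count reaches zero the inode is released but its data blocks are not wiped, which is what deleted-file recovery relies on.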

Journaling file system: The journaling file system introduced in Linux was the main reason many corporations switched to Linux; however, it is no longer a unique reason, because other file systems with this capability are available.

The file systems before ext3 are based on a static structure; they don't have journaling functionality. Ext3 and later file systems have journaling capability. So what is a journaling file system all about? A journaling file system first writes to a separate area of the hard drive, called the journal, where it logs the changes it is about to make, and only then applies them; after a crash the journal is replayed, so the file system can always be brought back to a consistent state.

Partition size was limited to 64 MB, and file names were limited to 14 bytes. Ext2: Ext was immediately superseded by ext2. The second extended file system was created by Rémy Card. Ext2 was the most popular and the default file system in Linux until the launch of ext3; USB and other removable storage media still commonly use ext2. Ext2 does not support journaling, and this is the main reason ext2 is recommended for USB drives: these drives do not need journaling, and the extra journal writes would wear the flash.

It supports a maximum file name length of 255 bytes and a maximum file size of 2 TB. In ext2, directories and files are not indexed, so searching for a file among a large number of files may take time. Ext3: It has journaling, which is its main edge over ext2. Ext3 is more advanced than ext2 because it can index directories using an H-tree. The maximum individual file size is 2 TB, and the file system as a whole can be up to 32 TB. An ext2 file system can be converted to ext3 in place, without reformatting (you should still have a backup before doing so).

Ext4: It was released in the Linux 2.6 kernel series. It uses 48-bit block addressing, which allows a maximum file size of 16 TB and a maximum volume size of 1 EB. Here you can see the contents of the root location. Let's find their file system information. In this section we have discussed many important topics of the Linux file system, including the journaling concept and inodes; the information about the root and the sub-directories discussed above is very important, and you should look inside them while investigating a case.
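To find a partition's file system information as the text suggests, read its superblock. The Python block below is an added example (not course code): it parses the ext2/3/4 superblock at byte offset 1024, checks the 0xEF53 magic, reports block size, inode size, UUID, label, last mount point and mount timestamps, and tells ext2, ext3 and ext4 apart from the feature flags the same way blkid does. The superblocks it reads are constructed for the demo.

```python
import datetime
import struct

# Added example, not from the original course.
SUPERBLOCK_OFFSET = 1024          # the superblock starts 1 KiB into the partition
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_FILETYPE = 0x0002
INCOMPAT_EXTENTS = 0x0040
INCOMPAT_64BIT = 0x0080
INCOMPAT_FLEX_BG = 0x0200
RO_COMPAT_SPARSE_SUPER = 0x0001
RO_COMPAT_HUGE_FILE = 0x0008
RO_COMPAT_DIR_NLINK = 0x0020
RO_COMPAT_EXTRA_ISIZE = 0x0040
EXT4_ONLY_INCOMPAT = INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG
EXT4_ONLY_RO_COMPAT = RO_COMPAT_HUGE_FILE | RO_COMPAT_DIR_NLINK | RO_COMPAT_EXTRA_ISIZE


def classify(compat, incompat, ro_compat):
    """Same order blkid uses: ext4-only features win, then a journal means ext3."""
    if incompat & EXT4_ONLY_INCOMPAT or ro_compat & EXT4_ONLY_RO_COMPAT:
        return "ext4"
    if compat & COMPAT_HAS_JOURNAL:
        return "ext3"
    return "ext2"


def _utc(ts):
    if not ts:
        return None
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()


def parse_superblock(image):
    """Read the fixed-offset fields of the ext superblock from a partition image."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        raise ValueError("no ext superblock magic 0xEF53 at offset 1024")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    log_block_size = struct.unpack_from("<I", sb, 24)[0]
    mtime, wtime = struct.unpack_from("<II", sb, 44)
    mnt_count, _max_mnt, _magic, state = struct.unpack_from("<HHHH", sb, 52)
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 92)
    return {
        "fs_type": classify(compat, incompat, ro_compat),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "block_size": 1024 << log_block_size,
        "blocks_count": blocks_count,
        "inodes_count": inodes_count,
        "inode_size": inode_size,
        "state": "clean" if state & 1 else "not cleanly unmounted",
        "mount_count": mnt_count,
        "last_mounted_at": _utc(mtime),
        "last_write_at": _utc(wtime),
        "uuid": sb[104:120].hex(),
        "volume_name": sb[120:136].split(b"\0")[0].decode("utf-8", "replace"),
        "last_mounted_on": sb[136:200].split(b"\0")[0].decode("utf-8", "replace"),
    }


def build_sample_superblock(kind):
    """Constructed 1 GiB volume (4 KiB blocks) with ext2, ext3 or ext4 feature flags."""
    if kind not in ("ext2", "ext3", "ext4"):
        raise ValueError(kind)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 65536, 262144)            # inodes, blocks
    struct.pack_into("<I", sb, 24, 2)                         # 1024 << 2 = 4096-byte blocks
    struct.pack_into("<II", sb, 44, 1700000000, 1700003600)  # mtime, wtime
    struct.pack_into("<HHHH", sb, 52, 7, 0xFFFF, EXT_MAGIC, 1)
    struct.pack_into("<I", sb, 76, 1)                         # dynamic revision
    struct.pack_into("<H", sb, 88, 256)                       # inode size
    compat = 0 if kind == "ext2" else COMPAT_HAS_JOURNAL
    incompat = INCOMPAT_FILETYPE | (EXT4_ONLY_INCOMPAT if kind == "ext4" else 0)
    ro_compat = RO_COMPAT_SPARSE_SUPER | (EXT4_ONLY_RO_COMPAT if kind == "ext4" else 0)
    struct.pack_into("<III", sb, 92, compat, incompat, ro_compat)
    sb[104:120] = bytes(range(16))
    sb[120:136] = b"evidence".ljust(16, b"\0")
    sb[136:200] = b"/mnt/evidence".ljust(64, b"\0")
    return bytes(1024) + bytes(sb)                             # boot block, then superblock
```

The last-mount time, mount count and last-mounted-on path are themselves evidence of how the volume was used, so record them from the image before anything mounts it; if the primary superblock is damaged, backup copies exist at the start of other block groups.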

In the next module, we will see the techniques for gathering evidence and how to analyze it. In the first module, we discussed the rules that you must follow during the evidence acquisition process. Many tools, both commercial and open-source, are available, and many of them are similar in function; every investigator has their own toolkit, and you should build your own.

The selection of a toolkit depends heavily on your mindset, your way of working and the cases you expect. First, let's discuss some important concepts. Storage media image: Creating an image of the storage medium is crucial for investigating a case and finding evidence in it. Note: never investigate the original device; take a forensic copy (image) of the device and investigate that. AccessData Corp. develops the Forensic Toolkit (FTK) and FTK Imager. In this guide we will use their software, and apart from AccessData we will use some open-source software too.

AccessData FTK Imager (forensics tool): FTK Imager is a wonderful piece of software that can create an image of a storage medium; it can also preview the contents of the created image, and you can export the image for further investigation. Keep in mind that an image can be created locally or remotely. In this scenario, I am taking an image of a removable USB drive, and the same image will be used throughout this guide.

Information from memory can also be collected, and you can image individual items too. Now select the device type; in our situation, a logical drive. The E01 file format is the format of EnCase, a popular digital forensics program. Select the type and click Next. If you are analyzing a large drive, you can split the image into multiple parts; the image fragment size sets the size of each part. The following window will appear after the creation of the image.

Since the values match, nobody has altered the disk and you have an exact copy of the suspect device. The same information is also written out in text form at the same location. This is how you create an exact copy of the suspect device for investigation purposes; keep the hash details with you so you can verify integrity at every stage of the investigation where you will be touching the data.

Hashing to verify the integrity of the image: The hashing process is used to confirm that the image matches the source medium or drive. Hashing is like performing biometric verification of a human. Many hashing algorithms exist, and hashing is used for many purposes, including in cryptographic protocols and password storage, but in our scenario we are discussing hashing from a forensic point of view. MD5, a 128-bit algorithm whose digest is written as 32 hexadecimal characters, is one of the most widely used. Note that MD5 is no longer collision-resistant, so record a SHA-256 digest alongside it; FTK Imager computes both.

If you alter the data acquired from the suspect disk, its hash value changes. It is crucial to maintain integrity; otherwise you cannot verify in court that you did not change the evidence in any way. If you alter any of the bytes, the hash changes too. So conduct a fair investigation and never try to change the evidence, or you will make the legal process very difficult.

You can try this yourself: if you change any byte of the data, the hash changes accordingly. Image acquisition on Linux: In the previous topics we discussed the software and processes for creating an image of the suspect device on Windows.

The same functions can be performed on a Linux machine too; open-source tools are available that make your job effective and efficient. dd is a UNIX command that is very important for forensic experts; it is a command-line utility, meaning there is no graphical user interface for executing its functions.

It copies data block by block. We will use dcfldd, a forensic fork of dd that can hash the data as it copies, to acquire the image. The output of the partition listing shows the partitions. You do not need to mount the suspect drive to image it, and you should not mount it read-write: dd reads the raw block device (for example /dev/sdb) directly, and mounting it writable would update timestamps and replay the journal, changing the hashes. If you do need to mount it to preview files, mount it read-only (for ext3/ext4, mount -o ro,noload) or behind a hardware write blocker. Mounting in Linux is like attaching a drive so that its file system becomes accessible.

If you mount it, first create a mount point; you can also do this from the file manager, but here I am performing all tasks from the terminal. Now you have seen the procedure on both Linux and Windows machines. In the next topic we will analyze the images we created. Data analysis: After the acquisition and verification of the storage media image, the next step is to analyze the contents to find the possible evidence for the case. First, analyze the clearly visible files and folders, and then look for hidden and deleted items.
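The acquisition and verification steps above (FTK Imager's hash comparison, dcfldd's hashing on Linux, and the hash-before/hash-after check used later on individual files) are, in code, one loop. This Python block is an added example, not course code: it copies a source device into a raw image while computing MD5 and SHA-256 over the same byte stream, writes a hash log next to the image, verifies the image, then flips a single byte to show verification failing. The "device" is a constructed file in a temporary directory standing in for /dev/sdb1.

```python
import hashlib
import os
import tempfile

# Added example, not from the original course.
CHUNK = 1024 * 1024            # read in 1 MiB blocks (like dd bs=1M)


def acquire(source, image, algorithms=("md5", "sha256")):
    """Copy the source device/file into a raw image while hashing the same byte
    stream, the way `dcfldd if=... of=... hash=md5,sha256 hashlog=...` does.
    Returns (bytes copied, {algorithm: hexdigest})."""
    hashes = {a: hashlib.new(a) for a in algorithms}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:   # source opened read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
            for h in hashes.values():
                h.update(block)
    digests = {a: h.hexdigest() for a, h in hashes.items()}
    with open(image + ".hashlog", "w") as log:       # keep the record beside the image
        for a, d in digests.items():
            log.write("%s  %s\n" % (a, d))
    return copied, digests


def hash_file(path, algorithm="sha256"):
    """Digest of a file read in chunks, so multi-GB images do not load into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, expected):
    """True only if every recorded digest still matches the file."""
    return all(hash_file(path, a) == d for a, d in expected.items())


def demo():
    """Acquire a constructed device, verify, then flip one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sdb1")               # stands in for /dev/sdb1
        image = os.path.join(d, "sdb1.dd")
        with open(device, "wb") as f:                  # constructed, deterministic content
            f.write(bytes(range(256)) * (3 * 4096) + b"end-of-media")
        copied, digests = acquire(device, image)
        matches_source = digests["sha256"] == hash_file(device)
        ok_before = verify(image, digests)
        with open(image, "r+b") as f:                  # tamper with a single byte
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify(image, digests)
        return copied, matches_source, ok_before, ok_after
```

On a real system run this (or dcfldd itself) as root against the raw block device, behind a hardware write blocker, and keep the hash log with the chain-of-custody paperwork. dcfldd's conv=noerror,sync, which zero-fills unreadable sectors instead of aborting, is not modelled here.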

Take a deep look at every file and directory. In the previous step we successfully created the image, and the image was verified to maintain the integrity of the data. Now let's move further. ProDiscover Basic is the forensics software we are going to use to analyze the data. This particular software can be used for both purposes: creating an image and analyzing it.

Anyway, in this scenario we will use ProDiscover to analyze the files and then create the report. You can even create an image of the disk from this software. I am using the same image created in the previous topic. Your job now is to analyze every file and folder and look for possible evidence.

The biggest mistake you must not make is damaging the data; otherwise the integrity of the data is lost and you won't be able to prove anything in court. There is a way to copy the data and then view it in a user-friendly way, but how? Follow the procedure below; by doing this you can maintain integrity.

Let's say you want to analyze a single file: simply copy it to some other location, use Hex Workshop to compute the hash of that copy, and then do whatever you need to do with it. After completing the job, hash the file again and compare the result with the previously taken hash. The image itself is never written to; only the copy is worked on.

Get the hash information and store it. Open the file without any fear, acquire the evidence, close the file, re-hash it and you are done. Click on Save Project to save the project and use it whenever you want. FTK (AccessData's Forensic Toolkit) also has a strong case management and administration database. You will be asked to create a case, or you can work on an existing case. In our scenario, I am opening a case. Make sure to provide the correct information, since you use it to maintain the database of cases.

Here I am browsing the image created before. There are six documents in the image and 37 multimedia files, along with the other useful information shown on the screen. You can recover them for analysis.

In the example below, I am reading a text file within the FTK window. Every step mentioned above needs practice; create your own forensics lab and perform the tasks. In the next topic, we will analyze a drive on a Linux machine. Disk analysis on Linux (Autopsy): The Sleuth Kit is an open-source computer forensics investigation suite, and Autopsy is the front-end (user interface) for The Sleuth Kit. It is available in the popular Linux distribution Kali Linux, so you need not worry about installation.

You can open. Enter the relevant information, because it is used for administrative and management purposes; think of investigating many cases at the same time. You need to keep a history of every case. Click on Add Host to proceed. You have also seen the usage of the most common computer forensic tools; do not stop here, and keep practising every feature of the tools mentioned in the topics discussed earlier. End note: This is the end of this mini course, but certainly not the end of knowledge and skills.

It is highly recommended that you create a forensics lab of your own to practise the skills acquired while reading this course material. Technology changes every day; we have many kinds of storage media, and it is your job to understand them so that you will be able to investigate whenever needed.

Get the software discussed in this mini course and practise evidence management on your own. Try your level best to maintain integrity at every level; you might have noticed that I have used this term many times in the course.

Yes, because it is crucial for your case.
