Introduction to Cyber Security 22ETC15I
MODULE - V
Introduction, Historical Background of Cyber Forensics, Digital Forensics Science, Need for
Computer Forensics, Cyber Forensics and Digital Evidence, Digital Forensic Life Cycle, Chain of
Custody Concepts, Network Forensics.
❖ Introduction
➢ Cyber forensics plays a key role in the investigation of cybercrime.
➢ "Evidence" in the case of "cyber offenses" is extremely important from the legal perspective.
➢ There are legal aspects involved in the investigation as well as in the handling of digital forensics
evidence.
➢ Only technically trained and experienced experts should be involved in forensics activities.
❖ Historical Background of Cyber forensics:
➢ The application of computers to investigating computer-based crime has led to the development of a
new field called Computer Forensics.
➢ Sometimes computer forensics is also referred to as "digital forensics."
➢ Computer forensics/digital forensics has existed for as long as people have stored data inside
computers.
➢ The focus of computer forensics is to find digital evidence: the evidence required to establish
whether or not a fraud or a crime has been committed.
➢ "Forensic science" is the application of science to law, and it is ultimately defined by its use in court.
➢ Forensic science is the application of the physical sciences to law in the search for truth in civil, criminal
and social behavioral matters, to the end that injustice shall not be done to any member of society.
➢ An alternative definition of digital forensic science is:
the use of scientifically derived and proven methods toward the preservation, collection,
validation, identification, analysis, interpretation, documentation and presentation of digital evidence
derived from digital sources for the purpose of facilitating or furthering the reconstruction of events
found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned
operations.
DR. SRINIVAS, T BHAGAVATH SINGH,
CHAITRA S, AISHWARYA G, VIDYARANI Page 5
❖ Digital Forensics Science
➢ It is the application of analytical techniques to the reliable and unbiased collection, analysis,
interpretation and presentation of digital evidence.
➢ The main objective of "cyber forensics" is to provide digital evidence of a specific or general
activity.
Definitions:
1. Computer Forensics: It is the lawful and ethical seizure, acquisition, analysis, reporting and
safeguarding of data and metadata derived from digital devices which may contain information that
is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil
and criminal investigations.
In short, it is the collection of techniques and tools used to find evidence in a computer.
2. Digital Forensics: It is the use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from digital sources for the purpose of facilitating or
furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.
The Role of Digital Forensics is to:
1) Uncover and document evidence and leads.
2) Corroborate evidence discovered in other ways (E-Discovery).
3) Assist in showing a pattern of events (data mining has an application here).
4) Connect attacker and victim computers (Locard's Exchange Principle).
5) Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
6) Extract data that may be hidden, deleted or otherwise not directly available.
Using digital forensics techniques, one can:
1. Corroborate and clarify evidence otherwise discovered
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.
Figure: Data seen using forensics tools (labels recoverable from the image: temporary files; FAT, file allocation table).
❖ The Need for Computer Forensics
➢ The media on which clues related to cybercrime reside will vary from case to case.
➢ There are many challenges for the forensics investigator because storage devices are getting
miniaturized due to advances in electronic technology.
For example: external storage devices such as mini hard disks (pen drives) are available in surprising
shapes, as shown in the figure below.
Fig: Hidden and miniaturized storage media
❖ Cyber Forensic and Digital Evidence:
Cyber forensics can be divided into two domains:
1. Computer forensics;
2. Network forensics.
1. Computer Forensics: It is the lawful and ethical seizure, acquisition, analysis, reporting and
safeguarding of data and metadata derived from digital devices which may contain information that
is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil
and criminal investigations.
• In short, it is the collection of techniques and tools used to find evidence in a computer.
2. Network Forensics: It is the study of network traffic to search for truth in civil, criminal and
administrative matters, to protect users and resources from exploitation, invasion of privacy and any
other crime fostered by the continual expansion of network connectivity.
• Many security threats are possible through computer networks; therefore "network forensics" is very
important in cybercrime investigation.
➢ Compared to physical evidence, "digital evidence" is different in nature because it has
some unique characteristics.
➢ Digital evidence is much easier to change or manipulate, and "perfect" digital copies can be made
without harming the original. Because it is so easy to alter, the integrity of digital evidence must be
proved, typically by computing a cryptographic hash of the original and of every copy and showing that they match.
➢ Another subtle aspect of digital evidence is that it is usually in the form of an "image": this
means that it is convenient and possible to create a defensible "clone" of a storage device.
➢ Different information (clues) can be found at different levels of abstraction.
Typically, evidence resides on computer systems, in user-created files, user-protected files,
computer-created files and on computer networks.
Computer systems have the following:
1. Logical file system, which consists of
• File system: files, volumes, directories and folders, file allocation tables (FAT, as in
older versions of the Windows operating system), clusters, partitions and sectors.
• Random access memory.
• Physical storage media: magnetic force microscopy has been used in attempts to recover data from
overwritten areas. Two regions of the media are of particular forensic interest:
(a) Slack space: space allocated to a file but not actually used by it, due to internal
fragmentation (the file ends before the end of its last cluster); it may still hold remnants of whatever
occupied that cluster earlier.
(b) Unallocated space: clusters not currently assigned to any file; they may still hold the contents of
deleted files, because deletion normally removes only the file-table entry.
2. User-created files: address books, audio/video files, calendars, database files, spreadsheets,
e-mails, Internet bookmarks, documents and text files.
3. Computer-created files: backups, cookies, configuration files, history files, log files,
swap files, system files, temporary files, etc.
4. Computer networks: the Application Layer, the Transport Layer, the Network
Layer and the Data Link Layer.
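The following is an added example, not part of the lecture notes: a toy cluster-based disk that shows why slack space and unallocated space hold evidence that the logical file system hides. The cluster size, the file names and the file contents are all constructed for the demonstration, and no real file system format (FAT or otherwise) is implemented; the point is the behaviour common to cluster-allocating file systems, namely that writes only touch the bytes of the new file and deletion only drops the table entry.

```python
"""Added example: slack space and unallocated space on a toy cluster disk."""
import re

CLUSTER_SIZE = 16  # constructed: tiny clusters keep the slack visible


class ClusterDisk:
    """A flat byte array split into fixed-size clusters, plus a file table."""

    def __init__(self, n_clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.media = bytearray(n_clusters * cluster_size)
        self.table = {}  # name -> (list of cluster numbers, logical size in bytes)

    def _cluster(self, c):
        start = c * self.cluster_size
        return bytes(self.media[start:start + self.cluster_size])

    def _free_clusters(self):
        used = {c for clusters, _ in self.table.values() for c in clusters}
        return [i for i in range(len(self.media) // self.cluster_size) if i not in used]

    def write_file(self, name, data):
        """Allocate whole clusters and copy the file in. As on a real file system,
        only the file's own bytes are written; the tail of the last cluster (the
        slack) keeps whatever was there before."""
        needed = -(-len(data) // self.cluster_size)  # ceiling division
        free = self._free_clusters()
        if needed > len(free):
            raise OSError("disk full")
        clusters = free[:needed]
        for i, c in enumerate(clusters):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.media[start:start + len(chunk)] = chunk
        self.table[name] = (clusters, len(data))

    def delete_file(self, name):
        """Deletion removes only the table entry; the clusters keep their bytes."""
        del self.table[name]

    def logical_content(self, name):
        """What the operating system shows a normal user: exactly `size` bytes."""
        clusters, size = self.table[name]
        return b"".join(self._cluster(c) for c in clusters)[:size]

    def slack_space(self, name):
        """Bytes allocated to the file but beyond its logical end."""
        clusters, size = self.table[name]
        return b"".join(self._cluster(c) for c in clusters)[size:]

    def unallocated_space(self):
        """Every cluster not owned by any file, read straight from the media."""
        return b"".join(self._cluster(c) for c in self._free_clusters())


def carve(blob, pattern):
    """Keyword carving: printable runs containing `pattern`, independent of the file table."""
    return re.findall(rb"[\x20-\x7e]*" + re.escape(pattern) + rb"[\x20-\x7e]*", blob)


def demo():
    """Constructed scenario: a sensitive note is written and deleted, then a
    shorter innocuous file reuses its first cluster."""
    disk = ClusterDisk(n_clusters=8)
    disk.write_file("notes.txt", b"TRANSFER 50000 TO ACCOUNT 9988 ON FRIDAY")  # 40 bytes, 3 clusters
    disk.delete_file("notes.txt")
    disk.write_file("todo.txt", b"buy milk")  # 8 bytes, reuses cluster 0
    return {
        "logical": disk.logical_content("todo.txt"),          # what the user sees
        "slack": disk.slack_space("todo.txt"),                # remnant of the old note
        "unallocated_hits": carve(disk.unallocated_space(), b"ACCOUNT"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the three views an examiner works with: the logical content `buy milk`, the slack of the same cluster still holding the tail of the old note, and the rest of the deleted note recovered by carving the unallocated clusters. Reading the media through the file table alone would have found none of it.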
o The Rules of Evidence
According to the "Indian Evidence Act 1872," "evidence" means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation to
matters of fact under inquiry; these are called oral evidence.
2. All documents that are produced for the inspection of the court; these are called documentary evidence.
The legal community believes that "electronic evidence" is a new breed of evidence. At times they also
have an apprehension that the law of evidence under the Indian Evidence Act of 1872 may not hold
good for electronic evidence. Some lawyers express doubts and apprehensions about the process of
leading electronic evidence in the courts.
However, this is not true; the traditional principles of leading evidence, along with certain provisions
newly added to the Indian Evidence Act 1872 through the Information Technology Act (ITA)
2000, constitute the body of law applicable to electronic evidence.
There are a number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context: It must be definable in its physical form, that is, it should reside on a specific
piece of media.
2. Logical context: It must be identifiable as to its logical position, that is, where it resides
relative to the file system.
3. Legal context: We must place the evidence in the correct context to read its meaning. This may
require looking at the evidence at the machine level, for example, as American Standard Code for
Information Interchange (ASCII) characters.
Following are some guidelines for the (digital) evidence collection phase:
1. Adhere to your site's security policy and engage the appropriate incident handling and law
enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times. If possible, generate an automatic transcript (e.g., on
Unix systems the "script" program can be used; however, the output file it generates should not be
written to media that is part of the evidence). Notes and printouts should be signed and dated.
4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each
timestamp provided, indicate whether UTC or local time is used (since 1972, over 40 countries
throughout the world have adopted UTC as their official time source).
5. Be prepared to testify (perhaps years later), outlining all actions you took and at what times.
Detailed notes will be vital.
6. Minimize changes to the data as you are collecting it. This is not limited to content changes; avoid
updating file or directory access times.
7. Remove external avenues for change.
8. When confronted with a choice between collection and analysis, do collection first and
analysis later.
9. Needless to say, your procedures should be implementable. As with any aspect of an incident
response policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible,
procedures should be automated for reasons of speed and accuracy. Being methodical always helps.
10. For each device, a systematic approach should be adopted to follow the guidelines laid down in
your collection procedure. Speed will often be critical; therefore, where there are a number of
devices requiring examination, it may be appropriate to spread the work among your team to collect
the evidence in parallel. However, on a single given system collection should be done step by step.
11. Proceed from the volatile to the less volatile; the order of volatility is as follows:
* registers, cache (most volatile, i.e., contents are lost as soon as the power is turned off);
* routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
* temporary file systems;
* disk;
* remote logging and monitoring data that is relevant to the system in question;
* physical configuration and network topology;
* archival media (least volatile, i.e., holds data even after the power is turned off).
12. You should make a bit-level copy of the system's media. For analysis, make a further working copy
from that evidence copy, because your analysis will almost certainly alter file access times. Avoid
doing forensics on the evidence copy itself.
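The following is an added example, not part of the lecture notes, of a small live-collection helper that follows guidelines 3, 4 and 11 above: it runs read-only commands in order of volatility and records, for each artifact, a UTC timestamp, the local-clock offset from UTC, the optional skew of the system clock against a trusted reference, and a SHA-256 digest of the captured output. The command list is an assumed Linux set (`ip`, `ps`, `/proc`), chosen to illustrate the volatility tiers; registers and CPU cache cannot be captured from user space, so the list starts at the kernel and network-state tier. The transcript is kept in memory so that it can be written to examiner-controlled storage and never to the evidence media. Running any command does perturb the system slightly (access times on the binaries), which is the accepted trade-off against losing volatile state.

```python
"""Added example: ordered volatile-data collection with UTC-stamped, hashed transcript."""
import hashlib
import subprocess
from datetime import datetime, timezone

# Order of volatility (guideline 11), most volatile first. Commands are assumed
# Linux utilities; substitute the equivalents for the platform being examined.
VOLATILE_SOURCES = [
    ("routing table", ["ip", "route"]),
    ("arp cache", ["ip", "neigh"]),
    ("process table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("kernel statistics", ["cat", "/proc/stat"]),
    ("memory summary", ["cat", "/proc/meminfo"]),
    ("temporary file system", ["ls", "-la", "/tmp"]),
]


def local_utc_offset_seconds():
    """Offset of the system's local time zone from UTC (guideline 4). Positive
    means local time is ahead of UTC."""
    return datetime.now(timezone.utc).astimezone().utcoffset().total_seconds()


def collect(sources, reference_utc=None, timeout=10):
    """Run each source in the given order and return (header, records).

    `reference_utc` is an aware datetime read from a trusted clock (an assumed
    input supplied by the examiner, e.g. from an NTP-synchronised device) at the
    moment collection starts; if given, the skew of the system clock against it
    is recorded once in the header so every system timestamp can be corrected."""
    started = datetime.now(timezone.utc)
    header = {
        "collection_started_utc": started.isoformat(),
        "local_minus_utc_seconds": local_utc_offset_seconds(),
        "system_clock_skew_seconds": (
            None if reference_utc is None else (started - reference_utc).total_seconds()
        ),
    }
    records = []
    for rank, (label, argv) in enumerate(sources, start=1):
        captured_at = datetime.now(timezone.utc)
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output, status = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing tool must be logged, not silently skipped: the gap in the
            # record is itself something the examiner may have to testify about.
            output, status = b"", f"error: {exc}"
        records.append({
            "volatility_rank": rank,
            "label": label,
            "command": " ".join(argv),
            "captured_at_utc": captured_at.isoformat(),
            "exit_status": status,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "output": output,
        })
    return header, records


def transcript(header, records):
    """Human-readable notes for the examiner's log (guideline 3)."""
    lines = [f"{k}: {v}" for k, v in header.items()]
    for r in records:
        lines.append(
            f"[{r['volatility_rank']}] {r['captured_at_utc']} {r['label']} "
            f"({r['command']}) exit={r['exit_status']} bytes={r['bytes']} sha256={r['sha256']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    hdr, recs = collect(VOLATILE_SOURCES)
    print(transcript(hdr, recs))
```

Each record's hash is taken the moment the output is captured, so a later copy of the transcript can be checked against the notes; the header records both the time-zone offset and, when a trusted reference was available, how far the suspect system's clock was from true UTC, which is what makes its timestamps usable in a timeline.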
❖ Digital Forensics Life Cycle
➢ Digital evidence is present in nearly every crime scene. That is why law enforcement must know
how to recognize, seize, transport and store original digital evidence to preserve it for forensic
examination.
➢ The cardinal rules to remember are that evidence:
1) is admissible;
2) is authentic;
3) is complete;
4) is reliable;
5) is understandable and believable.
Digital forensics process:
➢ The digital forensics process needs to be understood in the legal context starting from preparation of
the evidence to testifying.
➢ Digital forensics evidence consists of exhibits, each consisting of a sequence of bits, presented by
witnesses in a legal matter to help jurors establish the facts of the case and support or refute legal
theories of the case.
➢ The exhibits should be introduced and presented and/or challenged by properly qualified people
using a properly applied methodology that addresses the legal theories at issue.
➢ The tie between the technical issues associated with digital forensics evidence and the legal theories
is the job of "expert witnesses."
➢ Testimony is presented to establish the process used to identify, collect, preserve, transport, store,
analyze, interpret, attribute and/or reconstruct the information contained in the exhibits, and to
establish, to the standard of proof required by the matter at hand, that the evidence reflects a
sequence of events that is asserted to have produced it.
➢ The party offering the evidence must not only produce it but must also establish that it is
relevant and authentic, that it is not excluded as hearsay, that it satisfies the original writing rule or its
legal equivalent, and that it is more probative than prejudicial.
➢ Witnesses to the "chain of custody" need to testify to a number of aspects relating to the evidence; the testimony
would typically include the processes used for creating, handling and introducing the evidence, the
method used for collecting the exhibit (i.e., the evidence artifacts) as well as the manner in which the
exhibit is brought to court.
➢ Non-experts can make statements about evidence to the extent that they can clarify non-scientific
issues by stating what they observed.
The forensics life cycle involves the following phases:
1. Preparation and identification;
2. collection and recording;
3. storing and transporting;
4. examination/investigation;
5. analysis, interpretation and attribution;
6. reporting;
7. testifying.
Fig: Process model for understanding seizure and handling of forensic evidence in the legal framework (labels recoverable from the image: summarize, translate, explain, duplicate evidence, recover data)
The process involves the following activities:
1. Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention,
disclosure and discovery planning, discovery requests.
2. Record: Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: Triage images, data recovery, keyword searches, hidden data review, communicate,
iterate.
4. Report: Oral vs. written, relevant document production, search statistic reports, chain of custody
reporting, case log reporting.
5. Testify: Testimony preparation, presentation preparation, testimony.
1) Preparing for the Evidence and Identifying the Evidence
➢ In order to be processed and applied, evidence must first be identified as evidence.
➢ It can happen that there is an enormous amount of potential evidence available for a legal matter, and
it is also possible that the vast majority of the potential evidence may never get identified.
➢ Consider that every sequence of events within a single computer might cause interactions with files
and the file systems in which they reside, other processes and the programs they are executing and
the files they produce and manage, and log files and audit trails of various sorts.
➢ In a networked environment, this extends to all networked devices, potentially all over the world.
➢ Evidence of an activity that caused digital forensics evidence to come into being might be contained
in a time stamp associated with a different program in a different computer on the other side of the
world that was offset from its usual pattern of behavior by a few microseconds. If the evidence
cannot be identified.
2) Collecting and Recording Digital Evidence
➢ Digital evidence can be collected from many sources.
➢ Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB
memory devices and so on.
➢ Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID
tags and webpages (which must be preserved as they are subject to change).
➢ Special care must be taken when handling computer evidence: most digital information is easily
changed, and once changed it is usually impossible to detect that a change has taken place (or to
revert the data back to its original state) unless other measures have been taken.
➢ For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to
record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later
point in time that the evidence has not been modified since the hash was calculated.
3) Storing and Transporting Digital Evidence
The following are specific practices that have been adopted in the handling of digital evidence:
1. Image computer media using a write-blocking tool to ensure that no data is added to the suspect
device;
2. establish and maintain the chain of custody;
3. document everything that has been done;
4. only use tools and methods that have been tested and evaluated to validate their accuracy and
reliability.
➢ In storage, digital media must be properly maintained for the period of time required for the
purposes of trial.
➢ Storage must be adequately secure to assure proper “chain of custody” and typically, for evidence
areas containing large volumes of evidence, paperwork associated with all actions related to the
evidence must be kept to assure that evidence does not go anywhere without being properly traced.
➢ Sometimes evidence must be transported from place to place. For example, when collected from a
crime scene, the evidence must somehow be moved to a secure location or it may not be properly
preserved through a trial.
➢ Digital forensics evidence can generally be transported by making exact duplicates, at the level of
bits, of the original content. This includes the movement of content over networks, assuming
adequate precautions are taken to assure its integrity during that transportation.
➢ Evidence is often copied and sent electronically, on compact disks or on other media, from place to
place. Original copies are normally kept in a secure location to act as the original evidence that is
introduced into the legal proceedings.
4) Examining/Investigating Digital Evidence
➢ In an investigation in which the owner of the digital evidence has not given consent to have his or
her media examined special care must be taken to ensure that the forensic specialist has the legal
authority to seize, copy and examine the data.
➢ Sometimes authority stems from a search warrant.
➢ Now let us understand the difference between live and dead analysis. After that we explain
"imaging of the media."
➢ Traditionally, computer forensics investigations were performed on data at rest, for example, the
contents of hard drives.
➢ This can be thought of as a "dead analysis." Investigators were told to shut down computer systems
when they were impounded, for fear that digital time bombs might cause data to be erased.
➢ In recent years, there has been an increasing emphasis on performing analysis on live systems. One
reason is that many current attacks against computer systems leave no trace on the computer's hard
drive; the attacker only exploits information in the computer's memory.
➢ The process of creating an exact duplicate of the original evidentiary media is often called imaging.
➢ During imaging, a write protection device or application is normally used to ensure that no
information is introduced onto the evidentiary media during the forensics process.
➢ The imaging process is verified by computing a message digest of the original media and of the image
and confirming that they match; SHA-1 is the algorithm traditionally used, and SHA-256 is now commonly
recorded alongside it because SHA-1 is no longer considered collision resistant.
5) Analysis, Interpretation and Attribution
➢ Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by
most forensics analysts.
➢ In the digital forensics area, there are usually only a finite number of possible event sequences that
could have produced evidence; however, the actual number of possible sequences may be almost
unfathomably large.
➢ Any execution of an instruction by the computing environment containing or generating the
evidence may have an impact on the evidence.
➢ Typical forensics analysis includes a manual review of material on the media; an example of OS-
specific investigation is reviewing the Windows registry.
➢ Through this registry inspection, the investigator's objective is to look for suspect information,
discover and crack passwords, perform keyword searches for topics related to the crime,
and extract e-mail and images for review.
Examples of common digital analysis types include:
6) Reporting
➢ Once the analysis is complete, a report is generated. The report may be in a written form or an oral
testimony or it may be a combination of the two.
➢ After extracting and analyzing the evidence collected, the results may need to be presented before a wide
variety of audience including law enforcement officials, technical experts, legal experts, corporate
management, etc. Depending on the nature of the incident or crime, it may become mandatory to present
the findings in a court of law.
➢ It could be a police investigation or a presentation to appropriate corporate management or it could be an
internal company investigation.
➢ As a result of the findings in this phase, it should be possible to confirm or discard the allegations with
regard to a particular crime or suspected incident.
➢ The presentation of evidence and its analysis, interpretation and attribution have many challenges.
➢ Presentation of the report is more of an art than a science, but there is a substantial amount of scientific
literature on methods of presentation and their impact on those who observe those presentations.
The following are the broad-level elements of the report:
1. identity of the reporting agency;
2. case identifier or submission number;
3. case investigator;
4. identity of the submitter;
5. date of receipt;
6. date of report;
7. descriptive list of items submitted for examination, including serial number, make and model;
8. identity and signature of the examiner;
9. brief description of steps taken during examination, such as string searches, graphics image searches
and recovering erased files;
10. results/conclusions.
7) Testifying
➢ This phase involves presentation and cross-examination of expert witnesses.
➢ Digital forensics evidence is normally introduced by expert witnesses except in cases where non
experts can bring clarity to non-scientific issues by stating what they observed
➢ To the extent that the witness is the custodian of the system or its content, he/she can testify to
matters related to that custodial role as well.
➢ Only an expert witness can address matters based on scientific, technical or other specialized knowledge.
A witness qualified as an expert by knowledge, skill, experience, training or education may testify in
the form of an opinion or otherwise if
(a) the testimony is based on sufficient facts or data,
(b) the testimony is the product of reliable principles and methods, and
(c) the witness has applied the principles and methods reliably to the facts of the case.
Precautions to be taken when collecting electronic evidence
❖ Chain of Custody
➢ It is the central concept in cyber forensics or digital forensics investigation.
➢ It is the chronological written record of those individuals who have had custody of the evidence from its
initial acquisition until its final disposition.
➢ Purpose: The proponent of a piece of evidence must demonstrate that it is what it purports to be.
➢ The chain of custody begins when an item of relevant evidence is collected, and the chain is
maintained until the evidence is disposed of.
➢ It needs continuous accountability, which is important because, if the chain is not properly
maintained, an item of evidence may be inadmissible in court.
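The following is an added example, not part of the lecture notes, that ties together the imaging, hash-verification and chain-of-custody points above: a bit-level copy of a constructed evidence device is taken, its digests are recorded at acquisition, every custody event (acquisition, transfer, working copy) is logged with a UTC timestamp and the hash of the item as handed over, and the log is later checked for integrity. Everything is in memory; the device contents, item identifiers, names and the in-memory "acquisition" stand in for a real write-blocked imaging run, and the SHA-1/SHA-256 pairing follows the notes' mention of SHA-1 with SHA-256 added for the reason given there.

```python
"""Added example: imaging, hash verification and a chain-of-custody log."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def digest(data):
    """SHA-1 (as the notes mention) together with SHA-256."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def image_device(device, block_size=512):
    """Bit-level copy of the whole device, block by block, so slack and
    unallocated space come along. A real acquisition reads through a write blocker."""
    image = bytearray()
    for offset in range(0, len(device), block_size):
        image += device[offset:offset + block_size]
    return bytes(image)


@dataclass
class CustodyEntry:
    when_utc: str
    action: str
    person: str
    sha256: str      # hash of the item as handed over at this step
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    master_image: bytes
    hashes: dict                     # digests recorded at acquisition
    log: list = field(default_factory=list)

    def record(self, action, person, data, note="", when=None):
        """Append a custody event; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(when.isoformat(), action, person,
                             hashlib.sha256(data).hexdigest(), note)
        self.log.append(entry)
        return entry

    def verify(self, data):
        """True if `data` still matches the digests recorded at acquisition."""
        return digest(data) == self.hashes

    def working_copy(self, person):
        """Analysis is done on a copy of the evidence copy (guideline 12)."""
        copy = bytes(self.master_image)
        self.record("working copy made for analysis", person, copy)
        return copy

    def custody_intact(self):
        """Every handover carried the acquisition hash and the log is chronological."""
        hashes_ok = all(e.sha256 == self.hashes["sha256"] for e in self.log)
        times = [e.when_utc for e in self.log]
        return hashes_ok and times == sorted(times)


def acquire(item_id, description, device, examiner, when=None):
    """Image the device, verify the image against the source, open the chain."""
    image = image_device(device)
    item = EvidenceItem(item_id, description, image, digest(device))
    if not item.verify(image):
        raise RuntimeError("image does not match source media")
    item.record("acquired: bit-level image, hash verified against source",
                examiner, image, when=when)
    return item


def demo():
    """Constructed scenario: seize, transfer to the locker, analyse a working copy,
    then check the master image and the chain of custody."""
    device = (b"FAT12   " + b"invoice.doc\x00" + b"\x00" * 1500
              + b"deleted secret" + b"\x00" * 1000)          # constructed device contents
    item = acquire("E-001", "USB pen drive seized from desk", device, "examiner A")
    item.record("transferred to evidence locker", "custodian B", item.master_image)
    work = bytearray(item.working_copy("examiner A"))
    work[0:3] = b"XXX"                  # analysis tooling altered the working copy
    tampered = item.master_image[:-1] + b"\x01"
    return {
        "master_ok": item.verify(item.master_image),
        "working_copy_changed": not item.verify(bytes(work)),
        "tamper_detected": not item.verify(tampered),
        "custody_intact": item.custody_intact(),
        "entries": len(item.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The master image is never analysed directly; the working copy may change freely (and `verify` reports that it has), while the master still matches the acquisition digests and every custody entry carries that same hash. A single altered byte in the master, or a handover logged with a different hash, breaks the verification and the chain respectively, which is exactly the evidence of integrity a court will ask the custodians to testify to.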
❖ Network Forensics
Network forensics is the study of network traffic to search for truth in civil, criminal and
administrative matters, to protect users and resources from exploitation, invasion of privacy and any
other crime fostered by the continual expansion of network connectivity.
• Many security threats are possible through computer networks; therefore "network forensics" is very
important in cybercrime investigation.