mobile forensic.pptx
Mobile FORENSICS
Topics
• Mobile Forensics Fundamentals & Process
• Acquisition & Duplication
• Hashing & Write Protection
• Analyzing & Investigating Deleted Data
• Analyzing Malicious Files
WHAT IS Mobile FORENSICS?
Mobile forensics is an electronic discovery technique used to determine and reveal technical criminal evidence.
Mobile forensics involves the
• Collection (what needs to be investigated),
• Preservation,
• Analysis,
• Documentation, and
• Presentation
of digital evidence stored on a computing device.
Mobile Forensic Process
Mobile Forensics Goals
• Finding legal evidence in computing devices and preserving its integrity in a way that is deemed admissible in a court of law.
• Preserving and recovering evidence following court-accepted technical procedures.
• Identifying data leaks within an organization.
• Assessing possible damage occurring during a data breach.
Why mobile forensics
Threats targeting mobile devices
Mobile hardware and forensics
• Mobile forensics is highly dependent on the underlying hardware of the mobile device.
• Investigators need to take different approaches to mobile forensics depending on the mobile hardware architecture.
• Knowledge of mobile hardware also becomes important in the case of a broken device.
Mobile OS and forensics
Architectural layers of the mobile device environment
Android architecture stack
Android boot process
iOS architecture
iOS boot process
Normal and DFU mode booting
Booting iPhone in DFU mode
Mobile storage and evidence location
What should you do before investigation
Build a forensic workstation
Build the investigation team
Review policies and laws
Mobile phone evidence analysis
Collecting the evidence
Document the scene
Document the evidence
Evidence preservation
Set of switching for on/off mobile phone
Faraday bag
Forensic imaging
Duplication/Cloning
FTK Imager
• https://accessdata.com/product-download/ftk-imager-version-4-5
Bypassing android phone lock
Mobile forensic analysis worksheet
Cybercrime Attack Mode
• Insider attacks (most dangerous)
• External attacks
How Are Computers
Used in Cybercrimes?
• A computing device is used as a weapon to commit a crime.
• Example: Launching denial-of-service (DoS) attacks or sending
• Ransomware
• Gaining unauthorized access
Forensics Investigation Types
• Public investigations: involve law enforcement agencies and are conducted according to country or state law.
• Private (corporate) sector investigations: usually conducted by enterprises to investigate policy violations, litigation disputes, wrongful termination, or leaking of enterprise secrets.
Digital Evidence Types
User-created data includes anything created by a user (human) using a digital device. It includes the following and more:
• Text files (e.g. MS Office documents, IM chat, bookmarks), spreadsheets, databases, and any text stored in digital format,
• Audio and video files,
• Digital images,
• Webcam recordings (digital photos and videos),
• Address book and calendar,
• Hidden and encrypted files (including zipped folders) created by the computer user,
• Previous backups (including both cloud storage backups and offline backups like CD/DVDs and tapes),
• Account details (username, picture, password),
• E-mail messages and attachments (both online and client e-mails such as Outlook),
• Web pages, social media accounts, cloud storage, and any online accounts created by the user.
Challenge of Acquiring Digital Evidence
• Computer protected with a password, access card, or dongle.
• Digital steganography techniques to conceal incriminating data in images, videos, audio files, file systems, and in plain sight (e.g. within an MS Word document).
• Encryption techniques to obscure data, making it unreadable without the password.
• Full disk encryption (FDE) including the system partition (e.g. BitLocker drive encryption).
• Strong passwords to protect a system/volume; cracking them is very time consuming and expensive.
• File renaming and changing extensions (e.g., changing DOCX into DLL, which is a known Windows system file type).
• Attempts to destroy evidence by wiping the hard drive securely using various software tools and techniques.
• Removing history from the web browser upon exit and disabling
• Physically damaged digital media; for example, we cannot retrieve deleted files from a failed HDD before repairing it.
• Sensitivity of digital evidence; if not handled carefully it might be destroyed. Heat, cold, moisture, magnetic fields, and even just dropping the media device can destroy it.
• Easy alteration of digital evidence; for instance, if a computer is ON, you must leave it ON and acquire its volatile memory (if possible), but if the computer is OFF, leave it OFF to avoid changing any data.
• Cybercrimes can cross borders easily through the Internet, making the lack of cyberlaw standardization a major issue in this domain.
• A USB thumb drive that belongs to a suspect, but whose data is fully encrypted and protected with a password: the suspect can deny ownership of the drive, making decryption very difficult to achieve without the correct password/key file.
Who Should Collect Digital Evidence?
• Analytical thinking: the ability to make correlations between different events/facts when investigating a crime.
• Solid background in IT knowledge: wide knowledge of different IT technologies, hardware devices, operating systems, and applications. This does not mean that an investigator should know how each technology works in detail.
• Hacking skills: to solve a crime, you should think like a hacker. Knowing attack techniques and cybersecurity concepts is essential for a successful investigation.
• Understanding of legal issues concerning digital crime investigations.
• Excellent technical skills related to digital forensics, like data recovery and acquisition and writing technical reports.
• Online searching skills and the ability to gather information from publicly available sources (i.e., OSINT).
FIRST RESPONDER TEAM
The first responder is the first person to encounter a crime scene. A first responder has the expertise and skill to deal with the incident. The first responder may be an officer, security personnel, or a member of the IT staff or incident response team.
Roles of the First Responder Team:
1. Identifying the crime scene
2. Protecting the crime scene
3. Preserving temporary and fragile evidence
First Responder Toolkit
• Crime scene tape.
• Stick-on labels and ties.
• Color marker pens.
• Notepad.
• Gloves.
• Magnifying glass.
• Flashlight.
• Sealable bags of mixed size; should be antistatic bags to preserve evidence integrity.
• Camera (can capture both video and images and must be configured to show the date/time when the capture happens).
• Radio frequency-shielding material to prevent some types of seized devices (e.g., smartphones and tablets with SIM cards) from receiving calls or messages (also known as a Faraday shielding bag). This bag will also protect evidence against lightning strikes and electrostatic discharges.
• Bootable CDs.
• Chain of custody forms.
• Secure sanitized external hard drive to store images of any digital exhibits.
• USB hub.
Locations of Electronic
Evidence
• Desktops
• Laptops
• Tablets
• Servers and RAIDs
• Network devices like hubs, switches, modems, routers, and wireless access points
• Internet-enabled devices used in home automation (e.g., AC and smart refrigerator)
• IoT devices
• DVRs and surveillance systems
• MP3 players
• GPS devices
• Smartphones
• Game stations (Xbox, PlayStation, etc.)
• Digital cameras
• Smart cards
• Pagers
• Digital voice recorders
• External hard drives
• Flash/thumb drives
• Printers
• Scanners
Chain of Custody
• What is the digital evidence? (E.g., describe the acquired digital evidence.)
• Where was the digital evidence found? (E.g., computer, tablet, cell phone, etc.; also to be included is the state of the computing device upon acquiring the digital evidence: ON or OFF?)
• How was the digital evidence acquired? (E.g., tools used; you also need to mention the steps taken to preserve the integrity of evidence during the acquisition phase.)
• When was the digital evidence accessed, by whom and for what reason?
• How was the digital evidence used during the investigation?
• How was the digital evidence transported, preserved, and handled?
• How was the digital evidence examined? (E.g., any tools and techniques used.)
Sample Chain of Custody Form
Chain of custody
Acquisition & Duplication
Acquisition
• Acquisition is the process of collecting digital evidence from electronic media.
Duplication
• A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings.
• We define forensic duplication as an image of every accessible bit from the source medium.
Types of Duplication
1. Simple duplication
• Copies selected data: a file, folder, or partition.
2. Forensic duplication
• Every bit on the source is retained,
• including deleted files.
Hashing & Write Protection
Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.
Hash value generation in digital forensics:
• Generally, a hash value is used to check the integrity of any data file, but in digital forensics it is used to check the integrity of the evidence disk data.
• The image of a disk is created in digital forensics for analysis, so it is necessary that the image be an exact replica of the evidence disk.
• The hash value generated during imaging should match the hash recomputed when that image of the evidence disk is later opened for detailed analysis. In digital forensics the hash value is generated for the whole disk data, not only for single or multiple files.
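As an added example (not code from the slides), the following Python script hashes a constructed toy disk image in streaming fashion the way an imaging tool would, re-verifies it against the digests recorded at acquisition, and shows why the digest must cover the whole disk: a change in unallocated space is invisible to a per-file hash. The sector layout, file contents and the `evidence.dd` path are made up for the demonstration.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20   # read 1 MiB at a time so multi-GB images never sit fully in RAM
SECTOR = 512      # the constructed toy image uses three 512-byte sectors


def hash_stream(fobj, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests over every byte of a readable binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(path, acquisition_record):
    """Compare a fresh hash of the image with the digests written on the custody form."""
    current = hash_image(path, tuple(acquisition_record))
    return {name: current[name] == digest.upper()
            for name, digest in acquisition_record.items()}


def build_sample_image(path):
    """Constructed sample: sector 0 boot code, sector 1 a live file, sector 2
    unallocated space that still holds the remnant of a deleted file."""
    boot = b"BOOT".ljust(SECTOR, b"\x00")
    live_file = b"quarterly report - CONFIDENTIAL".ljust(SECTOR, b"\x00")
    unallocated = b"deleted chat log fragment".ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(boot + live_file + unallocated)


def hash_live_file_only(path):
    """What a per-file hash would cover: just the allocated file in sector 1."""
    with open(path, "rb") as f:
        f.seek(SECTOR)
        return hashlib.sha256(f.read(SECTOR)).hexdigest().upper()


def demo():
    """Returns (whole-disk verified before tamper, whole-disk verified after tamper,
    per-file hash still matches after tamper)."""
    img = os.path.join(tempfile.mkdtemp(), "evidence.dd")   # hypothetical image name
    build_sample_image(img)
    record = hash_image(img)                  # digests recorded at acquisition time
    file_digest = hash_live_file_only(img)
    intact = all(verify_image(img, record).values())

    # Tamper with one byte in unallocated space; the live file is untouched.
    with open(img, "r+b") as f:
        f.seek(2 * SECTOR)
        f.write(b"X")

    whole_disk_ok = all(verify_image(img, record).values())
    per_file_ok = hash_live_file_only(img) == file_digest
    return intact, whole_disk_ok, per_file_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True): only the whole-disk hash catches the change
```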
Hashes
HashMyFiles
• https://www.nirsoft.net/utils/hash_my_files.html
Write Protection:
Write protection is any physical mechanism that prevents modification or erasure of valuable data on a device.
Write protection
Analyzing & Investigating Deleted Data
Data recovery is the extraction of data from damaged evidence sources in a forensically sound manner. This method of recovering data means that any evidence resulting from it can later be relied on in a court of law.
Tools for recovering deleted data:
• Disk Drill
• Recuva
• MiniTool Power Data Recovery
• Lazesoft
• https://www.cleverfiles.com/disk-drill-windows.html
Disk Drill
Windows Log Analysis
• In a forensic investigation, Windows Event Logs serve as the primary source of evidence, as the operating system logs every system activity. Windows Event Log analysis can help an investigator draw a timeline based on the logging information and the discovered artefacts. What gets logged depends on the audit features that are turned on, which means that event logging can be turned off by anyone with administrative privileges. From the forensic point of view, the Event Logs capture a lot of data.
• The Windows Event Logs are used in forensics to reconstruct a timeline of events.
• The three main components of the event logs are:
– Application
– System
– Security
• On Windows, the logs are saved under %SystemRoot%\System32\winevt\Logs.
• When the maximum log size is reached, the configured retention policy applies:
– Overwrite the oldest events,
– Archive the log when full, or
– Do not overwrite events (the log must then be cleared manually).
The type of events that are recorded can be any occurrence that affects the system:
• An incorrect login attempt,
• A hack, breach, or system settings modification,
• An application failure,
• A system failure, etc.
All these events are logged under %SystemRoot%\System32\winevt\Logs.
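As an added example (not from the slides), this Python script rebuilds a timeline from a CSV export of the Security and System logs and flags the two things the section warns about: repeated incorrect login attempts, and an administrator switching the logging off (audit policy changed, audit log cleared). The CSV rows are constructed for the demonstration; the column layout is an assumption, as real exports carry many more fields.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; rows are deliberately out of order to show the sort step.
SAMPLE_CSV = """Time,EventID,Channel,Account,Description
2024-03-01 08:01:10,4624,Security,alice,An account was successfully logged on
2024-03-01 09:40:51,4625,Security,bob,An account failed to log on
2024-03-01 09:41:03,4625,Security,bob,An account failed to log on
2024-03-01 09:41:15,4625,Security,bob,An account failed to log on
2024-03-01 09:42:30,4624,Security,bob,An account was successfully logged on
2024-03-01 09:50:00,4719,Security,bob,System audit policy was changed
2024-03-01 09:55:12,1102,Security,bob,The audit log was cleared
2024-03-01 07:58:00,6005,System,-,The Event log service was started
"""

# Well-known Windows event IDs that indicate logging itself was tampered with.
ANTI_FORENSIC_IDS = {1102: "audit log cleared", 4719: "system audit policy changed"}


def build_timeline(csv_text):
    """Parse the export and return events sorted by timestamp (the forensic timeline)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["Time"] = datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S")
        r["EventID"] = int(r["EventID"])
    return sorted(rows, key=lambda r: r["Time"])


def find_findings(timeline, fail_threshold=3):
    """Walk the timeline once and report suspicious sequences as strings."""
    findings = []
    failed = {}   # account -> consecutive failed logons (4625) seen so far
    for ev in timeline:
        acct, eid = ev["Account"], ev["EventID"]
        stamp = ev["Time"].strftime("%Y-%m-%d %H:%M:%S")
        if eid == 4625:
            failed[acct] = failed.get(acct, 0) + 1
        elif eid == 4624:
            # a success after a run of failures is worth a closer look
            n = failed.pop(acct, 0)
            if n >= fail_threshold:
                findings.append(f"{stamp} {acct}: {n} failed logons followed by success")
        if eid in ANTI_FORENSIC_IDS:
            findings.append(f"{stamp} {acct}: {ANTI_FORENSIC_IDS[eid]} (EventID {eid})")
    return findings


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_CSV)
    for ev in tl:
        print(ev["Time"], ev["Channel"], ev["EventID"], ev["Account"], ev["Description"])
    print("\n".join(find_findings(tl)))
```

Events after a 1102 entry are all that survive in the cleared log, so the clear itself becomes the anchor for what is missing from the timeline.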
Full Event Log View
• https://www.nirsoft.net/utils/full_event_log_view.html#:~:text=FullEventLogView%20is%20a%20simple%20tool,network%2C%20and%20events%20stored%20in%20.
Linux Log analysis
Kali Linux Password Reset
1. Boot your Kali system and wait for the GNU GRUB page to appear.
2. On the GNU GRUB page select the "Advanced options for Kali GNU/Linux" entry with the down arrow key and press Enter.
3. Now select the second entry, the recovery mode option, and press the E key to edit the recovery mode entry of Kali Linux.
4. To modify it, change read-only mode (ro) to rw (write mode) and add init=/bin/bash as in the screenshot below, then press F10 to reboot Kali Linux.
5. After rebooting the Kali Linux system, it will bring you to the screen below to reset the Kali Linux password.
• To reset the root password of the Kali Linux system, simply type "passwd" and hit Enter. Then type the new password twice for the root user. After successfully resetting the lost Kali Linux password, you will see the success message "password updated successfully". Then reboot the system with reboot -f and log in with the newly changed root password.
Investigation of fake IP
Analyzing malicious File