Introduction to Cyber Security
SWETA KUMARI BARNWAL 1
CYBER FORENSICS AND AUDITING
Topics Covered: Introduction to Cyber Forensics; Computer Equipment and associated storage media; Role of the Forensics Investigator; Forensics Investigation Process; Collecting Network-based Evidence; Writing Computer Forensics Reports; Auditing; Planning an audit against a set of audit criteria; Information Security Management; System Management; Introduction to ISO 27001:2013.
CYBER FORENSIC
Cyber forensics is the investigation, gathering and analysis of information from a computer device so that it can be turned into evidence that can be presented in court regarding the crime in question. A very important part of the investigation is making a digital copy (an image) of the device's storage media and analysing that copy, so that the original device is not altered accidentally during the process. Its main application is in fighting serious online crimes such as hacking and denial of service (DoS) attacks. The evidence that gives investigators the upper hand in any crime scene involving a computer device, even remotely, can take the form of browsing history, email logs or any other digital footprint left by the criminal.
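The imaging step described above, as an added example that is not code from the original notes: the acquisition copies the source to a working image, hashes the source and the image with SHA-256 before and after the copy, and records each custody step. The file names, the stand-in "device" file and the examiner names are constructed assumptions.

```python
"""Forensic acquisition with hash verification and a chain-of-custody log.

Added example, not code from the original notes. Assumptions (not on the page):
the 'device' is an ordinary file standing in for a block device, SHA-256 is the
integrity hash, and the custody record is an in-memory list of dict entries.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB pieces so large images do not fill RAM


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image_path, custody_log, examiner):
    """Copy the source bit for bit, then prove the copy matches and the source is unchanged.

    Returns (verified, sha256). The source is only ever opened read-only; all later
    analysis happens on the image so the original device is never touched again.
    """
    hash_before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    hash_after = sha256_of(source)      # re-hash: acquisition must not alter the original
    image_hash = sha256_of(image_path)
    verified = hash_before == hash_after == image_hash
    custody_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "sha256": image_hash,
        "verified": verified,
    })
    return verified, image_hash


def verify_image(image_path, expected_sha256, custody_log, examiner):
    """Later custody step: confirm the working copy still matches the recorded hash."""
    ok = sha256_of(image_path) == expected_sha256
    custody_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": "verify",
        "examiner": examiner,
        "image": image_path,
        "sha256": expected_sha256,
        "verified": ok,
    })
    return ok


def demo():
    """Constructed scenario: acquire a small stand-in device, then detect tampering.

    Returns (acquisition_verified, reverify_ok_after_tamper, custody_entries).
    """
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.bin")        # constructed stand-in for a disk
    image = os.path.join(workdir, "evidence-001.dd")    # constructed tag number
    with open(source, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE EVIDENCE" + b"\xff" * 4096)

    custody = []
    verified, digest = acquire_image(source, image, custody, "examiner-A")

    # Simulate an accidental write to the working copy; re-verification must fail,
    # which is the signal that tells the examiner the copy can no longer be trusted.
    with open(image, "r+b") as fh:
        fh.seek(10)
        fh.write(b"X")
    still_ok = verify_image(image, digest, custody, "examiner-B")
    return verified, still_ok, len(custody)


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Hashing the source twice (before and after the copy) is what lets the report state that the original was not modified by the acquisition itself; the second custody entry shows how a later examiner detects that a working copy has drifted from the recorded hash.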
Role of forensics Investigator
The role of a forensic computer analyst is to investigate criminal incidents and data breaches.
These forensic analysts often work for the police, law enforcement agencies, government,
private, or other forensic companies. They use specialized tools and techniques to retrieve,
analyze, and store data linked to criminal activity like a breach, fraud, network intrusions,
illegal usage, unauthorized access, or terrorist communication.
Employers look for certified forensic investigators with key digital forensic skills, including:
• Defeating anti-forensic techniques
• Understanding hard disks and file systems
• Operating system forensics
• Cloud forensics
• Investigating email crimes
• Mobile device forensics
A Computer Forensics Investigator or Forensic Analyst is a specially trained professional who works with law enforcement agencies, as well as private firms, to retrieve information from computers and other data storage devices. Equipment is often damaged externally, or corrupted internally by hacking or viruses. The Forensic Analyst is best known for working within law enforcement; however, he or she can also be tasked with testing the security of a private company's information systems. The Analyst should have an excellent working knowledge of all aspects of the computer, including but not limited to hard drives, networking and encryption. Patience and the willingness to work long hours are qualities well suited to this position.
During criminal investigations, an Analyst recovers and examines data from computers and other electronic storage devices in order to use the data as evidence in criminal prosecutions. When equipment is damaged, the Analyst must dismantle and rebuild the system in order to recover lost data. Following data retrieval, the Analyst writes technical reports detailing how the computer evidence was discovered and all of the steps taken during the retrieval process. The Analyst also gives testimony in court regarding the evidence he or she collected. The Analyst keeps current on new methodologies and forensic technology, and trains law enforcement officers on proper procedure with regard to computer evidence.
Forensics Investigation Process
For those working in the field, there are five critical steps in computer forensics, all of which
contribute to a thorough and revealing investigation.
▪ Policy and Procedure Development.
▪ Evidence Assessment.
▪ Evidence Acquisition.
▪ Evidence Examination.
▪ Documenting and Reporting.
This model was the foundation for later enhancements because it was consistent and standardized; its phases are Identification, Preservation, Collection, Examination, Analysis and Presentation (with Decision sometimes added as a pseudo-step). Each phase consists of candidate techniques or methods.
There are seven steps in processing the scene of a forensic case:
• secure the scene;
• separate the witnesses;
• scan the scene;
• see the scene (take photographs);
• sketch the scene;
• search for evidence;
• secure the collected evidence.
➢ How long does a forensic investigation take?
15 to 35 hours
➢ How many steps are there in digital forensics?
Three steps
➢ What are the types of evidence at a crime scene?
Real evidence, demonstrative evidence, documentary evidence and testimonial evidence.
Collecting Network based Evidence
Network-based evidence is also useful when examining host evidence, as it provides a second source of event corroboration, which is extremely useful in determining the root cause of an incident. The ability to acquire network-based evidence depends largely on the preparations undertaken by an organization before an incident. Without some critical components of a proper infrastructure security program, key pieces of evidence will not be available to incident responders in a timely manner, and evidence may be lost while the CSIRT members hunt down critical pieces of information. In terms of preparation, organizations can aid the CSIRT by having proper network documentation, up-to-date configurations of network devices and a central log management solution in place.
Network forensics is the process of capturing, recording and analysing network events in order to identify the origin of security attacks and other problems. It helps in identifying unauthorized access to a computer system and in searching for evidence of such occurrences. Network forensics can investigate at the network level as well as the events that take place across an IT system. It rests on three capabilities:
• intrusion detection,
• logging, and
• correlating intrusion detection with logging.
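Correlating intrusion detection with logging, as an added example that is not part of the original notes: IDS alerts and firewall records from a central log store are parsed and matched on flow (source, destination, port) within a time window, so each alert is marked as corroborated by a second source or as standing on the IDS alone. The log line formats, host names and addresses are constructed for the example; real sensors have their own formats, so the two regular expressions are the part to adapt.

```python
"""Correlating IDS alerts with firewall logs from a central log store.

Added example, not code from the original notes. The line formats, host names and
addresses below are constructed (RFC 5737 documentation ranges); real sensors use
their own formats, so the two regexes are the part you would adapt.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed IDS alert lines (syslog-style, UTC timestamps).
IDS_ALERTS = """\
2024-03-01T10:15:02Z ids01 ALERT sig="Inbound SSH scan" src=203.0.113.7 dst=10.0.0.5 dpt=22
2024-03-01T10:20:45Z ids01 ALERT sig="Suspicious HTTP upload" src=198.51.100.23 dst=10.0.0.8 dpt=443
2024-03-01T11:02:10Z ids01 ALERT sig="RDP brute force" src=192.0.2.99 dst=10.0.0.5 dpt=3389
""".splitlines()

# Constructed firewall lines; the last one is deliberately malformed.
FIREWALL_LOG = """\
2024-03-01T10:15:01Z fw01 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22
2024-03-01T10:15:03Z fw01 DENY TCP 203.0.113.7:51235 -> 10.0.0.5:22
2024-03-01T10:20:44Z fw01 ALLOW TCP 198.51.100.23:40211 -> 10.0.0.8:443
2024-03-01T10:30:00Z fw01 ALLOW TCP 10.0.0.5:55000 -> 10.0.0.8:443
fw01 restarted, log buffer lost
""".splitlines()

IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$')
FW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$')


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(lines, pattern):
    """Parse every line that matches; lines in other formats are skipped, not fatal."""
    records = []
    for line in lines:
        match = pattern.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            records.append(rec)
    return records


def correlate(alerts, fw_events, window=timedelta(seconds=30)):
    """Attach to each alert the firewall events for the same flow within +/- window.

    An alert with no firewall record is not wrong, but it rests on one source only,
    which is the situation the notes warn about when central logging is missing.
    """
    results = []
    for alert in alerts:
        matches = [
            fw for fw in fw_events
            if fw["src"] == alert["src"] and fw["dst"] == alert["dst"]
            and fw["dpt"] == alert["dpt"] and abs(fw["ts"] - alert["ts"]) <= window
        ]
        results.append({"alert": alert, "firewall": matches, "corroborated": bool(matches)})
    return results


def timeline(results):
    """Flatten alerts and their corroborating events into one time-ordered list."""
    events = []
    for r in results:
        events.append((r["alert"]["ts"], "ids", r["alert"]["sig"]))
        for fw in r["firewall"]:
            events.append((fw["ts"], "fw", f"{fw['action']} {fw['src']}->{fw['dst']}:{fw['dpt']}"))
    return sorted(events)


def demo():
    return correlate(parse(IDS_ALERTS, IDS_RE), parse(FIREWALL_LOG, FW_RE))


if __name__ == "__main__":
    for r in demo():
        status = "corroborated" if r["corroborated"] else "IDS only"
        print(f"{r['alert']['ts']:%H:%M:%S} {r['alert']['sig']:<24} {status} ({len(r['firewall'])} fw events)")
```

The third alert has no matching firewall record because the constructed firewall log stops before it; in a real case that gap is itself a finding to document, and a wide time window (here 30 seconds) is only safe when the sensors are synchronised to the same clock.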
Network-based digital evidence is digital evidence that arises as a product of communications over a network. The primary and secondary storage media of computers (such as RAM and hard drives) tend to be productive sources for forensic analysis and investigation: because data is stored in fragments, persistent storage can retain forensically recoverable evidence for hours, days and even years beyond file deletion and storage reuse. Network-based digital evidence, by contrast, can be exceedingly volatile. Within milliseconds, packets move across the wire and disappear from the switches, and web sites change depending on when and where they are viewed.
Challenges relating to Network-based Digital Evidence
Network-based evidence presents specific challenges in several areas; some of the most common are as follows:
Acquisition: Finding or locating specific evidence in a network environment can be hard. There are multiple sources of evidence, from wireless access points to web proxies to central log servers, which often makes it difficult to pinpoint the exact location of a piece of evidence. Even when we know what the evidence is and where it resides, obtaining access to it can be complicated by political or technical reasons.
Content: Unlike filesystems, which are designed to contain the full contents of files and their metadata, network devices may or may not store evidence with the desired level of granularity. The storage capacity of network devices is often very limited. Most of the time only selected metadata about a transfer or transaction is retained, rather than a full record of the data that traversed the network.
Storage: Secondary or persistent storage is usually not built into network devices. As a consequence, the data held on such a device is volatile and may not survive a reset.
Privacy: Depending on the jurisdiction, legal issues could arise, including personal privacy issues that are unique to network-based acquisition techniques.
Seizure: Seizing a hard drive can cause trouble and disruption to an individual or organization. However, a copy of the original hard drive can be made and deployed so that critical operations can continue with limited disturbance. Seizure of a network device is usually far more disruptive; in the most serious cases an entire network segment may be brought down perpetually. In most circumstances, investigators have ways to minimize the impact on network operations.
Admissibility: Filesystem-based evidence is admitted consistently in both criminal and civil proceedings. As long as the filesystem-based evidence is relevant to the case, lawfully acquired and properly handled, there is a clear precedent for validating or verifying the evidence and admitting it in court. Network forensics, by contrast, is one of the newest approaches to digital investigation, and there are often conflicting or even non-existent legal precedents for the admission of various types of network-based digital evidence. With time, network-based digital evidence may become more widespread and the case precedents will be set and standardized.
Writing Computer Forensics Reports
The main goal of computer forensics is to perform a structured investigation on a computing device to find out what happened, or who was responsible for what happened, while maintaining a properly documented chain of evidence in a formal report. The template of a computer forensic report is as follows:
1. Executive Summary:
The Executive Summary section of a computer forensics report provides the background conditions that created the need for an investigation. The Executive Summary (or Translation Summary) is read by senior management, who do not read the detailed report, so it must contain a short description, the essential details and the important pointers; it should be about one page long. The Executive Summary consists of the following:
• An account of who authorized the forensic examination.
• A short list of the significant evidence.
• An explanation of why a forensic examination of the computing device was necessary.
• A signature block for the examiners who performed the work.
• The full, legitimate and proper names of all people related to or involved in the case, their job titles, and the dates of initial contact or communication.
2. Objectives:
The Objectives section outlines all the tasks the investigation planned to complete. In some cases the forensic examination may not be a full-fledged investigation when reviewing the contents of media. The prepared task list must be discussed with and approved by legal counsel, decision makers and the client before any forensic analysis begins. The list should state the tasks undertaken, the method the examiner used for each task, and the status of each task at the end of the report.
3. Computer Evidence Analyzed:
The Computer Evidence Analyzed section introduces all the evidence gathered and its interpretation. It provides detailed information on the assignment of evidence tag numbers, the description of each item of evidence and the media serial numbers.
4. Relevant Findings:
The Relevant Findings section summarizes the evidence found and its probative value. When a match is found between forensic material recovered from a crime scene (e.g. a fingerprint, a strand of hair, a shoe print) and a reference sample provided by a suspect in the case, the match is widely considered strong evidence that the suspect is the source of the recovered material. However, the probative value of evidence can vary widely depending on the way in which the evidence is characterized and on the hypothesis of interest. This section answers questions such as "What related objects or items were found during the investigation of the case?".
5. Supporting Details:
Supporting Details is the section where the in-depth analysis of the relevant findings is presented; it explains how the conclusions outlined in Relevant Findings were reached. It contains a table of vital files with their full path names, the results of string searches, the emails and URLs reviewed, the number of files reviewed and any other relevant data. All tasks undertaken to meet the objectives are outlined here. Supporting Details focuses on technical depth and includes charts, tables and illustrations, as these convey much more than written text. To meet the outlined objectives, many subsections are also included, which makes this the longest section of the report. It starts by giving background details of the media analyzed. Reporting the number of files reviewed and the size of the hard drive in human-understandable terms is not easy, but the client must know how much data you had to review to arrive at a conclusion.
6. Investigative Leads:
The Investigative Leads section lists action items that could help discover additional information related to the investigation of the case; the investigators perform these outstanding tasks if more time is available. This section is very important to law enforcement, because it suggests the extra tasks that would uncover the information needed to move the case forward, e.g. finding out whether there are any firewall logs that date far enough into the past to give an accurate picture of any attacks that might have taken place. It is equally important for a hired forensic consultant.
7. Additional Subsections:
Various additional subsections can be included in a forensic report, depending on the client's wants and needs. The following subsections are useful in specific cases:
• Attacker Methodology –
Additional briefing to help the reader understand the general or exact attacks performed. This section is useful in computer intrusion cases: it examines how the attacks were carried out and what the traces of those attacks look like in standard logs.
• User Applications –
This section discusses the relevant applications installed on the media analyzed, because in many cases the applications present on a system are very relevant. If you are investigating a system used by an attacker, give the section a title such as Cyber Attack Tools.
• Internet Activity –
The Internet Activity or Web Browsing History section gives the web surfing history of the user of the media analyzed. The browsing history is also useful for suggesting intent, for example downloads of malicious tools, online research, or downloads of secure-deletion or evidence-removal programs that wipe file slack, unallocated space and temporary files, which often harbour evidence very important to an investigation.
• Recommendations –
This section gives recommendations that posture the client to be better prepared and trained for the next computer security incident. Host-based, network-based and procedural countermeasures are given to the client to reduce or eliminate the risk of a future security incident.
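Sections 3 (Computer Evidence Analyzed) and 5 (Supporting Details) of the template above are the ones most naturally produced from collected data rather than typed by hand. The following is an added example, not from the original notes: it inventories a mounted image, assigns evidence tag numbers with SHA-256 hashes, runs the string searches, counts the files reviewed and renders those two sections as text. The directory tree, file contents, tag scheme and case identifiers are constructed placeholders.

```python
"""Building the 'Computer Evidence Analyzed' and 'Supporting Details' sections.

Added example, not code from the original notes. It assumes the evidence image has
been mounted read-only at some directory (here a constructed temp tree), that evidence
tags are sequential 'EV-nnn' numbers, and that the case identifiers are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path


def list_files(root):
    """All regular files under root, in a stable (sorted) order so tags are reproducible."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file())


def inventory_evidence(root, prefix="EV"):
    """Assign each file a tag number and record path, size and SHA-256 for the evidence table."""
    items = []
    for n, path in enumerate(list_files(root), start=1):
        data = path.read_bytes()
        items.append({
            "tag": f"{prefix}-{n:03d}",
            "path": str(path.relative_to(root)),   # full path relative to the image root
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return items


def string_search(root, keywords):
    """Case-insensitive keyword search over file contents; returns {keyword: [paths]}."""
    hits = {k: [] for k in keywords}
    for path in list_files(root):
        content = path.read_bytes().lower()
        for k in keywords:
            if k.lower().encode() in content:
                hits[k].append(str(path.relative_to(root)))
    return hits


def render_report(case, items, hits):
    """Plain-text rendering of report sections 3 and 5 from the collected data."""
    lines = [
        f"Case: {case['id']}    Examiner: {case['examiner']}",
        "",
        "3. Computer Evidence Analyzed",
        f"Media: {case['media']}    Serial: {case['serial']}",
        f"{'Tag':<8} {'SHA-256 (first 16)':<18} {'Size':>8}  Path",
    ]
    for it in items:
        lines.append(f"{it['tag']:<8} {it['sha256'][:16]:<18} {it['size']:>8}  {it['path']}")
    lines += [
        "",
        "5. Supporting Details",
        f"Files reviewed: {len(items)} ({sum(it['size'] for it in items)} bytes in total)",
        "String search results:",
    ]
    for k, paths in hits.items():
        lines.append(f"  {k!r}: {len(paths)} hit(s)" + (": " + ", ".join(paths) if paths else ""))
    return "\n".join(lines)


def demo():
    """Constructed evidence tree with three files; returns (items, hits, report_text)."""
    root = Path(tempfile.mkdtemp())
    (root / "Documents").mkdir()
    (root / "Downloads").mkdir()
    (root / "Documents" / "notes.txt").write_text("meeting about the Q3 invoices\n")
    (root / "Documents" / "transfer.csv").write_text(
        "date,amount,account\n2024-03-01,9800,ACME-OFFSHORE\n")
    (root / "Downloads" / "setup.log").write_text("installer finished ok\n")

    case = {  # placeholders, not values from any real case
        "id": "CASE-PLACEHOLDER",
        "examiner": "examiner-A",
        "media": "2.5in SATA SSD (constructed)",
        "serial": "SERIAL-PLACEHOLDER",
    }
    items = inventory_evidence(root)
    hits = string_search(root, ["invoice", "offshore", "wallet"])
    return items, hits, render_report(case, items, hits)


if __name__ == "__main__":
    print(demo()[2])
```

Keeping the tag order tied to a sorted listing means a second examiner running the same inventory over the same image gets the same tag numbers and hashes, which is what makes the evidence table reproducible in court.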
AUDITING
Forensic auditing has taken on an important role in both private and public organizations since the dawn of the 21st century, especially in the advanced economies. The failure of some formerly prominent public companies such as Enron and WorldCom (MCI Inc.) in the late 1990s, coupled with the terrorist attacks of September 11, 2001, fueled the prominence of forensic auditing/accounting, creating a new, important and lucrative specialty. Forensic auditing procedures target mostly financial and operational fraud, the discovery of hidden assets, and adherence to federal regulations. In forensic auditing, specific procedures are carried out in order to produce evidence. Audit techniques and procedures are used to identify and gather evidence to prove, for example, how long fraudulent activities have existed and been carried out in the organization, and how they were conducted and concealed by the perpetrators. Evidence may also be gathered to support other issues which would be relevant in the event of a court case.
Key elements of forensic auditing:
• Forensic audit thinking, in other words thinking forensically;
• Forensic audit procedures, both proactive and reactive;
• Appropriate use of technology and data analysis.
Thinking forensically involves the critical assessment, throughout the audit, of all evidential matter and maintaining a higher degree of professional skepticism that, for example, fraud or financial irregularity may have occurred, is occurring, or will occur in the future. Furthermore, forensic thinking is a mind shift in which the auditor believes that the possibility of fraud or financial irregularity may exist and that controls may be overridden to accomplish it. Forensic thinking is used throughout the audit work, i.e. from start to finish.
FORENSIC AUDIT PROCESS
Forensic audit procedures are more specific and geared toward detecting possible material misstatements in financial statements resulting from fraudulent activities or error. Audit procedures should align with fraud risks and fraud risk assessments. In his proposition of the "Fraud Triangle", Donald R. Cressey highlighted three interrelated elements that enable someone to commit fraud: the Motive that drives a person to want to commit the fraud, the Opportunity that enables him to commit it, and the ability to Rationalise the fraudulent behaviour. Fraud risk is the vulnerability an organisation has to those capable of overcoming all three elements of the fraud triangle. Fraud risk can come from sources both internal and external to the organisation.
Information Security Management System (ISMS)
Information security management describes the set of policies and procedural controls that IT
and business organizations implement to secure their informational assets against threats and
vulnerabilities. Responsibility for information security may be assigned to a Chief Security
Officer, Chief Technical Officer, or to an IT Operations manager whose team includes IT
operators and security analysts. Many organizations develop a formal, documented process for
managing InfoSec - often called an Information Security Management System, or ISMS.
An information security management system (ISMS) is a framework of policies and controls that manages information security and its risks systematically across the entire enterprise. These security controls can follow common security standards or be more focused on your industry.
An ISMS is designed to establish holistic information security management capabilities; digital transformation requires organizations to continually improve and evolve their security policies and controls.
The structure and boundaries defined by an ISMS may apply only for a limited time frame, and the workforce may struggle to adopt them in the initial stages. The challenge for organizations is to evolve these security control mechanisms as their risks, culture and resources change.
Introduction to ISO 27001:2013
ISO 27001 is the international standard for information security. It sets out the specification for an information security management system (ISMS). The standard's best-practice approach helps organisations manage their information security by addressing people, processes and technology. Certification to ISO 27001 is recognised worldwide as an indication that your ISMS is aligned with information security best practice.
Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that
helps organisations “establish, implement, operate, monitor, review, maintain and continually
improve an ISMS”.
An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA)
of corporate information assets.
It consists of policies, procedures and other controls involving people, processes and
technology.
Informed by regular information security risk assessments, an ISMS is an efficient, risk-based
and technology-neutral approach to keeping your information assets secure.
According to ISO 27001, ISMS implementation follows a Plan-Do-Check-Act (PDCA) model for continuous improvement of ISM processes:
Plan. Identify the problems and collect the information needed to evaluate security risk. Define the policies and processes that address the root causes of the problems. Develop methods to establish continuous improvement of information security management capabilities.
Do. Implement the devised security policies and procedures. The implementation follows the ISO standard, but the actual implementation depends on the resources available to your company.
Check. Monitor the effectiveness of the ISMS policies and controls. Evaluate tangible outcomes as well as the behavioural aspects associated with the ISM processes.
Act. Focus on continuous improvement. Document the results, share knowledge, and use a feedback loop to drive future iterations of the PDCA model for ISMS policies and controls.

 
Computer Network-Data Link Layer-Module-2.pdf
Computer Network-Data Link Layer-Module-2.pdfComputer Network-Data Link Layer-Module-2.pdf
Computer Network-Data Link Layer-Module-2.pdf
 
Sensors in Different Applications Area.pdf
Sensors in Different Applications Area.pdfSensors in Different Applications Area.pdf
Sensors in Different Applications Area.pdf
 
Sensor technology module-3-interface electronic circuits
Sensor technology module-3-interface electronic circuitsSensor technology module-3-interface electronic circuits
Sensor technology module-3-interface electronic circuits
 
Sensors fundamentals and characteristics, physical principle of sensing
Sensors fundamentals and characteristics, physical principle of sensingSensors fundamentals and characteristics, physical principle of sensing
Sensors fundamentals and characteristics, physical principle of sensing
 
Logic gates
Logic gatesLogic gates
Logic gates
 
Basic computer system
Basic computer systemBasic computer system
Basic computer system
 
Features of windows
Features of windowsFeatures of windows
Features of windows
 
Operating system and services
Operating system and servicesOperating system and services
Operating system and services
 
Introduction to computers
Introduction to computersIntroduction to computers
Introduction to computers
 
Application Layer
Application LayerApplication Layer
Application Layer
 
Network Layer & Transport Layer
Network Layer & Transport LayerNetwork Layer & Transport Layer
Network Layer & Transport Layer
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
Module 3-cloud computing
Module 3-cloud computingModule 3-cloud computing
Module 3-cloud computing
 
Virtualization - cloud computing
Virtualization - cloud computingVirtualization - cloud computing
Virtualization - cloud computing
 
Process improvement & service oriented software engineering
Process improvement & service oriented software engineeringProcess improvement & service oriented software engineering
Process improvement & service oriented software engineering
 
Introduction to computers i
Introduction to computers iIntroduction to computers i
Introduction to computers i
 

Recently uploaded

Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxsqpmdrvczh
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayMakMakNepo
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 

Recently uploaded (20)

Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up Friday
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 

Cyber forensics and auditing

Introduction to Cyber Security SWETA KUMARI BARNWAL

CYBER FORENSICS AND AUDITING

Topics Covered: Introduction to Cyber Forensics, Computer Equipment and associated storage media, Role of forensics Investigator, Forensics Investigation Process, Collecting Network based Evidence, Writing Computer Forensics Reports, Auditing, Plan an audit against a set of audit criteria, Information Security Management, System Management, Introduction to ISO 27001:2013

CYBER FORENSIC

Cyber forensics is the investigating, gathering and analysing of information from a computer device, which can then be turned into hard proof to be presented in court regarding the crime in question. A very important aspect of the investigation is making a digital copy (an image) of the computer's storage media and analysing the copy, so that the device itself does not get altered accidentally during the process. It finds its application mainly in fighting vicious online crimes like hacking and DOS (denial of service) attacks. The proof that gives investigators the upper hand in any crime scene even remotely involving a computer device can be in the form of browsing history, email logs or any other digital footprint of the criminal.

Role of forensics Investigator

The role of a forensic computer analyst is to investigate criminal incidents and data breaches. These forensic analysts often work for the police, law enforcement agencies, government, private or other forensic companies. They use specialized tools and techniques to retrieve, analyze and store data linked to criminal activity such as a breach, fraud, network intrusions, illegal usage, unauthorized access or terrorist communication.

Employers look for certified forensic investigators with key digital forensic skills, including:
• Defeating anti-forensic techniques
• Understanding hard disks and file systems
• Operating system forensics
• Cloud forensics in a cloud environment
• Investigating email crimes
• Mobile device forensics

A Computer Forensics Investigator or Forensic Analyst is a specially trained professional who works with law enforcement agencies, as well as private firms, to retrieve information from computers and other types of data storage devices. Equipment can often be damaged externally, or internally corrupted by hacking or viruses. The Forensic Analyst is best known for working within the law enforcement industry; however, he or she can also be tasked to test the security of a private company's information systems. The Analyst should have an excellent working knowledge of all aspects of the computer, including but not limited to hard drives, networking and encryption. Patience and the willingness to work long hours are qualities well suited to this position.

During criminal investigations, an Analyst recovers and examines data from computers and other electronic storage devices in order to use the data as evidence in criminal prosecutions. When equipment is damaged, the Analyst must dismantle and rebuild the system in order to recover lost data. Following data retrieval, the Analyst writes up technical reports detailing how the computer evidence was discovered and all of the steps taken during the retrieval process. The Analyst also gives testimony in court regarding the evidence he or she collected. The Analyst keeps current on new methodologies and forensic technology, and trains law enforcement officers on proper procedure with regard to computer evidence.

Forensics Investigation Process

For those working in the field, there are five critical steps in computer forensics, all of which contribute to a thorough and revealing investigation:
▪ Policy and Procedure Development
▪ Evidence Assessment
▪ Evidence Acquisition
▪ Evidence Examination
▪ Documenting and Reporting

This model was the foundation for later enhancements because it was consistent and standardized; its phases are Identification, Preservation, Collection, Examination, Analysis and Presentation (with Decision as a pseudo additional step). Each phase consists of a number of candidate techniques or methods.

There are seven steps in identifying and analysing a forensic case:
• secure the scene
• separate the witnesses
• scan the scene
• see the scene (take photographs)
• sketch the scene
• search for evidence
• secure the collected evidence

➢ How long does a forensic investigation take? 15 to 35 hours
➢ How many steps are there in digital forensics? Three steps
➢ What are the types of evidence at a crime scene? Real evidence, demonstrative evidence, documentary evidence and testimonial evidence

Collecting Network based Evidence

Network-based evidence is also useful when examining host evidence, as it provides a second source of event corroboration, which is extremely useful in determining the root cause of an incident. The ability to acquire network-based evidence is largely dependent on the preparations undertaken by an organization prior to an incident.
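The Evidence Acquisition step above, producing a verified bit-for-bit copy so the original device is never altered, as an added example that is not part of the original notes. It is Python; the "device" is a constructed sample file in a temporary directory, and the evidence tag, media serial and examiner values are placeholders.

```python
"""Verified bit-for-bit acquisition of a storage device, plus a chain-of-custody record.

Added example (not from the original notes). Any file or block-device path the
examiner can read would do as the source; the sample device below is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large device never fills memory

# Constructed sample content standing in for a real disk.
SAMPLE_DEVICE = b"NTFS boot sector (constructed sample)\x00" * 2048 + b"user@example.test"


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks; used for the source and for the produced image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte, hashing the source as it is read.

    The source is opened read-only and never written to. The hash of what was
    read is recorded so the image can later be checked independently.
    """
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the disk
    return {"source_sha256": h.hexdigest(), "bytes_copied": copied}


def verify_image(dst: str, expected_sha256: str) -> bool:
    """Re-read the image from disk: a write error or later change shows as a mismatch."""
    return sha256_of_file(dst) == expected_sha256


def custody_record(tag: str, description: str, serial: str, examiner: str,
                   acquisition: dict, verified: bool) -> dict:
    """Evidence tag entry of the kind the report's 'Computer Evidence Analyzed' section lists."""
    return {
        "evidence_tag": tag,
        "description": description,
        "media_serial": serial,
        "acquired_by": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": acquisition["bytes_copied"],
        "sha256": acquisition["source_sha256"],
        "image_verified": verified,
    }


def demo(tamper: bool = False) -> dict:
    """Acquire the constructed sample device and return its custody record.

    With tamper=True one byte of the image is altered after the copy; the
    verification must then fail while the source hash stays unchanged.
    """
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "sdb")      # stands in for a real device path
        image = os.path.join(work, "sdb.dd")
        with open(device, "wb") as f:
            f.write(SAMPLE_DEVICE)
        acq = acquire_image(device, image)
        if tamper:
            with open(image, "r+b") as f:
                first = f.read(1)
                f.seek(0)
                f.write(bytes([first[0] ^ 0xFF]))
        ok = verify_image(image, acq["source_sha256"])
        # The original is untouched either way: its hash still matches what was read.
        assert sha256_of_file(device) == acq["source_sha256"]
        return custody_record("E-001", "Laptop HDD, bay 1 (constructed)",
                              "SN-PLACEHOLDER", "examiner (placeholder)", acq, ok)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered image verified:", demo(tamper=True)["image_verified"])
```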
Without some critical components of a proper infrastructure security program, key pieces of evidence will not be available to incident responders in a timely manner. The result is that evidence may be lost while the CSIRT members hunt down critical pieces of information. In terms of preparation, organizations can aid the CSIRT by having proper network documentation, up-to-date configurations of network devices and a central log management solution in place.

Network Forensics is the process of capturing, recording and analysing the various network events in order to identify the origin of security attacks and other problems. This helps in figuring out unauthorized access to the computer system and in searching for evidence of such occurrences. Network Forensics has the capability to investigate at the network level as well as the events that take place across an IT system.

Intrusion detection, logging, and correlating intrusion detection and logging

Network-based digital evidence is a type of digital evidence which arises as a product of communications over a network. The primary and secondary storage media of computers (such as RAM and hard drives) tend to be productive elements for forensic analysis and investigation. Because of the fragments of data left behind, persistent storage can hold forensically recoverable and relevant evidence for hours, days and years beyond file deletion and storage reuse. Network-based digital evidence, in contrast, can be exceedingly volatile. In milliseconds, in the blink of an eye, packets move swiftly across the wire and disappear from the switches. Web sites change depending on when and where they are viewed.
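The corroboration of host evidence with network evidence described above, together with the "correlating intrusion detection and logging" point, as an added example that is not from the original notes. It assumes a constructed asset inventory mapping host names to IP addresses; the IDS alert and auth log lines are constructed samples in simplified formats, not any product's exact output.

```python
"""Corroborate host-based evidence with network-based evidence.

Added example, not from the original notes. The IDS alert lines, the host
auth log lines and the asset inventory are all constructed samples; the line
formats are simplified stand-ins, not any product's exact format.
"""
import re
from datetime import datetime

# Constructed asset inventory: the "proper network documentation" the notes
# ask for, needed to tie a host's log to the destination IP seen on the wire.
HOST_IPS = {"srv20": "10.0.5.20", "srv30": "10.0.5.30"}

# Constructed IDS alert lines: time, signature, source -> destination.
IDS_ALERTS = """\
2024-04-22T09:14:03Z ALERT "SSH brute force attempt" 203.0.113.7:51822 -> 10.0.5.20:22
2024-04-22T09:14:41Z ALERT "SSH brute force attempt" 203.0.113.7:51910 -> 10.0.5.20:22
2024-04-22T09:31:12Z ALERT "HTTP scanner user-agent" 198.51.100.9:40211 -> 10.0.5.30:80
"""

# Constructed auth log collected from srv20 (clock in UTC). Nothing was
# collected from srv30: it does not forward logs to the central log server.
HOST_AUTH_LOG = """\
2024-04-22T09:14:05Z srv20 sshd[4121]: Failed password for root from 203.0.113.7 port 51822 ssh2
2024-04-22T09:14:09Z srv20 sshd[4121]: Failed password for root from 203.0.113.7 port 51822 ssh2
2024-04-22T09:14:44Z srv20 sshd[4133]: Accepted password for backup from 203.0.113.7 port 51910 ssh2
2024-04-22T09:20:00Z srv20 sshd[4180]: Accepted publickey for deploy from 10.0.5.2 port 33001 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
IDS_RE = re.compile(rf'^(\S+) ALERT "([^"]+)" {IP}:\d+ -> {IP}:\d+$')
AUTH_RE = re.compile(rf"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from {IP} port \d+")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_ids(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sig, src, dst = m.groups()
            alerts.append({"ts": parse_ts(ts), "sig": sig, "src": src, "dst": dst})
    return alerts


def parse_auth(text):
    """Return one dict per sshd login line (failed or accepted)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": parse_ts(ts), "host": host, "result": result,
                           "user": user, "src": src})
    return events


def correlate(alerts, events, host_ips, window_s=15):
    """Attach to each alert the host events that corroborate it.

    A host event corroborates an alert when it comes from the host that owns
    the alert's destination IP, names the same source IP, and lies within
    window_s seconds of the alert (either side, to allow for clock skew).
    An alert with no matching host event is an evidence gap to report, not
    a false positive. An alert corroborated by an Accepted login is escalated.
    """
    results = []
    for a in alerts:
        matches = [
            e for e in events
            if host_ips.get(e["host"]) == a["dst"]
            and e["src"] == a["src"]
            and abs((e["ts"] - a["ts"]).total_seconds()) <= window_s
        ]
        results.append({
            "alert": a,
            "host_events": matches,
            "corroborated": bool(matches),
            "escalate": any(e["result"] == "Accepted" for e in matches),
        })
    return results


if __name__ == "__main__":
    for r in correlate(parse_ids(IDS_ALERTS), parse_auth(HOST_AUTH_LOG), HOST_IPS):
        a = r["alert"]
        status = ("ESCALATE" if r["escalate"]
                  else "corroborated" if r["corroborated"] else "NO HOST EVIDENCE")
        print(f'{a["ts"]:%H:%M:%S} {a["sig"]:<26} {a["src"]} -> {a["dst"]}: '
              f'{len(r["host_events"])} host event(s), {status}')
```

The third alert shows the preparation gap the notes warn about: with no log forwarding from srv30 there is nothing on the host side to confirm or refute what the sensor saw.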
Challenges relating to Network-based Digital Evidence

Network-based evidence poses certain specific and prominent challenges in various areas. Some of the most common challenges related to network-based digital evidence are as follows:

Acquisition: Finding or locating specific evidence in a network environment can be a hard task. There are multiple sources of evidence, from wireless access points to web proxies to central log servers, which often makes it difficult to pinpoint the exact location of a piece of evidence. Even in cases where we know of specific evidence and where it resides, obtaining access to it can become complex for political or technical reasons.

Content: Unlike filesystems, which are designed to contain the full contents of files and their metadata, network devices may or may not store evidence with the level of granularity desired. The storage capacity of network devices is often very limited. Most of the time, only selected metadata about a data transfer or transaction is kept, rather than a complete record of the data that traversed the network.

Storage: Network devices usually have no secondary or persistent storage. As a consequence, the data held in them is volatile and may not survive a reset.

Privacy: Depending on the jurisdiction, legal issues could arise, including personal privacy issues that are unique to network-based acquisition techniques.

Seizure: Seizing a hard drive can cause trouble and disruption to an individual or organization. However, a copy of the original hard drive can be constructed and deployed so that normal operations can continue with limited disturbance. Seizing a network device is most often far more disruptive. In the most serious cases, an entire network segment may be brought down indefinitely. In most circumstances, investigators have the ability to minimize the impact on network operations.

Admissibility: Filesystem-based evidence has been admitted consistently in both criminal and civil proceedings. As long as the filesystem-based evidence is relevant to the case, lawfully acquired and properly handled, there is clear precedent for validating the evidence and admitting it in court. In contrast, network forensics is one of the newest approaches to digital investigation. There are often conflicting or even non-existent legal precedents for the admission of various types of network-based digital evidence. With time, network-based digital evidence may become more widespread and case precedents will be set and standardized.

Writing Computer Forensics Reports

The main goal of computer forensics is to perform a structured investigation on a computing device to find out what happened or who was responsible for what happened, while maintaining a properly documented chain of evidence in a formal report. The syntax or template of a computer forensic report is as follows:

1. Executive Summary: The Executive Summary section of the computer forensics report template provides the background of the conditions that created the requirement for an investigation. The Executive Summary (or Translation Summary) is read by senior management, as they do not read the detailed report. This section must contain a short description, details and important pointers, and could be one page long. The Executive Summary section consists of the following:
• Who authorized the forensic examination.
• A list of the significant evidence, in brief.
• Why a forensic examination of the computing device was necessary.
• A signature block for the examiners who performed the work.
• The full, legitimate and proper names of all people related to or involved in the case, their job titles, and the dates of initial contacts or communications.

2. Objectives: The Objectives section is used to outline all tasks that the investigation has planned to complete. In some cases the forensic examination may not be a full-fledged investigation when reviewing the contents of media. The prepared task list must be discussed with and approved by legal counsel, decision makers and the client before any forensic analysis. This list should consist of the tasks undertaken, the method used by the examiner for each task, and the status of each task at the end of the report.

3. Computer Evidence Analyzed: The Computer Evidence Analyzed section is where all gathered evidence and its interpretation are introduced. It provides detailed information regarding the assignment of evidence tag numbers, descriptions of the evidence and media serial numbers.

4. Relevant Findings: The Relevant Findings section gives a summary of the evidence found of probative value. When a match is found between forensic material recovered from a crime scene (e.g. a fingerprint, a strand of hair, a shoe print) and a reference sample provided by a suspect in the case, the match is widely considered strong evidence that the suspect is the source of the recovered material. However, the probative value of evidence can vary widely depending on the way in which the evidence is characterized and the hypothesis of interest. This section answers questions such as "What related objects or items were found during the investigation of the case?".

5. Supporting Details: Supporting Details is the section where the in-depth analysis of the relevant findings is done. It outlines how we reached the conclusions given in Relevant Findings. It contains a table of vital files with full path names, the results of string searches, emails and URLs reviewed, the number of files reviewed and any other relevant data. All tasks undertaken to meet the objectives are outlined in this section. In Supporting Details we focus more on technical depth. It includes charts, tables and illustrations, as these convey much more than written text. To meet the outlined objectives, many subsections are also included. This is the longest section. It starts by giving background details of the media analyzed. It is not easy to report the number of files reviewed and the size of a hard drive in a human-understandable way; nevertheless, your client must know how much data you had to review to arrive at a conclusion.

6. Investigative Leads: The Investigative Leads section lists action items that could help discover additional information related to the investigation of the case. The investigators perform all outstanding tasks to find extra information if more time is left. The Investigative Leads section is very critical to law enforcement. It suggests extra tasks that would discover information needed to move the case forward, e.g. finding out whether there are any firewall logs that date far enough into the past to give a correct picture of any attacks that might have taken place. This section is also important for a hired forensic consultant.

7. Additional Subsections: Various additional subsections are included in a forensic report. These subsections depend on the client's wants and needs. The following subsections are useful in specific cases:
• Attacker Methodology: additional briefing to help the reader understand the general or exact attacks performed. This section is useful in computer intrusion cases. It examines how the attacks were carried out and what traces of them look like in standard logs.
• User Applications: in this section we discuss the relevant applications installed on the media analyzed, because in many cases the applications present on a system are very relevant. Give this section a suitable title if you are investigating a system used by an attacker, e.g. Cyber Attack Tools.
• Internet Activity: the Internet Activity or Web Browsing History section gives the web surfing history of the user of the media analyzed. The browsing history is also useful to suggest intent: downloading of malicious tools, unallocated space, online research, downloading of secure-delete or evidence-removal programs that wipe file slack and temporary files, which often harbour evidence very important to an investigation.
• Recommendations: this section gives recommendations to posture the client to be more prepared and trained for the next computer security incident. Host-based, network-based and procedural countermeasures are given to the client to reduce or eliminate the risk of a security incident.

AUDITING

Forensic auditing has taken an important role in both private and public organizations since the dawn of the 21st century, especially in the advanced economies. The failure of some formerly prominent public companies such as Enron and WorldCom (MCI Inc.) in the late 1990s, coupled with the terrorist attacks of September 11, 2001, fueled the prominence of forensic auditing/accounting, creating a new, important and lucrative specialty. Forensic auditing procedures target mostly financial and operational fraud, discovery of hidden assets, and adherence to federal regulations.

In forensic auditing, specific procedures are carried out in order to produce evidence. Audit techniques and procedures are used to identify and gather evidence to prove, for example, how long fraudulent activities have existed and been carried out in the organization, and how they were conducted and concealed by the perpetrators. Evidence may also be gathered to support other issues which would be relevant in the event of a court case.

• Forensic Audit Thinking, in other words thinking forensically
• Forensic Audit Procedures, both proactive and reactive
• Appropriate use of technology and data analysis

Forensic audit thinking involves the critical assessment, throughout the audit, of all evidential matter, and maintaining a higher degree of professional skepticism that, for example, fraud or financial irregularity may have occurred, is occurring, or will occur in the future. Furthermore, forensic thinking is a mind shift where the auditor believes that the possibility of fraud or financial irregularity may exist and that controls may be overridden to accomplish it. Forensic thinking is used throughout the audit work, i.e. from start to finish.

FORENSIC AUDIT PROCESS

Forensic audit procedures are more specific and geared toward detecting possible material misstatements in financial statements resulting from fraudulent activities or error. Audit procedures should align with fraud risks and fraud risk assessments. According to Donald R. Cressey, in his proposition the "Fraud Triangle", there are three interrelated elements that enable someone to commit fraud: the Motive that drives a person to want to commit the fraud, the Opportunity that enables him to commit the fraud, and the ability to Rationalise the fraudulent behaviour. The vulnerability that an organisation has to those capable of overcoming all three elements of the fraud triangle is fraud risk. Fraud risk can come from sources both internal and external to the organisation.

Information Security Management System (ISMS)

Information security management describes the set of policies and procedural controls that IT and business organizations implement to secure their informational assets against threats and vulnerabilities. Responsibility for information security may be assigned to a Chief Security Officer, Chief Technical Officer, or an IT Operations manager whose team includes IT operators and security analysts. Many organizations develop a formal, documented process for managing InfoSec, often called an Information Security Management System, or ISMS.

An information security management system (ISMS) is a framework of policies and controls that manage security and risks systematically across your entire enterprise. These security controls can follow common security standards or be more focused on your industry. An ISMS is designed to establish holistic information security management capabilities; digital transformation requires organizations to adopt ongoing improvement and evolution of their security policies and controls. The structure and boundaries defined by an ISMS may apply only for a limited time frame, and the workforce may struggle to adopt them in the initial stages. The challenge for organizations is to evolve these security control mechanisms as their risks, culture and resources change.

Introduction to ISO 27001:2013

ISO 27001 is the international standard for information security. It sets out the specification for an information security management system (ISMS). The standard's best-practice approach helps organisations manage their information security by addressing people, processes and technology. Certification to the ISO 27001 standard is recognised worldwide as an indication that your ISMS is aligned with information security best practice.

Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that helps organisations "establish, implement, operate, monitor, review, maintain and continually improve an ISMS". An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets. It consists of policies, procedures and other controls involving people, processes and technology. Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.

According to ISO 27001, ISMS implementation follows a Plan-Do-Check-Act (PDCA) model for continuous improvement in ISM processes:
Plan. Identify the problems and collect useful information to evaluate security risk. Define the policies and processes that can be used to address problem root causes. Develop methods to establish continuous improvement in information security management capabilities.
Do. Implement the devised security policies and procedures. The implementation follows the ISO standard, but the actual implementation is based on the resources available to your company.
Check. Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as the behavioral aspects associated with the ISM processes.
Act. Focus on continuous improvement. Document the results, share knowledge, and use a feedback loop to address future iterations of the PDCA model in the implementation of ISMS policies and controls.