INTRODUCTION TO CYBER
FORENSICS
MODULE 1
Anpu Ann Mathews, AP, Dept. of Cyber Forensics
CONTENTS
1. Introduction to computer forensics
2. Information security investigation
3. Corporate cyber forensics
4. Scientific method in forensic analysis
5. Investigating large scale data breach cases
6. Analysing malicious software
Computer forensics
• Cyber forensics is an electronic discovery technique used to identify and
recover technically sound evidence of criminal activity. It often involves
extracting data from electronic storage media for legal purposes.
• It can also be described as the preservation, identification, extraction and
documentation of digitally stored (historically, magnetically encoded) information.
• Applications
• Financial fraud detection
• Criminal prosecution
• Corporate security policy enforcement
Advantages
• Detects fraud and identity theft
• Provides a structured basis for digital forensic analysis
• Shortens case processing time
• Enhances cyber security
• Facilitates cyber defence
Disadvantages
• Cost, and the ever-increasing volume of storage that must be acquired and analysed
• Administrative issues (custody of evidence, access to systems, coordination across teams)
• New technologies and legal issues (encryption, cloud storage, admissibility of evidence).
What does cyber forensics mean?
• Although still a comparatively young discipline, cyber forensics is gaining
traction as an accepted way of interpreting digital evidence. Cyber forensics is
also known as computer forensics.
• Cybercrimes cover a broad spectrum, from email scams to downloading
copyrighted works for distribution, and are fuelled by a desire to profit from
another person's intellectual property or private information.
• Cyber forensics can reconstruct a digital audit trail for analysis by
experts or law enforcement.
• Developers build software to detect online criminals and capture evidence of
their activity; these tools are the crux of cyber forensics.
Cyber forensic techniques include
• Cross-drive analysis, which correlates data (for example the same e-mail
addresses or file hashes) found on multiple hard drives
• Live analysis, which acquires volatile data such as memory, running processes
and network connections before a system is shut down
• Deleted file recovery, which carves files out of unallocated space after
their directory entries have been removed
• Each of the above techniques is applied in cyber forensic investigations.
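Two of the techniques listed above, deleted file recovery by signature carving and cross-drive analysis, as an added Python example that is not part of the original slides. The two "drive images" are constructed byte strings with embedded JPEG/PNG/PDF signatures and e-mail addresses under the placeholder domain `example.test`; they stand in for unallocated space read from real media and are not evidence from any case.

```python
import hashlib
import re

# Header/footer signatures used for carving. Carving ignores the file system,
# so it recovers files whose directory entries were deleted but whose clusters
# have not yet been overwritten.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes, max_size: int = 1 << 20):
    """Return (type, offset, data, sha256) for each header/footer pair in the image.
    The hash is recorded at carve time so the recovered file can be tied back to
    the evidence later. Headers without a footer within max_size are skipped."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while (hpos := image.find(header, start)) != -1:
            fpos = image.find(footer, hpos + len(header), hpos + max_size)
            if fpos == -1:
                start = hpos + 1
                continue
            end = fpos + len(footer)
            data = image[hpos:end]
            found.append((ftype, hpos, data, hashlib.sha256(data).hexdigest()))
            start = end
    return sorted(found, key=lambda f: f[1])

# Identifiers to correlate across drives; e-mail addresses are the classic choice.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def extract_emails(image: bytes):
    return {m.group(0).decode("ascii", "replace").lower() for m in EMAIL_RE.finditer(image)}

def cross_drive_correlate(images: dict):
    """Cross-drive analysis: an identifier found on more than one drive links
    those drives (and their owners) to each other. Returns identifier -> drives."""
    seen = {}
    for name, img in images.items():
        for email in extract_emails(img):
            seen.setdefault(email, set()).add(name)
    return {e: sorted(d) for e, d in seen.items() if len(d) > 1}

def build_sample_images():
    """Constructed 'unallocated space' from two drives (not real evidence)."""
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0" + b"\x00" * 20 + SIGNATURES["jpeg"][1]
    png = SIGNATURES["png"][0] + b"\x00" * 16 + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    drive_a = (b"\x00" * 64 + jpeg + b"\x00" * 32
               + b"alice@example.test bob@example.test" + b"\x00" * 40 + png)
    drive_b = b"\xff" * 50 + pdf + b" mail from bob@example.test to carol@example.test " + b"\x00" * 30
    return {"drive_a": drive_a, "drive_b": drive_b}

if __name__ == "__main__":
    images = build_sample_images()
    for name, img in images.items():
        for ftype, off, data, digest in carve(img):
            print(f"{name}: {ftype} at offset {off}, {len(data)} bytes, sha256 {digest[:16]}...")
    print("shared identifiers:", cross_drive_correlate(images))
```

Carving by signature alone produces false positives (header bytes occur by chance in other data) and truncates files whose footer is missing or whose clusters are fragmented, so every carved object should be validated by opening it with the appropriate parser before it is reported.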
Information Security Investigations
• What is cyber investigation?
• Cyber investigation is the process that law enforcement officers use to
track criminals through computers. It may involve investigating computer
crimes, or tracing the records of criminals using computer forensics.
• Forensic cases vary greatly:
• Some deal with intruders stealing data.
• Others involve attackers who break into web sites, launch DDoS attacks, or
attempt to obtain user names and passwords for identity theft and fraud.
• Some involve cyber stalking or offenders who visit prohibited sites (e.g.
child pornography websites).
Corporate cyber forensics
• Cyber forensics practised within large corporations is called corporate
cyber forensics.
• Employee activity is monitored regularly and checked for compliance with
the organisation's usage policies.
• If suspicious activity is observed, cyber forensic skills are used to
investigate the scenario.
• IT staff use some of the same computer forensic skills practised by law
enforcement, but corporate investigations often require an extension of those
skills to meet the particular demands of corporate surveillance and investigation.
Corporate cyber forensics
• In large companies one can expect to see virtually every type and version of Windows
desktop and server operating system. Investigators also routinely run into Linux,
Solaris, HP-UX and AIX, plus different versions of each OS.
• Some systems are relatively small, self-contained servers and desktops that use native
file system types. Others use large RAID, SAN or NAS storage, or employ a mixture of
file systems.
• Administration also comes in a variety of flavours. Systems may be accessed through
either direct or virtual consoles.
• A single system may have one or more administrators. Authentication may be
local or via domain administrative access.
• Two-factor authentication, such as a password plus something you have,
such as an RSA SecurID token, may be required.
• To perform incident response or remote forensics, computers often
need to be accessed over the network.
• Even the environment containing the system of forensic interest is an
important factor. Production, test, laboratory and desktop
environments differ greatly from each other and strongly affect
the forensic approach.
• There are also many elements supporting a network, such as routers,
switches, firewalls and intrusion detection systems, whose logs and
configurations are likely to be part of the investigation.
The investigative approach
• In the corporate world even the simplest of cases can be complex.
Many user systems, particularly laptops, now use full-disk encryption, so
the appropriate keys or recovery credentials must be obtained (or the volume
imaged while it is unlocked and running) before the necessary data can be acquired.
• AUPs or Usage policy
• In addition to managing the security of data assets, information
technology (IT) has taken a significant role in enforcing corporate
Acceptable Use Policies (AUPs).
• An AUP is a document stipulating the constraints and practices that a user must
agree to in order to access a corporate network or the internet.
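Once a corporate system is reachable (over the network or at the console) and any encrypted volume is unlocked, the next step is a verifiable acquisition. The following is an added Python example, not from the slides, of the core of that step: read the device sector by sector, zero-fill unreadable sectors the way `dd conv=noerror,sync` does, hash the data as it is read, re-hash the written image to verify it, and keep an acquisition record. `SimulatedDevice` stands in for a block device and its bad sector is constructed; the case id and examiner name are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512

class SimulatedDevice:
    """Stands in for a block device. Sectors listed in bad_sectors raise on read
    (constructed for the demo; a real acquisition reads /dev/sdX or a network share)."""
    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    def size(self) -> int:
        return len(self.data)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def acquire(device, out, case_id: str, examiner: str) -> dict:
    """Image `device` into the binary stream `out`, sector by sector.
    Unreadable sectors are zero-filled so offsets stay aligned (the behaviour of
    `dd conv=noerror,sync`) and their numbers are logged, because they explain
    why a later independent hash of the source may differ from the image hash."""
    digest = hashlib.sha256()
    bad = []
    total = (device.size() + SECTOR - 1) // SECTOR
    started = datetime.now(timezone.utc).isoformat()
    for n in range(total):
        try:
            chunk = device.read_sector(n)
        except IOError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        digest.update(chunk)
        out.write(chunk)
    out.flush()
    return {
        "case_id": case_id,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "sectors": total,
        "bad_sectors": bad,
        "acquired_sha256": digest.hexdigest(),
    }

def verify(image: bytes, record: dict) -> bool:
    """Re-hash the written image independently; it must match the hash computed
    while reading. Run this again whenever the image is handed over or copied."""
    return hashlib.sha256(image).hexdigest() == record["acquired_sha256"]

def run_demo():
    original = bytes(range(256)) * 8              # 2048 bytes = 4 sectors (constructed)
    device = SimulatedDevice(original, bad_sectors={2})
    out = io.BytesIO()
    record = acquire(device, out, case_id="CASE-0001", examiner="examiner")   # placeholders
    image = out.getvalue()
    record["image_verified"] = verify(image, record)
    return record, image

if __name__ == "__main__":
    record, _ = run_demo()
    print(json.dumps(record, indent=2))
```

The record is the chain-of-custody artefact: hash, sector count, bad-sector list, timestamps and examiner. On real hardware a write blocker sits between the examiner's workstation and the source drive, and for an encrypted laptop the same routine is run against the unlocked logical volume rather than the raw disk, since imaging the raw disk yields only ciphertext.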
Scientific method in forensic analysis
• Forensic analysis
• Forensic data analysis is a branch of digital forensics that examines structured
data in connection with incidents of financial crime. Its aim is to discover and
analyse patterns of fraudulent activity.
• Main purpose of forensic analysis
• More generally, forensic analysis is an in-depth, systematic investigation whose
purpose is to objectively establish facts.
• In essence, forensic analysis of an offence or crime shows who caused it, how,
and when.
Scientific method
1. Making an initial observation
2. Forming a provisional hypothesis
3. Testing the hypothesis
4. Designing and performing an experiment
5. Scientific theory
6. Scientific law
• The above process is known as the scientific method.
• The end result of the application of the scientific method is a scientific law.
• Universality and repeatability are key features of scientific laws. In forensic
analysis the same standard applies: a finding must be documented so that another
examiner, given the same evidence, can repeat the steps and reach the same result.
Investigating large scale data breach cases
• A large-scale data breach is not comparable to an attack on an individual
victim: it multiplies the risk across a community of millions or even billions
of people, whether the data taken is credentials or behavioural. It is, in
effect, a resource for millions of future attacks.
• A clandestine cybercrime is not complete when the act itself is committed;
it is complete when all traces in logs and signatures that could be used to
backtrack the event have also been eliminated.
• There are no perfect crimes; it is the complexity of the tools involved that
makes investigating a crime harder than committing one.
• Incident: A security event that compromises the integrity,
confidentiality or availability of an information asset.
• Breach: An incident that results in the confirmed disclosure, not just
potential exposure, of data to an unauthorized party.
Data breach
• A data breach is any incident in which confidential or sensitive information
has been accessed without permission. Breaches are commonly the result of a
cyberattack in which criminals gain unauthorized access to a computer
system or network and steal the private, sensitive or confidential personal
and financial data of the customers or users held within.
• A data breach occurs when a cybercriminal infiltrates a data source and
extracts confidential information. This can be done by accessing a
computer or network to steal local files, or by bypassing network security
remotely. While most data breaches are attributed to hacking or malware
attacks, other breach methods include insider leaks, payment card fraud,
loss or theft of a physical hard drive or of files, and human error.
The most common cyber attacks used in data
breaches
• Ransomware: malware that gains access to vital data and locks it down,
usually by encrypting it. Files and systems are held hostage and a fee is
demanded, commonly in the form of cryptocurrency.
• Common Target: Enterprise companies and businesses.
• Malware: short for "malicious software", is any program or code designed
to harm a system. A common delivery trick is scareware, in which a fake
"warning" about harmful software convinces users to download further
malicious programs. Malware does not damage the physical hardware, but it
can steal data, encrypt it, or hijack computer functions.
• Common Target: Individuals and businesses.
• Phishing: scams are one of the most common ways attackers gain access to
sensitive or confidential information. Phishing involves sending fraudulent
emails that appear to come from a reputable company, with the goal of
deceiving recipients into clicking a malicious link or downloading
an infected attachment, usually to steal credentials or financial or confidential
information.
• Common Target: Individuals and businesses
• Denial of Service (DoS): a cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to its intended users by
temporarily or indefinitely disrupting the services of a host connected to the
Internet. It is typically accomplished by flooding the targeted machine or
resource with superfluous requests in an attempt to overload systems and
prevent some or all legitimate requests from being fulfilled.
• Common Target: Sites or services hosted on high-profile web servers, such as banks
List of data breach statistics that led up to and
launched the age of data infiltration.
• The first computer virus, known as “The Creeper,” was discovered in the
early 1970s.
• In 2005 the Privacy Rights Clearinghouse began its chronology of data
breaches.
• AOL was the first victim of phishing attacks in 1996.
• Social media data breaches accounted for 56% of data breaches in the first
half of 2018.
• As of 2019, cyber-attacks are considered among the top five risks to global
stability
• Data breaches exposed 4.1 billion records in the first six months of 2019
Largest Data Breaches in History
• Yahoo holds the record for the largest data breach of all time, with 3
billion compromised accounts.
• In 2019, Facebook had 540 million user records exposed on publicly
accessible Amazon cloud servers.
• In 2014, eBay was hacked and 145 million records were accessed.
• There are many factors to consider when preparing for and managing
a data breach, such as the amount of time it takes to respond to a data
breach and the reputational impact it has on your company.
• Healthcare and the public sector spent the most time in the data breach lifecycle,
329 days and 324 days respectively.
• The average time to identify a breach in 2019 was 206 days.
• There was an 80% increase in the number of people affected by health data
breaches from 2017 to 2019.
Cost of a Data Breach
• It is no secret that data breaches are costly for a business. To calculate
the average cost of a data breach, security institutes collect both the
direct and indirect expenses suffered by the breached organization.
• Direct expenses include forensic experts, hotline support, free credit
monitoring subscriptions for affected customers and potential
settlements. Indirect costs include in-house investigations and
communication, as well as customer turnover or lost business caused by
damage to the company's reputation after the breach.
• Healthcare is the most expensive industry for a data breach, at $6.45 million per breach.
• The average cost per lost or stolen record in a data breach is $150.
• A mega breach of 50 million records has an average total cost of $388 million,
a growth of almost 11% from 2018.
Data breach
Examples 1
• The first major Magecart attack of 2018 hit Ticketmaster's UK
branch. Attackers compromised Inbenta, a third-party supplier of website
functionality, and from Inbenta placed digital payment-card skimmers on several
Ticketmaster websites. The Ticketmaster attack was part of a
campaign targeting third-party providers in order to compromise card data
across many sites at once. July's Magecart collections included
indicators of compromise for over 800 victim websites. A malicious
Mobile Device Management platform was used in highly targeted
attacks on 13 iPhones and some Android and Windows devices.
Russia's PIR Bank lost ₽58 million ($920,000) after the MoneyTaker
actor compromised an outdated, unsupported Cisco router at a
branch office and used it to pivot into the bank's network.
Examples 2
• New intelligence revealed that Japanese corporations were being targeted by
the menuPass (APT10) threat actor. On September 6th, British Airways
announced it had suffered a breach resulting in the theft of customer data.
Within a week, intelligence showed that British Airways had become
another victim of a Magecart attack. Intelligence indicated that in the preceding
6 months, 7,339 e-commerce sites had hosted Magecart payment card
skimming scripts, including online retailer Newegg. Weaponized IQY (Excel
Web Query) attachments were discovered attempting to evade detection
to deliver the FlawedAmmyy remote access Trojan (RAT). The FBI
and DHS issued an alert about the Remote Desktop Protocol (RDP). The
alert listed several threats that exploit RDP connections: the Crysis (Dharma),
CryptON and SamSam ransomware families. DanaBot expanded its target
set to Italy, Germany and Austria.
Analysing malicious software
• Malware harms the computer system it runs on. It can take the form of
worms, viruses, spyware, adware, Trojan horses, rootkits, etc.
• Such programs steal protected data, delete documents or install software
that the user has not approved.
• Malicious programs also provide backdoor entry into computing
devices for stealing personal information, confidential data and much
more.
Why is it needed?
• Malware analysis is the process by which the purpose and
functionality of a given malware sample are analysed and
determined.
• It provides the basis for detecting the malicious code (signatures and
behavioural indicators) and for developing efficient removal tools that can
reliably clean an infected system.
Types of malware analysis
• There are two types of malware analysis performed by security experts:
• Code (static) analysis.
• Behavioural (dynamic) analysis.
Behavioural (dynamic) analysis
• Behavioural analysis is a method in which the behaviour of malware is
monitored as it executes in a sandbox environment.
• Behaviours monitored include creation or deletion of processes,
adding or deleting registry entries, whether the malware
connects to a remote server, whether it adds itself to auto-run locations,
and its network traffic.
• This technique is easier than code analysis, but it only reveals what the
sample chose to do during that run: malware that detects the sandbox, waits
for a trigger date, or needs a specific target may show nothing at all.
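The behaviours listed above are what a sandbox trace records; turning that trace into findings is the triage step. The following is an added Python example, not from the slides, that runs a few rules over such a trace: registry writes to auto-run keys, executables dropped into user-writable folders, a script host invoked to delete shadow copies, and connections to destinations outside the sandbox's private range. The event tuples, process ids, paths and the destination `203.0.113.45` / `cdn.example.invalid` are all constructed for the demo; the event shape is an assumption, not any particular sandbox's format.

```python
import re
from collections import defaultdict

# Constructed sandbox trace: (pid, event type, details). Shaped like what a
# sandbox or Sysmon export records; none of it comes from a real sample.
TRACE = [
    (4120, "process_create", {"image": r"C:\Users\victim\Downloads\invoice.exe",
                              "parent": r"C:\Windows\explorer.exe", "cmdline": "invoice.exe"}),
    (4120, "file_write", {"path": r"C:\Users\victim\AppData\Roaming\svchosts.exe"}),
    (4120, "registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                            "value": r"C:\Users\victim\AppData\Roaming\svchosts.exe"}),
    (4120, "process_create", {"image": r"C:\Windows\System32\cmd.exe",
                              "parent": r"C:\Users\victim\Downloads\invoice.exe",
                              "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"}),
    (4120, "network_connect", {"dst": "203.0.113.45", "port": 443, "domain": "cdn.example.invalid"}),
    (5008, "process_create", {"image": r"C:\Windows\System32\svchost.exe",
                              "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"}),
    (5008, "registry_set", {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname",
                            "value": "SANDBOX-01"}),
    (5008, "network_connect", {"dst": "10.0.0.2", "port": 53, "domain": ""}),
]

AUTORUN_KEYS = re.compile(r"\\(Run|RunOnce|Winlogon\\Shell|Winlogon\\Userinit)(\\|$)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)
DESTRUCTIVE = re.compile(r"vssadmin\s+delete\s+shadows|wbadmin\s+delete|bcdedit\s+/set", re.I)

def is_rfc1918(ip: str) -> bool:
    """Sandbox networks are private; anything else is an external destination."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or a == 127 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def behavioural_triage(trace):
    """Map each pid to the (tag, evidence) findings the rules above produce."""
    findings = defaultdict(list)
    for pid, kind, d in trace:
        if kind == "registry_set" and AUTORUN_KEYS.search(d["key"]):
            findings[pid].append(("persistence_autorun", d["key"]))
        elif kind == "file_write" and USER_WRITABLE.search(d["path"]) \
                and d["path"].lower().endswith((".exe", ".dll", ".scr")):
            findings[pid].append(("dropped_executable", d["path"]))
        elif kind == "process_create" and SCRIPT_HOSTS.search(d["image"]) \
                and DESTRUCTIVE.search(d.get("cmdline", "")):
            findings[pid].append(("shadow_copy_deletion", d["cmdline"]))
        elif kind == "network_connect" and not is_rfc1918(d["dst"]):
            findings[pid].append(("external_connection", f"{d['dst']}:{d['port']} {d.get('domain', '')}".strip()))
    return dict(findings)

def verdict(pid_findings) -> str:
    """Two or more distinct behaviour classes in one process is a strong signal;
    a single one (e.g. only an external connection) warrants a closer look."""
    tags = {tag for tag, _ in pid_findings}
    return "malicious" if len(tags) >= 2 else "suspicious" if tags else "clean"

if __name__ == "__main__":
    for pid, found in behavioural_triage(TRACE).items():
        print(pid, verdict(found))
        for tag, evidence in found:
            print("   ", tag, "->", evidence)
```

The absence of findings for pid 5008 is the point of the caveat above: a trace can only be scored on what happened, so a clean verdict from one sandbox run is weak evidence and should send the sample to code analysis rather than close the case.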
Code analysis
• Code analysis is a method in which the actual code of the malware is
examined by reverse engineering the malicious executable (disassembling or
decompiling it, since source code is rarely available). The approach gives a
more complete understanding of the malware's functions, including code paths
that never executed in the sandbox.
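Before the disassembler is opened, static analysis starts with a first pass that needs no execution: hashes for threat-intelligence lookup, an entropy measurement to tell whether the sample is packed (in which case strings will be empty until it is unpacked), and extraction of ASCII and UTF-16 strings mapped to capabilities such as networking, persistence, process injection and anti-analysis checks. The following is an added Python example, not from the slides. The two samples are constructed byte blobs shaped like a PE file (a readable one and a "packed" one whose body cycles through all byte values); no real malware is embedded, and `cdn.example.invalid` is a placeholder.

```python
import hashlib
import math
import re
from collections import Counter

def file_hashes(data: bytes) -> dict:
    """Hashes for lookup in threat-intel feeds and for the evidence record."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted (packed) code approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # Windows binaries carry many wide strings

def extract_strings(data: bytes):
    out = [m.group(0).decode("ascii") for m in ASCII_STR.finditer(data)]
    out += [m.group(0).decode("utf-16-le") for m in UTF16_STR.finditer(data)]
    return out

# Strings that hint at capability. An import or URL is not proof of behaviour;
# it tells the analyst where to start reading in the disassembler.
INDICATORS = {
    "network": re.compile(r"https?://|InternetOpenUrl|WinHttp|URLDownloadToFile|WSAStartup", re.I),
    "persistence": re.compile(r"CurrentVersion\\Run|RegSetValueEx|CreateService|schtasks", re.I),
    "injection": re.compile(r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection", re.I),
    "anti_analysis": re.compile(r"IsDebuggerPresent|CheckRemoteDebuggerPresent|VBoxGuest|vmtoolsd", re.I),
    "crypto": re.compile(r"CryptEncrypt|CryptAcquireContext|BCryptEncrypt|\.locked\b", re.I),
}

def classify_strings(strs):
    hits = {}
    for s in strs:
        for capability, rx in INDICATORS.items():
            if rx.search(s):
                hits.setdefault(capability, []).append(s)
    return hits

def static_triage(data: bytes) -> dict:
    entropy = shannon_entropy(data)
    return {
        "hashes": file_hashes(data),
        "entropy": round(entropy, 2),
        "likely_packed": entropy > 7.2,    # high entropy: unpack first, strings will be empty
        "capabilities": classify_strings(extract_strings(data)),
    }

def build_samples() -> dict:
    """Constructed byte blobs shaped like a PE: a plain sample with readable imports
    and a 'packed' one whose body cycles through all byte values (not real malware)."""
    plain = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 40
             + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
             + b"IsDebuggerPresent\x00http://cdn.example.invalid/gate.php\x00\x00"
             + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
             + b"\x00" * 200)
    packed = b"MZ" + bytes((i * 73 + 17) % 256 for i in range(2048))
    return {"plain": plain, "packed": packed}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        report = static_triage(blob)
        print(name, "sha256", report["hashes"]["sha256"][:16], "entropy", report["entropy"],
              "packed" if report["likely_packed"] else "not packed")
        for capability, strs in report["capabilities"].items():
            print("   ", capability, "->", strs)
```

The entropy threshold of 7.2 is a rule of thumb, not a constant: legitimately compressed resources and installers also score high, and a real PE should be measured per section (the `.text` section of unpacked native code typically sits around 6), which requires parsing the section table that this first pass deliberately leaves to the disassembler.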