This document discusses cyber forensics and investigating large scale data breaches. It begins by defining cyber forensics as an electronic discovery technique used to determine and reveal technical criminal evidence, often involving extracting electronic data for legal purposes. It then discusses challenges in investigating corporate networks due to different operating systems, file systems, and administrative access used. When investigating large data breaches, security exploits and employee devices are common entry points, while pace of growth and lack of evidence erasure complicate progress. The Yahoo breach example turned tides by providing data to investigators that aided geopolitical understanding. Immediate actions include response and isolation, while tools like COFEE, SIFT, and ProDiscover aid forensic analysis at different levels.

1. MODULE 1
CYBER FORENSICS

2. INTRODUCTION
CYBER FORENSICS
MODULE 1
What is cyber forensics/computer
forensics?
Cyber forensics is an electronic
discovery technique used to determine
and reveal technical criminal evidence.
It often involves electronic data storage
extraction for legal purposes.

3. CYBER FORENSICS
MODULE 1
OR
It can be described as
● Preservation
● Identification
● Extraction
● Documentation
● Magnetically encoded
information/data

4. CYBER FORENSICS
MODULE 1
APPLICATIONS
❖ Financial Fraud Detection
❖ Criminal Prosecution
❖ Co-operate Security Policy

5. CYBER FORENSICS
MODULE 1
ADVANTAGES
● Detect fraud and identity theft
● Facilitates digital forensic analysis
● Shorten processing time
● Enhance cyber security
● Facilitates cyber defence

6. CYBER FORENSICS
MODULE 1
DISADVANTAGES
● Cost
● Increasing storage space
● Administrative issues
● New technologies
● Legal issues

7. CYBER FORENSICS
INTRODUCTION

8. What does Cyberforensics mean?
● Cyberforensics is an electronic discovery technique used to determine and
reveal technical criminal evidence. It often involves electronic data storage
extraction for legal purposes.
● Although still in its infancy, cyberforensics is gaining traction as a viable
way of interpreting evidence.
● Cyberforensics is also known as computer forensics.

9. Explanation
➢ Cybercrimes cover a broad spectrum, from email scams to downloading
copyrighted works for distribution, and are fueled by a desire to profit from
another person's intellectual property or private information.
➢ Cyberforensics can readily display a digital audit trail for analysis by
experts or law enforcement.
➢ Developers often build program applications to combat and capture online
criminals; these applications are the crux of cyberforensics.
Cyberforensic techniques include:
● Cross-driven analysis that correlates data from multiple hard drives
● Live analysis, which obtains data acquisitions before a PC is shut down
● Deleted file recovery
Each of the above techniques is applied to cyberforensic investigations.

10. Information Security Investigations
What is Cyber Investigation ?
● Cyber investigation is the process that law enforcement officers use to
track criminals via the computer. This process may be to investigate
computer crimes or it may be to track records of criminals using
computer forensics.

11. Forensic cases vary greatly
❖ Some deal with computer intruders stealing data
❖ others involve hackers that break into web sites and launch DDoS
attacks or attempt to gain access to user names and passwords for
identity theft with fraudulent intentions.
❖ Some cases involve cyber-stalking or wrongdoers that visit
prohibited sites (e.g., child pornography websites).

12. The Computer Forensic Process
The purpose of a computer forensic examination is to recover data from computers seized
as evidence in criminal investigations. Experts use a systematic approach to examine
evidence that could be presented in court during proceedings. The involvement of forensic
experts needs to be early on in an investigation as they can help in properly collecting
technical material in a way that allows the content without any damage to its integrity.
Forensic investigation efforts can involve many (or all) of the following steps:
● Collection – search and seizing of digital evidence, and acquisition of data
● Examination – applying techniques to identify and extract data
● Analysis – using data and resources to prove a case
● Reporting – presenting the info gathered (e.g., written case report)

13. ➔ Once a criminal case is open, computers and other digital media equipment
and software will be seized and/or investigated for evidence.
➔ During the retrieval process, all essential items are collected in order to give
the forensic analyst what s/he needs to give testimony in court.
➔ Then it is time to extract and analyze data. A computer forensic investigator
takes into account the 5Ws (Who, What, When, Where, Why) and How a
computer crime or incident occurred.
➔ Using standard evaluation criteria, the examiner can identify
security-related lapses in a network environment looking for suspicious
traffic and any kind of intrusions, or they can gather messages, data,
pictures, and other information to be uniquely attributed to a specific user
involved in a case.
➔ The forensics process includes also report writing. Computer forensic
examiners are required to create such reports for the attorney to discuss
available factual evidence.

14. Ways to Obtain Evidence Forensically
● Dead Analysis
● Live Analysis

15. CORPORATE CYBER
FORENSICS
By Radhika Rajan

16. CYBER FORENSICS
Cyberforensics is an electronic
discovery technique used to
determine and reveal technical
criminal evidence. It often involves
electronic data storage extraction for
legal purposes.

17. •In large companies one can expect to see virtually every type and
version of Windows desktop and server operating systems. The
investigators routinely run into Windows, Linux, Solaris, HP-UX, and
AIX, plus different versions of each OS.
•Not only are there different operating systems, but also they are
deployed in a wide array of implementations. Some are running
relatively small, self-contained servers and desktops that use native
file system types. Others use large RAID, SAN, or NAS storage or
employ a mixture of various file systems
•Administration also comes in a variety of flavors.Systems could be
accessed by either direct or virtual consoles.

18. • A single system could have one or more administrators. Authentication could be
local or via domain administrative access.
• Two-factor authentication : “something you know” such as a password and
“something you have” such as an RSA SecurID token might be required.
• To perform incident response or remote forensics, computers often need to be
accessed via the network.
• Even the environment containing the system of forensic interest is an important
factor. Production, test, laboratory, and desktop environments are vastly different
from each other and greatly affect the forensic approach.
• There are also many elements supporting a network such as routers, switches,
firewalls, and intrusion detection systems that are likely to be part of the
investigation.

19. •The most important aspect of successfully managing cyber forensics
in a corporate environment is cooperation.
•The Investigative Approach: In the corporate world even the simplest
of cases can be complex. Many user computer systems, particularly
laptops, are now using full disk encryption, which requires application
of appropriate decryption methods, before acquiring the necessary
data.

20. AUPs OR USAGE POLICIES
•In addition to managing the security of data assets,
Information Technology (IT) has taken a significant
role in managing the enforcement of corporate
Acceptable Use Policies (AUPs).
•An acceptable use policy (AUP) is a document
stipulating constraints and practices that a user must
agree to for access to a corporate network or the
Internet.

21. CORPORATE CYBER FORENSICS
•The cyber forensics practiced with respect to huge corporates are
basically called corporate cyber forensics.
•The employees are monitored regularly and checked whether they
are strictly sticking with the usage policies.
•If any suspicious activities are observed, then the cyber forensics skills
are used to investigate the scenario.
• IT staff use some of the same computer forensic skills practiced by
law enforcement, but investigations often require an extension of
those skills to meet the unique nature of corporate surveillance and
investigation.

22. SCIENTIFIC METHOD IN
FORENSIC ANALYSIS

23. What is forensic analysis?
► Forensic Data Analysis is a branch of
Digital forensics.
► It examines structured data with regard
to incidents of financial crime.
► The aim is to discover and analyse
patterns of fraudulent activity.
► Unstructured data usually referred to as
Computer forensics.

24. What is the main purpose of
forensic analysis?
Forensic Analysis is a term for in-depth
analysis, investigation whose purpose is to
objectively identify.
Basically forensic analysis investigates an
offense or crime shows who,how and when
something caused.

25. SCIENTIFIC METHOD
1. Making an Initial observation
2. Giving a provisional hypothesis
3. Testing the hypothesis
4. Create/perform an experiment
5. Scientific Theory
6. Scientific Law

26. ► The above process is known as the scientific
methods.
► The end result of the application of the
scientific method is a scientific law.
► Universality and repeatability are key
features of scientific laws

27. Soda Can Demo

28. How could we use the scientific method
here?
1. Initial observation:Can contain diet soda float and
regular soda sink.
2. Hypothesis:Cans with more sugar will sink down
move in the bin.
3. Testing the Hypothesis:Doing the experiment by
adding higher and medium sugar amount.
4. Perform the experiment:Higher amount of sugar
in the can sink more down.

29. Analyzing Malicious software
Athira Sajeev
Roll No:15
S7 IT

30. What is malicious software?
• Known as malware
• It brings harm to your computer system.
• Malware can be in the form of worms,
viruses, trojans, spyware, adware and
rootkits, etc.,
• which steal protected data, delete documents
or add software not approved by a user.

31. What is malware analysis?
• Malware is an umbrella term for various types of
malicious programs designed by cybercriminals.
• Today, more and more online users are becoming
victims of cyber attacks and organizations
invariable of their size are also being targeted.
• The malicious programs provide backdoor entry
into computing devices for stealing personal
information, confidential data, and much more.
• There are two types of malware analysis, Static
and Dynamic.

32. Why Is It Needed?
• Malware Analysis refers to the process by which the
purpose and functionality of the given malware samples are
analyzed and determined.
• Provides a detection technique for the malicious codes. And
also develop an efficient removal tools which can definitely
perform malware removal on an infected system.
• Before 10 to 15 years, malware analysis was conducted
manually by experts ,
• It was a time-consuming and cumbersome process.
• The number of malware that required to be analyzed by
security experts kept slowly creeping up on a daily basis.
• This demand led for effective malware analysis procedures.

33. Types Of Malware Analysis
Static Analysis
• Static Analysis also called static code analysis, is a process of
software debugging without executing the code or
program. In other words, it examines the malware without
examining the code or executing the program. The
techniques of static malware analysis can be implemented
on various representations of a program. The techniques
and tools instantaneously discover whether a file is of
malicious intent or not. Then the information on its
functionality and other technical indicators help create its
simple signatures.
• The source code will help static analysis tools in finding
memory corruption flaws and verify the accuracy of models
of the given system.

34. Dynamic Analysis
• The dynamic analysis runs malware to examine its
behavior, learn its functionality and recognize
technical indicators. When all these details are
obtained, they are used in the detection signatures.
The technical indicators exposed may comprise of IP
addresses, domain names, file path locations,
additional files, registry keys, found on the network or
computer.
• Additionally, it will identify and locate the
communication with the attacker-controlled external
server. The intention to do so may involve in zeroing in
on the command and control purposes or to download
additional malware files. This can be related to many
of the common dynamic malware or automated
sandbox analysis engines perform today.

35. INVESTIGATING LARGE SCALE
DATA-BREACH CASES
S7IT
43
Sreehari Vishnu

36. •When you think “data breaches,” the first thing that comes to mind is
likely “hackers”, people who maliciously attack your systems to get
ahold of your data.
•A large scale data breach incomparable to simpler individual victims
as it scales the risk factor towards a community in millions and
billions either it be credentials or behavioral. It's more like resourcing
for millions of attacks in future.
•A clandestine cybercrime is not successful just after the action being
committed, its when all traces of logs and signatures are also
eliminated that can be used to backtrack the event.
•There are no Ideal Crimes, it's just the complexities of the tools being
used make investigating the crime harder than committing one.

37. DATA BREACH
•SECURITY EXPLOIT
vulnerabilities are researched and utilised inclusive of both physical
and non-physical
Employees, Unsecure Mobile Devices, Cloud Storage Applications,
Third-Party Service Providers, Malicious Malware Attacks,..
•ENTRY
as most cybercrimes are not confined to geographical jurisdiction, it
limits it to the requirement of connectivity towards the API physically
or by network

38. •PACE IN GROWTH
Data breach reports see 75% increase in last two years
and that's only census of 10%, the globally reported crimes.
•PROGRESS
the action taken on reported crimes have increased
investigating massive data breaches are a turmoil as the attackers does
necessary precautions to erase traces and evidences for forensics
training cyber crime units and developing and provide tools that help
them collect and process evidence.
Recruiting Blackhats to Greyhats from security conventions

44. Yahoo Attack Turned Tides
Yahoo's user database and the Account Management Tool
Backdoor on a Yahoo server
phone numbers, password challenge questions and answers
and, crucially, password recovery emails and a cryptographic
value unique to each account
The hacked users included an assistant to the deputy chairman of Russia,
an officer in Russia's Ministry of Internal Affairs and a trainer working in
Russia's Ministry of Sports. Others belonged to Russian journalists, officials
of states bordering Russia, U.S. government workers, an employee of a
Swiss Bitcoin wallet company and a U.S. airline worker.

46. •IMMEDIATE ACTIONS
reporting and deployment of response team
isolation of infected component
backing up and cloning to work on
•TOOLS
Computer Online Forensic Evidence Extractor (COFEE) by microsoft
SIFT- SANS Investigative Forensic Toolkit-byte level FOSS
ProDiscover Forensic-sector level
Specific Suits Used Internally or Externally Private Investigators..