2OEE6102: Cyber Security
Chapter 3
Cyber Forensics and Auditing
1. Reference Book:
- Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives by Nina Godbole and Sunit Belapure, Wiley
2. Lecture Materials
• Forensics - The science of investigating compromised computer systems to understand attacker tools, techniques, and procedures, and also to determine indicators of compromise. Forensic investigation involves analyzing logs, files, and sometimes program code to understand attacker activities and methods.
Cyber Crime
What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a computer
network or a networked device.
Most, but not all, cybercrime is committed by cybercriminals or hackers who want to
make money. Cybercrime is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically
skilled. Others are novice hackers.
Rarely, cybercrime aims to damage computers for reasons other than profit. These
could be political or personal.
What are the categories of cybercrime?
Individual:
This cyber crime category includes disseminating malicious or illegal information via the internet and digital applications by one person. Cyber stalking, pornography distribution, and trafficking are a few examples of this category of cyber crime.
Property:
This cyber crime is similar to a real-life incident where a criminal keeps the bank or
credit card information illegally. The hacker steals an individual’s bank details to
acquire money or makes phishing scams online to obtain information from people.
Government:
It is the least frequent cyber crime, but it is the most serious misconduct. A cyber
crime against the government is also regarded as Cyber Terrorism. Government
cyber crime involves the hacking of websites, military websites, or the distribution
of government propaganda.
Cybercrime
Cybercrimes are often classified as:
Internal Attacks:
Examples of internal attacks: spying, theft of property, manipulation of records, and computer virus attacks.
External Attacks:
Examples of external attacks: SQL injection attacks, brute-force password cracking, fraud, phishing/spoofing, denial-of-service attacks, and cyber defamation.
Types of cybercrime
Cyberespionage (Govt. or Company Data)
Crypto-jacking
Email and internet fraud.
Theft of financial/Card payment data.
Theft and sale of corporate data.
Ransomware attacks (Type of cyber extortion).
The Case 1: Insider Attack
At a research company, the Chief Information Security Officer (CISO) noticed unusual activity by one worker. A bit of software (hacking tools) was found running, and a black screen with scrolling white text was observed on all of the worker's systems. The CISO decided to contact a forensic team.
The Investigation 1:
The forensic team performed covert forensic imaging and examination of the suspect's laptop and desktop computers.
The examination revealed several interesting facts.
The suspect had cracked the local admin password on both of his computers and installed a key logger on each.
This was done so that he would know if someone had become suspicious and accessed his computer while he was away.
He would catch anyone trying to place any sort of monitoring software on either of his computers. For this purpose, he deployed a potent detection mechanism to alert him if he was under investigation.
On his laptop, the suspect had installed various hacker tools (network sniffers, password crackers, network vulnerability scanners, etc.) in addition to data scrubber software.
Initially, the laptop revealed no evidence of wrongdoing because of the data scrubber, which he used periodically to wipe his hard drive.
Later, the forensic team collected the network traffic and analyzed the logs, and the truth was finally revealed: he had successfully compromised the whole network and cracked all the other researchers' passwords.
He would periodically log in to the server, access other researchers' data and download it to his laptop to take it home.
He would then remove the data from his laptop and run the scrubber software to eliminate any evidence that other scientists' data had ever been present on his hard drive.
The Case 2: External Attack
ABC Bank (ABC) identified unauthorized wire transfers from their environment.
They needed to understand quickly when and how it happened, so as to mitigate future attacks and notify affected customers.
ABC engaged the Security Engineering Research Team (SERT) to provide on-demand critical incident response services.
The Result 2:
• ABC could quickly notify only those customers affected by the attacks, avoiding the necessity for a broader public disclosure of the incident.
• Doing so reduced the overall cost of the incident and helped to preserve ABC's reputation with customers who were not affected.
• It also helped to stop additional fraudulent wire transfers from occurring.
The Investigation 2:
SERT identified and provided an inventory of indicators of compromise to ABC and assisted with investigations of their network infrastructure to identify additional unauthorized remote administration or other attacker tools.
Because the attacker used the cloud to mask the attack, SERT wrote special tools to analyze the multi-host command and control infrastructure the attacker used.
While reverse engineering malware identified during the attack, SERT experts pieced together the precise methods the attacker used to obtain an initial foothold in the ABC protected network. The analysis revealed not only findings from the present incident, but also aspects of security and process that ABC should consider improving in order to prevent and detect future attacks.
In this case, SERT also found a SQL injection vulnerability in a cloud application used by ABC Bank that allowed controls to be bypassed.
Cyber Crime Investigation
Digital crime or cybercrime is a crime that involves the usage of a computer, phone or
any other digital device connected to a network.
Cybercrime investigation is the process of investigating, analysing and recovering
critical forensic digital data from the networks involved in the attack—this could be the
Internet and/or a local network.
Cybercrime investigators must be:
• Experts in computer science,
• Able to understand software, file systems and operating systems,
• Knowledgeable about how networks and hardware work.
They must be knowledgeable enough to:
• Determine how the interactions between these components occur,
• Get a full picture of what happened,
• Why it happened,
• When it happened,
• Who performed the cybercrime itself,
• And how victims can protect themselves in the future against these types of cyber threats.
Conduct the Initial Investigation
The investigator should ask the following questions:
Who are the potential suspects?
What crimes were committed?
When were the crimes committed?
Were these crimes limited to US jurisdiction?
What evidence is there to collect?
Where might the physical and digital evidence be located?
What types of physical and digital evidence were involved with the crime?
Does any of the evidence need to be photographed/preserved immediately?
How can the evidence be preserved and maintained for court proceedings?
Who conducts cybercrime investigations?
Criminal justice agencies
National security agencies
Private security agencies
Cybercrime investigation cases
Cybercrime investigation cases: Criminal, Civil, Administrative
Criminal
Investigators must follow the set of standard forensic processes accepted by law in the
respective jurisdiction.
Investigators, under court’s warrant, have the authority to force seize the computing
devices.
A formal investigation report is required.
The law enforcement agencies are responsible for collecting and analyzing evidence.
Standard of proof needs to be very high.
Certain evidence is difficult to capture, e.g., evidence from GPS devices.
Civil
Investigators try to show some information to the opposite party to support the claims
and induce them for settlement.
Searching of the devices is generally based on mutual understanding and provides a
wider time window to the opposite party to hide the evidence.
The initial reporting of the evidence is generally informal.
The claimant is responsible for the collection and analysis of the evidence.
Punishments include monetary compensation.
Sometimes, evidence can be within the third party control.
Administrative
Generally involves an agency or government performing inquiries to identify facts with
reference to its own management and performance.
Such investigations are non-criminal in nature and relate to misconduct or activities of an employee that include, but are not limited to:
Violation of organization’s policies, rules or protocols
Resources misuse or damage or theft
Threatening or violent behavior
Improper promotion or pay rises.
Any violation may result in disciplinary action such as demotion, suspension,
revocation, penalties, and dismissal.
For situations like promotions, increments, transfers, etc., administrative investigations
can result in positive outcomes, like modifications to existing policies, rules, or
protocols.
Cybercrime investigation techniques
Background check:
Creating and defining the background of the crime with known facts will help
investigators set a starting point to establish what they are facing, and how much
information they have when handling the initial cybercrime report.
Information gathering:
One of the most important things any cybersecurity researcher must do is grab as
much information as possible about the incident.
Tracking and identifying the authors:
This next step is sometimes performed during the information-gathering process,
depending on how much information is already in hand.
Digital forensics:
Once researchers have collected enough data about the cybercrime, it’s time to
examine the digital systems that were affected, or those supposed to be involved in
the origin of the attack.
Steps of Forensic Investigation
An incident occurs in a company or organization.
The employees or members contact the company's advocate for legal advice.
The advocate contacts a cyber forensics investigator (external or internal).
The forensic investigator comes and prepares the FRP, i.e., First Response Procedure documentation.
The investigator then seizes the evidence and other assets related to the crime scene and transports them to a forensics lab.
He/she then starts analysing the files and other assets.
All the data is examined one piece after another, and the person or group of people associated with the incident are contacted.
A report is produced that concludes the investigation, in which all the analyses are written up and explained.
The report is then handed to the organization's legal authorities.
The legal authority goes through the report(s) and presses charges against the offender in a court of law.
The forensic investigator deletes all the data once the entire case is closed.
Challenges cyber crimes present to Investigators
Cyber crimes pose new challenges because of
Speed
Anonymity
Volatile nature of Evidence
Evidence Size and Complexity
Anti-Digital Forensics
Global origin and difference in laws
Limited legal understanding
Cyber Forensics (Computer Forensics / Digital Forensics)
Cyber forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law.
The goal of cyber forensics is to perform a structured investigation and maintain a
documented chain of evidence to find out exactly what happened on a computing device
and who was responsible for it.
Computer Forensics - A set of methodological procedures and techniques that help
identify, gather, preserve, extract, interpret, document, and present evidence from
computers in a way that is legally admissible.
Computer forensics -- which is sometimes referred to as computer forensic
science -- essentially is data recovery with legal compliance guidelines to make
the information admissible in legal proceedings. The terms digital
forensics and cyber forensics are often used as synonyms for computer
forensics.
Digital forensics starts with the collection of information in a way that
maintains its integrity. Investigators then analyze the data or system to
determine if it was changed, how it was changed and who made the changes.
The use of computer forensics isn't always tied to a crime. The forensic process
is also used as part of data recovery processes to gather data from a crashed
server, failed drive, reformatted operating system (OS) or other situation where
a system has unexpectedly stopped working.
Cyber forensics plays a key role in the investigation of cybercrime. Evidence in a cyber forensics case is extremely important from a legal perspective. There are legal aspects involved in the investigation as well as in the handling of the digital forensic evidence. Only technically trained and experienced experts should be involved in the forensics activities.
WHAT IS COMPUTER FORENSICS?
Computer forensics is the process of methodically examining
computer media (hard disks, diskettes, tapes, etc.) for evidence. In
other words, computer forensics is the collection, preservation,
analysis, and presentation of computer-related evidence.
Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
Computer evidence can be useful in criminal cases, civil disputes,
and human resources/ employment proceedings.
Objectives of Computer Forensics
Identify, gather, and preserve the evidence of a cybercrime
Track and prosecute the perpetrators in a court of law
Interpret, document and present the evidence to be admissible during prosecution
Estimate the potential impact of a malicious activity on the victim and assess the intent
of the perpetrator
Find vulnerabilities and security loopholes that help attackers
Understand the techniques and methods used by attackers to avoid prosecution, and
overcome them
Recover deleted files, hidden files, and temporary data that could be used as evidence
Perform incident response to prevent further loss of intellectual property, finances and
reputation during an attack
USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
Computer forensics assists in Law Enforcement. This can include:
Recovering deleted files such as documents, graphics, and photos.
Searching unallocated space on the hard drive, places where an
abundance of data often resides.
Tracing artifacts, those tidbits of data left behind by the operating
system. Our experts know how to find these artifacts and, more
importantly, they know how to evaluate the value of the information
they find.
Processing hidden files — files that are not visible or accessible
to the user — that contain past usage information. Often, this
process requires reconstructing and analyzing the date codes for
each file and determining when each file was created, last
modified, last accessed and when deleted.
Running a string-search for e-mail, when no e-mail client is
obvious.
COMPUTER FORENSICS SERVICES
Computer forensics professionals should be able to successfully perform complex evidence
recovery procedures with the skill and expertise that lends credibility to your case. For
example, they should be able to perform the following services:
1. DATA SEIZURE
Following federal guidelines, computer forensics experts should act as the representative,
using their knowledge of data storage technologies to track down evidence.
The experts should also be able to assist officials during the equipment seizure process.
2. DATA DUPLICATION/PRESERVATION
When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party.
The computer forensics experts should address both of these concerns by making an exact duplicate of the needed data.
When the experts work on the duplicate data, the integrity of the original is maintained.
3. DATA RECOVERY
Using proprietary tools, your computer forensics experts should be able to safely
recover and analyze otherwise inaccessible evidence.
The ability to recover lost evidence is made possible by the expert’s advanced
understanding of storage technologies.
4. DOCUMENT SEARCHES
Computer forensics experts should also be able to search over 200,000 electronic
documents in seconds rather than hours.
The speed and efficiency of these searches make the discovery process less complicated
and less intrusive to all parties involved.
5. MEDIA CONVERSION
Computer forensics experts should extract the relevant data from old and un-readable
devices, convert it into readable formats, and place it onto new storage media for
analysis.
6. EXPERT WITNESS SERVICES
Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion.
This should help judges and juries comprehend how computer evidence is found, what it
consists of, and how it is relevant to a specific situation.
The main aim of cyber forensics is to maintain the thread of evidence and
documentation to find out who did the crime digitally. Cyber forensics can do the
following:
• It can recover deleted files, chat logs, emails, etc.
• It can also get deleted SMS, Phone calls.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for how much time.
• It can identify which user ran which program.
Incident handling
Cybersecurity and forensics have another essential term that is often used in this field: incident handling.
Computer security incidents are real or suspected adverse events relating to cybercrime, cybersecurity and computer networks.
Forensic investigators or internal cybersecurity professionals hired by organizations to handle such events and incidents are known as incident handlers.
Incidents are categorized into three types:
Low-level incidents: where the impact of cybercrime is low.
Mid-level incidents: The impact of cybercrime is comparatively high and needs
security professionals to handle the situations.
High-level events: where the impact of cybercrime is the most serious and needs
security professionals, and forensic investigators to handle the situations and
analyze the scenario, respectively.
Digital forensics is the process that deals with the recovery and investigation of
data that is stored on digital devices. It also pertains to the hardware and
software tools that experts use to retrieve the data without loss. In this lesson,
we will discuss data storage devices, what these devices are, how they are used,
and the benefits of each separately in digital forensics.
Objectives of computer forensics
Here are the essential objectives of using Computer forensics:
It helps to recover, analyze, and preserve computer and related materials in such a
manner that it helps the investigation agency to present them as evidence in a court of
law.
It helps to postulate the motive behind the crime and identity of the main culprit.
Designing procedures at a suspected crime scene which helps you to ensure that the
digital evidence obtained is not corrupted.
Data acquisition and duplication: Recovering deleted files and deleted partitions from
digital media to extract the evidence and validate them.
Helps you to identify the evidence quickly, and also allows you to estimate the potential
impact of the malicious activity on the victim
Producing a computer forensic report which offers a complete report on the
investigation process.
Preserving the evidence by following the chain of custody.
Data Forensics Introduction
Forensic technologies are designed to prepare and extract evidence from
computer systems. Any devices that store data (e.g. computers, laptops,
smartphones, memory cards or external hard drives) are within the ambit of
digital forensics. The forensics process is outlined as follows:
1.Identification
2.Preservation
3.Collection
4.Examination
5.Analysis
6.Presentation
Identification
It is the first step in the forensic process. The identification process mainly includes things like what
evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.
Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital
device so that digital evidence is not tampered with.
Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on evidence
found. However, it might take numerous iterations of examination to support a specific crime theory.
Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime scene and
reviewing it. It Involves proper documentation of the crime scene along with photographing, sketching,
and crime-scene mapping.
Presentation
In this last step, the process of summarization and explanation of conclusions is done.
The two basic types of data collected in computer forensics are:
• persistent data, i.e., data stored on a local hard drive (or another device) that is preserved when the computer is turned off; and
• volatile data, i.e., data stored in memory that is lost when the computer loses power.
In forensics, to handle this data there exist experts in operating and file systems, data recovery, cloud
computing, and more.
They analyze hard disks or hard-disk images from a variety of different operating systems and provide
an interface so that files can be analyzed and information or data gathered in an electronic format is
extremely easy to extract and store.
Forensics & Storage Devices
Solid State Disks (SSD)
Solid State Disks (SSDs) store data using flash-memory chips (NAND flash memory).
There are no moving parts to break, and data is stored electronically, not magnetically. The advantages of SSDs are their size, weight, and lower power usage than hard disks. They come in many different shapes depending on chip count and how those chips are arranged.
They are more expensive, but are faster at reading and writing data. One drawback is that there are no warning signs if a total drive failure is about to occur.
They are a suitable replacement for hard drives in desktop and laptop computers. Traditional forensic methods fail when attempting to recover information deleted from SSDs, so new methods have had to be developed.
Magnetic Media
Magnetic media store data on a magnetized medium. There are three types of storage devices in this area:
• Floppy disks: These devices contain soft magnetic disks used for data transfer, storage and backup of small amounts of data. An important disadvantage is that they can be affected by heat, dust and magnetic fields. Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives.
• Magnetic tapes: These devices are similar to an audio cassette tape. They are well-suited for archiving because of their high capacity, low cost and long durability. Compared to a hard disk, these are very slow. You can only get to data by winding through the tape. Data is written to magnetic tapes mostly for long-term storage. Because data is stored magnetically, care must be taken to keep tapes away from all types of magnetic fields. They differ in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This drastically increases the time it takes to make a forensic recovery.
• Hard drives: These devices contain hard magnetic platters which store and retrieve digital information.
They are more accessible and affordable than SSDs and have the largest capacity. One drawback is that they consume more power and produce more noise while in operation than SSDs do. Because of their movable, mechanical parts, hard drives are vulnerable to damage when shaken or dropped.
Data resides on these disks even after the power supply is turned off.
Information from hard drives may be recoverable using data carving techniques or by using a commercial data recovery tool.
Another forensic recovery method is to clone a hard drive to an image file. This is more practical, but depends on the size of the source hard drive and the equipment that is used.
Digital Audio Tapes
DAT (Digital Audio Tape) is a cassette-based signal recording and playback medium. It is similar in appearance to a compact cassette, but with one main difference: earlier tapes were analog, whereas DAT is digital. Unlike standard tapes, digital tapes record in only one direction. DAT can record at sampling rates higher than, equal to, or lower than those of a CD. Consumers took to it only casually, and it occupies a modest market.
Guide to Computer Forensics and Investigations 41
Understanding Storage Formats for Digital Evidence
Three formats
Raw format
Proprietary formats
Advanced Forensics Format (AFF)
Raw Format
Makes it possible to write bit-stream data to files
Advantages
Fast data transfers
Can ignore minor data read errors on source drive
Most computer forensics tools can read raw format
Disadvantages
Requires as much storage as original disk or data
Tools might not collect marginal (bad) sectors
Proprietary Formats
Features offered
Option to compress or not compress image files
Can split an image into smaller segmented files
Can integrate metadata into the image file
Disadvantages
Inability to share an image between different tools
File size limitation for each segmented volume
Advanced Forensics Format
Developed by Dr. Simson L. Garfinkel of Basis Technology
Corporation
Design goals
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for
metadata
Simple design with extensibility
Open source for multiple platforms and OSs
Advanced Forensics Format (continued)
Design goals (continued)
Internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata
AFF is open source
Determining the Best Acquisition Method
Types of acquisitions
Static acquisitions and live acquisitions
Four methods
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Logical disk-to-disk or disk-to-data file
Sparse data copy of a file or folder
Determining the Best Acquisition Method (continued)
Bit-stream disk-to-image file
Most common method
Can make more than one copy
Copies are bit-for-bit replications of the original drive
ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
When disk-to-image copy is not possible
Consider disk’s geometry configuration
EnCase, SafeBack, SnapCopy
Determining the Best Acquisition Method (continued)
Logical acquisition or sparse acquisition
When your time is limited
Logical acquisition captures only specific files of interest to the case
Sparse acquisition also collects fragments of unallocated (deleted) data
For large disks
PST or OST mail files, RAID servers
Determining the Best Acquisition Method (continued)
When making a copy, consider:
Size of the source disk
Lossless compression might be useful
Use digital signatures for verification
When working with large drives, an alternative is using tape backup systems
Whether you can retain the disk
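As an added example (not from the lecture deck or the textbook it cites), the following Python script imitates what the storage-format and acquisition slides above describe: a bit-stream copy of a source written as segmented raw files with a metadata manifest, per-segment and whole-image SHA-256 values for verification, and a self-authentication check that reports which segment was damaged. The file names, the 4 KB segment size and the case metadata are constructed for the demo; a real tool would use far larger segments and a block device as the source.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SEGMENT_SIZE = 4096   # constructed for the demo; real tools use segments of hundreds of MB or more


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def acquire_segmented(source: Path, out_dir: Path, case_meta: dict) -> Path:
    """Bit-stream copy of `source` into raw segment files plus a JSON manifest.

    Every segment records its own SHA-256, and the manifest also carries the
    SHA-256 of the whole source, so the image can later be authenticated
    without access to the original drive.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    whole = hashlib.sha256()
    segments = []
    with open(source, "rb") as src:
        idx = 0
        while True:
            data = src.read(SEGMENT_SIZE)
            if not data:
                break
            seg_path = out_dir / f"{source.stem}.{idx:03d}.raw"
            seg_path.write_bytes(data)
            whole.update(data)
            segments.append({"file": seg_path.name, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
            idx += 1
    manifest = {
        "case": case_meta,                       # examiner / case identifiers travel with the image
        "source_size": source.stat().st_size,
        "source_sha256": whole.hexdigest(),
        "segment_size": SEGMENT_SIZE,
        "segments": segments,
    }
    manifest_path = out_dir / f"{source.stem}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_image(manifest_path: Path) -> dict:
    """Self-authentication check: each segment hash and size, and the hash of the
    concatenated segments, must match the manifest. Reports the bad segments."""
    manifest = json.loads(manifest_path.read_text())
    seg_dir = manifest_path.parent
    whole = hashlib.sha256()
    bad = []
    for seg in manifest["segments"]:
        path = seg_dir / seg["file"]
        if not path.exists():
            bad.append(seg["file"])
            continue
        data = path.read_bytes()
        whole.update(data)
        if len(data) != seg["size"] or hashlib.sha256(data).hexdigest() != seg["sha256"]:
            bad.append(seg["file"])
    return {"ok": not bad and whole.hexdigest() == manifest["source_sha256"],
            "bad_segments": bad}


def reassemble(manifest_path: Path, target: Path) -> None:
    """Rebuild one flat raw image from the segments for tools that cannot read segments."""
    manifest = json.loads(manifest_path.read_text())
    with open(target, "wb") as out:
        for seg in manifest["segments"]:
            out.write((manifest_path.parent / seg["file"]).read_bytes())


def demo() -> dict:
    """Constructed sample: a 10,000-byte 'drive', so the copy needs three segments."""
    work = Path(tempfile.mkdtemp())
    source = work / "evidence.dd"
    source.write_bytes(bytes(range(256)) * 39 + b"\x00" * 16)   # 10000 bytes, constructed
    manifest = acquire_segmented(source, work / "image",
                                 {"case": "DEMO-001", "examiner": "J. Doe"})   # placeholders
    before = verify_image(manifest)
    flat = work / "evidence.flat.dd"
    reassemble(manifest, flat)
    same_as_source = sha256_file(flat) == sha256_file(source)
    # Simulate a single bit flip in the second segment, as a damaged copy would show.
    seg1 = work / "image" / "evidence.001.raw"
    damaged = bytearray(seg1.read_bytes())
    damaged[0] ^= 0x01
    seg1.write_bytes(bytes(damaged))
    after = verify_image(manifest)
    return {"before": before, "after": after,
            "reassembled_matches_source": same_as_source,
            "segment_count": len(json.loads(manifest.read_text())["segments"])}
```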
Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
Use different tools or techniques
Copy host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS
level
Be prepared to deal with encrypted drives
Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
Using Acquisition Tools
Acquisition tools for Windows
Advantages
Make acquiring evidence from a suspect drive more convenient
Especially when used with hot-swappable devices
Disadvantages
Must protect acquired data with a well-tested write-blocking hardware device
Tools can't acquire data from a disk's host protected area
WHY INVESTIGATE A CYBERCRIME?
Conducting a cyber investigation may be initiated for many
reasons and not just to find out who the bad guy is and
prosecute them. Some reasons include identifying where the
weaknesses in systems are, how they were exploited, how to
tighten security, and developing training packages for staff to
make them more aware of cyber safety.
Clients who have their data stolen may want answers as to the
severity of the attack, and should the data stolen belong to
another party, there is the potential for the process of taking
legal action to follow.
A final reason is that cyber insurers may want to know whether
there were security failures that allowed the attack to occur or if
system flaws magnified the attack.
THE CYBER INVESTIGATOR
The role of the cyber investigator is different from that of the IR (Incident Response) team. The investigator is like the detective at the homicide scene. The lead detective directs the investigation, including tasking experts to perform photography, scientific examination, area inquiries, forensic examination of exhibits, ballistic examination, interviews, and so on at the scene.
The investigator does not have to be an expert in each of these fields, but
they must understand the role of each expert, be able to direct the experts,
and be able to understand the relevance of the evidence each produces,
which will then lead to further lines of inquiry.
Whereas on television a cyber investigator may be an expert on everything
digital they see and touch, in a real-world investigation this is not even
close to reality. There is just too much technology: it is constantly changing
and no one person is an expert on everything.
Role of forensics Investigator
• The forensics investigator is the person initially responsible for examining the "captured" evidence from the scene of the incident or event.
• The investigator documents the various types of data captured, provides the research into the parameters and technical specifications of the data storage devices, and details the types and locations of the various data components of the evidence as it is presented to him by the data capture specialist identified above.
The forensics investigator needs to have “expert-level” skills and technical knowledge
for:
1. The operating system under review
2. The application and its data structures under review
3. The hardware and machines under review
4. Any databases being reviewed for data
5. The network appliances and devices and their data
The basic steps for the forensics investigator process include:
1. Record how the data was acquired from the suspect drive or dataset.
2. Process the data methodically and logically.
3. List all folders and files on the image or drive.
4. If possible, examine the contents of all data files in all folders, starting at the root
directory of the volume partition.
5. For all password-protected files that might be related to the investigation, make a best
effort to recover file contents.
6. Identify the function of every executable (binary or .exe) file that doesn’t match known
hash values.
7. Maintain control of all evidence and findings, and document everything as the
examination is conducted.
8. Document every step of the examination and the reason for each step.
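The steps above are easier to follow as code. The following is an added example, not part of the slides: a minimal examination workflow covering step 1 (record the acquisition), step 3 (list every file), step 6 (flag executables whose hash is not in a known set) and steps 7 and 8 (a timestamped log of every action and its reason). A temporary directory stands in for a mounted forensic image, and the set of known hashes is constructed for the demo; in practice it would come from a hash database.

```python
"""Added example (not from the slides): a minimal, reproducible examination
workflow for steps 1, 3, 6, 7 and 8. A temporary directory stands in for a
mounted forensic image; the set of known hashes is constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Extensions treated as executables for step 6 (an assumption for the demo).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bin", ".sh", ".elf"}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExaminationLog:
    """Steps 7 and 8: every action and the reason for it, timestamped as it happens."""

    def __init__(self):
        self.entries = []

    def record(self, step: str, reason: str, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "step": step, "reason": reason, **details})


def examine_image(root: str, known_hashes: set, log: ExaminationLog) -> dict:
    """Step 1: record the source; step 3: list every file; step 6: flag
    executables whose hash is not in the known set."""
    log.record("acquire", "record how the dataset was obtained", source=root)
    inventory, unknown = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest = sha256_file(path)
            inventory.append({"path": rel, "sha256": digest,
                              "size": os.path.getsize(path)})
            is_exe = os.path.splitext(name)[1].lower() in EXECUTABLE_SUFFIXES
            if is_exe and digest not in known_hashes:
                unknown.append(rel)
                log.record("flag", "executable hash not in known set",
                           path=rel, sha256=digest)
    log.record("inventory", "list all folders and files on the image",
               count=len(inventory))
    return {"files": inventory, "unknown_executables": unknown}


def build_demo_image() -> str:
    """Constructed sample 'image' (not real evidence): one known, one unknown binary."""
    root = tempfile.mkdtemp(prefix="demo_image_")
    os.makedirs(os.path.join(root, "Users", "alice"))
    with open(os.path.join(root, "Users", "alice", "notes.txt"), "w") as f:
        f.write("meeting at 10\n")
    with open(os.path.join(root, "Users", "alice", "tool.exe"), "wb") as f:
        f.write(b"MZ\x90\x00constructed-unknown-binary")
    with open(os.path.join(root, "known.exe"), "wb") as f:
        f.write(b"MZ\x90\x00constructed-known-binary")
    return root


def demo() -> dict:
    """Run the workflow on the constructed image; return inventory, flags and log."""
    root = build_demo_image()
    try:
        # In practice the known set comes from a hash database; here it is constructed.
        known = {sha256_file(os.path.join(root, "known.exe"))}
        log = ExaminationLog()
        result = examine_image(root, known, log)
        result["log"] = log.entries
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for admissibility: the inventory records a hash and size for every file, so a later examiner can show nothing in the working copy changed, and the log is written as the work happens rather than reconstructed afterwards.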
Types of computer forensics
There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
Network forensics:
This involves monitoring and analyzing the network traffic to and from the criminal’s
network. The tools used here are network intrusion detection systems and other
automated tools.
Email forensics:
In this type of forensics, the experts check the email of the criminal and recover deleted
email threads to extract crucial information related to the case.
Malware forensics:
This branch of forensics deals with hacking-related crimes. Here, the forensics expert
examines the malware (trojans, etc.) to identify the attacker behind it.
Memory forensics:
• This branch of forensics deals with collecting data from memory (cache, RAM, etc.)
in raw form and then retrieving information from that data.
Mobile Phone forensics:
This branch of forensics generally deals with mobile phones. Experts examine and
analyze data from the mobile phone.
Database forensics:
This branch of forensics examines and analyzes the data from databases and their
related metadata.
Disk forensics:
This branch of forensics extracts data from storage media by searching
modified, active, or deleted files.
Techniques that cyber forensic investigators use
Cyber forensic investigators use various techniques and tools to examine the data and
some of the commonly used techniques are:
Reverse steganography:
Steganography is a method of hiding important data inside a digital file, image, etc.
Cyber forensic experts therefore perform reverse steganography to recover such hidden
data and relate it to the case.
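To make the idea concrete, here is an added example that is not part of the slides: least-significant-bit (LSB) steganography and its reversal. A constructed byte string stands in for raw pixel samples (a real examiner would read the pixel data of the actual image file), and the length-prefixed payload layout is an assumption of this demo, not a standard.

```python
"""Added example (not from the slides): LSB steganography and its reversal.
The 'image' is a constructed byte string standing in for raw pixel samples."""


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the lowest bit of successive cover bytes."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # replace only the lowest bit
    return bytes(out)


def _read_lsb_bytes(data: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble `count` payload bytes from the LSB plane (8 cover bytes each)."""
    out = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (data[(start_byte + k) * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes):
    """Reverse steganography for this scheme: read the 4-byte length from the LSB
    plane, sanity-check it against the cover size, then read the payload.
    Returns None when the LSB plane carries no plausible length header."""
    if len(stego) < 32:
        return None
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if length == 0 or (4 + length) * 8 > len(stego):
        return None
    return _read_lsb_bytes(stego, 4, length)


# Constructed cover: 1024 bytes of a repeating ramp, standing in for pixel samples.
COVER = bytes(range(256)) * 4
PAYLOAD = b"meet at dock 9"  # constructed secret


def demo() -> dict:
    stego = embed_lsb(COVER, PAYLOAD)
    return {
        "changed_bytes": sum(a != b for a, b in zip(COVER, stego)),
        "recovered": extract_lsb(stego),
        "plain_cover": extract_lsb(COVER),  # None: no payload in the untouched cover
    }


if __name__ == "__main__":
    print(demo())
```

Note how few cover bytes change, and each by at most one unit: that is why LSB hiding is invisible to the eye and why the examiner's analysis works on the bit plane, not on the picture.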
Stochastic forensics:
In Stochastic forensics, the experts analyze and reconstruct digital activity without using
digital artifacts. Here, artifacts mean unintended alterations of data that occur from
digital processes.
Cross-drive analysis:
In this process, the information found on multiple computer drives is correlated and
cross-referenced to analyze and preserve information that is relevant to the investigation.
Live analysis:
In this technique, the suspect's computer is analyzed from within the OS while it is
running. It targets the volatile data in RAM to obtain valuable information.
Deleted file recovery:
This includes searching memory for fragments of a partially deleted file in order to
recover it for evidence purposes.
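The following is an added example, not part of the slides, of the technique behind deleted file recovery and disk forensics: signature-based file carving. When a file is deleted its directory entry is gone but its bytes usually remain in unallocated space until overwritten, so the raw bytes are scanned for known header/footer signatures instead of walking the file system. The JPEG and PNG signatures are the real ones; the image and the files inside it are constructed in memory, including one JPEG whose tail has been overwritten.

```python
"""Added example (not from the slides): signature-based file carving over a raw
image, the core of deleted-file recovery. The image is constructed in memory."""
import hashlib

# header -> (footer, extension). The signatures are real; the files below are constructed.
SIGNATURES = {
    b"\xff\xd8\xff": (b"\xff\xd9", "jpg"),
    b"\x89PNG\r\n\x1a\n": (b"IEND\xaeB`\x82", "png"),
}


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Return every carved object, sorted by offset, with a SHA-256 for the
    evidence record. An object with a header but no footer within max_size is
    reported as incomplete, which is what a partially overwritten file looks like."""
    found = []
    for header, (footer, ext) in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(header, start)
            if pos == -1:
                break
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                data = image[pos:pos + max_size]   # fragment: keep what is there
                complete = False
                start = pos + len(header)
            else:
                data = image[pos:end + len(footer)]
                complete = True
                start = end + len(footer)
            found.append({"offset": pos, "ext": ext, "complete": complete,
                          "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "data": data})
    return sorted(found, key=lambda r: r["offset"])


# Constructed sample files: a complete JPEG, a complete PNG, and a JPEG whose
# tail (including its footer) has been overwritten.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"A" * 50 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"B" * 40 + b"IEND\xaeB`\x82"
PARTIAL_JPEG = b"\xff\xd8\xff\xe0" + b"C" * 30
FILLER = b"\x00"  # stands in for unallocated, zeroed space
IMAGE = FILLER * 16 + JPEG + FILLER * 8 + PNG + FILLER * 8 + PARTIAL_JPEG + FILLER * 4


def demo() -> list:
    return carve(IMAGE)


if __name__ == "__main__":
    for obj in demo():
        status = "complete" if obj["complete"] else "PARTIAL"
        print(f"offset={obj['offset']:>5} {obj['ext']} {obj['size']:>4} bytes "
              f"{status} {obj['sha256'][:16]}")
```

The partial object is still reported rather than dropped: a fragment with a valid header is evidence that the file existed, even when its content cannot be fully recovered, and the recorded offset and hash let another examiner reproduce the finding on the same image.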
What skills are needed to be a cyber forensic expert?
The following skills are required to be a cyber forensic expert:
As we know, cyber forensics is based on technology, so knowledge of various technologies,
computers, mobile phones, network hacks, security breaches, etc. is required.
The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
The expert must be aware of criminal laws, criminal investigation, etc.
As we know, over time technology always changes, so the experts must be updated with
the latest technology.
Cyber forensic experts must be able to analyse the data, derive conclusions from it and
make proper interpretations.
The expert must have good communication skills so that, when presenting evidence
in front of the court, everyone understands each detail with clarity.
The expert must have strong knowledge of basic cyber security.
FCL-Introduction.pptx

More Related Content

Similar to FCL-Introduction.pptx

The Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptxThe Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptx
Applied Forensic Research Sciences
 
Scope of Cyber forensics
Scope of Cyber forensicsScope of Cyber forensics
Scope of Cyber forensics
Applied Forensic Research Sciences
 
CS 1.ppt
CS 1.pptCS 1.ppt
CS 1.ppt
JAYANTHKUMARTM
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docx
AliAshraf68199
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Binit Kumar
 
Computer Forensics-An Introduction of New Face to the Digital World
Computer Forensics-An Introduction of New Face to the Digital WorldComputer Forensics-An Introduction of New Face to the Digital World
Computer Forensics-An Introduction of New Face to the Digital World
rahulmonikasharma
 
Obstacles to Cybercrime Investigations
Obstacles to Cybercrime InvestigationsObstacles to Cybercrime Investigations
Obstacles to Cybercrime Investigations
Dr. Prashant Vats
 
Report of cyber crime
Report of cyber crimeReport of cyber crime
Report of cyber crimeAlisha Korpal
 
C018131821
C018131821C018131821
C018131821
IOSR Journals
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1
Anpumathews
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
TanviModi14
 
cyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometricscyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometrics
Mayank Diwakar
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1anilinvns
 
Cyber crime
Cyber crimeCyber crime
Cyber crime24sneha
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
JIEMS Akkalkuwa
 
Cybercrime
CybercrimeCybercrime
Cybercrime
MobeenaJavid
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
Dhiren Gala
 

Similar to FCL-Introduction.pptx (20)

The Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptxThe Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptx
 
Scope of Cyber forensics
Scope of Cyber forensicsScope of Cyber forensics
Scope of Cyber forensics
 
CS 1.ppt
CS 1.pptCS 1.ppt
CS 1.ppt
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docx
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Computer Forensics-An Introduction of New Face to the Digital World
Computer Forensics-An Introduction of New Face to the Digital WorldComputer Forensics-An Introduction of New Face to the Digital World
Computer Forensics-An Introduction of New Face to the Digital World
 
Obstacles to Cybercrime Investigations
Obstacles to Cybercrime InvestigationsObstacles to Cybercrime Investigations
Obstacles to Cybercrime Investigations
 
Report of cyber crime
Report of cyber crimeReport of cyber crime
Report of cyber crime
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
C018131821
C018131821C018131821
C018131821
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
 
cyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometricscyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometrics
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 

Recently uploaded

Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
deeptiverma2406
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
Tamralipta Mahavidyalaya
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
Kartik Tiwari
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
ArianaBusciglio
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 

Recently uploaded (20)

Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 

FCL-Introduction.pptx

  • 1. 2OEE6102:Cyber Security chapter 3 Cyber Forensics and Auditing 1. Reference Book: - Cyber Security Understanding Cyber Crimes, Computer Forensics and Legal Perspectives by Nina God bole and Sunit Belpure, Publication Wiley 2. Lecture Materials
  • 2.  Forensics - The science of investigating compromised computer systems to understand attacker tools, techniques, and procedures, and also to determine indicators of compromise. Forensic investigation involves analyzing logs, files, and sometimes program code to understand attacker activities and methods.
  • 3. Cyber Crime What is cybercrime? Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or organizations. Some cybercriminals are organized, use advanced techniques and are highly technically skilled. Others are novice hackers. Rarely, cybercrime aims to damage computers for reasons other than profit. These could be political or personal.
  • 4. What are the categories of cybercrime? Individual: This cyber crime category includes disseminating malicious or illegal information via the internet and digital-applications by one person. Cyber speaking, pornography distribution, and trafficking are a few examples of this category of cyber crime. Property: This cyber crime is similar to a real-life incident where a criminal keeps the bank or credit card information illegally. The hacker steals an individual’s bank details to acquire money or makes phishing scams online to obtain information from people. Government: It is the least frequent cyber crime, but it is the most serious misconduct. A cyber crime against the government is also regarded as Cyber Terrorism. Government cyber crime involves the hacking of websites, military websites, or the distribution of government propaganda.
  • 5. Cybercrime Cybercrimes are often classified as: Internal Attacks: Examples of internal attacks: spy, theft of property , manipulation of records, and computer virus attack. External Attacks: Examples of external attacks: SQL attack, bruteforce cracking, fraud, phishing/spoofing, denial of service attack, and cyber defamation.
  • 6. Types of cybercrime Cyberespionage (Govt. or Company Data) Crypto-jacking Email and internet fraud. Theft of financial/Card payment data. Theft and sale of corporate data. Ransomware attacks (Type of cyber extortion).
  • 7. The Case 1: Insider Attack Research Company Chief Information Security Officer (CISO) Unusual Activity by one worker Found Bit of Software (Hacking Tools) Run Observe Seen (Black Screen + Scrolling white Text All Worker’s System Decided to contact Forensic Team
  • 8. The Investigation 1 : The forensic team performed covert forensic imaging and examination of the suspect’s laptop and desktop computers. The examination revealed several interesting facts. The suspect cracked the ‘local’ admire password on both of his computers and installed a key logger on all. This is often to understand if someone became suspicious and accessed his computer while he was away. He would catch anyone trying to place any sort of monitoring software on either one among his computers. For this purpose, he deployed a potent detection mechanism to alert him if he was under investigation. In his laptop, the suspect installed various hacker tools (network sniffers, password crackers, network vulnerability scanners, etc.) additionally to data scrubber software. Initially, the laptop revealed no evidence of wrong doing thanks to the presence of a knowledge scrubber, which he used periodically to wash his disk drive . Later, the forensic team collected the network traffic and analyzed the logs, the reality was finally revealed: he had successfully compromised the whole network and cracked all other researcher’s passwords. He would periodically log in to the server, access other researcher’s data and download it to his laptop to require it home. He would then remove the info from his laptop and run scrubber software to eliminate any evidence that other scientists’ data were ever present on his disk drive .
  • 9. The Case 2: External Attack ABC Bank (ABC) identified unauthorized wire transfers from their environment. They needed to understand when and the way it happened quickly, so as to mitigate future attacks and notify affected customers. ABC engaged the “Security Engineering Research Team (SERT) to supply on-demand critical incident response services. The Result 2:  ABC could quickly notify only those customers suffering from the attacks, avoiding the necessity for a broader public disclosure of the incident.  Doing so reduced the general cost of the incident and helped to preserve ABCs reputation with customers not affected.  It also helped to stop additional fraudulent wire transfers from occurring.
  • 10. The Investigation 2 : SERT identified and provided an inventory of compromise indicators to ABC and assisted with investigations of their network infrastructure to spot additional unauthorized remote administration or other attacker tools. Because the attacker used the cloud to mask the attack, SERT wrote special tools to research the multi-host command and control the attacker used. While reverse engineering malware identified during the attack, SERI experts pieced together the precise methods the attacker wont to obtain an initial foothold into the ABC protected network, Analysis revealed not only findings from the present incident, but also aspects of security and process recommendations ABC should consider improving to stop and detect future attacks. during this case, SERI also found a SQL injection attack within a cloud application employed by ABC Bank that allowed controls to be bypassed.
  • 11. Cyber Crime Investigation Digital crime or cybercrime is a crime that involves the usage of a computer, phone or any other digital device connected to a network. Cybercrime investigation is the process of investigating, analysing and recovering critical forensic digital data from the networks involved in the attack—this could be the Internet and/or a local network. Cybercrime investigators must be: • An experts in computer science, • Understanding software, file systems and OS, • Also know how networks and hardware work. They must be knowledgeable enough to: • Determine how the interactions between these components occur, • To get a full picture of what happened, • Why it happened, • When it happened, • Who performed the cybercrime itself, • And how victims can protect themselves in the future against these types of cyber threats.
  • 12. Cyber Crime Investigation Conduct the Initial Investigation The investigator should ask the following questions: Who are the potential suspects? What crimes were committed? When were the crimes committed? Were these crime limited to US jurisdiction? What evidence is there to collect? Where might the physical and digital evidence be located? What types of physical and digital evidence were involved with the crime? Does any of the evidence need to be photographed/preserved immediately? How can the evidence be preserved and maintained for court proceedings? Who conducts cybercrime investigations? Criminal justice agencies National security agencies Private security agencies
  • 13. Cybercrime investigation cases Cybercrime investigation cases: Criminal, Civil, Administrative Criminal Investigators must follow the set of standard forensic processes accepted by law in the respective jurisdiction. Investigators, under court’s warrant, have the authority to force seize the computing devices. A formal investigation report is required. The law enforcement agencies are responsible for collecting and analyzing evidence. Standard of proof needs to be very high. Difficult to capture certain evidence, e.g., GPS device evidences.
  • 14. Cybercrime investigation cases Cybercrime investigation cases: Criminal, Civil, Administrative Civil Investigators try to show some information to the opposite party to support the claims and induce them for settlement. Searching of the devices is generally based on mutual understanding and provides a wider time window to the opposite party to hide the evidence. The initial reporting of the evidence is generally informal. The claimant is responsible for the collection and analysis of the evidence. Punishments include monetary compensation. Sometimes, evidence can be within the third party control.
  • 15. Cybercrime investigation cases Cybercrime investigation cases: Criminal, Civil, Administrative Administrative Generally involves an agency or government performing inquiries to identify facts with reference to its own management and performance. Such investigations are non-criminal in nature and are related to misconduct or activities of an employee that includes but are not limed to: Violation of organization’s policies, rules or protocols Resources misuse or damage or theft Threatening or violent behavior Improper promotion or pay rises. Any violation may result in disciplinary action such as demotion, suspension, revocation, penalties, and dismissal. For situations like promotions, increments, transfers, etc., administrative investigations can result in positive outcomes, like modifications to existing policies, rules, or protocols.
  • 16. Cybercrime investigation techniques Background check: Creating and defining the background of the crime with known facts will help investigators set a starting point to establish what they are facing, and how much information they have when handling the initial cybercrime report. Information gathering: One of the most important things any cybersecurity researcher must do is grab as much information as possible about the incident. Tracking and identifying the authors: This next step is sometimes performed during the information-gathering process, depending on how much information is already in hand. Digital forensics: Once researchers have collected enough data about the cybercrime, it’s time to examine the digital systems that were affected, or those supposed to be involved in the origin of the attack.
  • 17. Steps of Forensic Investigation The incident occurred in any company or organization. The employees or members contact the company's advocate for legal advice. Advocate contact cyber forensics investigator (external or internal). The forensic investigator will come and prepare the FRP, i.e., First Response Procedure documentation. The investigator then seizes the evidence and other assets related to the crime scene and transports them to a forensics lab. He/she will start analysing the files and other assets. Examine all the data one after another and further contact the person or group of people associated with the incident. The report will be formed and concludes the investigation, where all the analyses will be written and explained. The report is then handed to the organization's legal authorities. The legal authority will then go through the report(s) and will press charges against the offensive in the court of law. The forensic investigator will delete all the data once the entire case is closed.
  • 18. Challenges cyber crimes present to Investigators Cyber crimes pose new challenges because of Speed Anonymity Volatile nature of Evidence Evidence Size and Complexity Anti-Digital Forensics Global origin and difference in laws Limited legal understanding
  • 19. Cyber Forensics (Computer Forensics / Digital Forensics) Cyber forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of cyber forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. Computer Forensics - A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computers in a way that is legally admissible.
  • 20. Computer forensics -- which is sometimes referred to as computer forensic science -- essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics and cyber forensics are often used as synonyms for computer forensics. Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes. The use of computer forensics isn't always tied to a crime. The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.
  • 21. Cyber forensics plays a key role in investigation of cybercrime. "Evidence in the case of "cyber forensic is extremely imponent from legal perspective. There are legal aspects involved in the investigation as well as handling of the digital forensics evidence. Only the technically trained and experienced experts should be involved in the forensics activities.
  • 22. WHAT IS COMPUTER FORENSICS? Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer forensics also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination. Computer evidence can be useful in criminal cases, civil disputes, and human resources/ employment proceedings.
  • 23. Objectives of Computer Forensics Identify, gather, and preserve the evidence of a cybercrime Track and prosecute the perpetrators in a court of law Interpret, document and present the evidence to be admissible during prosecution Estimate the potential impact of a malicious activity on the victim and assess the intent of the perpetrator Find vulnerabilities and security loopholes that help attackers Understand the techniques and methods used by attackers to avoid prosecution, and overcome them Recover deleted files, hidden files, and temporary data that could be used as evidence Perform incident response to prevent further loss of intellectual property, finances and reputation during an attack
  • 24. USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT Computer forensics assists in law enforcement. This can include:
    • Recovering deleted files such as documents, graphics, and photos.
    • Searching unallocated space on the hard drive, places where an abundance of data often resides.
    • Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.
  • 25. USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT (continued)
    • Processing hidden files (files that are not visible or accessible to the user) that contain past usage information. Often, this process requires reconstructing and analyzing the date codes for each file and determining when each file was created, last modified, last accessed and when deleted.
    • Running a string-search for e-mail, when no e-mail client is obvious.
  • 26. COMPUTER FORENSICS SERVICES Computer forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:
    1. DATA SEIZURE Following federal guidelines, computer forensics experts should act as the representative, using their knowledge of data storage technologies to track down evidence. The experts should also be able to assist officials during the equipment seizure process.
    2. DATA DUPLICATION/PRESERVATION When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Computer forensics experts should address both of these concerns by making an exact duplicate of the needed data. When the experts work on the duplicate data, the integrity of the original is maintained.
  • 27. COMPUTER FORENSICS SERVICES (continued)
    3. DATA RECOVERY Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies.
    4. DOCUMENT SEARCHES Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.
    5. MEDIA CONVERSION Computer forensics experts should extract the relevant data from old and unreadable devices, convert it into readable formats, and place it onto new storage media for analysis.
  • 28. COMPUTER FORENSICS SERVICES (continued)
    6. EXPERT WITNESS SERVICES Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation.
  • 29. The main aim of cyber forensics is to maintain the thread of evidence and documentation to find out who committed the crime digitally. Cyber forensics can do the following:
    • It can recover deleted files, chat logs, emails, etc.
    • It can also recover deleted SMS messages and phone call records.
    • It can obtain recorded audio of phone conversations.
    • It can determine which user used which system and for how much time.
    • It can identify which user ran which program.
  • 30. Incident handling Cybersecurity and forensics have another essential term that is often used in this field: incident handling. Computer security incidents are real or suspected offensive events related to cybercrime, cybersecurity and computer networks. Forensics investigators or internal cybersecurity professionals are hired by organizations to handle such events and incidents; they are known as incident handlers. Incidents are categorized into three types:
    • Low-level incidents: where the impact of the cybercrime is low.
    • Mid-level incidents: where the impact of the cybercrime is comparatively high and security professionals are needed to handle the situation.
    • High-level incidents: where the impact of the cybercrime is the most serious and security professionals and forensic investigators are needed to handle the situation and analyze the scenario, respectively.
  • 31. Digital forensics is the process that deals with the recovery and investigation of data that is stored on digital devices. It also pertains to the hardware and software tools that experts use to retrieve the data without loss. In this lesson, we will discuss data storage devices, what these devices are, how they are used, and the benefits of each separately in digital forensics.
  • 32. Objectives of computer forensics Here are the essential objectives of using computer forensics:
    • It helps to recover, analyze, and preserve computer and related materials in such a manner that it helps the investigation agency to present them as evidence in a court of law.
    • It helps to postulate the motive behind the crime and the identity of the main culprit.
    • Designing procedures at a suspected crime scene which help you to ensure that the digital evidence obtained is not corrupted.
    • Data acquisition and duplication: recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.
    • Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim.
    • Producing a computer forensic report which offers a complete report on the investigation process.
    • Preserving the evidence by following the chain of custody.
  • 33. Data Forensics Introduction Forensic technologies are designed to prepare and extract evidence from computer systems. Any devices that store data (e.g. computers, laptops, smartphones, memory cards or external hard drives) are within the ambit of digital forensics. The forensics process is outlined as follows:
    1. Identification
    2. Preservation
    3. Collection
    4. Examination
    5. Analysis
    6. Presentation
  • 34. Phases of the forensic process
    • Identification: It is the first step in the forensic process. The identification process mainly includes things like what evidence is present, where it is stored, and lastly, how it is stored (in which format). Electronic storage media can be personal computers, mobile phones, PDAs, etc.
    • Preservation: In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device so that digital evidence is not tampered with.
    • Analysis: In this step, investigation agents reconstruct fragments of data and draw conclusions based on the evidence found. However, it might take numerous iterations of examination to support a specific crime theory.
    • Documentation: In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.
    • Presentation: In this last step, the conclusions are summarized and explained.
  • 36. The two basic types of data that are collected in computer forensics are:
    • persistent data, or data stored on a local hard drive (or another device), which is preserved when the computer is turned off;
    • volatile data, or data that is stored in memory and lost when the computer loses power.
    To handle this data, forensics relies on experts in operating and file systems, data recovery, cloud computing, and more. They analyze hard disks or hard-disk images from a variety of different operating systems and provide an interface so that files can be analyzed, and information or data gathered in electronic format is easy to extract and store.
  • 37. Forensics & Storage Devices: Solid State Disks (SSDs) Solid State Disks (SSDs) store data with the use of flash-memory chips (called NAND flash memory). There are no moving parts to break, and data is stored electronically, not magnetically. The advantages of SSDs are their size, weight, and lower power usage than hard disks. They come in many different shapes depending on chip count and how those chips are arranged. They are more expensive, but are faster in reading and writing data. One drawback is that there are no warning signs if a total drive failure is about to occur. They are a suitable replacement for hard drives in desktop and laptop computers. Traditional forensic methods fail when attempting to recover information deleted from SSD drives, so new methods have been developed.
  • 38. Forensics & Storage Devices: Magnetic Media Magnetic media store data on a magnetized medium. There are three types of storage devices in this area:
    • Floppy disks: These devices contain soft magnetic disks used for data transfer, storage and backup of small amounts of data. An important disadvantage is that they can be affected by heat, dust and magnetic fields. Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives.
    • Magnetic tapes: These devices are similar to an audio cassette tape. They are well-suited for archiving because of their high capacity, low cost and long durability. Compared to a hard disk, they are very slow: you can only get to data by winding through the tape. Data is written to magnetic tapes mostly for long-term storage. Because data is stored magnetically, care must be taken to keep tapes away from all types of magnetic fields. They differ in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This drastically increases the time it takes to make a forensic recovery.
  • 39. Forensics & Storage Devices (continued)
    • Hard drives: These devices contain hard magnetic platters which store and retrieve digital information. They are more accessible and affordable than SSDs and have the largest capacity. One drawback is that they consume more power and produce more noise while in operation than SSDs do. Because of its movable, mechanical parts, a hard drive is vulnerable to damage when shaken or dropped. Data resides on these disks even after the power supply is turned off. Information from hard drives may be recoverable using data carving techniques or by using a commercial data recovery tool. Another forensic recovery method is to clone a hard drive to an image file. This is more practical, but depends on the size of the source hard drive and the equipment that is used.
  • 40. Forensics & Storage Devices: Digital Audio Tapes DAT (Digital Audio Tape) is a cassette-based medium for recording and playing back digital audio. It is similar to a compact cassette, but with one main difference: earlier tapes were analog, whereas DAT is digital. Unlike standard tapes, digital tapes do their work in only one direction. DAT can record at sampling rates other than that of a CD, either higher or lower. Consumers took it up only casually, and its market produces a modest amount of revenue.
  • 41. Guide to Computer Forensics and Investigations: Understanding Storage Formats for Digital Evidence. Three formats:
    • Raw format
    • Proprietary formats
    • Advanced Forensics Format (AFF)
  • 42. Raw Format: makes it possible to write bit-stream data to files.
    Advantages:
    • Fast data transfers
    • Can ignore minor data read errors on the source drive
    • Most computer forensics tools can read raw format
    Disadvantages:
    • Requires as much storage as the original disk or data
    • Tools might not collect marginal (bad) sectors
  • 43. Proprietary Formats
    Features offered:
    • Option to compress or not compress image files
    • Can split an image into smaller segmented files
    • Can integrate metadata into the image file
    Disadvantages:
    • Inability to share an image between different tools
    • File size limitation for each segmented volume
  • 44. Advanced Forensics Format Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation.
    Design goals:
    • Provide compressed or uncompressed image files
    • No size restriction for disk-to-image files
    • Provide space in the image file or segmented files for metadata
    • Simple design with extensibility
    • Open source for multiple platforms and OSs
  • 45. Advanced Forensics Format (continued)
    Design goals (continued):
    • Internal consistency checks for self-authentication
    • File extensions include .afd for segmented image files and .afm for AFF metadata
    • AFF is open source
  • 46. Determining the Best Acquisition Method
    Types of acquisitions: static acquisitions and live acquisitions.
    Four methods:
    • Bit-stream disk-to-image file
    • Bit-stream disk-to-disk
    • Logical disk-to-disk or disk-to-disk data
    • Sparse data copy of a file or folder
  • 47. Determining the Best Acquisition Method (continued)
    Bit-stream disk-to-image file:
    • Most common method
    • Can make more than one copy
    • Copies are bit-for-bit replications of the original drive
    • Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
    Bit-stream disk-to-disk:
    • When a disk-to-image copy is not possible
    • Consider the disk's geometry configuration
    • Tools: EnCase, SafeBack, SnapCopy
  • 48. Determining the Best Acquisition Method (continued)
    Logical acquisition or sparse acquisition:
    • When your time is limited
    • Logical acquisition captures only specific files of interest to the case
    • Sparse acquisition also collects fragments of unallocated (deleted) data
    • For large disks: PST or OST mail files, RAID servers
  • 49. Determining the Best Acquisition Method (continued)
    When making a copy, consider:
    • Size of the source disk
      • Lossless compression might be useful
      • Use digital signatures for verification
      • When working with large drives, an alternative is using tape backup systems
    • Whether you can retain the disk
  • 50. Contingency Planning for Image Acquisitions
    • Create a duplicate copy of your evidence image file
    • Make at least two images of digital evidence, using different tools or techniques
    • Copy the host protected area of a disk drive as well; consider using a hardware acquisition tool that can access the drive at the BIOS level
    • Be prepared to deal with encrypted drives, such as the whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
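The raw-format acquisition, the marginal-sector problem, and the hash verification and acquisition log discussed in the slides above, as an added Python example that is not from the course or the textbook it cites. The suspect drive is a constructed stand-in (FlakySource) with one unreadable sector; acquire_raw_image, verify_image and run_demo are names chosen for this example.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512  # sector size assumed for the stand-in drive

class FlakySource:
    """Stand-in for a suspect drive opened read-only (constructed for this
    example); sectors listed in bad_sectors raise OSError when read."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._data, self.size, self.bad = data, len(data), set(bad_sectors)

    def read_sector(self, index: int, length: int) -> bytes:
        if index in self.bad:
            raise OSError(f"I/O error reading sector {index}")
        return self._data[index * SECTOR:index * SECTOR + length]

def acquire_raw_image(source, image_path, log_path):
    """Bit-stream disk-to-image copy in raw (dd-style) format. Unreadable
    sectors are zero-filled so offsets in the image still line up with the
    original, and each one is recorded in the acquisition log."""
    acq_hash, bad = hashlib.sha256(), []
    n_sectors = (source.size + SECTOR - 1) // SECTOR
    with open(image_path, "wb") as img:
        for i in range(n_sectors):
            length = min(SECTOR, source.size - i * SECTOR)  # last sector may be short
            try:
                chunk = source.read_sector(i, length)
            except OSError:
                bad.append(i)
                chunk = b"\x00" * length
            img.write(chunk)
            acq_hash.update(chunk)
    record = {
        "image": os.path.basename(image_path),
        "source_bytes": source.size,
        "sectors_copied": n_sectors,
        "bad_sectors_zero_filled": bad,
        "acquisition_sha256": acq_hash.hexdigest(),
    }
    with open(log_path, "w") as log:  # documentation kept with the image
        json.dump(record, log, indent=2)
    return record

def verify_image(image_path, expected_sha256):
    """Re-hash the finished image; it must equal the acquisition hash."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256

def run_demo():
    """Acquire a constructed 2148-byte 'drive' whose sector 2 is unreadable."""
    data = bytes(range(256)) * 8 + b"tail of the last, partial sector".ljust(100, b"x")
    source = FlakySource(data, bad_sectors={2})
    workdir = tempfile.mkdtemp(prefix="acq_")
    image = os.path.join(workdir, "suspect.dd")
    record = acquire_raw_image(source, image, os.path.join(workdir, "suspect.log"))
    with open(image, "rb") as f:
        img = f.read()
    return {
        "record": record,
        "image_size": len(img),
        "sector2_zeroed": img[2 * SECTOR:3 * SECTOR] == bytes(SECTOR),
        "good_sectors_intact": img[:2 * SECTOR] == data[:2 * SECTOR]
        and img[3 * SECTOR:] == data[3 * SECTOR:],
        "verified": verify_image(image, record["acquisition_sha256"]),
    }
```

A second image made with a different tool (slide 50) would be compared by its own verification hash against this record.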
  • 51. Using Acquisition Tools
    Acquisition tools for Windows:
    • Advantages: make acquiring evidence from a suspect drive more convenient, especially when used with hot-swappable devices
    • Disadvantages: must protect acquired data with a well-tested write-blocking hardware device; tools can't acquire data from a disk's host protected area
  • 52. WHY INVESTIGATE A CYBERCRIME? Conducting a cyber investigation may be initiated for many reasons and not just to find out who the bad guy is and prosecute them. Some reasons include identifying where the weaknesses in systems are, how they were exploited, how to tighten security, and developing training packages for staff to make them more aware of cyber safety. Clients who have their data stolen may want answers as to the severity of the attack, and should the data stolen belong to another party, there is the potential for the process of taking legal action to follow. A final reason is that cyber insurers may want to know whether there were security failures that allowed the attack to occur or if system flaws magnified the attack.
  • 53. THE CYBER INVESTIGATOR The role of the cyber investigator is different from that of the IR (Incident Response) team. The investigator is like the detective at the homicide scene. The lead detective directs the investigation, including tasking experts to perform photography, scientific examination, area inquiries, forensic examination of exhibits, ballistic examination, interviews, and so on at the scene. The investigator does not have to be an expert in each of these fields, but they must understand the role of each expert, be able to direct the experts, and be able to understand the relevance of the evidence each produces, which will then lead to further lines of inquiry. Whereas on television a cyber investigator may be an expert on everything digital they see and touch, in a real-world investigation this is not even close to reality. There is just too much technology: it is constantly changing and no one person is an expert on everything.
  • 54. Role of forensics Investigator
    • The forensics investigator is the person initially responsible for examining the "captured" evidence from the scene of the incident or event.
    • The investigator documents the various types of data captured, provides the research in the parameters and technical specifications of the data storage devices, and details the types and locations of the various data components of the evidence as it is presented to him by the data capture specialist identified above.
    The forensics investigator needs to have "expert-level" skills and technical knowledge for:
    1. The operating system under review
    2. The application and its data structures under review
    3. The hardware and machines under review
    4. Any databases being reviewed for data
    5. The network appliances and devices and their data
  • 55. Role of forensics Investigator The basic steps of the forensics investigator process include:
    1. Record how the data was acquired from the suspect drive or dataset.
    2. Process the data methodically and logically.
    3. List all folders and files on the image or drive.
    4. If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition.
    5. For all password-protected files that might be related to the investigation, make a best effort to recover file contents.
    6. Identify the function of every executable (binary or .exe) file that doesn't match known hash values.
    7. Maintain control of all evidence and findings, and document everything as the examination is conducted.
    8. Document every step and the reason for each step of the examination.
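Steps 3 and 6 above, as an added Python example that is not from the course material: it inventories every file on a (constructed) volume with its hash and MAC times, sets aside executables whose hash appears in a known-file hash set (a reference set such as NIST's NSRL would be used in practice), and orders the files by modification time. The directory contents, EXEC_EXTENSIONS and the function names are assumptions of the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Extensions treated as executables by this example (a simplification; real
# casework also checks file headers, since names can be changed).
EXEC_EXTENSIONS = {".exe", ".dll", ".sh", ".bin", ""}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Step 3: list every file under the volume root with its hash and its
    MAC times (modified, accessed, changed/created), read from the working copy."""
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "sha256": sha256_file(path),
                "mtime": iso(st.st_mtime),
                "atime": iso(st.st_atime),
                "ctime": iso(st.st_ctime),
            })
    return entries

def unknown_executables(entries, known_hashes):
    """Step 6: executables whose hash is absent from the known-file hash set
    still need their function identified; the matches can be set aside."""
    return sorted(e["path"] for e in entries
                  if os.path.splitext(e["path"])[1].lower() in EXEC_EXTENSIONS
                  and e["sha256"] not in known_hashes)

def timeline(entries):
    """Order files by last-modified time to reconstruct the sequence of activity."""
    return [e["path"] for e in sorted(entries, key=lambda e: e["mtime"])]

def run_demo():
    """Constructed volume: a known system binary, a document and an unknown .exe."""
    root = tempfile.mkdtemp(prefix="vol_")
    files = {  # relative path -> (content, modification time as epoch seconds)
        "bin/ls": (b"\x7fELF stand-in for a known system binary", 1_600_000_100),
        "docs/report.txt": (b"quarterly figures", 1_600_000_000),
        "bin/updater.exe": (b"MZ stand-in for an unknown program", 1_600_000_200),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    # Known-file hash set: here it holds only the hash of the system binary.
    known = {hashlib.sha256(files["bin/ls"][0]).hexdigest()}
    entries = inventory(root)
    return {
        "files_listed": len(entries),
        "unknown_executables": unknown_executables(entries, known),
        "timeline": timeline(entries),
    }
```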
  • 56. Types of computer forensics There are multiple types of computer forensics depending on the field in which the digital investigation is needed. The fields are:
    • Network forensics: This involves monitoring and analyzing the network traffic to and from the criminal's network. The tools used here are network intrusion detection systems and other automated tools.
    • Email forensics: In this type of forensics, the experts check the email of the criminal and recover deleted email threads to extract crucial information related to the case.
    • Malware forensics: This branch of forensics involves hacking-related crimes. Here, the forensics expert examines the malware, such as trojans, to identify the hacker behind it.
  • 57. Types of computer forensics (continued)
    • Memory forensics: This branch of forensics deals with collecting data from memory (such as cache, RAM, etc.) in raw form and then retrieving information from that data.
    • Mobile Phone forensics: This branch of forensics generally deals with mobile phones. Experts examine and analyze data from the mobile phone.
    • Database forensics: This branch of forensics examines and analyzes the data from databases and their related metadata.
    • Disk forensics: This branch of forensics extracts data from storage media by searching modified, active, or deleted files.
  • 58. Techniques that cyber forensic investigators use Cyber forensic investigators use various techniques and tools to examine the data. Some of the commonly used techniques are:
    • Reverse steganography: Steganography is a method of hiding important data inside a digital file, image, etc. So, cyber forensic experts perform reverse steganography to analyze the data and find a relation with the case.
    • Stochastic forensics: In stochastic forensics, the experts analyze and reconstruct digital activity without using digital artifacts. Here, artifacts mean unintended alterations of data that occur from digital processes.
  • 59. Techniques that cyber forensic investigators use (continued)
    • Cross-drive analysis: In this process, the information found on multiple computer drives is correlated and cross-referenced to analyze and preserve information that is relevant to the investigation.
    • Live analysis: In this technique, the criminal's computer is analyzed from within the OS while it is running. It aims at the volatile data in RAM to get some valuable information.
    • Deleted file recovery: This includes searching the storage for fragments of a partially deleted file in order to recover it for evidence purposes.
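The deleted file recovery above, the data carving mentioned for hard drives on slide 39, and the e-mail string search from slide 25, as one added Python example that is not from the course material: it scans a constructed raw image for standard JPEG and PDF header/footer signatures and for e-mail addresses, reporting byte offsets so an examiner can locate each hit. SIGNATURES, carve, search_emails and build_sample_image are names chosen for this example.

```python
import re

# Standard header/footer signatures (magic numbers) used by file carvers.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
# Rough e-mail pattern for a string search over raw bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECTOR = 512

def carve(image: bytes, max_len: int = 4 << 20):
    """Header/footer carving: for each known header, take the bytes up to the
    matching footer (within max_len). It ignores the file system entirely, so
    it also finds files whose directory entries were deleted. A header with no
    footer in range (an overwritten file) is skipped."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_len)
            if end < 0:
                pos = start + 1  # orphaned header; keep scanning
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start, "length": end - start,
                          "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])

def search_emails(image: bytes):
    """String search for addresses, useful when no mail client is installed."""
    return sorted((m.start(), m.group().decode()) for m in EMAIL_RE.finditer(image))

def build_sample_image() -> bytes:
    """Constructed 8-sector raw image: a 'deleted' PDF at sector 2, a JPEG at
    sector 5, and an e-mail address left in unallocated space at sector 7."""
    img = bytearray(8 * SECTOR)
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer\n%%EOF"
    img[2 * SECTOR:2 * SECTOR + len(pdf)] = pdf
    jpg = b"\xff\xd8\xff\xe0\x00JFIF" + b"\x11" * 40 + b"\xff\xd9"
    img[5 * SECTOR:5 * SECTOR + len(jpg)] = jpg
    note = b"...forwarded to sample.sender@example.test earlier..."
    img[7 * SECTOR + 10:7 * SECTOR + 10 + len(note)] = note
    return bytes(img)

def run_demo():
    image = build_sample_image()
    return {
        "carved": [(f["type"], f["offset"], f["length"]) for f in carve(image)],
        "emails": search_emails(image),
    }
```

On a real image the same functions run over the image file's bytes; carved objects are then hashed and documented like any other evidence item.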
  • 60. What are the required skills needed to be a cyber forensic expert? The following skills are required to be a cyber forensic expert:
    • As we know, cyber forensics is based on technology, so knowledge of various technologies, computers, mobile phones, network hacks, security breaches, etc. is required.
    • The expert should be very attentive while examining a large amount of data to identify proof/evidence.
    • The expert must be aware of criminal laws, criminal investigation, etc.
    • As we know, technology always changes over time, so experts must keep up to date with the latest technology.
    • Cyber forensic experts must be able to analyse the data, derive conclusions from it and make proper interpretations.
    • The expert must have good communication skills so that, when presenting evidence in court, everyone understands each detail with clarity.
    • The expert must have strong knowledge of basic cyber security.

Editor's Notes

  1. Novice: a person who is new to the circumstances or work.
  2. Disseminating: spread (something, especially information) widely. Malicious: intending or intended to do harm.
  3. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. SQL injection is a code injection technique that might destroy your database. Phishing: the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
  4. Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source.
  5. https://www.guru99.com/digital-forensics.html
  6. Severity: the fact or condition of being severe. Flaw: a fault or weakness.