VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
CS6004- CYBER FORENSICS UNIT I NETWORK LAYER SECURITY &TRANSPORT LAYER SECURITY IPSec Protocol - IP Authentication Header - IP ESP - Key Management Protocol for IPSec. Transport layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.
1.IPSec Protocol
➢ IPSec is designed to protect communication in a secure manner by using TCP/IP. ➢ The IPSec protocol is a set of security extensions developed by the IETF and it provides privacy and authentication services at the IP layer by using modern cryptography. ➢ There are two main transformation types that form the basics of IPSec: ✓ The Authentication Header (AH) and ✓ The Encapsulating Security Payload (ESP). ➢ Both AH and ESP are two protocols that provide connectionless integrity, data origin authentication, confidentiality and an anti-replay service. ➢ These protocols may be applied alone or in combination to provide a desired set of security services for the IP layer. They are configured in a data structure called a Security Association (SA). ➢ The basic components of the IPSec security architecture are explained in terms of the following functionalities:
✓ Security Protocols for AH and ESP ✓ Security Associations for policy management and traffic processing ✓ Manual and automatic key management for the Internet Key Exchange (IKE), the Oakley key determination protocol and ISAKMP. ✓ Algorithms for authentication and encryption
➢ The seven-group documents describing the set of IPSec protocols are explained in the following:
✓ Architecture: The main architecture document covers the general concepts, security requirements, definitions and mechanisms defining IPSec technology. ✓ ESP: This document covers the packet format and general issues related to the use of the ESP for packet encryption and optional authentication. This protocol document also contains default values if appropriate, and dictates some of the values in the Domain of Interpretation (DOI). ✓ AH: This document covers the packet format and general issue related to the use of AH for packet authentication. This document also contains default values such as the default padding contents, and dictates some of the values in the DOI document. ✓ Encryption algorithm: This is a set of documents that describe how various encryption algorithms are used for ESP. Specifically:
– Specification of the key sizes and strengths for each algorithm. – Any available estimates on performance of each algorithm. – General information on how this encryption algorithm is to be used in ESP.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 1
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Figure -Document overview that defines IPsec.
2. IP Authentication Header NOV /DEC 2016) ➢ The IP AH is used to provide data integrity and authentication for IP packets. ➢ It also provides protection against replays. The AH provides authentication for the IP header, as well as for upper-level protocol
➢ (TCP, UDP) data.
2.1 AH Format
The IPSec AH format is shown in Figure.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 2
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Figure: IPSec AH format.
The following six fields comprise the AH format:
➢ Next header (8 bits): This field identifies the type of the next payload after the AH. The value of this field is chosen from the set of IP numbers defined in the Internet Assigned Number Authority (IANA).
➢ Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The default length of the authentication data field is 96 bits, or three 32-bit words.
➢ Reserved (16 bits): This field is reserved for future use. It must be set to ‘zero’.
SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination
➢ with the destination IP address and security protocol (AH).
➢ Sequence number (32 bits): This field contains the monotonically increasing counter value which provides an anti-replay function.
➢ Authentication data (variable): This field is a variable-length field that contains the Integrity Check Value (ICV) or MAC for this packet. This field must be an integral multiple of 32-bit words. It may include explicit padding. This padding is included to ensure that the length of AH is an integral multiple of 32 bits (IPv4) or 64 bits (IPv6).
3. IP ESP
➢ The ESP header is designed to provide security services in IPv4 and IPv6. ➢ ESP can be applied in combination with the IP AH or through the use of tunnel mode. Security services are provided between a pair of hosts, between a pair of security gateways or between a security gateway and a host. ➢ The ESP header is inserted after the IP header and before the upper-layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode). ➢ ESP is used to provide confidentiality (encryption), data authentication, integrity and anti-replay
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 3
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
service, and limited traffic flow confidentiality.
3.1 ESP Packet Format
Figure IPSec ESP format.
➢ SPI (32 bits): The set of SPI values in the range 1 – 255 is reserved by the IANA for future use. The SPI field in the ESP packet format is mandatory and always present.
➢ Sequence number (32 bits): This field contains a monotonically increasing counter value. This provides an anti-replay function. It is mandatory and is always present even if the receiver does not elect to enable the anti-replay service for a specific SA. ➢ Payload data (variable): This variable-length field contains data described by the next header field. The field is an integral number of bytes in length. If the algorithm requires an initialization vector (IV) to encrypt payload, then this data may be carried explicitly in the payload field.
➢ Padding : This field for encryption requires several factors:
✓ Pad length: This field indicates the number of pad bytes immediately preceding it. The range of valid values is 0 – 255, where a value of 0 indicates that no padding bytes are present. This field is mandatory.
✓ Next header (8 bits): This field identifies the type of data contained in the payload data field, i.e. an extension header in IPv6 or an upper-layer protocol identifier, The next header field is mandatory.
✓ Authentication data (variable): This is a variable-length field containing an ICV com-putted over the ESP packet minus the authentication data. The length of this field is specified by the authentication function selected. The field is optional and is included only if the authentication service has been selected for the SA in question/8
4. Key Management Protocol for IPsec
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 4
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ The key management mechanism of IPsec involves the determination and distribution of a secret key. Key establishment is at the heart of data protection that relies on cryptography. A secure key distribution for the Internet is an essential part of packet protection. 4.1 OAKLEY Key Determination Protocol
➢ Oakley a refinement of the Diffie – Hellman key exchange algorithm, it is a method to establish an authentication key exchange. ➢ The Oakley protocol is truly used to establish a shared key with an assigned identifier and associated authenticated identities for the two parties. ➢ Oak-ley can be used directly over the IP protocol or over UDP protocol using a well-known port number assignment available. ➢ Oakley uses the cookies for two purposes: ✓ anti-clogging (denial of service) ✓ Key naming. ➢ The anti-clogging tokens provide a form of source address identification for both parties. The construction of the cookies prevents an attacker from obtain a cookie using a real IP address and UDP port. Oakley employs nonces to ensure against replay attacks. Each nonce is a pseudorandom number which is generated by the transmitting entity. The nonce payload contains this random data used to guarantee liveness during a key exchange and protect against replay attacks 4.2 ISAKMP
➢ ISAKMP defines a framework for SA management and cryptographic key establishment for the Internet. ➢ This framework consists of defined exchange, payloads and processing guidelines that occur within a given DOI. ➢ ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete SAs. ➢ It also defines payloads for exchanging key generation and authentication data.
4.3 ISAKMP Header
➢ Initiator Cookie (64 bits) This field is the cookie of entity that initiated SA establishment, SA notification, and SA deletion.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 5
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Responder Cookie (64 bits) This field is the cookie of entity that is corresponded to an SA establishment request, SA notification, or SA deletion. ➢ Next Payload (8 bits) This field indicates the type of the first payload in the message ➢ Major Version (4 bits) This field indicates the Major version of the ISAKMP protocol in use. Set the Major version to 1 according to ISAKMP Internet-Draft. ➢ Minor Version (4 bits) This field indicates the Minor version of ISAKMP protocol in use. Set the Minor version to 0 according to implementations based on the ISAKMP Internet-Draft. ➢ Exchange Type (8 bits) This field indicates the type of exchange being used. This dictates the message and payload orderings in the ISAKMP exchanges. ➢ Flags (8 bits) This field indicates specific options that are set for the ISAKMP exchange. The Flags are specified in the Flags field beginning with the least significant bit: the encryption bit is bit 0 of the Flags field, the commit bit is bit 1, and authentication only bit is bit 2 of the Flags field. The remaining bits of the Flags field must be set to 0 prior to transmission. ➢ Message ID (32 bits) Message ID is used to identify protocol state during Phase 2 negotiations. This value is randomly generated by the initiator of the phase 2 negotiation. During Phase 1 negotiation, this value must be set to 0. ➢ Length (32 bits) Length of total message (header || payload) is 32 bits. Encryption can expand the size of an ISAKMP message.
5. SSL Protocol (NOV/DEC 2017)
➢ SSL is a layered protocol. Is a two layered protocol. ➢ At the lower level, the SSL Record Protocol is layered on top of some reliable transport protocol such as TCP. A higher-level protocol can layer on top of the SSL protocol transparently. ➢ The SSL Record Protocol takes the upper-layer application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies an MAC, encrypts, adds a header, and transmits the result to TCP. The received data is
5.1 Session and Connection States
There are two defined specifications: SSL session and SSL connection. 5.1.1 SSL session
➢ An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. They define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the ➢ The session state is defined by the following elements:
✓ Session identifier: This is a value generated by a server that identifies an active or resemble session state. ✓ Peer certificate: This is an X.509 v3 certificate of the peer. This element of the state may
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 6
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
be null. ✓ Compression method: This is the algorithm used to compress data prior to encryption. ✓ Cipher spec: This specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC computation. It also defines cryptographic attributes such as the hash size. ✓ Master secret: This is a 48-byte secret shared between the client and server. It represents secure secret data used for generating encryption keys, MAC secrets and IVs. ✓ Is resembled: This designates a flag indicating whether the session can be used to initiate new connections. 5.1.2 SSL connection
➢ A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
➢ The connection state is defined by the following elements:
✓ Server and client random: These are byte sequences that are chosen by the server and client for each connection. ➢ Server write MAC secret: This indicates the secret key used in ➢ SSL SSL Change SSL Alert Handshake Cipher Spec HTTP Protocol Protocol Protocol
✓ MAC operations on data sent by the server. ✓ Client write MAC secret: This represents the secret key used in MAC operations on data sent by the client. ✓ Server write key: This is the conventional cipher key for data encrypted by the server and decrypted by the client. ✓ Client write key: This is the conventional cipher key for data encrypted by the client and decrypted by the server. ✓ Initialization vectors:This field is first initialized by the SSL Handshake Protocol. Thereafter the final cipher text block from each record is preserved for use as the IV with the following record. The IV is XORed with the first plaintext block prior to encryption. ✓ Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 264 − 1. 6. Cryptographic Computations
6.1 Computing the Master Secret
➢ For all key exchange methods, the same algorithm is used to convert the premaster secret into the master secret. ➢ In order to create the master secret, a premaster secret is first exchanged between two parties and then
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 7
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
the master secret is calculated from it. ➢ The master secret is always exactly 48 bytes (384 bits) shared between the client and server. But the length of the premaster secret is not fixed and will vary depending on the key exchange method. ➢ There are two ways for the exchange of the premaster secret:
✓ RSA: When RSA is used for server authentication and key exchange, a 48-byte pre-master secret is generated by the client, encrypted with the server’s public key and sent to the server. The server decrypts the cipher text (of the premaster secret) using its private key to recover the premaster secret. Both parties then convert the premaster secret into the master secret as specified below. ✓ Diffie –Hellman: A conventional Diffie – Hellman computation is performed. Both client and server generate a Diffie-Hellman common key. This negotiated key is used as the premaster secret and is converted into the master secret, as specified below.
➢ The client and server then compute the master secret as follows: ➢ master_secret=MD5(pre_master_secret||SHA(‘A’||pre_master_secret|| ClientHello.random||ServerHello.random))||MD5(pre_master_secret||SHA(‘BB’|| pre_master_secret||ClientHello.random||ServerHello.random))|| MD5(pre_master_secret||SHA(‘CCC’||pre_master_secret|| ClientHello.random||ServerHello.random))
➢ Where ClientHello.random and ServerHello.random are the two nonce values exchanged in the initial hello messages.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 8
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
6.2 Converting the Master Secret into Cryptographic Parameters
➢ Cipher Spec specifies the bulk data encryption algorithm and a hash algorithm used for MAC computation, and defines cryptographic attributes such as the hash size. ➢ To generate the key material, the following is computed: key_block=MD5(master_secret||SHA(‘A’||master_secret|| ServerHello.random||ClientHello.random))|| MD5(master_secret||SHA(‘BB’||master_secret|| ServerHello.random||ClientHello.random))|| MD5(master_secret||SHA(‘CCC’||master_secret|| ServerHello.random||ClientHello.random))||. . .
Figure Generation of key block.
➢ Until enough output has been generated. Note that the generation of the key block from the master secret uses the same format for generation of the master secret from the premaster secret. Above Figure illustrates the steps for generation of the key block from the master secret.
7 TLS Protocol (NOV/DEC 2017)
➢ The TLS v1 protocol itself is based on the SSLv3 protocol specification as published by Netscape. Many of the algorithm-dependent data structures and rules are very close so that the differences between TLSv1 and SSLv3 are not dramatic.
7.1 HMAC Algorithm
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 9
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ A Keyed-hashing Message Authentication Code (HMAC) is a secure digest of some data protected by a secret. Forging the HMAC is infeasible without knowledge of the MAC secret. ➢ HMAC can be used with a variety of different hash algorithms, namely MD5 and SHA-1, denoting these as HMAC MD5(secret, data) and HMAC SHA-1(secret, data). ➢ There are two differences between the SSLv3 and TLSMAC schemes. TLS makes use of the HMAC algorithm defined in RFC 2104.
HMAC = H [(K ⊕ opad)||H [(K ⊕ ipad)||M]]
Where
✓ ipad = 00110110(0x36) repeated 64 times (512 bits) ✓ opad = 01011100(0x5c) repeated 64 times (512 bits) ✓ H = one-way hash function for TLS (either MD5 or SHA-1) M = message input to HMAC ✓ K = padded secret key equal to the block length of the hash code (512 bits for MD5 and SHA-1)
➢ The following explains the HMAC equation:
✓ Append zeros to the end of K to create a b-byte string (i.e. if K = 160 bits in length and b = 512 bits, then K will be appended with 352 zero bits or 44 zero bytes 0x00). ✓ XOR (bitwise exclusive-OR) K with ipad to produce the b-bit block computed in step 1. ✓ Append M to the b-byte string resulting from step 2. ✓ Apply H to the stream generated in step 3. ✓ XOR (bitwise exclusive-OR) K with opad to produce the b-byte string computed in step 1. ✓ Append the hash result H from step 4 to the b-byte string resulting from step 5. ✓ Apply H to the stream generated in step 6 and output the result.
➢ Below figure illustrates the overall operation of HMAC – MD5 or HMAC – SHA-1.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 10
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Figure Overall operation of HMAC computation using either MD5 or SHA-1 (message length computation based on _i ||M).
Example 8.1 HMAC – SHA-1 computation using RFC method:
Data : 0x 7104f218 a3192e65 1cf7025d 8011bf79 4a19
Key : 0x 31fa7062 c45113e3 2679fd13 53b71264
– A B C D E
IV 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 H [(K ⊕ ipad)||M] 8efeef30 f64b360f 77fd8236 273f0784 613bbd4b H [(K ⊕ opad)||H [(K ⊕ 31db10b8 ed346850 d0f0b7dd 50fd71f4 2dacd24c ipad)||M]]
HMAC – SHA-1 = 0x 31 db10b8 ed346850 d0f0b7dd 50fd71f4 2dacd24c
➢ The alternative operation for computation of either HMAC – MD5 or HMAC – SHA-1 is described in the following:
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 11
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Figure Alternative operation of HMAC computation using MD5 (message length computation is based on M only).
_ ✓ Append zeros to K to create a b-bit string K , where b = 512 bits. ✓ XOR K_ (padding with zero) with ipad to produce the b-bit block. _ ✓ Apply the compression function f(IV, K ⊕ ipad) to produce (IV)i = 128 bits. ✓ Compute the hash code h with (IV)i and Mi . ✓ Raise the hash value computed from step 4 to a b-bit string. ✓ XOR K_ (padded with zeros) with opad to produce the b-bit block. _ ✓ Apply the compression function f(IV, K ⊕ opad) to produce (IV)o = 128 bits. ✓ Compute the HMAC with (IV)o and the raised hash value resulting from step 5.
Example 8.2 HMAC-MD5 computation using alternative method: Data : 0x 2143f501 f014a713 c1059e23 7123fd68 Key : 0x 31fa7062 c45113e3 2679fd13 53b71264 296 INTERNET SECURITY
– A B C D
IV 67452301 efcdab89 98badcfe 10325476 f[(K ⊕ ipad), I V ] = (I V )i 13fbaf34 034879ab 35e73505 526a8d28 H [M, (I V )i] 90c6d9b0 0f281bc8 94d04b33 7f0f4265
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 12
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING f[(K ⊕ opad), I V ] = (I V )o 5f8647d7 fa8e9afa bffa4989 3cd471d1
H [H [M, (I V )i ], (I V )o] 2c47cd5b 68830268 7d255059 45c7bef0
HMAC – MD5 = 0x 2c47cd5b 68830268 7d255059 45c7bef0
➢ For TLS, the MAC computation encompasses the fields indicated in the following expression:
HMAC_hash(MAC_write_secret,seq_num||TLScompressed.type||TLSCompressed.version||T LSCompressed.length|| TLSCompressed.fragment)
➢ Note that the MAC calculation includes all of the fields covered by the SSLv3 computation, plus the field TLSCompressed.version, which is the version of the protocol being employed.
UNIT II- E-MAIL SECURITY & FIREWALLS PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls – Firewall related terminology- Types of Firewalls - Firewall designs - SET for E-Commerce Transactions.
1.PGP ➢ Pretty Good Privacy (PGP) was invented by Philip Zimmermann who released version 1.0 in 1991. ➢ . PGP is widely used in the individual and commercial versions that run on a variety of platforms throughout the computer community. ➢ PGP uses a combination of symmetric secret-key and asymmetric public-key encryption to provide security services for electronic mail and data files. ➢ It also provides data integrity services for messages and data files by using digital signature, encryption, compression (zip) and radix-64 conversion (ASCII Armor).
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 13
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
1.1Confidentiality via Encryption ➢ In PGP, each symmetric key, known as a session key, is used only once. A new session key is generated as a random 128-bit number for each message. ➢ Figure illustrates the sequence, which is described as follows:
Figure: PGP confidentiality computation scheme with compression/decompression Algorithms.
➢ The sender creates a message. ➢ The sending PGP generates a random 128-bit number to be used as a session key for this message only. ➢ The session key is encrypted with RSA, using the recipient’s public key. ➢ The sending PGP encrypts the message, using CAST-128 or IDEA or 3DES, with the session key. Note that the message is also usually compressed. ➢ The receiving PGP uses RSA with its private key to decrypt and recover the session key. ➢ The receiving PGP decrypts the message using the session key. If the message was compressed, it will be decompressed.
1.2 Authentication via Digital Signature ➢ The digital signature uses a hash code of the message digest algorithm, and a public-key signature algorithm. ➢ Below Figure illustrates the digital signature service provided by PGP. The sequence is as follows
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 14
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Figure: PGP authentication computation scheme using compression algorithm
➢ The sender creates a message. ➢ SHA-1 is used to generate a 160-bit hash code of the message. ➢ The hash code is encrypted with RSA using the sender’s private key and a digital signature is produced. ➢ The binary signature is attached to the message. ➢ The receiver uses RSA with the sender’s public key to decrypt and recover the hash code. ➢ The receiver generates a new hash code for the received message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
1.3 PGP Packet Headers
Packet tag Packet length
MSB
7 6 5 4 3 2 1 0
Content tag Length
1
(4 bits) type
Content tag
2
(6 bits) 1 Old format packets: content tag (bits 5, 4, 3, 2); length type (bits 1,0) 2 New format packets: content tag (bits 5, 4, 3, 2, 1, 0)
0 – Reserved 8 – Compressed data packet 1 – Session key packet encrypted by public key 9 – Symmetrically encrypted data packet 2 – Signature packet 10 – Marker packet 3 – Session key packet encrypted by symmetric 11 – Literal data packet key 12 – Trust packet 4 – One-pass signature packet 13 – User ID packet 5 – Secret-key packet 14 – Public sub key packet 6 – Public-key packet 60 ∼ 63 – Private or experimental values 7 – Secret-sub key packet
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 15
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ A PGP message is constructed from a number of packets. A packet is a chunk of data which has a tag specifying its meaning. Each packet consists of a packet header of variable length, followed by the packet body. ➢ The first octet of the packet header is called the packet tag as shown in Figure 9.4. The MSB is ‘bit 7’ (the leftmost bit) whose mask is 0x80 (10000000) in hexadecimal. PGP 2.6.x only uses old format packets. ➢ Hence, software that interoperates with PGP 2.6.x must only use old format packets. These packets have 4 bits of content tags, but new format packets have 6 bits of content tags.
1.4 PGP Packet Structure ➢ A PGP file consists of a ✓ Message packet, ✓ Signature packet and ✓ Session key packet. ➢ Message Packet This packet includes the actual data to be transmitted or stored as well as a header that includes control information generated by PGP such as a filename and a timestamp. A timestamp specifies the time of creation. The message component consists of a single literal data packet.
➢ Signature Packet This packet describes a binding between some public key and some data. The most common signatures are a signature of a file or a block of text, and a signature that is a certification of a user ID. ➢ The signature includes the following components: Timestamp: This is the time at which the signature was created. Message digest (or hash code): A hash code represents the 160-bit SHA-1 digest, encrypted with sender A’s private key. The hash code is calculated over the signature timestamp concatenated with the data portion of the message component.
➢ Session Key Packets This component includes the session key and the identifier of the receiver’s public key that was used by the sender to encrypt the session key. A public-key-encrypted session key packet, EKPb (Ks), holds the session key used to encrypt a message.
Content
Message Signature Session key
packet packet packet
Leading two Key ID Key ID K M T FN H(M) T S of KP of KP octets of H(M) a b
E E
KS KP
a b
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 16
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
ZIP
E KS
Radix-64 conversion function
Operation
M : Data T : Timestamp
FN : Filename H(M) : Message digest
K : Session key E : Encryption with user A’s private key S KSa E KP : Encryption with user B’s public key
B
Figure PGP message format.
2. S/MIME ➢ S/MIME provides a way to send and receive 7-bit MIME data. S/MIME can be used with any system that transports MIME data. ➢ It can also be used by traditional mail user agents (MUAs) to add cryptographic security services to mail that is sent, and to interpret cryptographic security services in mail that is received. 2.1 Definitions ➢ ASN.1: Abstract Syntax Notation One, as defined in ITU-T X.680 – 689. ➢ BER: Basic Encoding Rules for ASN.1, as defined in ITU-T X.690. ➢ DER: Distinguished Encoding Rules for ASN.1, as defined in ITU-T X.690. ➢ Certificate: A type that binds an entity’s distinguished name to a public key with a digital signature. This type is defined in the PKIX certificate and CRL profile. The certificate also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer’s signature algorithm identifier, a validity period and extensions also defined in that certificate. ➢ CRL: The Certificate Revocation List that contains information about certificates whose validity the issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the next scheduled time of issue, a list of certificate serial numbers and their associated revocation times, and extensions as defined in Chapter 6. The CRL is signed by the issuer. ➢ Attribute certificate: An X.509 AC is a separate structure from a subject’s PKIXcertificate. A subject may have multiple X.509 ACs associated with each of its PKIX certificates. Each X.509 AC binds one or more attributes with one of the subject’s PKIXs. ➢ Sending agent: Software that creates S/MIME CMS objects, MIME body parts that contains CMS objects, or both. ➢ Receiving agent: Software that interprets and processes S/MIME CMS objects, MIME parts that contain CMS objects, or both. ➢ S/MIME agent: User software that is a receiving agent, a sending agent, or both.
2.2 Enhanced Security Services for S/MIME
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 17
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Triple Wrapped Message ✓ Security Services with Triple Wrapping ✓ Signed Receipts ✓ Receipt Request Creation
2.3 Triple Wrapped Message
➢ A triple wrapped message is one that has been signed, then encrypted and then signed again. The signers of the inner and outer signatures may be different entities or the same entity. ➢ The S/MIME specification does not limit the number of nested encapsulations, so there may be more than three wrappings. ➢ The inside signature is used for content integrity, non-repudiation with proof of origin, and binding attributes to the original content. ➢ The outside signature provides authentication and integrity for information that is processed hop by hop, where each hop is an intermediate entity such as a mail list agent. ➢ The steps to create a triple wrapped message are as follows: 1. Start with the original content (a message body). 2. Encapsulate the original content with the appropriate MIME content-type headers. 3. Sign the inner MIME headers and the original content resulting from step 2. 4. Add an appropriate MIME construct to the signed message from step 3. The resulting message is called the inside signature. ✓ If it is signed using multipart/signed, the MIME construct added consists of a content type of multipart/signed with parameters, the boundary, the step 2 result, a content type of application/pkcs7-signature, optional MIME headers, and a body part that is the result of step 3. ✓ If it is instead signed using application/pkcs7-mime, the MIME construct added consists of a content type of application/pkcs7-mime with parameters, optional MIME headers and the result of step 3. 5. Encrypt the step 4 result as a single block, turning it into an application/pkcs7-mime object. 6. Add the appropriate MIME headers: a content type of application/pkcs7-mime with parameters, and optional MIME headers such as Content-Transfer-Encoding and Content- Disposition. 7. Sign the step 6 result (the MIME headers and the encrypted body) as a single block. 8. Using the same logic as in step 4, add an appropriate MIME construct to the signed message from step 7. The resulting message is called the outside signature, and is also the triple wrapped message. ➢ A triple wrapped message has many layers of encapsulation. The structure differs depending on the choice of format for the signed portions of the message. Because of the way that MIME encapsulates data, the layers do not appear in order
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 18
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
2.4 Security Services with Triple Wrapping ➢ If a signed receipt is requested for a triple wrapped message, the receipt request must be in the inside signature, not in the outside signature. ➢ A security label is included in the signed attributes of any Signed Data object. A security label attribute may be included in either the inner signature or the outer signature, or both. ➢ The inner security label is used for access control decisions related to the original plaintext content. The inner signature provides authentication and cryptographically protects the integrity of the original signer’s security label that is in the inside body. ➢ The outer security label is used for access control and routing decisions related to the encrypted message.
2.5 Signed Receipts ➢ Returning a signed receipt provides to the originator proof of delivery of a message, and allows the originator to demonstrate to a third party that the recipient was able to Verify the signature of the original message ➢ This receipt is bound to the original message through the signature. Consequently, this service may be requested only if a message is signed. The receipt sender may optionally also encrypt a receipt to provide confidentiality between the sender and recipient of the receipt. ➢ The interaction steps in a typical transaction are: ✓ Sender creates a signed message including a receipt request attribute. ✓ Sender transmits the resulting message to the recipient(s). ✓ Recipient receives message and determines if there are a valid signature and receipt request in the message. ✓ Recipient creates a signed receipt. ✓ Recipient transmits the resulting signed receipt message to the sender. ✓ Sender receives the message and validates that it contains a signed receipt for the original message
2.6 Receipt Request Creation ➢ Multilayer S/MIME messages may contain multiple Signed Data layers. Receipts are requested only for the innermost Signed Data layer in a multilayer S/MIME message such as a triple wrapped message.
3. Internet Firewalls for Trusted Systems
3.1 FIREWALL DESIGN PRINCIPLES ➢ Definition: Firewall is software or hardware based network security system that controls the incoming and outgoing network traffic, based on applied rule set. ➢ A firewall establishes a barrier between a trusted secure internal network and another network. ➢ Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 19
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
3.2 Roles of Firewalls ✓ Centralized data processing system, with a central mainframe supporting a number of directly connected terminals ✓ Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe ✓ Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two ✓ Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN) ✓ Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
3.3 FIREWALL CHARACTERISTICS The following design goals for a firewall: 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible available in fire wall. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this chapter. 3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications 3.4 Firewall controls: Firewalls use to control access and enforce the site’s security policy. Originally, firewalls focused primarily on service control, but they have since evolved to provide all four: 1. Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service. 2. Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. 3. User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 20
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPsec. 4. Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server. 3.5 Capabilities of firewall: The following capabilities are within the scope of a firewall: 1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems. 2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system. 3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage. 4. A firewall can serve as the platform for IPsec. 3.6 Limitations of Firewalls: Firewalls have their limitations 1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for travelling employees and telecommuters. 2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker. 3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall. 4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.
3.7 TYPES OF FIREWALLS: ➢ Packet Filtering Firewall ➢ Application Level Gateway ➢ Circuit Level Gateway 3.7.1 Packet Filtering Firewall: Packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet .The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet: ➢ Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 21
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2) ➢ Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET ➢ IP protocol field: Defines the transport protocol ➢ Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for. ➢ possible default policies Default = discard: That which is not expressly permitted is prohibited. Default = forward: That which is not expressly prohibited is permitted.
Attacks on Packet Filters ➢ IP address spoofing: fake source address to be trusted add filters on router to block ➢ Source routing attacks: attacker sets a route other than default block source routed packets. ➢ Tiny fragment attacks: split header info over several tiny packets, either discard or reassemble before check
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 22
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
3.7.2 Application Level Gateway (or Proxy) •Have application specific gateway / proxy •Has full access to Protocol User requests service from proxy Proxy validates request as legal Then actions request and returns result to user Can log / audit traffic at application level? •Need separate proxies for each service Some services naturally support proxying Others are more problematic.
3.7.3 Circuit Level Gateway: ➢ It is a stand a-lone system or it can be a specialized function performed by an application level gate way for certain applications. ➢ It does not permit end to end TCP connection; this relays two TCP connections, one between itself and a TCP user on an inner host, and one between itself and TCP user on outside host. ➢ Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the content.
Example: Circuit level gateway example is implementation of the SOCKS package. SOCKS: ➢ This protocol designed to provide a framework for client-server application in both the TCP & UDP domains to conveniently and securely use the services of a Network firewall.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 23
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ SOCKS server, which runs on a UNIX based firewall. ➢ SOCKS client library, which runs on internal hosts protected by the firewall. ➢ The implementation of the SOCKS protocol typically involves the recompilation or re-linking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library. ➢ The SOCKS service is located on TCP port 1080
Firewall Design Configurations In the screened host firewall, single-homed bastion configuration, the firewall consists of two systems: a packet-filtering router and a bastion host. The router is configured so that 1. For traffic from the Internet, only IP packets destined for the bastion host are allowed in. 2. For traffic from the internal network, only IP packets from the bastion host are allowed out. Bastion Host: A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Typically, the bastion host serves as a platform for an application-level or circuit- level gateway. Common characteristics of a bastion host include the following: ➢ The bastion host hardware platform executes a secure version of its operating system, making it a trusted system. ➢ Only the services that the network administrator considers essential are installed on the bastion host. These include proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication. ➢ The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access. ➢ Each proxy is configured to support only a subset of the standard application's command set.
Screened host firewall: ➢ In the screened host firewall, single-homed bastion configuration (Figure 20.2a), the firewall consists of two systems: a packet-filtering router and a bastion host. Typically, the router is configured so that 1. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 24
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
2. For traffic from the internal network, only IP packets from the bastion host are allowed out. ➢ The bastion host performs authentication and proxy functions. This configuration has greater security than simply a packet-filtering router or an application-level gateway alone, for two reasons. ➢ First, this configuration implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy. Second, an intruder must generally penetrate two separate systems before the security of the internal network is compromised.
➢ This configuration also affords flexibility in providing direct Internet access. For example, the internal network may include a public information server, such as a Web server, for which a high level of security is not required. ➢ In that case, the router can be configured to allow direct traffic between the information server and the Internet. SECURE ELECTRONIC TRANSACTION [SET]
➢ SET is an open encryption and security specification designed to protect credit card transactions on the Internet. SET is not itself a payment system. ➢ Rather it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion.
SET provides three services: ➢ Provides a secure communications channel among all parties involved in a transaction ➢ Provides trust by the use of X.509v3 digital certificates ➢ Ensures privacy because the information is only available to parties in a transaction when and where necessary Key Features of SET ➢ Confidentiality of information ➢ Integrity of data ➢ Cardholder account authentication ➢ Merchant authentication SET Participants 1. Cardholder:A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. 2. Merchant:A merchant is a person or organization that has goods or services to sell to the cardholder.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 25
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
3. Issuer:This is a financial institution, such as a bank, that provides the cardholder with the payment card. 4. Acquirer:This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. 5. Payment gateway:This is a function operated by the acquirer or a designated third party that processes merchant payment messages. 6. Certification authority (CA):This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
Dual Signature ➢ The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. ➢ The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order. The customer is afforded extra protection in terms of privacy by keeping these two items separate. However, the two items must be linked in a way that can be used to resolve disputes if necessary. ➢ The link is needed so that the customer can prove that this payment is intended for this order and not for some other goods or service. ➢ The customer takes the hash (using SHA-1) of the PI and the hash of the OI. These two hashes are then concatenated and the hash of the result is taken. ➢ Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. The operation can be summarized as DS = E(PRc, [H(H(PI)||H(OI)])
➢ Where PRc is the customer's private signature key. Now suppose that the merchant is in possession of the dual signature (DS), the OI, and the message digest for the PI (PIMD). ➢ The merchant also has the public key of the customer, taken from the customer's certificate. Then the merchant can compute the quantities
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 26
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Payment Processing Following transactions: ➢ Purchase request ➢ Payment authorization ➢ Payment capture Purchase Request ➢ Before the Purchase Request exchange begins, the cardholder has completed browsing, selecting, and ordering. The end of this preliminary phase occurs when the merchant sends a completed order form to the customer. ➢ The purchase request exchange consists of four messages: ✓ Initiate Request, ✓ Initiate Response, ✓ Purchase Request, ✓ Purchase Response.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 27
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Purchase Request – Customer
PURCHASE REQUEST – MERCHANT
➢ verifies cardholder certificates using ca sigs ➢ verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key ➢ processes order and forwards the payment information to the payment gateway for authorization (described later) ➢ sends a purchase response to cardholder
Purchase Request – Merchant
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 28
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
PAYMENT GATEWAY AUTHORIZATION ➢ verifies all certificates ➢ decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block ➢ verifies merchant's signature on authorization block ➢ decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block ➢ verifies dual signature on payment block ➢ verifies that transaction id received from merchant matches that in pi received (indirectly) from customer ➢ requests & receives an authorization from issuer ➢ sends authorization response back to merchant
PAYMENT CAPTURE ➢ merchant sends payment gateway a payment capture request ➢ gateway checks request ➢ then causes funds to be transferred to merchants account ➢ notifies merchant using capture response
.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 29
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT III INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques - Incident and incident response methodology - Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. - Forensics Technology and Systems - Understanding Computer Investigation – Data Acquisition.
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime.
Computer Crime
➢ Computer crime is any criminal offense, activity or issue that involves computers ➢ Computer misuse tends to fall into two categories ✓ Computer is used to commit a crime ✓ Computer itself is a target of a crime. Computer is the victim. Computer Security Incident
Computer is used to commit a crime
➢ Computer is used in illegal activities: child pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of intellectual property, embezzlement – all these crimes leave digital tracks ➢ Investigation into these types of crimes include searching computers that are suspected of being involved in illegal activities ➢ Analysis of gigabytes of data looking for specific keywords, examining log files to see what happened at certain times
Computer Security Incident
➢ Unauthorized or unlawful intrusions into computing systems ➢ Scanning a system - the systematic probing of ports to see which ones are open ➢ Denial–of–Service (DoS) attack - any attack designed to disrupt the ability of authorized users to access data ➢ Malicious Code – any program or procedure that makes unauthorized modifications or triggers unauthorized actions (virus, worm, Trojan horse)
Computer Forensics
➢ Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 30
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Multiple methods of ✓ Discovering data on computer system ✓ Recovering deleted, encrypted, or damaged file information ✓ Monitoring live activity ✓ Detecting violations of corporate policy
Traditional problems associated with Computer Crime
Hacking
➢ Hacking is a crime, which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.
Cyber Squatting
➢ Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune.
Phishing
➢ Phishing is just one of the many frauds on the Internet, trying to fool people into parting with their money. ➢ Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. ➢ The fraudster then has access to the customer's online bank account and to the funds contained in that account.
Cyber Stalking
➢ Cyber Stalking is use of the Internet or other electronic means to stalk someone. ➢ This term is used interchangeably with online harassment and online abuse. ➢ Stalking generally involves harassing or threatening behavior that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.
Vishing
➢ Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. ➢ Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Introduction to Identity Theft & Identity Fraud.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 31
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Identity theft:
➢ Someone steals your personal information ➢ Uses it without permission ➢ Can damage your finances, credit history and reputation
How do you know if your identity was stolen?
➢ mistakes on accounts or your Explanation of Medical benefits ➢ regular bills go missing ➢ calls from debt collectors for debts that aren’t yours ➢ notice from the IRS ➢ calls or mail about accounts in your minor child’s name
How to reduce identity theft
➢ Keep your important papers secure. ➢ Be careful with your mail. ➢ Shred sensitive documents. ➢ Don’t over share on social networking sites.
Things to do
STEP 1: Place an initial fraud alert on your credit report. Contact any one of the three nationwide credit reporting companies.
Step 2: Order your credit reports. Contact each of the three credit reporting companies. ID theft victims get a copy of their reports for free. Read your reports carefully and correct any errors.
Step 3: Create an Identity Theft Report. Gives you rights that help you to recover more quickly file a police report.
Types of CF techniques
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 32
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Incident and incident response methodology
➢ Incident Response: Actions taken to deal with an incident. ➢ Structure and Organization Incidents create pandemonium ➢ Incidents occur in bursts ➢ Efficiency ➢ Facilitates the process of responding to incidents ➢ Facilitates dealing with the unexpected. ➢ Legal Considerations.
Incident response life cycle
2. DETECTION 1. PREPERATION
3. CONTAINMENT
6. Follow-up
4. ERADICTION 5. RECOVERY
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 33
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Preparation
➢ Setting up a reasonable set of defenses and controls based on threads. ➢ Creating a set of procedures to deal with the incident efficiently. ➢ Obtaining the resources and personnel to deal with the problem. ➢ Establish an infrastructure to support incident response activity.
Detection
➢ Intrusion Detection Systems ➢ Detection Software ➢ Reporting
Containment
➢ Strategies ✓ Shutting down a system ✓ Disconnect from the network ✓ Change filtering rules of firewalls ✓ Disabling or deleting compromised accounts ✓ Increasing monitoring levels ✓ Setting traps ✓ Striking back at the attacker’s system ➢ Adhering to containment procedures. ➢ Record all actions ➢ Define acceptable risks in advance
Eradication
➢ Eliminate the cause of the incident. Software available for most viruses, worm attacks.
Recovery
➢ Return compromised systems back to its normal mission status. ➢ Recovery procedures: Safest is: ✓ Full rebuilt for system files. ✓ Restore data from last backup. ➢ Record every action. ➢ Keep users aware of status. ➢ Advise appropriate people of major developments that might affect them. ➢ Adhere to policy regarding media contact.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 34
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Return logging to normal level. ➢ Install patches for any exploited vulnerability.
Follow-Up
➢ Perform a post mortem analysis on each significant incident. ✓ Exact description and timeline. ✓ Adequacy of staff response. ✓ What information was needed at what time? ✓ What would the staff do differently? ✓ How was interaction with management? ✓ What was the damage?
Forensic duplication and investigation
➢ Forensic Duplicate: File that contains every bit of information from the source in a raw bit stream format. ➢ Qualified Duplicate: Same as above, but allows embedded metadata or certain types of compression. ➢ Tools that create forensic duplicates ✓ dd ✓ FTK Imager, Access Data ✓ Dfcldd, US DOD Computer Forensics Lab version of the dd command. ➢ Tools that create qualified forensic duplicate output files: ✓ Safe Back ✓ Encase ✓ FTK Imager
Restored Image
➢ A restored image is what you get when you restore a forensic duplicate or a qualified forensic duplicate to another storage medium. ➢ Mismatched drive geometries can cause problems. ✓ Mismatched drive geometries can cause problems.
HD Development
➢ When hard drives grew beyond 512MB, the PC-BIOS needed to be updated (to recognize larger drives). ➢ Safeback, EnCase, FTK Imager, and dd will create a restored image from the qualified forensic duplicate. ➢ EnCase and dd images may not need to be restored.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 35
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Mirror Image
➢ Created from hardware that does at bit for bit copy from one hard drive to another.
Legal Issues
➢ Tools used for forensic duplication must pass the legal tests for reliability. ➢ Note, when tool is generally accepted by others in the field, it is easier to prove that information was gathered in a reliable, accurate manner.
Preparation FOR IR
Incident Response Team
No. IRTMember Role in IRT
1. Senior Management Apart fromprovidingthe team the authority for operation, themanagement has to makebusiness- relateddecisionsbasedon input fromthe othermembers of the team. 2. InformationSecurity Assess the extentof the damage incurred andperformcontainment, basic forensics,and 3. IT/MIS recovery.Minimise the impact to systemend users, and to assist theInformationSecurity team with technicalissues.
4. ITAuditor Understand the cause ofthe incident, ensure proceduresarecomplied with, andwork with IT/Securityto eradicate theincident. 5. Security Assess physical damageincurred, investigatephysicalevidence, and guardevidence during a forensics investigationto maintain a chain ofevidence.
6. Legal Ensure the usabilityofanyevidence collected duringaninvestigation if the company chooses totake legalaction.Therole also includesproviding adviceregardingliability issuesintheevent that an incidentaffects customers, vendors,and/orthe general 7. Human Resource public.Provide advice insituationsinvolvingemployees.HRwillonlybe involved in handling the incident if anemployee is foundtobe responsible for the intrusion.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 36
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
8. Public Relations Communicate with team leaders to have an accurateunderstanding of the issueandthe company’sstatusbeforecommunicating with the press and/orinforming thestockholdersofthe currentsituation. 9. Financial Auditor Assess the damageincurred interms of monetary value, whichis frequently required for insurancecompanies or if thecompany intends to presschargesagainst the perpetrator. FORENSICS TECHNOLOGY AND SYSTEMS
➢ Computer forensics has become a buzz word in today’s world of increased concern for security. It seems that any product that can remotely be tied to network or computer security is quickly labeled as a “forensics” system. ➢ This phenomenon makes designing clear incident response plans and corporate security plans that support computer forensics difficult.
✓ Intrusion detection systems
✓ Firewall security systems
✓ Storage area network security systems
✓ Network disaster recovery systems
✓ Public key infrastructure security systems
✓ Wireless network security systems
✓ Satellite encryption security systems
✓ Instant messaging (IM) security systems
✓ Net privacy systems
✓ Identity management security systems
✓ Identity theft prevention systems
✓ Biometric security systems
✓ Homeland security systems
Planning Your Investigation
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 37
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Acquire the floppy disk from George’s manager.
✓ Complete an evidence form and establish a chain of custody.
✓ Transport the evidence to your computer forensics lab.
✓ Secure your evidence in an approved secure container.
✓ Prepare your forensic workstation.
✓ Obtain the evidence from the secure evidence container.
✓ Make a forensic copy of the evidence floppy disk.
✓ Return the evidence floppy disk to the secure evidence container.
✓ Process the copied floppy disk with your computer forensics tools
Data Acquisition
➢ Data acquisition involves gathering signals from measurement sources and digitizing the signals for storage, analysis, and presentation on a PC. ➢ Data acquisition systems come in many different PC technology forms to offer flexibility when choosing your system. You can choose from PCI, PXI, PCI Express, PXI Express, PCMCIA, USB, wireless, and Ethernet data acquisition for test, measurement, and automation applications. ➢ All industrial processing systems, factories, machinery, test facilities, and vehicles consist of hardware components and computer software whose behavior follow the laws of physics as we understand them. ➢ These systems contain thousands of mechanical and electrical phenomena that are continuously changing; they are not steady state. ➢ The measurable quantities that represent the characteristics of all systems are called variables. The proper functioning of a particular system depends on certain events in time and the parameters of these variables. ➢ Often, we are interested in the location, magnitude, and speed of the variables, and we use instruments to measure them. ➢ We assign the variables units of measure such as volts, pounds, and miles per hour, to name a few.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 38
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS
Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer Forensics Tools: Software/ Hardware Tools.
Processing Crime and Incident Scenes
Identifying Digital Evidence
➢ Digital evidence Can be any information stored or transmitted in digital form ➢ U.S. courts accept digital evidence as physical evidence – Digital data is a tangible object ➢ Some require that all digital evidence be printed out to be presented in court ➢ General tasks investigators perform when working with digital evidence ✓ Identify digital information or artifacts that can be used as evidence ✓ Collect, preserve, and document evidence ✓ Analyze, identify, and organize evidence ✓ Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably ➢ Collecting computers and processing a criminal or incident scene must be done systematically
Understanding Rules of Evidence
➢ Consistent practices help verify your work and enhance your credibility ➢ Comply with your state’s rules of evidence or with the Federal Rules of Evidence ➢ Evidence admitted in a criminal case can be used in a civil suit, and vice versa ➢ Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence ➢ Data you discover from a forensic examination falls under your state’s rules of evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 39
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Or the Federal Rules of Evidence ➢ Digital evidence is unlike other physical evidence because it can be changed more easily ✓ The only way to detect these changes is to compare the original data with a duplicate ➢ Most federal courts have interpreted computer records as hearsay evidence ✓ Hearsay is secondhand or indirect evidence ➢ Computer records must be shown to be authentic and trustworthy ✓ To be admitted into court ➢ Computer-generated records are considered authentic ✓ If the program that created the output is functioning correctly ➢ Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic ➢ When attorneys challenge digital evidence ✓ Often they raise the issue of whether computer generated records were altered ➢ Or damaged after they were created ➢ One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records ✓ The author of a Microsoft Word document can be identified by using file metadata
Types of Evidence
✓ Direct evidence ✓ Circumstantial evidence ✓ Class evidence ✓ Individual evidence
Direct evidence
➢ It includes firsthand observations such as eyewitness accounts or police dashboard video cameras. ✓ Example: a witness states that she saw a defendant pointing a gun at a victim during a robbery. In court, direct evidence involves testimony by a witness about what that witness personally saw, heard, or did. Confessions are also considered direct evidence.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 40
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Circumstantial evidence
➢ It is indirect evidence that can be used to imply a fact but that does not directly prove it. No one, other than the suspect and victim, actually sees when circumstantial evidence is left at the crime scene. ➢ But circumstantial evidence found at a crime scene may provide a link between a crime scene and a suspect. ✓ Example: finding a suspect’s gun at the site of a shooting is circumstantial evidence of the suspect’s presence there. Circumstantial evidence can be either physical or biological in nature. Physical evidence includes impressions such as fingerprints, footprints, shoe prints, tire impressions, and tool marks.
Class evidence
➢ Narrows an identity to a group of persons or things. Knowing the ABO blood type of a sample of blood from a crime scene tells us that one of many persons with that blood type may have been there. It also allows us to exclude anyone with a different blood type.
Individual evidence
➢ Narrows an identity to a single person or thing. Individual evidence typically has such a unique combination of characteristics that it could only belong to one person or thing, such as a fingerprint.
Common examples of trace evidence.
✓ Animal or human hair ✓ Fingerprints ✓ Soil or plant material (pollen) ✓ Body fluids such as mucus, semen, saliva, or blood ✓ Fiber or debris from clothing ✓ Paint chips, broken glass, or chemicals such as drugs or explosives ✓ Evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 41
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Direct Circumstantial ✓ Physical Biological ✓ It is relatively easy to recover DNA from cigarette ends found at the scene of a crime.
Working with Windows and DOS Systems.
➢ 3 types of file systems have been File Systems used by Windows: FAT, FAT32, NTFS
FAT x
➢ File Allocation Table – family of file systems for DOS/Windows operating systems ➢ FAT table – stores info. on status of all clusters on the disk = ‘table of content’ ➢ x = 12, 16, 32 – number of bits used for cluster identification/numbering bit-size of each FAT table entry
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 42
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 43
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
NTFS File System ➢ NTFS – New Technology File System – introduced for Windows NT and Vista ➢ file and folder permissions – folder and file access can be controlled individually ➢ file encryption – NTFS enables strong encryption of files and folders extremely resistant to attacks ➢ file compression – NTFS enables lossy compression on both files and folders ➢ disk efficiency – NTFS supports smaller cluster size than FAT32 ➢ greater reliability – NTFS writes a log of change being made to files and folders (NTFS journal), which helps the OS to recover from system failures
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 44
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Windows Registry
➢ critical part of any Windows OSs - hierarchical database containing configuration information about: ➢ system hardware; ✓ installed software (programs); ✓ property settings; ✓ Profile for each user, etc. ➢ OS uses instructions stored in the registry to determine how installed hardware and software should function ➢ e.g. typical software comes with a Windows installer that writes to the registry during installation ➢ system must be restarted for changes to take place
Current Computer Forensics Tools: Software/ Hardware Tools. ➢ computer forensics tools can also be classified into various categories:
✓ Disk and data capture tools ✓ File viewers ✓ File analysis tools ✓ Registry analysis tools ✓ Internet analysis tools ✓ Email analysis tools ✓ Mobile devices analysis tools ✓ Mac OS analysis tools ✓ Network forensics tools ✓ Database forensics tools
➢ Digital Forensics Framework ✓ Digital Forensics Framework is another popular platform dedicated to digital forensics. ✓ The tool is open source and comes under GPL License. It can be used either by professionals or non-experts without any trouble.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 45
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It can be used for digital chain of custody, to access the remote or local devices, forensics of Windows or Linux OS, recovery hidden of deleted files, quick search for files’ Meta data, and various other things.
➢ Open Computer Forensics Architecture ✓ Open Computer Forensics Architecture (OCFA) is another popular distributed open- source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data. ✓ It was built by the Dutch National Police Agency for automating digital forensics process. It is available to download under GPL license. ➢ CAINE ✓ CAINE (Computer Aided Investigative Environment) is the Linux distro created for digital forensics. It offers an environment to integrate existing software tools as software modules in a user friendly manner. This tool is open source.
➢ X-Ways Forensics
✓ X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on all available version of Windows. It claims to not be very resource hungry and to work efficiently. If we talk about the features, find the key features in the list below
1. Disk imaging and cloning 2. Ability to read file system structures inside various image files 3. It supports most of the file systems including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, UDF 4. Automatic detection of deleted or lost hard disk partition 5. Various data recovery techniques and powerful file carving 6. Bulk hash calculation 7. Viewing and editing binary data structures using templates 8. Easy detection of and access NTFS ADS
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 46
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
9. Well maintained file header 10. Automated activity logging 11. Data authenticity 12. Complete case management 13. Memory and RAM analysis 14. Gallery view for pictures 15. Internal viewer for Windows registry file ➢ SANS Investigative Forensics Toolkit – SIFT ✓ SANS Investigative Forensics Toolkit or SIFT is a multi-purpose forensic operating system which comes with all the necessary tools used in the digital forensic process. It is built on Ubuntu with many tools related to digital forensics. Earlier this year, SIFT 3.0 was released. It comes for free or charge and contains free open-source forensic tools.
✓ In a previous post at resource.infosecinstitute.com, we already covered SIFT in detail. You can read those posts about SIFT to know more about this digital forensics platform.
➢ EnCase
✓ EnCase is another popular multi-purpose forensic platform with many nice tools for several areas of the digital forensic process. This tool can rapidly gather data from various devices and unearth potential evidence. It also produces a report based on the evidence.
➢ Registry Recon
✓ Registry Recon is a popular registry analysis tool. It extracts the registry information from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations.
➢ The Sleuth Kit ✓ The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 47
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Llibforensics ✓ Libforensics is a library for developing digital forensics applications. It was developed in Python and comes with various demo tools to extract information from various types of evidence. ➢ Volatility ✓ Volatility is the memory forensics framework. It used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connection, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under GPL license. ➢ WindowsSCOPE ✓ WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory. ➢ The Coroner’s Toolkit ✓ The Coroner’s Toolkit or TCT is also a good digital forensic analysis tool. It runs under several Unix-related operating systems. It can be used to aid analysis of computer disasters and data recovery. ➢ Oxygen Forensic Suite ✓ Oxygen Forensic Suite is nice software to gather evidence from a mobile phone to support your case. This tool helps in gathering device information (including manufacturer, OS, IMEI number, serial number), contacts, messages (emails, SMS, MMS), and recover deleted messages, call logs and calendar information. ✓ It also lets you access and analyze mobile device data and documents. It generates easy to understand reports for better understanding. ➢ Bulk Extractor ✓ Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 48
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It is basically used by intelligence and law enforcement agencies in solving cyber crimes. ➢ Xplico ✓ Xplico is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. ✓ It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. ✓ Output data of the tool is stored in SQLite database of MySQL database. It also supports IPv4 and IPv6 both. ➢ Mandiant RedLine ✓ Mandiant RedLine is a popular tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like Meta data, registry data, tasks, services, network information and Internet history to build a proper report. ➢ Computer Online Forensic Evidence Extractor (COFEE) ✓ Computer Online Forensic Evidence Extractor or COFEE is a tool kit developed for computer forensic experts. This tool was developed by Microsoft to gather evidence from Windows systems. ✓ It can be installed on a USB pen drive or external hard disk. Just plug in the USB device in the target computer and it starts a live analysis. It comes with 150 different tools with a GUI based interface to command the tools. ✓ It is fast and can perform the whole analysis in as few as 20 minutes. To law enforcement agencies, Microsoft provides free technical support for the tool. ➢ P2 eXplorer ✓ P2 eXplorer is a forensic image mounting tool which aims to help investigating officers with examination of a case. With this image, you can mount forensic images as a read- only local and physical disc and then explore the contents of the image with file explorer. You can easily view deleted data and unallocated space of the image.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 49
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It can mount several images at a time. It supports most of the image formats including EnCasem, safeBack, PFR, FTK DD, WinImage, Raw images from Linux DD, and VMware images. It supports both logical and physical image types.
➢ Plain Sight
✓ Plain Sight is another useful digital forensics tool. It is a CD based Knoppix which is a Linux distribution. Some of its uses include viewing Internet histories, data carving, checking USB device usage, memory dumps extracting password hashes, information gathering, examining Windows firewall configuration, seeing recent documents, and other useful tasks. For using this too, you only need to boot from the CD and the follow the instructions.
➢ XRY
✓ XRY is the mobile forensics tool developed by Micro Systemation. It is used to analyze and recover crucial information from mobile devices. This tool comes with a hardware device and software. Hardware connects mobile phones to PC and software performs the analysis of the device and extracts data. It is designed to recover data for forensic analysis.
✓ The latest version of the tool can recover data from all kind of smart phones including Android, iPhone and BlackBerry. It gathers deleted data like call records, images, SMS and text messages.
➢ HELIX3
✓ HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It comes with many open source digital forensics tools including hex editors, data carving and password cracking tools. If you want the free version, you can go for Helix3 2009R1. After this release, this project was overtaken by a commercial vendor. So, you need to pay for most recent version of the tool.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 50
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, Windows Fegistry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history. Then it analyzes and reviews the data to generate the complied results based on reports.
➢ Cellebrite UFED ✓ Cellebrite’s UFED solutions present a unified workflow to allow examiners, investigators and first responders to collect, protect and act decisively on mobile data with the speed and accuracy a situation demands – without ever compromising one for the other. ✓ The UFED Pro Series is designed for forensic examiners and investigators who require the most comprehensive, up-to-date mobile data extraction and decoding support available to handle the influx of new data sources. ✓ Platform agnostic, the UFED Field Series is designed to unify workflows between the field and lab, making it possible to view access and share mobile data via in-car workstations, laptops, tablets or a secure, self-service kiosk located at a station.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 51
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT IV EVIDENCE COLLECTION AND FORENSICS TOOLS
Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer Forensics Tools: Software/ Hardware Tools.
Processing Crime and Incident Scenes
Identifying Digital Evidence
➢ Digital evidence Can be any information stored or transmitted in digital form ➢ U.S. courts accept digital evidence as physical evidence – Digital data is a tangible object ➢ Some require that all digital evidence be printed out to be presented in court ➢ General tasks investigators perform when working with digital evidence ✓ Identify digital information or artifacts that can be used as evidence ✓ Collect, preserve, and document evidence ✓ Analyze, identify, and organize evidence ✓ Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably ➢ Collecting computers and processing a criminal or incident scene must be done systematically
Understanding Rules of Evidence
➢ Consistent practices help verify your work and enhance your credibility ➢ Comply with your state’s rules of evidence or with the Federal Rules of Evidence ➢ Evidence admitted in a criminal case can be used in a civil suit, and vice versa ➢ Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence ➢ Data you discover from a forensic examination falls under your state’s rules of evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 52
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Or the Federal Rules of Evidence ➢ Digital evidence is unlike other physical evidence because it can be changed more easily ✓ The only way to detect these changes is to compare the original data with a duplicate ➢ Most federal courts have interpreted computer records as hearsay evidence ✓ Hearsay is secondhand or indirect evidence ➢ Computer records must be shown to be authentic and trustworthy ✓ To be admitted into court ➢ Computer-generated records are considered authentic ✓ If the program that created the output is functioning correctly ➢ Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic ➢ When attorneys challenge digital evidence ✓ Often they raise the issue of whether computer generated records were altered ➢ Or damaged after they were created ➢ One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records ✓ The author of a Microsoft Word document can be identified by using file metadata
Types of Evidence
✓ Direct evidence ✓ Circumstantial evidence ✓ Class evidence ✓ Individual evidence
Direct evidence
➢ It includes firsthand observations such as eyewitness accounts or police dashboard video cameras. ✓ Example: a witness states that she saw a defendant pointing a gun at a victim during a robbery. In court, direct evidence involves testimony by a witness about what that witness personally saw, heard, or did. Confessions are also considered direct evidence.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 53
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Circumstantial evidence
➢ It is indirect evidence that can be used to imply a fact but that does not directly prove it. No one, other than the suspect and victim, actually sees when circumstantial evidence is left at the crime scene. ➢ But circumstantial evidence found at a crime scene may provide a link between a crime scene and a suspect. ✓ Example: finding a suspect’s gun at the site of a shooting is circumstantial evidence of the suspect’s presence there. Circumstantial evidence can be either physical or biological in nature. Physical evidence includes impressions such as fingerprints, footprints, shoe prints, tire impressions, and tool marks.
Class evidence
➢ Narrows an identity to a group of persons or things. Knowing the ABO blood type of a sample of blood from a crime scene tells us that one of many persons with that blood type may have been there. It also allows us to exclude anyone with a different blood type.
Individual evidence
➢ Narrows an identity to a single person or thing. Individual evidence typically has such a unique combination of characteristics that it could only belong to one person or thing, such as a fingerprint.
Common examples of trace evidence.
✓ Animal or human hair ✓ Fingerprints ✓ Soil or plant material (pollen) ✓ Body fluids such as mucus, semen, saliva, or blood ✓ Fiber or debris from clothing ✓ Paint chips, broken glass, or chemicals such as drugs or explosives ✓ Evidence
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 54
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Direct Circumstantial ✓ Physical Biological ✓ It is relatively easy to recover DNA from cigarette ends found at the scene of a crime.
Working with Windows and DOS Systems.
➢ 3 types of file systems have been File Systems used by Windows: FAT, FAT32, NTFS
FAT x
➢ File Allocation Table – family of file systems for DOS/Windows operating systems ➢ FAT table – stores info. on status of all clusters on the disk = ‘table of content’ ➢ x = 12, 16, 32 – number of bits used for cluster identification/numbering bit-size of each FAT table entry
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 55
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 56
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
NTFS File System ➢ NTFS – New Technology File System – introduced for Windows NT and Vista ➢ file and folder permissions – folder and file access can be controlled individually ➢ file encryption – NTFS enables strong encryption of files and folders extremely resistant to attacks ➢ file compression – NTFS enables lossy compression on both files and folders ➢ disk efficiency – NTFS supports smaller cluster size than FAT32 ➢ greater reliability – NTFS writes a log of change being made to files and folders (NTFS journal), which helps the OS to recover from system failures
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 57
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Windows Registry
➢ critical part of any Windows OSs - hierarchical database containing configuration information about: ➢ system hardware; ✓ installed software (programs); ✓ property settings; ✓ Profile for each user, etc. ➢ OS uses instructions stored in the registry to determine how installed hardware and software should function ➢ e.g. typical software comes with a Windows installer that writes to the registry during installation ➢ system must be restarted for changes to take place
Current Computer Forensics Tools: Software/ Hardware Tools. ➢ computer forensics tools can also be classified into various categories:
✓ Disk and data capture tools ✓ File viewers ✓ File analysis tools ✓ Registry analysis tools ✓ Internet analysis tools ✓ Email analysis tools ✓ Mobile devices analysis tools ✓ Mac OS analysis tools ✓ Network forensics tools ✓ Database forensics tools
➢ Digital Forensics Framework ✓ Digital Forensics Framework is another popular platform dedicated to digital forensics. ✓ The tool is open source and comes under GPL License. It can be used either by professionals or non-experts without any trouble.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 58
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It can be used for digital chain of custody, to access the remote or local devices, forensics of Windows or Linux OS, recovery hidden of deleted files, quick search for files’ Meta data, and various other things.
➢ Open Computer Forensics Architecture ✓ Open Computer Forensics Architecture (OCFA) is another popular distributed open- source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data. ✓ It was built by the Dutch National Police Agency for automating digital forensics process. It is available to download under GPL license. ➢ CAINE ✓ CAINE (Computer Aided Investigative Environment) is the Linux distro created for digital forensics. It offers an environment to integrate existing software tools as software modules in a user friendly manner. This tool is open source.
➢ X-Ways Forensics
✓ X-Ways Forensics is an advanced platform for digital forensics examiners. It runs on all available version of Windows. It claims to not be very resource hungry and to work efficiently. If we talk about the features, find the key features in the list below
16. Disk imaging and cloning 17. Ability to read file system structures inside various image files 18. It supports most of the file systems including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, UDF 19. Automatic detection of deleted or lost hard disk partition 20. Various data recovery techniques and powerful file carving 21. Bulk hash calculation 22. Viewing and editing binary data structures using templates 23. Easy detection of and access NTFS ADS
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 59
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
24. Well maintained file header 25. Automated activity logging 26. Data authenticity 27. Complete case management 28. Memory and RAM analysis 29. Gallery view for pictures 30. Internal viewer for Windows registry file ➢ SANS Investigative Forensics Toolkit – SIFT ✓ SANS Investigative Forensics Toolkit or SIFT is a multi-purpose forensic operating system which comes with all the necessary tools used in the digital forensic process. It is built on Ubuntu with many tools related to digital forensics. Earlier this year, SIFT 3.0 was released. It comes for free or charge and contains free open-source forensic tools.
✓ In a previous post at resource.infosecinstitute.com, we already covered SIFT in detail. You can read those posts about SIFT to know more about this digital forensics platform.
➢ EnCase
✓ EnCase is another popular multi-purpose forensic platform with many nice tools for several areas of the digital forensic process. This tool can rapidly gather data from various devices and unearth potential evidence. It also produces a report based on the evidence.
➢ Registry Recon
✓ Registry Recon is a popular registry analysis tool. It extracts the registry information from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations.
➢ The Sleuth Kit ✓ The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 60
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Llibforensics ✓ Libforensics is a library for developing digital forensics applications. It was developed in Python and comes with various demo tools to extract information from various types of evidence. ➢ Volatility ✓ Volatility is the memory forensics framework. It used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connection, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under GPL license. ➢ WindowsSCOPE ✓ WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory. ➢ The Coroner’s Toolkit ✓ The Coroner’s Toolkit or TCT is also a good digital forensic analysis tool. It runs under several Unix-related operating systems. It can be used to aid analysis of computer disasters and data recovery. ➢ Oxygen Forensic Suite ✓ Oxygen Forensic Suite is nice software to gather evidence from a mobile phone to support your case. This tool helps in gathering device information (including manufacturer, OS, IMEI number, serial number), contacts, messages (emails, SMS, MMS), and recover deleted messages, call logs and calendar information. ✓ It also lets you access and analyze mobile device data and documents. It generates easy to understand reports for better understanding. ➢ Bulk Extractor ✓ Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 61
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It is basically used by intelligence and law enforcement agencies in solving cyber crimes. ➢ Xplico ✓ Xplico is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. ✓ It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. ✓ Output data of the tool is stored in SQLite database of MySQL database. It also supports IPv4 and IPv6 both. ➢ Mandiant RedLine ✓ Mandiant RedLine is a popular tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like Meta data, registry data, tasks, services, network information and Internet history to build a proper report. ➢ Computer Online Forensic Evidence Extractor (COFEE) ✓ Computer Online Forensic Evidence Extractor or COFEE is a tool kit developed for computer forensic experts. This tool was developed by Microsoft to gather evidence from Windows systems. ✓ It can be installed on a USB pen drive or external hard disk. Just plug in the USB device in the target computer and it starts a live analysis. It comes with 150 different tools with a GUI based interface to command the tools. ✓ It is fast and can perform the whole analysis in as few as 20 minutes. To law enforcement agencies, Microsoft provides free technical support for the tool. ➢ P2 eXplorer ✓ P2 eXplorer is a forensic image mounting tool which aims to help investigating officers with examination of a case. With this image, you can mount forensic images as a read- only local and physical disc and then explore the contents of the image with file explorer. You can easily view deleted data and unallocated space of the image.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 62
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ It can mount several images at a time. It supports most of the image formats including EnCasem, safeBack, PFR, FTK DD, WinImage, Raw images from Linux DD, and VMware images. It supports both logical and physical image types.
➢ Plain Sight
✓ Plain Sight is another useful digital forensics tool. It is a CD based Knoppix which is a Linux distribution. Some of its uses include viewing Internet histories, data carving, checking USB device usage, memory dumps extracting password hashes, information gathering, examining Windows firewall configuration, seeing recent documents, and other useful tasks. For using this too, you only need to boot from the CD and the follow the instructions.
➢ XRY
✓ XRY is the mobile forensics tool developed by Micro Systemation. It is used to analyze and recover crucial information from mobile devices. This tool comes with a hardware device and software. Hardware connects mobile phones to PC and software performs the analysis of the device and extracts data. It is designed to recover data for forensic analysis.
✓ The latest version of the tool can recover data from all kind of smart phones including Android, iPhone and BlackBerry. It gathers deleted data like call records, images, SMS and text messages.
➢ HELIX3
✓ HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It comes with many open source digital forensics tools including hex editors, data carving and password cracking tools. If you want the free version, you can go for Helix3 2009R1. After this release, this project was overtaken by a commercial vendor. So, you need to pay for most recent version of the tool.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 63
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, Windows Fegistry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history. Then it analyzes and reviews the data to generate the complied results based on reports.
➢ Cellebrite UFED ✓ Cellebrite’s UFED solutions present a unified workflow to allow examiners, investigators and first responders to collect, protect and act decisively on mobile data with the speed and accuracy a situation demands – without ever compromising one for the other. ✓ The UFED Pro Series is designed for forensic examiners and investigators who require the most comprehensive, up-to-date mobile data extraction and decoding support available to handle the influx of new data sources. ✓ Platform agnostic, the UFED Field Series is designed to unify workflows between the field and lab, making it possible to view access and share mobile data via in-car workstations, laptops, tablets or a secure, self-service kiosk located at a station.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 64
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT V ANALYSIS AND VALIDATION Validating Forensics Data – Data Hiding Techniques – Performing Remote Acquisition – Network Forensics – Email Investigations – Cell Phone and Mobile Devices Forensics
VALIDATING FORENSICS DATA
➢ Software validation is a part of the design validation for a finished device. Consider software validation to be confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled. ➢ Impractical, software validation activities may occur both during, as well as at the end of the software development lifecycle to ensure that all requirements have been fulfilled. ➢ The validation of software typically includes evidence that all software requirements have been implemented correctly and completely a conclusion that software is validate dashingly dependent upon comprehensive software testing, inspections, analyses, and other verification tasks performed at each stage of the software development lifecycle. ➢ Data validation is the process of ensuring that a program operates on clean, correct and useful data. It uses routines, often called "validation rules" "validation constraints" or "check routines", that check for correctness, meaningfulness, and security of data that are input to the system.
➢ The rules may be implemented through the automated facilities of a data dictionary, or by the inclusion of explicit application program validation logic. Data validation (data vetting, data cleaning) the process of checking that data conforms to specification. It is usually the first process undertaken on raw data.
➢ The following are among the kinds of checks that may be carried out: number and type of characters in a data item; range of values of a data item; correctness of check character(s); consistency between one data item and others in the same record; correctness of check totals for individual records; correctness of batch controls.
Validation methods
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 65
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Allowed character checks only expected characters are present in a field. For example a numeric field may only allow the digits 0-9, the decimal point and perhaps a minus sign or commas. ➢ A text field such as a personal name might disallow characters such as < and >, as they could be evidence of a markup-based security attack. An e-mail address might require at least one @ sign and various other structural details. Regular expressions are effective ways of implementing such checks. (See also data type checks below)Batch totals Checks for missing records. ➢ Numerical fields may be added together for all records in a batch. The batch total is entered and the computer checks that the total is correct, e.g., add the 'Total Cost' field of a number of transactions together. ➢ Cardinality Checks that record has a valid number of related records. For example if Contact record classified as a Customer it must have at least one associated Order (Cardinality > 0). If order does not exist for a "customer" record then it must be either changed to "seed" or the order must be created. ➢ This type of rule can be complicated by additional conditions. For example if contact record in Payroll database is marked as "former employee", then this record must not have any associated salary payments after the date on which employee left organization (Cardinality = 0). ➢ Check digits Used for numerical data. An extra digit is added to a number which is calculated from the digits. The computer checks this calculation when data are entered. For example the last digit of an ISBN for a book is a check digit calculated modulus 10. ➢ Consistency checks Checks fields to ensure data in these fields corresponds, e.g., If Title = "Mr.", then Gender = "M". ➢ Control totals this is a total done on one or more numeric fields which appears in every record. This is a meaningful total, e.g., add the total payment for a number of Customers. ➢ Cross-system consistency checks Compares data in different systems to ensure it is consistent, e.g., the address for the customer with the same id is the same in both systems. ➢ The data may be represented differently in different systems and may need to be transformed to a common format to be compared, ➢ e.g., one system may store customer name in a single Name field as 'Doe, John Q', while another in three different fields: First_Name (John), Last_Name (Doe) and Middle_Name (Quality); to compare the two, the validation engine would have to transform data from the second system to match the data from the first, for example, using SQL: Last_Name || ', ' || First_Name ||
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 66
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
substr(Middle_Name, 1, 1) would convert the data from the second system to look like the data from the first 'Doe, John Q' ➢ Data type checks Checks the data type of the input and give an error message if the input data does not match with the chosen data type, e.g., In an input box accepting numeric data, if the letter 'O' was typed instead of the number zero, an error message would appear. ➢ File existence check Checks that a file with a specified name exists. This check is essential for programs that use file handling. ➢ Format or picture check Checks that the data is in a specified format (template), e.g., dates have to be in the format DD/MM/YYYY. Regular expressions should be considered for this type of validation. ➢ Hash totals this is just a batch total done on one or more numeric fields which appears in every record. This is a meaningless total, e.g., add the Telephone Numbers together for a number of Customers. ➢ Limit check Unlike range checks, data are checked for one limit only, upper OR lower, e.g., data should not be greater than 2 (<=2). ➢ Logic check Checks that an input does not yield a logical error, e.g., an input value should not be 0 when it will divide some other number somewhere in a program. ➢ Presence check Checks that important data is actually present and have not been missed out, e.g., customers may be required to have their telephone numbers listed. ➢ Range check Checks that the data is within a specified range of values, e.g., the month of a person's date of birth should lie between 1 and 12. ➢ Referential integrity In modern Relational database values in two tables can be linked through foreign key and primary key. If values in the primary key field are not constrained by database internal mechanism,[4] then they should be validated. Validation of the foreign key field checks that referencing table must always refer to a valid row in the referenced table.[5] ➢ Spelling and grammar check looks for spelling and grammatical errors. ➢ Uniqueness check Checks that each value is unique. This can be applied to several fields (i.e. Address, First Name, and Last Name). ➢ Table look up check A table look up check takes the entered data item and compares it to a valid list of entries that are stored in a database table.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 67
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
DATA HIDING
➢ Data hiding is the process of making data difficult to find while also keeping it accessible for future use. "Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves." ➢ Some of the more common forms of data hiding include encryption, steganography and other various forms of hardware/software based data concealment. Each of the different data hiding methods makes digital forensic examinations difficult. When the different data hiding methods are combined, they can make a successful forensic investigation nearly impossible.
Encryption
➢ One of the more commonly used techniques to defeat computer forensics is data encryption. In a presentation he gave on encryption and anti-forensic methodologies the Vice President of Secure Computing, Paul Henry, referred to encryption as a "forensic expert's nightmare". ➢ The majority of publicly available encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. Through the use of modern encryption algorithms and various encryption techniques these programs make the data virtually impossible to read without the designated key. ➢ File level encryption encrypts only the file contents. This leaves important information such as file name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed from other locations, such as temporary files, swap file and deleted, unencrypted copies. ➢ Most encryption programs have the ability to perform a number of additional functions that make digital forensic efforts increasingly difficult. Some of these functions include the use of a key file, full-volume encryption, and plausible deniability. The widespread availability of software containing these functions has put the field of digital forensics at a great disadvantage.
Steganography
➢ Steganography is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight. "Steganography produces dark data that is typically buried within light data (e.g., a non-perceptible digital watermark buried within a digital photograph)."
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 68
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Some experts have argued that the use of steganography techniques are not very widespread and therefore shouldn't be given a lot of thought. Most experts will agree that steganography has the capability of disrupting the forensic process when used correctly. ➢ According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist publication) outlined the importance of using a steganography program called Secrets of the Mujahedeen. According to Carr, the program was touted as giving the user the capability to avoid detection by current steganalysis programs. ➢ It did this through the use of steganography in conjunction with file compression. Other forms of data hiding other forms of data hiding involve the use of tools and techniques to hide data throughout various locations in a computer system. Some of these places can include "memory, slack space, hidden directories, bad blocks, alternate data streams, (and) hidden partitions." ➢ One of the more well known tools that is often used for data hiding is called Slacker (part of the Metasploit framework). Slacker breaks up a file and places each piece of that file into the slack space of other files, thereby hiding it from the forensic examination software. ➢ Another data hiding technique involves the use of bad sectors. To perform this technique, the user changes a particular sector from good to bad and then data is placed onto that particular cluster. The belief is that forensic examination tools will see these clusters as bad and continue on without any examination of their contents.
PERFORMING REMOTE ACQUISITION
➢ In addition to the steady acquisition and live acquisition, there is also another type of acquisition, which is remote acquisition. Remote acquisition is done through a network connection and involves a client server type of architecture. ➢ In many cases, you install a client on a machine from which you want to retrieve the data. Remote acquisition is a form of live acquisition, especially because it requires that the computing device in form of a host or a host computer is still up and running. ➢ So the acquisition is only done while the computer is on. The current trend is that live and remote acquisitions are becoming more important and popular due to the encryption problem. Static acquisitions are now becoming more difficult, especially because the data is often encrypted when a
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 69
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
computing device is turned off. So, what this means is. That by the time you're trying to do a static acquisition, it may be too late to retrieve the data out of a storage device.
NETWORK FORENSICS
➢ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation. ➢ Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. ➢ The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions. ➢ Network forensics is the capture, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields where forensics pertains to the investigation of crimes.) According to SimsonGarfinkel, author of several books on security, network forensics systems can be one of two kinds: Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system. ➢ "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic. ➢ Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 70
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool.
EMAIL INVESTIGATION
➢ When investigating email, we usually start with the piece of email itself and analyze the headers of the email. Since each SMTP server that handles a message adds lines on top of the header, we start at the top and work our way backward in time. ➢ Inconsistencies between the data that subsequent SMTP servers supposedly created can prove that the email in question is faked. Another investigation is that of the header contents itself. If a message does not have these, then it is faked. If possible, one can obtain another email following supposedly the same path as the email under investigation and see whether these idiosyncratic lines have changed. While it is possible that the administrator of an SMTP node changed the behavior or even the routing, these changes tend to be far and in between. For example, in the following email that I sent to myself (with altered addresses), we find a large number of optional lines that the hotmail server added, in particular the X-fields. ➢ Without these fields, the message did not originate through the bay area hot mail server.The Message-ID field is also highly characteristic. Notice that hotmail also includes the originating IP address. A simple check for this IP address might also prove that the message is a fake. (Though in fact, it is not.)
Return-path:
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 71
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Message-ID:
Test
➢ In general, it is impossible to prove that an email is genuine, but one can build a good case that it is genuine. Usually, spoofers are simply not that good. ➢ In a case where someone maintains that email appearing to originate from that some-one is faked, the date and the originating IP address could create a presumption that the email is not faked. ➢ But even in this case, the only thing one can deduce for sure is that the email originated from someone who could put a packet with that return address on the network. ➢ As administrators get more concerned about fake mail, they put in access restrictions and also place warnings in headers, as the following example shows. (For Spam protection, I changed the email addresses used.)
De:
Received: from CPSJ-EXCHANGE-1.calprov.org ([65.116.151.145]) by bay0-mc10- f12.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 28 Dec 2005 15:19:15 -0800 Received: from endor.engr.scu.edu ([129.210.16.1]) by CPSJ-EXCHANGE-1.calprov.org with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Dec 2005 15:19:14 -0800 Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSNA9h7023258for [email protected]; Wed, 28 Dec 2005 15:19:47 -0800 X-Message-Info: JGTYoYF78jFYzNJ5n6DdPGvy0zsH8v3C7lhJalOirZc= X-Authentication-Warning: endor.engr.scu.edu: bobadilla.engr.scu.edu [129.210.18.34] didn't use HELO protocol
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 72
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Return-Path: [email protected] X-OriginalArrivalTime: 28 Dec 2005 23:19:14.0587 (UTC) FILETIME=[1E1796B0:01C60C05]
Analysis of source machine
➢ Besides analyzing the email message itself, analyzing the machine from which an email might have originated my yield some proof. We will see this when we come to discuss hard drive evidence.
Analysis of Logs
➢ Even more fundamental and important than these methods are the logs that SMTP servers (and some email programs) maintain. Law enforcement has here an advantage over private investigators because they can subpoena ISP records. ➢ Unfortunately, ISP servers tend to not store the log data for a long time. It therefore makes sense to warn an ISP about a coming subpoena so that they can safe-guard the log entry. A lucky investigator might be able to trace back a message through SMTP servers to the first one that handled the message. ➢ If this server belonged to an ISP, then information from RADIUS logs might give the name of the subscriber. Otherwise, the investigator might connect the IP of the originating machine to a suspect. In case of criminal enterprises such as spammers, fraudsters, phishers, etc. this investigation will be very difficult because the originating message is often from a hacked machine that is controlled by another hacked machine. ➢ The investigator needs to spend considerable resources and talents to follow such a trail through various jurisdictions. It is possible to even set up a website in a way that cannot be traced to a person, for example using untraceable or stolen credit cards. ➢ Here is an example of a typical smtp log from endor. Chris Tracy - a truly talented and helpful systems administrator - sent me fake mail:
Dec 31 18:26:15 endorsendmail[30597]: k012OV1i030597: [email protected], size=147, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211] Dec 31 18:26:15 endorspamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865 Dec 31 18:26:15 endorspamd[28512]: spamd: setuid to tschwarz succeeded Dec 31 18:26:15 endorspamd[28512]: spamd: processing message <[email protected]> for tschwarz:1875 Dec 31 18:26:15 endorspamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes. Dec 31 18:26:15 endorspamd[28512]: spamd: result: . 4 - MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0 .1,rport=42865,mid=<[email protected]>,autolearn=no Dec 31 18:26:15 endorspamd[21352]: prefork: child states: II Dec 31 18:26:15 endorsendmail[30726]: k012OV1i030597: [email protected], delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 73
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Information Technology Email Investigation Guidelines
➢ This document describes the Information Technology policies and procedures related to handling of emails related to transgressions of law or of questionable content. ➢ Pursuant to the Computing Access Agreement, Information Technology does not monitor email content or email accounts. Minimal, short-lived logging is done on the system for performance and operational use showing messages queued for delivery or system load. Email account contents may be accessed for technical reasons (assisting users or system troubleshooting) without the knowledge of the owner. ➢ Information Technology does not officially investigate or trace emails unless directed or requested to do so from College authority offices like Campus Police, Human Resources, or Student Life. In general all issues with objectionable email of a harassing or illegal nature must be routed through one of these authorities, typically Campus Police. ➢ Members of the College community who contact Information Technology about this issue are directed to retain the message in its original form within their account and contact Campus Police. Campus Police then typically makes an incident report and determines whether the incident warrants action by Information Technology. ➢ The majority of information used for tracing email is extracted from the message header. The header format is a documented standard and is constructed as a product of message delivery by all involved delivery agents (from the initiating client through to the final accepting server). To some degree this information can be used to verify the legitimacy of a message. To a lesser degree this information can be used to trace the message origin. However, mail clients are easily reconfigured to obscure the identity of the sender, semi-anonymous email agents (like Yahoo! and Hotmail) are widely used, and determined individuals can certainly add enough invalid header information to make determinations very difficult. ➢ Emails originating from The College of New Jersey systems are typically easier to trace than messages originating from off-campus sites (this includes Yahoo! and Hotmail as well as emails from other personal or commercial systems). ➢ Information Technology NTS staff will review the message headers to determine origin, destination, or ownership of the message as required. College UNIX account contents may be reviewed to determine what roles investigation-specified users and potential suspects play in the investigation.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 74
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ In the event that an email must be traced through an off-campus system, Information Technology must request the assistance of other agencies. For email originating from or destined to other sites, respective system administrators at those sites may be contacted for assistance. Information Technology staff often contact system administrators at these sites and may be able to acquire the necessary information. Certain commercial email systems require legal documents before they will release account information. For these services (like AOL, Yahoo! or Hotmail) a court order or subpoena may be required to obtain the user identity and/or message contents of the suspect account. Campus Police handles acquiring legally binding documents and may acquire those documents and possibly the related account information before contacting Information Technology. ➢ Information Technology NTS staff maintain close contact with Campus Police (or the appropriate investigating agency) throughout the division’s action in the investigation. Information retrieved by Information Technology is provided to the investigators with explanation as required. ➢ In most cases the action taken against an individual determined guilty of a violation of the Computing Access Agreement is determined by College authorities. The typical action is to lock the user account for a specified period of time.
CELL PHONE AND MOBILE DEVICE FORENSICS
➢ In the information age, every byte of data matters. Cell phones are capable of storing a wealth of personal information, often intentionally, and sometimes unintentionally. This holds true for almost all mobile devices, such as PDAs and iPhones as well. ➢ Cell phone forensic experts specialize in the forensic retrieval of data from cell phones and other mobile devices in a manner that preserves the evidence under forensically acceptable conditions, ensuring that it is court-admissible. ➢ A cell phone forensic investigation includes possible full data retrieval dependent upon the cell phone or PDA model. The cell phone and PDA forensic engineers at Kessler International will conduct a thorough examination of the data found on the cell phone’s SIM/USIM, the cell phone body itself, and any optional memory cards. Some of the kinds of data that may be retrieved and examined during a cell phone forensic investigation, even after being deleted, include:
✓ Call times; dialed and received calls, and call durations • Text messages recovery of SMS message recovery
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 75
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
• Contact names & phone numbers • Address book entries; residential addresses and email addresses • Photos & graphics • Videos ➢ Law enforcement officials and legal firms realize the importance of evidence contained on cell phones and other mobile devices, and how it can greatly affect the outcome of a trial. ➢ Whether working to document evidence of “white collar crime” or tasked by law enforcement to extract data for a criminal trial, the integrity of the firm selected for cell phone forensics is as important as the integrity of the data recovered. ➢ More and more court cases are being won with the proper submittal of electronic evidence, so it’s imperative that the cell phone forensic investigator understands the legal issues and imperatives surrounding electronic evidence gathering.
Why and when to call Kessler International
➢ Parents should contact us if they suspect that their child is misusing the device or being harassed by someone contacting or photographing them without their consent. Kessler will discreetly investigate and, if necessary, assist law enforcement by providing court-admissible data to corroborate legal claims. ➢ Kessler International can perform mobile phone forensics if an individual suspects his or her spouse of cheating. Data such as placed & received calls and phone call times, text messages, photos and other incriminating evidence can be retrieved from the spouse’s cell phone or mobile device. ➢ Companies and corporations should contact us to perform cell phone forensics if they suspect espionage by a competitor or disgruntled employee. ➢ Business owners who distribute cell phones to their executives and sales staff may contact us to perform cell phone forensics to determine if these devices are being inappropriately used to view and/or download porn, or defying restricted Internet usage company policies. ➢ Individuals may contact Kessler International if they suspect they have been the victim of e-stalking, the subject of inappropriate and non-consensual digital photography and other forms of digital harassment.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 76
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ Kessler International’s forensic cell/mobile phone, PDA, and computer investigations are discreet, controlled, thorough and fully documented. Our professional staff is both certified and highly- experienced in their respective forensic disciplines. ➢ Forensic cell phone audits by Kessler International’s professionals yield superior results as our techniques and procedures far exceed those used in routine data recovery investigations. ➢ Our forensic examinations will document the evidence that the client needs and the respective circumstance requires. For all your cell phone forensic investigative needs, Kessler International is the company to call.
A Leader in the Field of Cell Phone Forensics
➢ For over 25 years, Kessler International has been a leader in the field of digital forensics. The cell phone forensic engineers at Kessler International are fully trained in proper evidence handling and litigation support services. Our broad knowledge of these complex electronic systems combined with extensive legal training demonstrates the high standards Kessler International maintains. ➢ These standards are critical to providing the data that support an accurate presentation of the facts. Kessler has built its rock-solid reputation on it. Remember, when the bar is set high, Kessler International is the company to call. ➢ The explosive growth in the availability and use of cell phones and other mobile devices ➢ Coupled with the expanded capabilities of these devices has made this area of digital forensics increasingly important. For many years now, cell phones have been a recorder of information, often related to criminal or other nefarious behaviors, not to mention often being the instrument and, occasionally, the target of that behavior. ➢ Mobile devices contain a plethora of data, including contact lists, phone and Internet browsing history, text and multimedia messages, e-mail, photographs and videos, geo location information, and much more. Indeed, smart phones are mobile Internet terminals and contain more probative information per byte examined than most computers. ➢ Examination and analysis of cell phones requires a very different forensic process than that applied to computers. ➢ Every step from seizure to preservation to transport to the exam itself requires processes and tools to ensure minimal alteration to the original evidence.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 77
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
➢ The complexity in performing a thorough exam of a mobile device and the analysis of the contents should not be underestimated; while computers today largely employ only two or three different operating systems (depending upon how you count), there are at least six major operating systems used on mobile phones that are still in circulation. ➢ Gary has been conducting mobile phone forensic examinations since 2006. Most of this work has been on behalf of the local, state, and federal law enforcement community in Vermont and Florida, including the U.S. Attorney's Office and Internet Crimes Against Children (ICAC) Task Force. ➢ Gary has also examined mobile devices on behalf of clients in civil litigations. Gary has acted as an expert witness in several federal criminal cases, as well as numerous civil matters. ➢ Gary is also a frequent speaker at conferences about the process of mobile device forensics. He has also conducted many training courses on mobile phone and Smartphone forensics. ➢ Gary Kessler Associates is capable of performing logical and physical analysis of most types of cell phones, tablets, GPS devices, and other mobile devices. In conjunction with partners, GKA is able to provide a broad range of services, including chip-off examinations and analysis of call detail records and cell tower information. ➢ Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers. ➢ The use of phones in crime was widely recognized for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smart phones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques. ➢ Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smart phones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts. ➢ There is growing need for mobile forensics due to several reasons and some of the prominent reasons are:
✓ Use of mobile phones to store and transmit personal and corporate information ✓ Use of mobile phones in online transactions
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 78
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
✓ Law enforcement, criminals and mobile phone devices
➢ Mobile device forensics can be particularly challenging on a number of levels:[3] ➢ Evidential and technical challenges exist. for example, cell site analysis following from the use of a mobile phone usage coverage, is not an exact science. ➢ Consequently, whilst it is possible to determine roughly the cell site zone from which a call was made or received, it is not yet possible to say with any degree of certainty, that a mobile phone call emanated from a specific location e.g. a residential address.
✓ To remain competitive, original equipment manufacturers frequently change mobile phone form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. As a result, forensic examiners must use a different forensic process compared to computer forensics. ✓ Storage capacity continues to grow thanks to demand for more powerful "mini computer" type devices. ✓ Not only the types of data but also the way mobile devices are used constantly evolve. ✓ Hibernation behavior in which processes are suspended when the device is powered off or idle but at the same time, remaining active.
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 79
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
VELTECH HIGHTECH Dr.RANGARAJAN Dr.SAKUNTHALA ENGINEERING COLLEGE Page 80