Investigation Unit4

Uploaded by Craig Pinto

Investigation

Cyber Crime Investigation


• Cybercrime investigation is the process of analyzing, investigating, and recovering
critical forensic digital data/evidence from the networks or systems involved in a
cyber attack, whether on the Internet/WWW or a local network, in order to identify
the perpetrator of the cyber/digital crime and their main motive behind the attack.
• Cybercrime investigators should be experts in computer science, understanding not
only computer software, file systems and operating systems, but also how networks,
software and hardware work together in a computer system.
• They should have enough knowledge to determine how all these components
interconnect, in order to get a full description of what happened, why and when it
happened, who performed the cybercrime or cyber attack, and how victims can protect
themselves or those close to them against these types of cyber attacks in the future.
Investigation Tools
• SIFT Workstation
• SIFT is a forensic tool collection created to help incident response teams and
forensic researchers examine digital forensic data on several systems.
• When it comes to evidence image support, it works perfectly with single raw image
files, AFF (Advanced Forensic Format), EWF (Expert Witness Format, EnCase), AFM
(AFF with external metadata), and many others.
• The Sleuth Kit
• Written by Brian Carrier and known as TSK, The Sleuth Kit is an open source
collection of Unix- and Windows-based forensic tools that helps researchers analyze
disk images and recover files from those devices.
• Available from the command line or used as a library, The Sleuth Kit is the perfect
ally for any person interested in data recovery from file systems and raw-based disk
images.
• X-Ways Forensics
• This software is one of the most complete forensic suites for Windows-based operating
systems. It's widely supported for almost any version of Windows, making it one of the
best in this particular market and letting you easily work with versions such as Windows
XP/2003/Vista/2008/7/8/8.1/2012/10*, supporting both 32 Bit/64 Bit.
• Its main features include the ability to perform disk cloning and imaging and to read
partitions from raw image files, HDDs, RAID arrays, LVM2 and much more.
• CAINE
• CAINE is not a simple cybercrime investigation application or a suite, it's a full Linux
distribution used for digital forensic analysis.
• It runs from a live CD and can help you extract data created on multiple operating
systems such as Linux, Unix and Windows.
• File system, memory or network data extraction: CAINE can do it all by combining the best
forensic software, running on both command-line and GUI-based interfaces.
• PALADIN
• PALADIN is a bootable Linux distribution based on Ubuntu and developed by
SUMURI.
• The PALADIN Toolbox helps streamline numerous forensic tasks, truly offering
“forensic tools galore”: over 30 categories with over 100 tools, including
The Sleuth Kit and Autopsy.
• This veritable forensic lab on a disk is available in both 64- and 32-bit versions,
making it one of the most popular suites of its kind.
• Used by law enforcement, military, federal, state and corporate agencies,
PALADIN is the perfect ally for any computer crime investigator.
E-discovery
• Electronic discovery -- also called e-discovery or eDiscovery -- is the process of
obtaining and exchanging evidence in a legal case or investigation.
• E-discovery is used in the initial phases of litigation when involved parties are
required to provide relevant records and evidence related to a case.
• E-discovery can be conducted offline on a specific computer, or it can be done on
a network.
• The data collected in the e-discovery process includes any information that is in an
electronic format, including emails, texts and social media posts.
• Advantages/Uses:
• Keyword queries and search conditions
• Search for content
• Place content locations on legal hold
• Search statistics.
• Advanced indexing.
EDRM(E-Discovery Reference Model)
• EDRM is a framework that outlines the standards for the recovery and
discovery of any digital data.
• This represents the conceptual view of the e-discovery process, not a
literal or waterfall model.
• This model is designed to serve as guidance for assimilating and
gathering electronic data during the legal process, including criminal
evidence discovery.
• It consists of 9 distinctive stages that outline what eDiscovery
activities should look like during an investigation.
• Information governance (IG): IG is an umbrella term used to describe the procedures, controls and
policies for data collection and preservation. Best practices are managed by the IGRM model, which
provides a framework for all e-discovery agencies to follow.
• Identification: When litigation is imminent, all parties must attempt to preserve evidence. But how do
you know what data to save? In the identification phase, a team determines what data must be
preserved by interviewing key stakeholders, reviewing case facts and analyzing the digital
environment.
• Preservation: After data is identified, data owners are formally instructed to preserve data (and to not
delete it).
• Collection: Several technologies exist to collect data, but the chosen application must follow a defined
legal process. The team responsible for collecting data must ensure that digital assets are preserved
without altering essential metadata such as file creation dates, size, and audit logs attached to each
file.
• Processing: Raw collected data is usually unorganized and ill-suited to present to attorneys or the
court. The processing phase of electronic discovery involves organizing data and finding the right
assets for analysis. This phase can also be automated using software to extract important information
from a sea of irrelevant data.
• Review: Reviewing documentation and digital assets can be done manually or by
using artificial intelligence. During the review stage, pertinent information is
separated from unnecessary data that is not relevant for the ongoing litigation. This
phase also identifies documents subject to client-attorney privilege.
• Analysis: At this stage in e-discovery, digital assets become more organized for
presentation. Reviewers identify patterns and key information critical for litigation and
design a presentation layout used during trial or deposition.
• Production: Digital assets must be turned into physical documentation. After key data
is identified, attorneys turn it into presentable evidence.
• Presentation: Evidence in litigation must be presented to other attorneys, judges,
juries, mediators, and deposition participants. During the final presentation phase,
data is organized in a way that makes it easy to parse and then convey to an audience.
Digital Evidence
• Digital evidence is defined as information and data of value to an investigation that is stored on, received or
transmitted by an electronic device.
• Text messages, emails, pictures and videos, and internet searches are some of the most common types of
digital evidence.
• This evidence can be acquired when electronic devices are seized and secured for examination.
• Digital evidence
• Is latent (hidden), like fingerprints or DNA evidence
• Crosses jurisdictional borders quickly and easily
• Can be altered, damaged or destroyed with little effort
• Can be time sensitive
• There are many sources of digital evidence; some of them are:
• Internet-based
• Stand-alone computers or devices
• Mobile devices
• These areas tend to have different evidence-gathering processes, tools and concerns, and different types of
crimes tend to lend themselves to one device or the other.
The digital evidence should have some characteristics to be acceptable in a court of law:

• Admissible: Investigators must present evidence in an admissible manner, which means it must be relevant to the case,
support the client presenting it, and be communicated in a non-prejudicial way.

• Authentic: It is very easy to manipulate digital evidence, which raises questions about its ownership. Therefore,
investigators must provide supporting documents concerning the genuineness of the evidence.

• Complete: The evidence must be complete, which means it must either prove or contradict the consistent facts in the
proceeding.

• Reliable: Forensic investigations must be conducted only on copies of the evidence, because the court must have the
original evidence for future reference.

• Believable: Investigators and prosecutors must present the evidence in a clear and comprehensible manner to the members
of the jury. They have to explain the facts clearly and obtain an expert opinion on them to verify the investigation method.
Digital Evidence Collection
• Digital evidence can be collected from many sources.
• Obvious sources include computers, mobile phones, digital cameras, hard drives, CD-ROM, USB memory
sticks, cloud computers, servers and so on.
• Some Methods of collection are:
• Capturing Network Data Packets: This is often done to observe users connected to a local
network. Using existing tools such as netstat, Cain & Abel, Wireshark etc., we can obtain valuable data. In
Cain & Abel, we can see detailed information about the connected users such as IP addresses, MAC
addresses, the sites being opened, the usernames and passwords entered for login, etc.
• Awakening Deleted Data: Criminals often take steps to conceal their crime, and deleted data can
often contain the most incriminating digital evidence. Therefore, one of the most useful processes is
to regenerate the files and folders that have been deleted.
• Extracting Embedded Metadata: As explained previously, embedded metadata can answer a variety of
questions about a document, including the genuineness and authenticity of its source.
• Social Engineering: Sometimes collecting data through legal procedures is hard to do. Investigators are
usually inhibited in determining the status of a suspect or the accused due to lack of evidence.
Digital Evidence Preservation
• Digital Evidence Preservation includes:
• Isolate the data files or devices for examination.
• Secure the files to inspect data.
• Preservation of data for investigation.
• Critical Steps in Preserving Digital Evidence:
• Do not change the current state of the device
• Power down the device
• Do not leave the device in an open area or unsecured place
• Do not plug any external storage media in the device
• Do not copy anything to or from the device
• Take a picture of the piece of the evidence
• Make sure you know the PIN/password/pattern of the device
• Do not open anything like pictures, applications, or files on the device
• Do not trust anyone without forensics training
• Make sure you do not shut down the computer; if required, hibernate it
Three Methods to Preserve Digital Evidence
• Drive Imaging
• Before forensic investigators begin analyzing evidence from a
source, they need to create an image of the evidence. Imaging a
drive is a forensic process in which an analyst will create a bit-by-
bit duplicate of the drive. When analyzing an image forensic
experts need to keep in mind the following points:
• Even wiped drives can retain important and recoverable data to
identify.
• Forensic experts can recover all deleted files using forensic
techniques.
• Never perform forensic analysis on the original media. Always
operate on the duplicate image.
• Hash Values:
• When a forensic investigator creates an image of the evidence for
analysis, the process generates cryptographic hash values like
MD5, SHA1, etc. Hash Values are critical as:
• They are used to verify the Authenticity and Integrity of the
image as an exact replica of the original media.
• When admitting evidence in the court, hash values are critical
as altering even the smallest bit of data will generate a
completely new hash value.
• When you perform any modifications like creating a new file or
editing an existing file on your computer, a new hash value is
generated for that file.
• Chain of Custody:
• As forensic investigators collect media from the client and transfer
it, they should document all the steps conducted during the
transfer of media and the evidence on the Chain of Custody (CoC)
forms and capture signatures, date, and time upon the media
handoff.
• It is essential to conduct CoC paperwork due to the following
reasons:
• CoC demonstrates that the image has been under known
possession since the time the image was created.
• Any lapse in the CoC nullifies the legal value of the image, and
thus the analysis.
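To make the hash-value and chain-of-custody points concrete, here is an added Python example (not from the original slides): it hashes a constructed image, shows that a faithful copy verifies while a single flipped bit does not, and keeps a minimal chain-of-custody log in which each handoff records the hash observed at that moment. The evidence ids, person names and image bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample "disk image": not real evidence, just deterministic bytes that
# stand in for the bit-by-bit duplicate an examiner would produce.
ORIGINAL_IMAGE = bytes(range(256)) * 64  # 16 KiB


def image_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an image. sha256 by default; md5/sha1 accepted because older
    chain-of-custody forms and tools still record them."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_image(original: bytes, duplicate: bytes, algorithm: str = "sha256") -> bool:
    """True only if the duplicate hashes identically to the original."""
    return image_hash(original, algorithm) == image_hash(duplicate, algorithm)


def flip_one_bit(data: bytes, byte_index: int) -> bytes:
    """Copy of data with a single bit flipped, to show how sensitive the hash is."""
    mutable = bytearray(data)
    mutable[byte_index] ^= 0x01
    return bytes(mutable)


class ChainOfCustody:
    """Minimal CoC log: each handoff records giver, receiver, time and the hash of
    the media as it was handed over. Real forms also carry signatures."""

    def __init__(self, evidence_id: str, image: bytes):
        self.evidence_id = evidence_id
        self.reference_hash = image_hash(image)  # fixed at acquisition time
        self.entries = []

    def handoff(self, from_person: str, to_person: str, image: bytes,
                timestamp: Optional[datetime] = None) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "from": from_person,
            "to": to_person,
            "time": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "hash": image_hash(image),  # hash of the media actually handed over
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """Intact only if every recorded hash equals the acquisition hash and each
        recipient is the next handoff's sender (no gap in possession)."""
        if not self.entries:
            return False
        if any(e["hash"] != self.reference_hash for e in self.entries):
            return False
        return all(a["to"] == b["from"] for a, b in zip(self.entries, self.entries[1:]))


def demo() -> dict:
    duplicate = bytes(ORIGINAL_IMAGE)               # faithful copy
    tampered = flip_one_bit(ORIGINAL_IMAGE, 1000)   # differs by exactly one bit

    good = ChainOfCustody("EVID-0001 (constructed id)", ORIGINAL_IMAGE)
    good.handoff("Examiner A", "Evidence clerk", duplicate)
    good.handoff("Evidence clerk", "Examiner B", duplicate)

    bad = ChainOfCustody("EVID-0002 (constructed id)", ORIGINAL_IMAGE)
    bad.handoff("Examiner A", "Evidence clerk", duplicate)
    bad.handoff("Evidence clerk", "Examiner B", tampered)  # altered between links

    return {
        "copy_verified": verify_image(ORIGINAL_IMAGE, duplicate),
        "tampered_verified": verify_image(ORIGINAL_IMAGE, tampered),
        "chain_intact": good.unbroken(),
        "tampered_chain_intact": bad.unbroken(),
    }


if __name__ == "__main__":
    print(demo())
```

Recording the hash at every handoff, rather than only at acquisition, is what lets a later reviewer see exactly which link in the chain the alteration entered.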
Email Investigation/Forensics
• E-mail investigation refers to the study of the source and content of e-mail
as evidence to identify the actual sender and recipient of a message, the
date/time of transmission, a detailed record of the e-mail transaction, the
intention of the sender, etc.
• This study involves investigation of metadata, keyword searching, port
scanning, etc.
• Goals of Email Investigation:
• To identify the main criminal
• To collect the necessary evidence
• To present the findings
• To build the case
Techniques used in email investigation
• Header Analysis: Metadata within the e-mail message is a form of control
information, i.e. the envelope and headers (including headers within the message
body) that contain information about the sender and/or the trail along which the
message has travelled. A number of these can also be spoofed to hide the identity of
the sender. An in-depth analysis of these headers and their correlation is performed
in header analysis.
• Server Investigation: This involves investigating copies of delivered emails and
server logs. Some organizations provide separate mailboxes for their employees by
running internal mail servers. In this case, the investigation involves extracting
the entire mailbox related to the case together with the server logs.
• Network Device Investigation: In some investigations, the investigator requires
the logs maintained by network devices such as routers, firewalls and switches to
investigate the source of an email message. This is often a complex situation where
the primary evidence is not present.
• Software Embedded Analysis: Some information about the sender of the email,
attached files or documents may be included with the message by the email software
used by the sender to compose the email. This information may appear in the form
of custom headers or as MIME content in Transport Neutral Encapsulation Format
(TNEF).
• Sender Mail Fingerprints: The “Received” field includes tracking information
generated by the mail servers that have previously handled a message, in reverse
order. The “X-Mailer” or “User-Agent” field helps to identify the email software.
Analyzing these fields helps to understand the software and version used by the
sender.
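The header-analysis and sender-fingerprint techniques above, as an added Python example that is not from the original slides: it parses a constructed raw message, reads the Received trail in reverse order to find the originating hop, extracts the X-Mailer/User-Agent fingerprint, and correlates the From domain with the Return-Path domain. All hostnames, IPs, ids and the mailer name are placeholders.

```python
import re
from email import message_from_string, policy

# Constructed raw message (not a real capture). The folded Received lines use the
# same layout a mail client shows under "view original".
SAMPLE_RAW = """\
Received: from mx.example-recipient.test (mx.example-recipient.test [192.0.2.10])
\tby inbox.example-recipient.test with ESMTP id abc123;
\tTue, 2 Apr 2024 10:15:30 +0000
Received: from relay.example-sender.test (relay.example-sender.test [198.51.100.7])
\tby mx.example-recipient.test with ESMTPS id def456;
\tTue, 2 Apr 2024 10:15:28 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example-sender.test with ESMTPA id ghi789;
\tTue, 2 Apr 2024 10:15:25 +0000
From: "Accounts" <accounts@example-sender.test>
Return-Path: <bounce@other-domain.test>
To: victim@example-recipient.test
Subject: Invoice attached
Date: Tue, 2 Apr 2024 10:15:24 +0000
Message-ID: <20240402101524.1234@example-sender.test>
X-Mailer: ExampleMailer 4.2 (placeholder client name)

Please see the attached invoice.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value) -> dict:
    """Pull the 'from' host, the 'by' host, the bracketed IP and the timestamp
    (text after the last ';') out of one Received header."""
    text = " ".join(str(value).split())  # collapse header folding
    m_from = RECEIVED_FROM.search(text)
    m_by = RECEIVED_BY.search(text)
    m_ip = RECEIVED_IP.search(text)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "timestamp": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }


def domain_of(address) -> str:
    return str(address).rsplit("@", 1)[-1].strip().rstrip(">").lower()


def analyse_headers(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    # Every relay prepends its own Received line, so the top one is the last hop.
    # Reversing gives chronological order: hops[0] is the originating submission.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    origin_ip = next((h["ip"] for h in hops if h["ip"]), None)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    return {
        "hops": hops,
        "origin_ip": origin_ip,
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id": msg.get("Message-ID"),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Header/envelope disagreement is one of the correlations worth noting;
        # it is not proof of spoofing on its own (mailing lists cause it too).
        "envelope_mismatch": from_domain != return_path_domain,
    }


if __name__ == "__main__":
    result = analyse_headers(SAMPLE_RAW)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("origin ip:", result["origin_ip"], "| mailer:", result["mailer"])
    print("envelope mismatch:", result["envelope_mismatch"])
```

Only the Received line added by a server you trust is reliable; anything below it in the trail could have been written by the sender, which is why the lowest hop is treated as a lead rather than a conclusion.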
Email Tracking
• Email tracking is a method for monitoring the delivery of email
messages to the intended recipient.
• In other words, email tracking is the process of tracking sent emails
and using that data to inform business decisions.
• Email tracking involves using software to monitor the emails you
send.
• Most tracking technologies use some form of digitally time-stamped
record to reveal the exact time and date that an email was received
or opened, as well the IP address of the recipient.
Advantages of Email Tracking
• Providing unique insight: With Email Tracking, we’re provided with
more than just valuable information about our contact’s engagement
with our emails.
• Saving time: if you notice a contact is clicking on the links you sent
and viewing a cover letter or a proposal that you attached, you know
that you’re currently at the top of their minds.
• Providing context: For example, if you included links or attachments
in an email prior to a meeting, you can see if your contact has viewed
them.
Email Tracking Process Consists of Five Main Steps
• Establish company guidelines on email tracking practices: get
instructions for locating a header for your email provider.
• Install an email tracking app.
• Compose an email: open the email you want to trace and find its
header.
• Check the “Track” box.
• Scroll down below the box for the Trace Email results.
IP Tracking
• IP stands for internet protocol, which is the set of processes that
dictate how information is shared across the web.
• Each device has an IP address.
• In most cases, IP addresses are a string of numbers separated by
periods, and used for identification and location.
Reasons to Track an IP
• Legal Concerns
• IP addresses are how we as a society identify people who commit illegal activities
online in order to hold them accountable. This ranges from small offenses to large.
• Marketing
• In some legal cases, an IP address can be tracked back to a specific individual.
When it comes to marketing uses though, IP tracking is more anonymized than
that. Marketing and analytics software includes the capability to track the location
data of IP addresses and provide that data to website owners.
• Scam Detection
• Consumers aren’t the only ones who have to worry about online scammers. Many
credit card companies and eCommerce businesses now use security software to
help spot purchases that are likely fraudulent.
Working of IP Address Trackers
• IP Handshake
• Every time your device connects to a website or another network, the two parties need
to exchange IP addresses to ensure data can be properly sent and received between them.
Proper communication requires both IP addresses to be fully open, revealing themselves to
the other. This is the IP handshake.
• Recording IP addresses
• As IP addresses are automatically identified thanks to the handshake, IP address
trackers can easily collect the data they need and record any further movements. This
recording is usually done through JavaScript code attached to the website tracking IP
addresses.
• Extracting data
• Now the IP address has been identified and recorded, the IP address tracker is ready to
extract valuable data.
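The recording and extraction steps above, together with the scam-detection use of IP data mentioned earlier, can be illustrated with an added Python example that is not from the original slides: constructed access records keyed by client IP are summarised per IP, and an IP that uses many different accounts within a short window is flagged for review. The records, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records of the kind a site-side tracker stores after the handshake:
# (UTC timestamp, client IP, account used, action). All values are made up.
RECORDS = [
    ("2024-04-02T10:00:05", "203.0.113.5", "alice", "login"),
    ("2024-04-02T10:03:40", "203.0.113.5", "alice", "purchase"),
    ("2024-04-02T10:05:12", "198.51.100.7", "bob", "login"),
    ("2024-04-02T10:06:01", "198.51.100.7", "carol", "login"),
    ("2024-04-02T10:06:33", "198.51.100.7", "dave", "purchase"),
    ("2024-04-02T10:07:10", "198.51.100.7", "erin", "purchase"),
    ("2024-04-02T11:40:00", "192.0.2.44", "frank", "login"),
]


def summarise_by_ip(records) -> dict:
    """Extraction step: per IP, count events and purchases, collect the distinct
    accounts seen, and keep first/last activity times."""
    summary = defaultdict(lambda: {"events": 0, "purchases": 0,
                                   "accounts": set(), "first": None, "last": None})
    for ts, ip, account, action in records:
        t = datetime.fromisoformat(ts)
        s = summary[ip]
        s["events"] += 1
        s["accounts"].add(account)
        if action == "purchase":
            s["purchases"] += 1
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
        s["last"] = t if s["last"] is None or t > s["last"] else s["last"]
    return dict(summary)


def flag_suspicious(summary: dict, max_accounts: int = 2, window_minutes: float = 15) -> dict:
    """Detection rule (an assumption, not a standard): one IP touching more than
    max_accounts distinct accounts inside window_minutes is worth a manual look.
    Shared NATs and corporate proxies can trigger this, so it is a review queue,
    not an automatic block."""
    flagged = {}
    for ip, s in summary.items():
        span = (s["last"] - s["first"]).total_seconds() / 60
        if len(s["accounts"]) > max_accounts and span <= window_minutes:
            flagged[ip] = {
                "accounts": sorted(s["accounts"]),
                "span_minutes": round(span, 1),
                "purchases": s["purchases"],
            }
    return flagged


if __name__ == "__main__":
    summary = summarise_by_ip(RECORDS)
    for ip, s in summary.items():
        print(ip, s["events"], "events,", len(s["accounts"]), "accounts")
    print("flagged:", flag_suspicious(summary))
```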
Email Recovery
• In digital forensics, to tackle certain kinds of situations, investigators need to recover lost or
deleted email data. Nowadays, emails play a significant role in everyone’s life, as they are used for business
or personal communication, sharing confidential documents that may be crucial, etc. It could be a
nightmare if such important data got lost somehow.
• In most illegal cases, criminals usually delete such suspect emails intentionally to remove the
leads to evidence. Hence arises the need for email recovery.
• The following is a partial list of the types of data that can be recovered from email:
● Written communications
● Photographs, diagrams, compressed attachments, etc.
● Sent to / Received from data
● Date and location data
● Send path information
● Contact list data
• In addition, there can be email log information, email headers and other types of metadata that can be used
to establish timelines of actions, locations, and connections between subjects involved in investigations.
Recovering Data from Web-Based Email Clients
❖ Header Analysis: Metadata within the e-mail message is a form of control information, i.e. the envelope and
headers (including headers within the message body) that contain information about the sender and/or the trail
along which the message has travelled. A number of these can also be spoofed to hide the identity of
the sender. An in-depth analysis of these headers and their correlation is performed in header analysis.
❖ Forensic Imaging: Provides imaging (bit-by-bit copying) of email client data, as well as data export into
various file formats, while always maintaining the original properties, attachments, metadata and folder
structure.

Recovering Data from Email Clients

❖ Device / Drive Imaging: Imaging is making a bit-by-bit copy of any data source, which helps to maintain the
integrity of the data and facilitates the speed and thoroughness of the investigation.
❖ Recover Deleted or Damaged Emails: Provides services to recover normal AND deleted emails in their
original form, with no data modification done at any time during the process, so as to maintain admissibility.
Recovering Deleted Evidence
• Digital evidence is any information stored or transmitted in digital form that a party at court can use at the
time of trial.
• Destroyed/Deleted Evidence: In a criminal or cyber-criminal case, attempts to destroy the evidence are very
common. Such attempts can be more or less successful depending upon the following conditions:
● The action taken to destroy the evidence.
● The time available to destroy the evidence.
● The type of storage device, such as a magnetic hard drive, flash memory card, or SSD.
• Methods used to destroy evidence and ways to recover the destroyed evidence:
❖ Deleted Files:
• Deleting files is the easiest, most convenient and most common way to destroy evidence, whether by using the
“Delete” button or the “Ctrl+Delete” button. Deleted files can be retrieved by analyzing the contents of the
recycle bin, as they are temporarily stored there before being permanently deleted. If the deleted files leave no
trace in the recycle bin, as in the case of the “Ctrl+Delete” command, then you can use commercial recovery tools
to recover the deleted evidence. One example of such a commercial tool is DiskInternals Partition Recovery.
❖ Formatted Hard Drives
➢ Recovery of data from a formatted hard drive depends on a lot of parameters. Information from a formatted hard drive may be
recoverable either by using data carving technology or by using commercial data recovery tools. There are two possible ways to format
a hard drive: Full Format – as the name suggests, this initializes the disk by creating a new file system on the partition being formatted
and also checks the disk for bad sectors. Quick Format – this is never destructive except in the case of an SSD; it simply initializes the
disk by creating a new file system on the partition being formatted.
❖ SSD Drives
➢ SSDs (Solid-State Drives) represent a new storage technology. They operate much faster than traditional hard drives. They employ a
completely different way of storing information internally, which makes it much easier to destroy information and much more difficult
to recover it. The culprit in SSDs is the TRIM command. TRIM enables the SSD to completely wipe all deleted information in less than
3 minutes. Traditional methods are not useful when we try to recover deleted data from an SSD, or even any information from an SSD
formatted with either Full Format or Quick Format. This means the traditional methods can be used for data recovery on an SSD only
when the TRIM command has not been issued.
❖ Data Carving
➢ Carving means bit-precise and sequential examination of the entire content of the hard drive. Carving allows the identification of
particular signatures or patterns that may give a clue that some interesting data is stored in a particular spot on the disk. It can locate
various artifacts that would not be available otherwise. Data carving is truly amazing when looking for destroyed evidence. Carving has
the following features when dealing with text content:
■ Text information is the easiest to recover.
■ Blocks containing text data are filled exclusively with numeric values belonging to a narrow range that represents letters, numbers and
symbols.
■ Different encodings must be taken into account when looking for text in each supported language.
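The data-carving description above can be illustrated with an added Python example that is not from the original slides: it scans a constructed image sequentially for PNG, JPEG and PDF header/footer signatures, and separately for runs of printable bytes, which is the text-carving case the slide describes. The sample image, its embedded files and the deleted note are constructed; the signature table covers only three types, where real carvers know hundreds.

```python
import re

# File signatures as (header, footer). Real carvers use much larger tables and,
# for formats without a footer, parse the header to learn the length instead.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def build_sample_image() -> bytes:
    """Constructed 'disk image': zero-filled space holding three synthetic files
    and a fragment of deleted text in between. Not a real disk."""
    filler = b"\x00" * 512
    png = SIGNATURES["png"][0] + b"IHDR" + bytes(range(1, 30)) + SIGNATURES["png"][1]
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + SIGNATURES["jpeg"][1]
    pdf = b"%PDF-1.4\n%constructed sample\n1 0 obj << >> endobj\n%%EOF"
    slack = b"\xa5" * 50 + b"deleted note: meeting moved to 9" + b"\xa5" * 50
    return filler + png + filler + slack + jpeg + filler + pdf + filler


def carve_files(image: bytes, max_size: int = 1 << 20) -> list:
    """Walk the whole image for each header; when a matching footer follows within
    max_size bytes, return the span as a recovered file. No file-system metadata
    is consulted, which is exactly why carving works on deleted or formatted space."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:                       # header without footer: skip it
                start = image.find(header, start + 1)
                continue
            stop = end + len(footer)
            found.append({"type": kind, "offset": start, "data": image[start:stop]})
            start = image.find(header, stop)
    found.sort(key=lambda f: f["offset"])
    return found


def carve_text(image: bytes, min_len: int = 8) -> list:
    """Text carving: bytes in the narrow printable ASCII range (0x20-0x7e) in runs
    of at least min_len. Other encodings (UTF-16, etc.) would need their own scan."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve_files(img):
        print(f"{f['type']:4} at offset {f['offset']:5} ({len(f['data'])} bytes)")
    for offset, text in carve_text(img):
        print(f"text at offset {offset:5}: {text!r}")
```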
Password Cracking
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that
has been stored in or transmitted by a computer system in scrambled form.
Common Password-Cracking Techniques
❖ Brute Force Attack: In a brute-force attack, the attacker tries to crack the password by submitting various
combinations until the correct one is found. The attacker uses software to automate this process and run
through exhaustive combinations of passwords in significantly less time.
❖ Dictionary Attack: The ‘dictionary attack’ gets its name for a reason. In this method, the attacker
systematically tries every word in a dictionary to crack the password. This is a type of brute-force attack,
but instead of submitting arbitrary combinations of symbols, numbers and words, this method only uses words
that could be found in a dictionary.
❖ Rainbow Table Attack: When your passwords are stored on the server they are converted into meaningless
fixed-length strings of characters instead of being stored as plain text. This process is called hashing. Since
the passwords are stored as hashes, attackers try to gain authentication by cracking the password hash, and
they do it using a rainbow table: a list of pre-computed hashes of possible password combinations. The
attackers look the hash up in the rainbow table, and a match reveals your password.
❖ Social Engineering: While the above password-cracking techniques exploit
technical weaknesses, social engineering takes advantage of human error and
psychology. Put simply, social engineering is the act of manipulating the victim
into giving up confidential information such as bank details or passwords.
❖ Phishing: Phishing is a type of social engineering used by cybercriminals to
trick users and acquire their sensitive information, which is then used for
cybercrimes such as financial breaches and data theft. There are various types
of phishing: email spoofing, URL spoofing, website spoofing, smishing, vishing
and more. The most common ones are carried out through email, phone and SMS.
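The rainbow-table point above is easiest to understand from the defender's side: a precomputed table only works when every server hashes the same password to the same value. The following added Python example (not from the original slides) builds a small lookup table from a constructed wordlist, shows that it recovers an unsalted SHA-256 hash, and shows that the same table is useless against a per-user salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256). The wordlist and the fixed demo salt are constructed; production code must draw the salt from `os.urandom`.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the source of a precomputed table.
COMMON_WORDS = ["password", "letmein", "welcome1", "sunshine", "qwerty123"]


def build_unsalted_table(words) -> dict:
    """Precompute hash -> password for an unsalted SHA-256 scheme. A rainbow table
    is a space-optimised version of this idea; the weakness it exploits is the same."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password: str) -> str:
    """The weak storage scheme: plain SHA-256, identical for every user and server."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(table: dict, stored_hash: str):
    """Table lookup; returns the password if the hash was precomputed, else None."""
    return table.get(stored_hash)


def store_salted(password: str, salt: bytes = None, iterations: int = 100_000) -> dict:
    """Hardened storage: random per-user salt plus an iterated KDF. The salt makes
    precomputed tables worthless; the iterations slow down guessing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    table = build_unsalted_table(COMMON_WORDS)
    unsalted = store_unsalted("sunshine")
    # Fixed salt only so the demo is deterministic; never do this in production.
    salted = store_salted("sunshine", salt=bytes(16))
    return {
        "unsalted_recovered": lookup(table, unsalted),       # table hit
        "salted_recovered": lookup(table, salted["hash"]),   # table miss
        "salted_verify_ok": verify_salted("sunshine", salted),
        "salted_verify_wrong": verify_salted("sunshin3", salted),
    }


if __name__ == "__main__":
    print(demo())
```

Two users with the same password get different stored hashes once salts differ, so an attacker who obtains the database cannot even tell that they share a password, let alone look it up.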
