Chapter 4 DF
DIGITAL FORENSICS
DR. NILAKSHI JAIN
Email ID: [email protected]

CHAPTER FOUR
4.1 Introduction
4.2 Facts in Criminal Case
4.3 People Involved in Data Collection Techniques
4.4 Live Data Collection
4.5 Live Data Collection from UNIX System
Introduction

The term “computer forensics” covers the identification, extraction, documentation and preservation of information that is stored or transmitted in electronic or magnetic form; such information is what is generally treated as digital evidence.

Different standards have been created for finding and preserving digital evidence, and a number of procedures are accepted by law. The consequences of not following them are:
1. If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented, and the jury members will never get a chance to evaluate it or consider it in making their decision.
2. If the proof is admitted, the opposing lawyer can attack its quality by questioning the witnesses.
The Facts in a Criminal Case

The legal process of searching for, examining, preserving and exhibiting facts or evidence is generally governed by the law of the court's jurisdiction. This process is what introduces evidence into a case.

1. Definition of Evidence:
“Evidence can generally be defined as the means by which an alleged fact, the truth of which is subjected to scrutiny, is established or disproved. The legal significance of any given piece of evidence lies in its influence on the judge or jury at trial.” — Debra Littlejohn Shinder
The Facts in a Criminal Case

2. Evidence Admissibility
There are certain requirements for evidence to be admissible or acceptable by a court:
1. Evidence should be competent.
2. Evidence should be relevant.
3. Evidence should be material.
4. Evidence should be obtained legally.

Standards of Forensic Examination
Standards regarding the handling of digital evidence are:
1. The originality of the evidence should be preserved.
2. There should be an exact copy of the original, if possible, in order to maintain the integrity of the evidence.
3. The copies should be preserved on a disk with no other documents on it. That is, the disk should be wiped (cleaned) before the copies are placed on it.

3. Collection of Digital Evidences
The first person to become aware of a cybercrime is always a network administrator. Integrity of the investigation team members is also essential in order to collect evidence successfully.
People Involved in Data Collection Techniques

There are several people involved in evidence collection: the first responder (usually an officer or a security person), the investigators (usually a senior investigator), and the crime scene technicians (usually a person who is an expert in computer forensics). Each of these people has been assigned specific roles.

• Role of the First Responder
The first responder is the one who appears at the crime location, usually an officer or a security person.
He/she should follow the following process:
1. Identifying the crime location
2. Protecting the crime scene
3. Preserving temporary (volatile) and easily tampered evidence
People Involved in Data Collection Techniques

• Role of Investigators
The IT incident response team has the authority to collect evidence before any law enforcement team arrives.
The investigator will be responsible for:
1. Chain of order:
An investigator should make sure that everyone at the crime scene is aware of the chain of order. Chain of order refers to the flow of the investigation process.
2. Conducting the crime scene search:
Officers should seek out all the systems, written documents and notes, manuals, and log files related to the crime.
3. Preserving the integrity of the facts or evidence:
Criminals always remove all the evidence. This is the reason to preserve all the evidence in order to take action against the offender. Investigators should make an exact copy of all the evidence, if possible, and should be able to analyze the footprints of the attacker/criminal.
People Involved in Data Collection Techniques

• Role of Crime Scene Technicians:
1. Preserving temporal evidence and replicating disks
2. Shutting down the computer system for transport
3. Marking and recording the evidence
4. Packaging the evidence
5. Transporting the evidence
6. Processing the evidence
Live Data Collection

• Live Data Collection from a Windows System
The first step is to determine whether the system was used by the victim or by the attacker.

• Creating a Response Toolkit
1. Collecting the tools
There are two types of applications available in Windows:
1. Based on a GUI (Graphical User Interface)
2. Based on a CUI (Character User Interface, i.e. command-line tools)
2. Preparing the response toolkit:
There are several stages in preparing the toolkit for initial response:
1. Tag the response toolkit media
2. Check the dependencies
3. Create checksums for the response toolkit
Live Data Collection

• Saving Information Collected During Initial Response
There are four options available once the information has been retrieved from the live system:
1. Save the data on the hard drive of the target system.
2. Record the obtained data by hand.
3. Save the data on floppy disks or other external devices.
4. Send the data to a forensic system by using cryptcat or netcat.

Netcat is a widely used tool to transfer data from the target system to remote forensic workstations.
Live Data Collection

• Moving Data Using Netcat
Netcat is a freely available tool that can be used to establish a communication channel between hosts. There are two practices promoted by this technique:
1. It helps to quickly get on and off the target system.
2. It also allows the collected information to be reviewed offline, later.

We need to initialize a Netcat listener on the forensic workstation and redirect all the incoming data to a file. Figure 4.2 shows the listener for incoming connections on port 2222; the file called pslist will contain all the information received on port 2222. The output of the response command is then sent to the forensic workstation by using Netcat on the target system. Figure 4.3 runs the pslist command, sending its output to the forensic workstation with the IP address 192.168.0.20.
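The two halves of the transfer described above, written out as an added Python example (not the slides' nc commands or the figures): the workstation side accepts one connection and streams it into the pslist file while hashing it, the target side pushes already-captured output, and a loopback helper runs both on 127.0.0.1 so the flow can be exercised offline. The custody record, the use of port 0 in the loopback, and the sample pslist output are constructed for the example.

```python
import hashlib
import socket
import tempfile
import threading
from datetime import datetime, timezone

def start_listener(port=2222, host="0.0.0.0"):
    """Workstation side, the 'nc -l -p 2222' half; returns socket and bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]          # port 0 lets the OS choose

def receive_to_file(srv, out_path):
    """Accept one connection and stream its bytes into out_path (the '> pslist'
    redirection). Returns a custody record: peer, byte count, SHA-256, UTC time."""
    conn, peer = srv.accept()
    digest, received = hashlib.sha256(), 0
    with conn, open(out_path, "wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:                     # sender closed: transfer complete
                break
            fh.write(chunk)
            digest.update(chunk)
            received += len(chunk)
    srv.close()
    return {"peer": peer[0], "bytes": received, "sha256": digest.hexdigest(),
            "received_utc": datetime.now(timezone.utc).isoformat()}

def send_output(host, port, data):
    """Target side, the 'pslist | nc 192.168.0.20 2222' half: push the captured
    output, close, and return the sender-side SHA-256 for comparison."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)
    return hashlib.sha256(data).hexdigest()

def loopback_transfer(data):
    """Run both halves over 127.0.0.1 so the flow can be exercised offline.
    Returns (custody_record, sender_sha256, output_path)."""
    srv, port = start_listener(port=0, host="127.0.0.1")
    out_path = tempfile.mktemp(prefix="pslist-")
    result = {}
    worker = threading.Thread(target=lambda: result.update(receive_to_file(srv, out_path)))
    worker.start()
    sent = send_output("127.0.0.1", port, data)
    worker.join(10)
    return result, sent, out_path
```

Comparing the sender-side and receiver-side SHA-256 values is what lets the examiner state that the saved pslist file is exactly what the target produced.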
Live Data Collection

• Obtaining Volatile Data
We collect the following temporal/volatile data before forensic duplication:
1. The date and time of the system.
2. List of users that are currently logged on.
3. The entire file system's time and date stamps.
4. List of processes that are currently running.
5. List of sockets that are currently open.
6. Applications that are listening on the open sockets.
7. List of systems that have current or recent connections to the system.
Live Data Collection

• Documenting and Managing the Investigation
Accurate incident response requires technical skill, but practices that are documented and organized are equally important. There are two main reasons for documenting the actions taken while responding on the victim system:
1. To protect the organization to which you belong.
2. To collect data that may become evidence against the offender or criminal.

An example of this form is illustrated in the following table:
Live Data Collection

• Collecting Temporal Data
The following are the steps used for collecting the data on a Windows system:
1. Run a trusted cmd.exe.
2. Record the system time and date.
3. Identify who has logged on to the system and who the remote access users are.
4. Record the creation, access and modification times of the files.
5. Identify open ports.
6. List the applications associated with those ports.
7. List all running processes.
8. List current and recent connections.
9. Record the date and time of the target system.
10. Record the commands used during the initial response.
Live Data Collection from a UNIX System

Collecting the data
The following information should be collected:
1. Date and time of the system.
2. A list of users who are currently logged on.
3. The entire file system's time and date stamps.
4. List of processes that are currently running.
5. List of currently open sockets.
6. List of applications listening on those open ports.
7. List of systems that have current or recent connections to the system.
Live Data Collection from a UNIX System

To obtain live data, the following steps should be followed:
1. Run a trusted shell.
2. Record the time and date of the system.
3. Identify who is currently logged on to the system.
4. Record the creation, alteration and access time of each file.
5. Identify open ports.
6. List the applications associated with the open ports.
7. Identify the running processes.
8. List the current and recent connections.
9. Record the time of the system.
10. Record the steps taken.
11. Record cryptographic checksums.
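Step 11 above and the "create checksums for the response toolkit" stage of preparing the Windows toolkit rely on the same mechanism, so one added Python example (not from the slides) covers both: build a SHA-256 manifest over a directory, whether the toolkit media or the saved output of the response commands, and verify it later, reporting modified, missing and added files. The directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so large captures need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256. Run once over the
    toolkit media before it is tagged, and once over each response command's
    saved output (step 11), then keep the manifest with the case notes."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Recompute and report what changed: 'modified' (hash differs), 'missing'
    (listed but gone) and 'added' (present but never hashed). All three empty
    means the toolkit or the collected evidence is intact."""
    current = build_manifest(root)
    return {"modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
            "missing": sorted(p for p in manifest if p not in current),
            "added": sorted(p for p in current if p not in manifest)}

def demo():
    """Constructed scenario: hash two small captures, then append to one file and
    drop a new file into the directory; returns (manifest, report)."""
    root = tempfile.mkdtemp(prefix="response-")
    samples = {"pslist": b"System 4\nlsass.exe 640\n", "date.txt": b"Mon Jan 01 10:00:00 2024\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    manifest = build_manifest(root)
    with open(os.path.join(root, "pslist"), "ab") as fh:
        fh.write(b"extra line\n")               # alteration after the hashes were taken
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"added later\n")
    return manifest, verify_manifest(root, manifest)
```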
Live Data Collection from a UNIX System

Storing Information Obtained During Initial Response
Most UNIX variants place their log files in /var/adm. To know where the logs are stored, you need to be familiar with each variant of the UNIX system.

The following binary log files are of particular interest:
1. The utmp file, accessed with the w command.
2. The wtmp file, accessed with the last utility.
3. The lastlog file, accessed with the lastlog utility.
4. Process accounting logs, accessed with the lastcomm utility.

Some ASCII text log files are as follows:
5. xferlog
6. Web access logs
7. History files
Live Data Collection from a UNIX System

Obtaining Important Configuration Files
The following files should be obtained during the initial response:
1. To look for unauthorized user accounts: /etc/passwd.
2. To ensure that every account has password authentication: /etc/shadow.
3. To look for escalation in scope of access and privileges: /etc/group.
4. To list the DNS (Domain Name System) entries: /etc/hosts.
5. To review trusted relationships: /etc/hosts.equiv.
6. To look in the start-up files: /etc/rc.
7. To list scheduled events: crontab files.

Dumping System RAM
There is no proper way to dump the system RAM on a UNIX system. We normally transfer the /proc/kmem or /proc/kcore file from the target system. These files contain the contents of system RAM, in a discontiguous manner. Core-dump style analysis can be done by very few people.
Thank you
DR. NILAKSHI JAIN
Email ID: [email protected]