Introduction to Digital Forensics
Digital forensics is a branch of forensic science that focuses on the
identification, preservation, extraction and analysis of electronic data.
It is the process of using special tools and techniques to examine and
analyse electronic devices such as computers, smartphones and tablets,
in order to find evidence that can be used in a criminal or civil case.
Digital forensics is often used to investigate cybercrimes, such as
hacking, identity theft and child pornography, but it can also be used in
other types of cases, such as financial fraud or civil disputes.
The goal of digital forensics is to provide reliable and accurate
information that can be used to help solve crimes or resolve disputes.
Process of Digital forensics
Digital forensics entails the following steps:
• Identification
• Preservation
• Extraction
• Analysis
• Documentation
• Presentation
Identification: The first step in a digital forensic investigation is to identify
the devices and data that may be relevant to the case. This may include
computers, smartphones, tablets, servers, and other types of electronic
devices.
Preservation: Once the relevant devices and data have been identified, it is
important to preserve them in order to maintain the integrity of the evidence.
This may involve making copies of the data, or taking steps to prevent any
changes from being made to the original data.
Extraction: The next step is to extract the data from the devices and prepare
it for analysis. This may involve using specialized software or hardware tools to
access the data and make copies of it.
Analysis: Once the data has been extracted, it must be analyzed in order to
identify any relevant information or evidence. This may involve using
specialized software to search for keywords, examine patterns of activity, or
reconstruct deleted files.
Presentation: The final step in the process is to present the results of the
analysis in a clear and concise manner. This may involve creating reports,
charts, or other types of documentation to explain the findings of the
investigation.
Types of digital forensics
Computer forensics: This type of digital forensics involves the investigation
of computers and other types of electronic devices in order to identify and
analyse evidence. This may include examining hard drives, analysing
network traffic, and reconstructing deleted files.
Mobile device forensics: This type of digital forensics involves the investigation of
smartphones, tablets, and other types of portable devices in order to identify and analyse
evidence. This may include examining call logs, text messages, and other types of data stored
on the device.
Network forensics: This type of digital forensics involves the investigation of networks and
communication systems in order to identify and analyse evidence. This may include examining
network traffic, analysing log files, and reconstructing packets of data.
Cloud forensics: This type of digital forensics involves the investigation of cloud-based systems
and services in order to identify and analyse evidence. This may include examining logs and
other types of data stored in the cloud.
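Network forensics often starts from log files rather than captured packets. As an added example that is not part of these notes, the following Python parses a few constructed sshd-style log lines and looks for one pattern of activity worth an investigator's attention: several failed logins from one source address within a short window, followed by a successful one. The log lines, the addresses, the parser and the rule thresholds are all the example's own assumptions; the year is assumed because syslog timestamps do not carry one.

```python
"""Added example (not from these notes): pattern analysis over log lines.

Network forensics often starts from logs rather than packets. The lines
below are constructed sshd-style entries; the parser and the detection
rule (several failed logins from one source within a short window,
followed by a success) are the example's own, and the year is assumed
because syslog timestamps omit it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation-range addresses, invented hosts).
SAMPLE_LOG = """\
Jan  5 09:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 50120 ssh2
Jan  5 09:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 50121 ssh2
Jan  5 09:00:04 host sshd[103]: Failed password for admin from 203.0.113.5 port 50122 ssh2
Jan  5 09:00:06 host sshd[104]: Failed password for admin from 203.0.113.5 port 50123 ssh2
Jan  5 09:00:09 host sshd[105]: Accepted password for admin from 203.0.113.5 port 50124 ssh2
Jan  5 09:15:00 host sshd[110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan  5 09:16:00 host sshd[111]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_lines(text, year=2024):
    """Parse matching lines into events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": ts, "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def failures_by_source(events):
    """Count failed logins per source address, a quick first look."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return dict(counts)


def find_brute_force_then_success(events, min_failures=3, window_seconds=60):
    """Sources with min_failures or more failures inside window_seconds that
    then log in successfully: a pattern an investigator should look at."""
    by_ip = defaultdict(list)
    for e in events:          # keeps log order per source
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        recent = []           # timestamps of failures still inside the window
        for e in evs:
            recent = [t for t in recent
                      if (e["time"] - t).total_seconds() <= window_seconds]
            if e["result"] == "Failed":
                recent.append(e["time"])
            elif len(recent) >= min_failures:
                findings.append({"ip": ip, "user": e["user"],
                                 "failures": len(recent), "success_at": e["time"]})
                recent = []
    return findings


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print(failures_by_source(evs))
    for f in find_brute_force_then_success(evs):
        print(f)
```

The rule deliberately resets the failure window after each success, so one finding is raised per suspicious success rather than one per subsequent event; on real logs the thresholds would be tuned to the environment and the events correlated with other sources (firewall logs, authentication servers) before any conclusion is drawn.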
There are several different types of evidence that can be found during a digital
forensic investigation, including:
Text files: These can include documents, emails, and other types of
written communication that may be relevant to the case.
Images: This can include photographs, graphics, and other types of
visual media that may be relevant to the case.
Audio files: This can include recordings of conversations, lectures, or
other types of audio that may be relevant to the case.
Video files: This can include footage from security cameras, video
recordings, or other types of videos that may be relevant to the case.
Internet history: This can include information about websites that
have been visited, as well as search terms that have been used, and
may be relevant to the case.
System files: These can include operating system files, application
files, and other types of data that may be relevant to the case.
There are several different types of electronic devices that may be
examined during a digital forensic investigation, including:
1. Computers: This can include desktop computers, laptops, and servers, and
may be used to examine hard drives, network traffic, and other types of data.
2. Mobile devices: This can include smartphones, tablets, and other types of
portable devices, and may be used to examine call logs, text messages, and other
types of data stored on the device.
3. Network devices: This can include routers, switches, and other types of
network equipment, and may be used to examine network traffic and logs.
4. Cloud-based systems: This can include cloud-based storage and other types of
cloud-based services, and may be used to examine data stored in the cloud.
Challenges faced by Digital Forensics
• The growth in the number of PCs and the extensive use of internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• The large amount of storage space, now measured in terabytes, makes the
investigation job difficult.
• Any technological change requires an upgrade or change to the solutions used.
Uses of Digital Forensics
In recent times, commercial organizations have used digital forensics in the
following types of cases:
• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance
Overall, the goal of digital forensics is to provide reliable and accurate
information that can be used to help solve crimes or resolve disputes. It is an
important tool in today's digital world, and is used by law enforcement agencies,
businesses, and other organizations to understand and prevent digital
wrongdoing.
Forensic Software and Hardware
Forensic software and hardware are tools that are used to extract
and analyse electronic data in a digital forensic investigation.
These tools can include software programs such as EnCase, FTK,
and X-Ways, as well as hardware devices such as write blockers
and forensic workstations.
These tools can include:
1. Forensic software: This type of software is designed specifically
for use in digital forensic investigations and can include programs
such as EnCase, FTK, and X-Ways. These programs can be used to
extract data from electronic devices, analyse the data, and create
reports or other documentation of the findings.
2. Write blockers: A write blocker is a device that is used to prevent
any changes from being made to the data on an electronic device.
This is important in order to maintain the integrity of the evidence and prevent
any contamination of the data.
3. Forensic workstations: A forensic workstation is a specialized computer that is
used for digital forensic investigations. These workstations often have multiple
hard drives and other specialized hardware and software tools that are used to
extract and analyse data from electronic devices.
In addition to the forensic software and hardware tools that are
commonly used in digital forensic investigations, there are also a
number of other tools and techniques that may be employed,
depending on the specific needs of the case. Some of these tools
and techniques include:
1. Data carving: Data carving is a technique that is used to extract
data from a storage device, even if it has been deleted or partially
overwritten. This can be useful in cases where the data may have
been intentionally or accidentally deleted.
2. Keyword searches: Keyword searches are used to search for
specific words or phrases within a large amount of data. This can be
useful in cases where there may be a specific piece of information
that is relevant to the investigation.
3. Hash analysis: Hash analysis is a technique that is used to verify
the integrity of the data on an electronic device. It involves
calculating a unique numerical value, or "hash," for each piece of
data and comparing it to a known value in order to ensure that the
data has not been altered.
4. Network forensics: Network forensics involves the examination
of network traffic and other data in order to identify patterns of
activity or identify specific individuals or devices.
5. Cloud forensics: Cloud forensics involves the examination of
data stored in cloud-based systems and services in order to identify
and analyse evidence.
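The data carving technique (item 1 above) works on the raw bytes of a storage image rather than on the file system, which is why it can recover files whose directory entries are gone. As an added example that is not part of these notes, the Python below carves JPEG and PNG files out of a small image constructed inline, using the real header and footer bytes of those formats; the image contents, the size cap and the output fields are the example's own assumptions. It also handles the partially overwritten case the notes mention: a header with no footer is still reported, marked incomplete.

```python
"""Added example (not from these notes): signature-based file carving.

Carving scans the raw bytes of an image for known file headers and
footers, so it recovers files whose directory entries are gone. The
image, the size cap and the output fields are constructed for the
example; the signature bytes themselves are the real JPEG and PNG ones.
"""
import hashlib

# (header, footer) for each format. JPEG starts FF D8 FF and ends FF D9;
# PNG starts with its 8-byte magic and ends with the IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024  # cap when the footer was overwritten


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return every carved file as a dict (type, offset, size, complete, sha256).

    A header with no following footer is reported as incomplete and cut
    at max_size: that is the 'partially overwritten' case, and the analyst
    still gets to see what survived. Limitation of this simple approach:
    a JPEG's embedded thumbnail carries its own FF D9, so the outer file
    may be cut short; real carvers parse the format to avoid that.
    """
    results = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                data, complete = image[pos:pos + max_size], False
                next_search = pos + len(header)
            else:
                data, complete = image[pos:end + len(footer)], True
                next_search = end + len(footer)
            results.append({
                "type": kind,
                "offset": pos,
                "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),  # for the evidence log
            })
            pos = image.find(header, next_search)
    return sorted(results, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed 'disk image': slack, a complete JPEG, a complete PNG and a
    JPEG whose tail was overwritten with zeros (no footer)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-data-" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"chunk-bytes" * 3 + b"IEND\xae\x42\x60\x82"
    broken = b"\xff\xd8\xff\xe1" + b"partially-overwritten"
    return b"\x00" * 16 + jpeg + b"\x00" * 8 + png + b"\x00" * 8 + broken + b"\x00" * 32


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        print(item)
```

Each carved object is hashed as it is recovered so the value can go straight into the examination notes; on a real image the carver would read the file in chunks rather than holding it in memory.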
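Keyword searches (item 2 above) are usually run over the raw image as well, so that hits in deleted files and unallocated space are found. As an added example that is not part of these notes, this Python searches a constructed image for a keyword in both ASCII and UTF-16LE (the encoding many Windows artefacts use for text), case-insensitively, and reports the byte offset with a short context window for review. The image contents, keyword and window size are the example's own assumptions.

```python
"""Added example (not from these notes): keyword search over a raw image.

Searching the raw bytes instead of the mounted file system finds hits in
deleted files and unallocated space as well. Windows artefacts often
store text as UTF-16LE, so each keyword is searched in both ASCII and
UTF-16LE, case-insensitively. The image and keywords are constructed.
"""
import re

CONTEXT_CHARS = 12  # characters of context to show on each side of a hit


def keyword_search(image, keywords, context=CONTEXT_CHARS):
    """Return hits sorted by offset: keyword, encoding, byte offset, context."""
    hits = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16-le"):
            needle = kw.encode(encoding)
            for m in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                width = context * (2 if encoding == "utf-16-le" else 1)
                start = max(0, m.start() - width)
                end = min(len(image), m.end() + width)
                # keep the window on the match's 2-byte alignment for UTF-16LE
                if encoding == "utf-16-le" and (m.start() - start) % 2:
                    start += 1
                hits.append({
                    "keyword": kw,
                    "encoding": encoding,
                    "offset": m.start(),
                    "context": image[start:end].decode(encoding, errors="replace"),
                })
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed image: an ASCII note, some filler bytes, then a UTF-16LE
    string of the kind found in Windows artefacts."""
    ascii_part = b"\x00" * 10 + b"meeting notes: transfer funds to account 4471" + b"\x00" * 6
    utf16_part = "Transfer complete".encode("utf-16-le")
    return ascii_part + b"\xff" * 5 + utf16_part + b"\x00" * 4


if __name__ == "__main__":
    for hit in keyword_search(build_sample_image(), ["transfer"]):
        print(hit["offset"], hit["encoding"], repr(hit["context"]))
```

The byte offset is what an examiner records, since it locates the hit regardless of whether the surrounding file still exists; the decoded context is only an aid to triage and may contain replacement characters where the window crosses unrelated data.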
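Hash analysis (item 3 above) serves two purposes in practice: proving that an acquired image is unchanged since it was taken, and filtering extracted files against sets of known-good and known-bad hashes so that examiners spend time only on what matters. The following Python is an added example that is not part of these notes; the image bytes, file contents, paths and hash sets are constructed for it, and the known-file sets stand in for the large reference sets (such as the NSRL) that real laboratories use.

```python
"""Added example (not from these notes): hash analysis for two purposes.

1. Integrity: the hash recorded when the image was acquired (behind a
   write blocker) is recomputed later; any change to even one byte gives
   a different value, so the examiner can show the evidence is unaltered.
2. Known-file filtering: extracted files are compared against hash sets
   of known-good files (to set aside untouched OS files) and known-bad
   files (to flag them for review).

The image bytes, file contents, paths and hash sets are constructed here.
"""
import hashlib
import hmac

CHUNK = 1024 * 1024  # read real images in chunks; they do not fit in memory


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Chunked hash of an image file on disk (not used by the sample below)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_acquisition(image, recorded_sha256):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hmac.compare_digest(sha256_hex(image), recorded_sha256.lower())


def triage_by_hash(files, known_good, known_bad):
    """Sort file paths into 'ignore' (known-good), 'alert' (known-bad) and
    'review' (unknown). A file in both sets is treated as an alert."""
    result = {"ignore": [], "alert": [], "review": []}
    for path, content in files.items():
        digest = sha256_hex(content)
        if digest in known_bad:
            result["alert"].append(path)
        elif digest in known_good:
            result["ignore"].append(path)
        else:
            result["review"].append(path)
    return result


def build_sample_case():
    """Constructed case: an image plus the hash an examiner would have written on
    the acquisition form, three extracted files, and toy hash sets."""
    image = b"\x33\xc0\x8e\xd0" + b"constructed-image-contents" * 8 + b"\x55\xaa"
    recorded = sha256_hex(image)
    files = {
        "Windows/System32/kernel32.dll": b"constructed known operating-system file",
        "Users/alice/Downloads/invoice.exe": b"constructed sample matching a known-bad set",
        "Users/alice/Documents/notes.txt": b"meeting notes, unknown to both sets",
    }
    known_good = {sha256_hex(files["Windows/System32/kernel32.dll"])}
    known_bad = {sha256_hex(files["Users/alice/Downloads/invoice.exe"])}
    return image, recorded, files, known_good, known_bad


if __name__ == "__main__":
    image, recorded, files, good, bad = build_sample_case()
    print("image intact:", verify_acquisition(image, recorded))
    print(triage_by_hash(files, good, bad))
```

The recorded hash is only as good as the moment it was taken, which is why it is computed immediately after acquisition behind a write blocker and written into the case notes; every later verification compares against that first value, not against a hash taken after the image has been handled.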
Overall, forensic software and hardware are an important part
of the digital forensic process and are used to extract and analyse
electronic data in a reliable and accurate manner.
Computer Forensics and Law Enforcement
Computer forensics is often used by law enforcement agencies to
investigate and prosecute cybercrimes, such as hacking, identity
theft, and child pornography. In these cases, computer forensics
plays a critical role in identifying and analysing the electronic
devices and data that may be relevant to the case.
The process of computer forensics in a law enforcement context
typically involves the following steps:
1. Seizure: The first step in a computer forensic investigation is to
seize the electronic devices and data that may be relevant to the
case. This may involve obtaining a search warrant and collecting
the devices from the location where the crime was committed.
2. Preservation: Once the devices and data have been seized, it is
important to preserve them in order to maintain the integrity of the
evidence. This may involve making copies of the data, or taking
steps to prevent any changes from being made to the original data.
3. Extraction: The next step is to extract the data from the devices
and prepare it for analysis. This may involve using specialized
software or hardware tools to access the data and make copies of
it.
4. Analysis: Once the data has been extracted, it must be analyzed
in order to identify any relevant information or evidence. This may
involve using specialized software to search for keywords, examine
patterns of activity, or reconstruct deleted files.
5. Presentation: The final step in the process is to present the
results of the analysis in a clear and concise manner. This may
involve creating reports, charts, or other types of documentation to
explain the findings of the investigation.
Computer forensics is an important tool for law enforcement
agencies in investigating and prosecuting cybercrimes. It involves
the use of specialized techniques and tools to extract, analyse, and
present digital evidence that may be relevant to a criminal case.
In a law enforcement context, computer forensics may be used to:
Investigate cybercrimes: Computer forensics can be used to identify and
track the activities of individuals or groups who are suspected of
committing cybercrimes, such as hacking, identity theft, or child
pornography.
Collect and preserve digital evidence: Computer forensics can be used to
collect and preserve digital evidence that may be relevant to a criminal
case, such as emails, text messages, and other types of electronic
communication.
Analyse electronic devices and data: Computer forensics can be used to
analyse the data on electronic devices, such as computers, smartphones,
and tablets, in order to identify patterns of activity or extract relevant
information.
Present evidence in court: Computer forensics experts may be called upon
to present the results of their analysis in court in order to help prosecute
cybercrimes and bring perpetrators to justice.
In a law enforcement context, computer forensics may be used to:
Identify suspects: Computer forensics can be used to identify the
individuals or groups who are suspected of committing cybercrimes, such
as hacking or identity theft. This may involve analysing electronic devices,
such as computers and smartphones, in order to identify patterns of
activity or extract relevant information.
Track cyber-criminal activity: Computer forensics can be used to track the
activities of individuals or groups who are suspected of committing
cybercrimes. This may involve examining log files, analysing network traffic,
or reconstructing packets of data in order to understand how the crimes
were committed and identify the perpetrators.
Collect and preserve digital evidence: Computer forensics can be used to
collect and preserve digital evidence that may be relevant to a criminal
case, such as emails, text messages, and other types of electronic
communication. This may involve making copies of the data or taking steps
to prevent any changes from being made to the original data.
Present evidence in court: Computer forensics experts may be called upon
to present the results of their analysis in court in order to help prosecute
cybercrimes and bring perpetrators to justice. This may involve creating
reports, charts, or other types of documentation to explain the findings of
the investigation.
There are a number of challenges that law enforcement agencies may face when
using computer forensics to investigate and prosecute cybercrimes. Some of
these challenges include:
1. Keeping up with technology: The field of computer forensics is constantly
evolving as new technologies are developed and new cyber-crimes are
committed. This can make it difficult for law enforcement agencies to keep
up with the latest techniques and tools and to effectively investigate and
prosecute cybercrimes.
2. Maintaining the integrity of the evidence: It is important to
maintain the integrity of the evidence in a computer forensic
investigation in order to ensure that it is admissible in court.
This can be challenging, as it is easy to alter or delete digital
evidence, and there may be multiple copies of the data that
need to be tracked.
3. Dealing with large amounts of data: Computer forensic investigations
often involve analysing large amounts of data, which can be time-
consuming and resource-intensive. This can make it difficult for law
enforcement agencies to efficiently investigate and prosecute
cybercrimes.
4. Limited resources: Law enforcement agencies often have limited
resources, including staff and funding, which can make it difficult to
effectively investigate and prosecute cybercrimes.
Overall, law enforcement agencies face a number of challenges when using
computer forensics to investigate and prosecute cybercrimes. These
challenges can include keeping up with technology, maintaining the integrity
of the evidence, dealing with large amounts of data, and limited resources.
Overall, computer forensics is an important tool for law enforcement
agencies in investigating and prosecuting cyber crimes. It involves the use
of specialized techniques and tools to extract, analyze, and present digital
evidence in a reliable and accurate manner.
Indian Cyber Forensic
Indian cyber forensics is the branch of digital forensics that specifically
focuses on the investigation of cyber crimes in India. It involves the use of
specialized techniques and tools to extract, analyze, and present digital
evidence that may be relevant to a criminal case in India.
In India, cyber forensics is used by law enforcement agencies and other
organizations to investigate and prosecute cyber crimes, such as hacking,
identity theft, and child pornography. It is also used by businesses and
individuals to resolve disputes and protect against cyber threats.
The process of Indian cyber forensics typically involves the following steps:
1. Identification: The first step in a cyber forensic investigation is to identify
the devices and data that may be relevant to the case. This may include
computers, servers, and other types of electronic devices.
2. Preservation: Once the relevant devices and data have been identified, it
is important to preserve them in order to maintain the integrity of the
evidence. This may involve making copies of the data, or taking steps to
prevent any changes from being made to the original data.
3. Extraction: The next step is to extract the data from the devices and
prepare it for analysis. This may involve using specialized software or
hardware tools to access the data and make copies of it.
4. Analysis: Once the data has been extracted, it must be analyzed in order
to identify any relevant information or evidence. This may involve using
specialized software to search for keywords, examine patterns of activity, or
reconstruct deleted files.
5. Presentation: The final step in the process is to present the results of the
analysis in a clear and concise manner. This may involve creating reports,
charts, or other types of documentation to explain the findings of the
investigation.
Indian cyber forensics is an important tool for law enforcement
agencies and other organizations in India in investigating and
prosecuting cyber crimes. It involves the use of specialized
techniques and tools to extract, analyze, and present digital
evidence that may be relevant to a criminal case in India.
In India, cyber forensics may be used to:
• Investigate cyber crimes: Indian cyber forensics can be used to identify
and track the activities of individuals or groups who are suspected of
committing cyber crimes, such as hacking, identity theft, or child
pornography.
• Collect and preserve digital evidence: Indian cyber forensics can be used
to collect and preserve digital evidence that may be relevant to a
criminal case, such as emails, text messages, and other types of
electronic communication.
• Analyze electronic devices and data: Indian cyber forensics can be used
to analyze the data on electronic devices, such as computers,
smartphones, and tablets, in order to identify patterns of activity or
extract relevant information.
• Present evidence in court: Indian cyber forensics experts may be
called upon to present the results of their analysis in court in order
to help prosecute cyber crimes and bring perpetrators to justice.
There are a number of challenges that law enforcement agencies and other
organizations in India may face when using cyber forensics to investigate and
prosecute cyber crimes. Some of these challenges include:
1. Limited resources: Like many other countries, India faces challenges in
terms of limited resources, including staff and funding, which can make it
difficult to effectively investigate and prosecute cybercrimes.
2. Lack of trained personnel: There is often a shortage of trained personnel in
India who are skilled in cyber forensics and other areas of digital forensics.
This can make it difficult for law enforcement agencies and other organizations
to effectively investigate and prosecute cybercrimes.
3. Technological challenges: Cyber forensic investigations can be complex and
time-consuming, and may involve dealing with a large amount of data and a
wide range of technologies. This can present challenges for law enforcement
agencies and other organizations in India.
4. Legal challenges: There may be legal challenges associated with the use of
cyber forensics in India, including issues related to admissibility of digital
evidence in court and privacy concerns.
There are a number of best practices that law enforcement agencies and
other organizations in India can follow in order to effectively use cyber
forensics to investigate and prosecute cyber crimes. Some of these best
practices include:
Training: It is important for law enforcement agencies and other
organizations in India to ensure that their staff are trained in the latest
cyber forensic techniques and tools. This can help them to effectively
extract, analyze, and present digital evidence in a reliable and accurate
manner.
Maintaining the chain of custody: It is important to maintain the chain of
custody of digital evidence in order to ensure that it is admissible in
court. This involves documenting the handling of the evidence at every
stage of the investigation and keeping track of who has had access to it.
Using forensic-grade tools: It is important to use forensic-grade tools
when extracting and analyzing digital evidence in order to ensure the
integrity of the evidence. These tools are designed specifically for use in
forensic investigations and can help to prevent any contamination of the
data.
Following established protocols: It is important to follow established
protocols when conducting a cyber forensic investigation in order to
ensure that the evidence is collected, preserved, and analyzed in a
reliable and accurate manner.
Documenting the process: It is important to carefully document the
process of the investigation in order to be able to present the results in
court. This may involve creating reports, charts, or other types of
documentation to explain the findings of the investigation.
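The chain-of-custody and documentation practices above come down to one record: who handled the evidence, when, what they did, and proof that the evidence was the same object each time. As an added example that is not part of these notes, the Python below keeps such a log in a tamper-evident form: every entry carries the evidence hash and is refused if that hash no longer matches the value fixed at seizure, and each entry also hashes the previous one, so altering or removing an earlier record is detectable. The exhibit id, names, actions and timestamps are constructed.

```python
"""Added example (not from these notes): a tamper-evident chain-of-custody log.

Every handling event records who, when, what was done and the hash of the
evidence at that moment; an entry is refused if the evidence hash no longer
matches the value fixed at seizure. Each entry also carries the hash of the
previous entry, so editing or deleting an earlier record breaks the chain
and verify() reports where. Exhibit id, names and times are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, evidence_sha256):
        self.evidence_id = evidence_id
        self.evidence_sha256 = evidence_sha256
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, handler, action, evidence_sha256, timestamp=None):
        """Append a handling event; raises if the evidence no longer matches."""
        if evidence_sha256 != self.evidence_sha256:
            raise ValueError(f"{self.evidence_id}: hash mismatch at '{action}' by {handler}")
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if every entry and link checks out, else (False, seq)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None


def build_sample_log():
    """Constructed custody history for one exhibit."""
    evidence = b"constructed disk image bytes"
    digest = sha256_hex(evidence)
    log = CustodyLog("EXHIBIT-01", digest)
    log.record("Officer A", "seized at scene", digest, "2024-01-05T09:00:00+00:00")
    log.record("Examiner B", "received in lab", digest, "2024-01-05T14:30:00+00:00")
    log.record("Examiner B", "imaged behind write blocker", digest, "2024-01-06T10:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2))
    print("chain valid:", log.verify())
```

A hash chain held in one file only shows that the file is internally consistent; in practice the latest entry hash is also written to a separate, signed or physically controlled record so that the whole log cannot be regenerated by someone with write access to it.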
Forensic technology and practices refer to the tools, techniques,
and processes that are used in forensic science to investigate and
analyse evidence in criminal cases. These tools and techniques
can be used to identify, preserve, extract, and analyze physical,
chemical, or digital evidence in order to help solve crimes and
bring perpetrators to justice.
Some common types of forensic technology and practices include:
1. Forensic ballistics: This involves the use of tools and techniques
to analyse the characteristics of bullets and other types of ballistic
evidence in order to determine the type of firearm that was used in
a crime.
2. Forensic photography: This involves the use of specialized
cameras and techniques to document crime scenes and other
types of evidence in a way that is suitable for presentation in
court.
3. Face, iris, and fingerprint recognition: These technologies
involve the use of algorithms and specialized software to identify
and analyse facial features, iris patterns, and fingerprints in order
to identify individuals or determine their involvement in a crime.
4. Audio and video analysis: This involves the use of specialized
software and techniques to analyse audio and video evidence,
such as recordings of conversations or surveillance footage, in
order to extract relevant information or identify individuals.
5. Forensics of handheld devices: This involves the use of
specialized tools and techniques to extract and analyse data from
handheld devices, such as smartphones and tablets, in order to
identify relevant evidence or track patterns of activity.
Forensic ballistics
Forensic ballistics involves the use of tools and techniques to
analyse the characteristics of bullets and other types of ballistic
evidence in order to determine the type of firearm that was used in
a crime. This may involve examining the rifling patterns on bullets,
analysing the markings on cartridge cases, or comparing the
characteristics of bullets and cartridge cases to those of known
firearms.
The goal of forensic ballistics is to provide reliable and accurate
information about the type of firearm that was used in a crime, as
well as any other relevant information about the firearm, such as
its caliber or manufacturer. This information can be used to help
solve crimes and bring perpetrators to justice.
There are a number of tools and techniques that are used in
forensic ballistics, including:
1. Microscopes: Microscopes are used to examine the rifling
patterns on bullets and cartridge cases in order to determine the
type of firearm that was used.
2. Comparison microscopes: Forensic ballistics experts may use
comparison microscopes or other specialized tools to compare the
characteristics of bullets and cartridge cases to those of known
firearms in order to determine the type of firearm that was used.
3. Database searches: Forensic ballistics experts may use
databases, such as the National Integrated Ballistics Information
Network (NIBIN), to search for matches between bullets and
cartridge cases found at crime scenes and those recovered from
known firearms.
There are a number of steps that are typically followed in a forensic
ballistics investigation:
Collection of evidence: The first step in a forensic ballistics
investigation is to collect the ballistic evidence from the crime
scene. This may include bullets, cartridge cases, and any
other related evidence, such as bullet fragments or damaged
objects.
Examination and analysis: The next step is to examine and
analyse the ballistic evidence in order to determine the type
of firearm that was used. This may involve using microscopes
or other specialized tools to examine the rifling patterns on
bullets and cartridge cases, or comparing the characteristics
of the evidence to those of known firearms.
Comparison to database: Forensic ballistics experts may use
databases, such as the National Integrated Ballistics Information
Network (NIBIN), to search for matches between bullets and
cartridge cases found at crime scenes and those recovered from
known firearms.
Presentation of findings: The final step in the process is to
present the findings of the investigation in a clear and concise
manner. This may involve creating reports, charts, or other
types of documentation to explain the results of the analysis.
Forensic photography
Forensic photography is a specialized field of photography that involves the
use of specialized cameras and techniques to document crime scenes and
other types of evidence in a way that is suitable for presentation in court. It is
an important tool in the field of forensic science, as it provides a visual record
of the crime scene and any relevant evidence that may be used to help solve a
crime or bring perpetrators to justice.
There are a number of steps that are typically followed in forensic
photography:
1. Planning: The first step in forensic photography is to plan the
documentation of the crime scene or other evidence. This may involve
determining the type of camera and lighting equipment that will be used, as
well as the angles and perspectives that will be captured.
2. Documentation: The next step is to document the crime scene or other
evidence using specialized cameras and techniques. This may involve using
specialized lighting or filters to capture detailed images of evidence, such as
fingerprints or tire tracks.
3. Analysis: Once the images have been captured, they may be analysed in
order to identify any relevant information or evidence. This may involve using
specialized software to enhance the images or identify specific features or
patterns.
4. Presentation: The final step in the process is to present the results of the
analysis in a clear and concise manner. This may involve creating reports,
charts, or other types of documentation to explain the findings of the
investigation.
There are a number of considerations that forensic photographers must take
into account when documenting crime scenes or other evidence, including:
1. Lighting: Proper lighting is crucial in forensic photography in order to
capture clear and detailed images of evidence. This may involve using
specialized lighting equipment, such as floodlights or lasers, or taking
photographs at different times of day in order to capture the best
lighting conditions.
2. Angle and perspective: It is important for forensic photographers to
capture images from a variety of angles and perspectives in order to
document the crime scene or other evidence as accurately as possible.
This may involve using tripods, ladders, or other specialized equipment
to capture images from different heights or angles.
3. Camera and lens selection: The choice of camera and lens can have a
significant impact on the quality of the images captured in forensic
photography. Forensic photographers often use high-quality digital
cameras and lenses that are specifically designed for capturing detailed
images in a variety of lighting conditions.
4. Image enhancement: Forensic photographers may use specialized
software to enhance the images they have captured in order to make
them clearer or to highlight specific features or patterns.
Face, iris, and fingerprint recognition:
Face, iris, and fingerprint recognition are technologies that involve the use of
algorithms and specialized software to identify and analyse facial features, iris
patterns, and fingerprints in order to identify individuals or determine their
involvement in a crime. These technologies are often used to help identify
suspects or to confirm the identity of individuals in cases where traditional
methods, such as eyewitness testimony, may be unreliable.
Face recognition: Face recognition is a technology that involves the use
of algorithms and specialized software to analyse the unique
characteristics of an individual's face in order to identify them. This may
involve analyzing the shape, size, and placement of facial features, such
as the eyes, nose, and mouth. Face recognition technology is often used
to identify individuals in security or surveillance applications, such as
border control or access control.
Iris recognition: Iris recognition is a technology that involves the use of
algorithms and specialized software to analyze the unique patterns in an
individual's iris, the coloured part of the eye, in order to identify them.
This technology is often used in security applications, such as border
control or access control, as the iris is relatively stable and does not
change over time.
Fingerprint recognition: Fingerprint recognition is a technology that
involves the use of algorithms and specialized software to analyze the
unique patterns in an individual's fingerprints in order to identify them.
Fingerprint recognition technology is often used in law enforcement and
security applications to help identify individuals or confirm their identity.
There are a number of factors that can impact the accuracy and reliability
of face, iris, and fingerprint recognition technologies, including:
• Quality of the image: The quality of the image is an important factor in
the accuracy and reliability of these technologies. Poor quality images
may contain noise, blur, or other distortions that can make it difficult for
the algorithms to accurately analyze the facial features, iris patterns, or
fingerprints.
• Environmental conditions: Environmental conditions, such as lighting and
weather, can also impact the accuracy and reliability of these
technologies. For example, low light conditions or rain may make it
difficult to capture clear images of facial features, iris patterns, or
fingerprints.
• Age of the image: The age of the image can also impact the accuracy
and reliability of these technologies. As an individual's facial features, iris
patterns, or fingerprints may change over time, older images may be less
reliable for identification purposes.
• Diversity of the population: The diversity of the population can also
impact the accuracy and reliability of these technologies. Systems that
have been trained on a diverse population may be more accurate and
reliable at identifying individuals from a wide range of backgrounds and
ethnicities.
Audio Video Analysis
Audio and video analysis is a field of forensic science that involves
the use of specialized software and techniques to analyze audio
and video evidence, such as recordings of conversations or
surveillance footage, in order to extract relevant information or
identify individuals. This may involve enhancing the audio or video
to make it clearer, or using software to analyze the content of the
recording in order to identify voices or other relevant information.
Authentication of recordings - In many criminal cases, the
authenticity of the recording and its content may be called into
question. Forensic audio and video experts can examine a variety of
characteristics of the audio or video recording to determine whether
the evidence has been altered. This includes confirming the integrity
(verification) of the recording, as well as authenticating that the
content of the image or audio is what it purports to be.
If the ambient sound present on an audio recording changes
abruptly, this could indicate that the environment where the
recording took place suddenly changed.
The volume and tone of a voice on the recording can provide clues
as to distance and spatial relationships within a scene.
Lighting conditions can be examined to estimate the time of day
or environmental conditions at the time of the recording.
Technical details may also confirm information about a recording.
For instance, an unnatural waveform present in the audio or video
signal may indicate that an edit has been made.
A physical identifier may be present in the signal on magnetic
tape that can identify it as a copy or indicate that it was recorded
on a particular device. Sometimes a perpetrator will try to destroy
audio or video evidence; however, using these methods, the
recording can be analyzed to determine what occurred.
There are a number of tools and techniques that are used in
audio and video analysis, including:
1. Audio enhancement: Audio enhancement involves the use
of specialized software to improve the clarity and quality
of audio recordings. This may involve removing
background noise, increasing the volume, or enhancing
the clarity of the audio in order to make it easier to
understand.
Audio Enhancement Techniques - For audio recordings, a
variety of filters can be applied to enhance the material,
bringing out specific aspects or events contained in the
recording.
Frequency Equalization - Highly precise equalizers can be
used to boost or cut specific bands of frequencies. To help
make speech more intelligible, the frequency band containing
most speech content, 200Hz-5000Hz, can be amplified or
isolated. If amplification is applied to a frequency range, other
information residing in that range will be boosted as well; if
noise resides in the same range, the noise will also be
increased, limiting the ability to clarify voices.
Loud background noises may be analyzed by a spectrum
analyser and the corresponding frequencies reduced so that
these noises are less noticeable.
Compression - Faint sounds in the recording can be boosted
by compressing or levelling the signal so that the dynamic
range of the material is reduced, making soft sounds more
apparent.
2. Voice identification: Voice identification involves the use
of specialized software to analyze the unique
characteristics of an individual's voice in order to identify
them. This may involve analyzing the pitch, tone, and
other characteristics of the voice in order to create a
unique voiceprint that can be used for identification
purposes.
3. Video enhancement: Video enhancement involves the use
of specialized software to improve the clarity and quality of
video footage. This may involve increasing the resolution,
removing noise or blur, or enhancing the contrast in order to
make the footage easier to see and analyze.
Video Enhancement Techniques - A variety of enhancement
techniques can be employed on video evidence. It is important
that the best video recording be submitted to obtain the best
enhancement results. Limitations on the enhancement process
may exist if an analog copy or digital file that has undergone
additional compression is submitted for analysis.
Techniques can include:
Sharpening: Makes edges of images in the recording become
clearer and more distinct.
Video stabilization: Reduces the amount of movement in the video,
producing the smoothest possible playback.
Masking: Covers the face or areas of the video that may protect a
witness, victim or law enforcement officer.
Interlacing: In an analog system, interlaced scanning is used to
record images (a technique of combining two television fields in
order to produce a full frame of video). A process called
de-interlacing may be used to retrieve the information in both
fields of video.
Demultiplexing - Allows for isolation of each camera. In CCTV
systems, a device called a multiplexer is used to combine multiple
video signals into a single signal or separate a combined signal.
These devices are frequently used in security and law enforcement
applications for recording and/or displaying multiple camera
images simultaneously or in succession.
4. Facial recognition: Facial recognition technology may be
used in conjunction with video analysis in order to identify
individuals in the footage. This involves the use of algorithms
and specialized software to analyze the unique
characteristics of an individual's face in order to identify
them.
There are a number of steps that are typically followed in an audio
and video analysis investigation:
1. Collection of evidence: The first step in an audio and video
analysis investigation is to collect the audio or video evidence
that is relevant to the case. This may involve collecting audio
or video recordings from a variety of sources, such as
surveillance cameras, smartphones, or other devices.
2. Analysis: The next step is to analyze the audio or video
evidence in order to extract relevant information or identify
individuals. This may involve using specialized software to
enhance the audio or video, or using algorithms and software
to analyze the content of the recording in order to identify
voices or other relevant information.
3. Comparison to databases: In some cases, audio and video
analysis experts may use databases, such as the National
Crime Information Center (NCIC), to search for matches
between individuals identified in the audio or video evidence
and known individuals in order to confirm their identity.
4. Presentation of findings: The final step in the process is to
present the findings of the analysis in a clear and concise
manner. This may involve creating reports, charts, or other
types of documentation to explain the results of the analysis.
Forensics of Handheld devices
Forensics of handheld devices involves the use of specialized tools and
techniques
to extract, preserve, and analyze digital evidence from handheld devices, such
as smartphones, tablets, and wearable devices. This type of forensic
investigation may be used to help solve crimes or to gather evidence in civil or
criminal cases. There are a number of steps that are typically followed in a
forensic investigation of handheld devices:
1. Collection of evidence: The first step in a forensic investigation of
handheld devices is to collect the device and any relevant evidence, such
as SIM cards or memory cards. It is important to handle the device
carefully to avoid damaging it or altering any evidence that may be
present.
2. Preservation of evidence: The next step is to preserve the evidence on
the device in order to ensure that it is not altered or damaged during
the investigation. This may involve making a copy of the device's
memory or creating a forensic image of the device.
3. Analysis: The next step is to analyze the device in order to extract
relevant evidence. This may involve using specialized software to search
for specific types of data, such as text messages, emails, or photos, or
analyzing the device's logs or other system data in order to identify any
relevant activity.
4. Presentation of findings: The final step in the process is to present the
findings of the investigation in a clear and concise manner. This may
involve creating reports, charts, or other types of documentation to
explain the results of the analysis.
Forensics of Handheld devices
Forensic investigations of handheld devices involve the use of
specialized tools and techniques to extract, preserve, and analyze
digital evidence from handheld devices, such as smartphones,
tablets, and wearable devices. This type of forensic investigation
may be used to help solve crimes or to gather evidence in civil or
criminal cases.
There are a number of considerations that forensic experts must
take into account when conducting a forensic investigation of
handheld devices, including:
1. Device type: Different types of handheld devices may have
different operating systems and hardware configurations, which
can impact the tools and techniques that are used in the
forensic investigation. It is important for forensic experts to be
familiar with the specific characteristics of the device they are
analyzing in order to ensure that they are using the appropriate
tools and techniques.
2. Data types: Handheld devices may contain a wide range
of data types, including text messages, emails, photos,
videos, and social media posts. It is important for forensic
experts to be aware of the types of data that may be
present on the device and to use the appropriate tools and
techniques to extract and analyze this data.
3. Data storage: Handheld devices may store data in a variety
of locations, including internal memory, removable storage
devices, and cloud storage. It is important
for forensic experts to be familiar with the different storage
locations and to use the appropriate tools and techniques
to extract and analyze data from each location.
4. Encryption: Some handheld devices may be encrypted,
which can make it difficult to extract and analyze data from
the device. Forensic experts must be familiar with the
various encryption technologies that may be used on
handheld devices and use the appropriate tools and
techniques to bypass or decrypt the data.
Linux Forensics:
Linux is a big target as almost every server is running some sort of
Linux.
Linux Directory Layout
There is no standard specification that every distribution is forced to follow for each folder and
what should be stored there, so each distribution documents its own file structure in the hier man
page; the top-level directories, however, always remain the same.
/boot/ and efi
These directories contain files related to boot process configurations like kernel parameters and
previous Linux kernels and initial ramfs.
/etc/
System wide configurations are stored here and most of them are stored in plaintext format, looking
at modification and creation timestamp here is good in any forensics investigation.
/srv/
This folder contains data served by servers such as FTP and HTTP.
/tmp/
This folder stores temporary data and based on the distribution configuration it may be deleted
periodically or on boot.
/run/
On a running system, this directory contains runtime information like PID and lock files, system
runtime configuration, and more. In a forensic image it will likely be empty.
/home/ and /root/
/home/ holds the home folder of every ordinary user on the system, and /root/ is the home folder
of the root user.
/bin/, /sbin/, /usr/bin/, and /usr/sbin/
These are the folders storing the executables in the system.
/lib/ and /usr/lib/
These directories contain the libraries needed by applications to run.
/usr/
The /usr/ directory contains the bulk of the system’s static read-only data. This includes binaries,
libraries, documentation, and more.
/var/
The /var/ directory contains system data that is changing (variable) and usually persistent across
reboots. The subdirectories below /var/ are especially interesting from a forensics perspective
because they contain logs, cache, historical data, persistent temporary files, the mail and printing
subsystems, and much more.
/dev/, /sys/, and /proc/
These directories provide representations of devices or kernel data structures but the contents don’t
actually exist on a normal filesystem. When examining a forensic image, these directories will likely
be empty.
/media/
The /media/ directory is intended to hold dynamically created mount points for mounting external
removable storage, such as CDROMs or USB drives. When examining a forensic image, this
directory will likely be empty. References to /media/ in logs, filesystem metadata, or other persistent
data may provide information about user attached (mounted) external storage devices.
/opt/
The /opt/ directory contains add-on packages, which typically are grouped by vendor name or
package name. These packages may create a self-contained directory tree to organize their own files
(for example, bin/, etc/, and other common subdirectories).
/lost+found/
A /lost+found/ directory may exist on the root of every filesystem. If a filesystem repair is run (using
the fsck command) and a file is found without a parent directory, that file (sometimes called an
orphan) is placed in the /lost+found/ directory where it can be recovered. Such files don’t have their
original names because the directory that contained the filename is unknown or missing.
The “.” files
Applications save their cache, history and whatever else the developer decided
to store in hidden files or directories in the system; these hidden entries start
with “.”, and there is no specification forcing the developer to store them in a
specific place.
An interesting hidden folder is “.ssh”, where you can look for hashed host names
in “known_hosts”. You cannot reverse these hashes, but you can hash the host
names you already know and compare them with the entries to find which ones
match.
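As an added illustration of the known_hosts comparison just described (example code written for these notes, not taken from OpenSSH or any forensic tool), the following Python recomputes the HMAC-SHA1 that OpenSSH stores for each hashed entry and checks a list of candidate host names against it. The sample file, its salts and the key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field OpenSSH writes when HashKnownHosts is on.

    The field is "|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>".
    Non-standard ports are hashed in the "[host]:port" form, so candidates
    must be supplied exactly as the client would have written them.
    """
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_hashed_entry(line: str):
    """Return (salt, digest, key_type) for a hashed known_hosts line, else None."""
    parts = line.split()
    if len(parts) < 3 or not parts[0].startswith("|1|"):
        return None
    _, _, salt_b64, digest_b64 = parts[0].split("|")
    return base64.b64decode(salt_b64), base64.b64decode(digest_b64), parts[1]


def match_known_hosts(known_hosts_text: str, candidates):
    """For every hashed entry, report which candidate host name (if any) produced it.

    Each entry carries its own salt, so every candidate has to be re-hashed
    per entry; a table precomputed for one entry says nothing about the next.
    """
    results = []
    for line in known_hosts_text.splitlines():
        parsed = parse_hashed_entry(line)
        if parsed is None:
            continue  # blank line, comment, or a plain (unhashed) entry
        salt, digest, key_type = parsed
        matched = None
        for host in candidates:
            probe = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(probe, digest):
                matched = host
                break
        results.append({"key_type": key_type, "host": matched})
    return results


# Constructed sample file: two hashed entries (fixed salts so the example is
# reproducible) plus one plain entry; the public keys are placeholders.
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_known_host("fileserver.example.internal", bytes(range(20)))
    + " ssh-ed25519 AAAA-placeholder-key-1",
    hash_known_host("10.0.0.5", bytes(range(20, 40)))
    + " ssh-rsa AAAA-placeholder-key-2",
    "build.example.internal ssh-ed25519 AAAA-placeholder-key-3",
])

# Candidate host names gathered elsewhere in the case (constructed).
CANDIDATE_HOSTS = ["10.0.0.5", "fileserver.example.internal", "10.0.0.6"]


if __name__ == "__main__":
    for entry in match_known_hosts(SAMPLE_KNOWN_HOSTS, CANDIDATE_HOSTS):
        print(entry)
```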
Although there is no standard place to store this kind of file, there is a
recommended best-practice specification (the XDG Base Directory Specification).
It defines environment variables and default locations that operating systems
and applications may use instead of creating their own proprietary files and
directories in the user’s home directory. These location environment variables
and their associated default locations are:
Data files: $XDG_DATA_HOME or default ~/.local/share/*
Configuration files: $XDG_CONFIG_HOME or default ~/.config/*
Non-essential cache data: $XDG_CACHE_HOME or default ~/.cache
Runtime files: $XDG_RUNTIME_DIR or typically /run/user/UID (where UID is the
numeric ID of the user)
These data, configuration and cache directories contain a large amount of useful
information for a forensics investigation.
One small example of data that can be found under “~/.local/share/” is the
*.xbel file, which lists recently used files, and Trash, which works like a
recycle bin.
Crashes & Dumps
Crash dumps can provide a significant amount of evidence in a forensics
investigation, as they save the contents of a process’s memory at the time of
the crash; this can tell us a lot if a process was under attack or someone was
trying to exploit it. We can get a list of crashes and their timestamps using
the following command:
coredumpctl
Where logs and crash files are saved differs from one distribution to another,
so you need to do a small search for where these files reside in your
distribution.
Linux Logs
/var/log/ is not the only place where logs are stored, but it is definitely the
most important one. The log files stored there vary between distributions, but
here are some general ones.
auth.log or /var/log/secure: Logs related to authentication and security,
including login attempts, authentication failures, and security-related events.
syslog or /var/log/messages: General system logs that capture a wide range of
system events, including kernel messages and system daemon messages.
kern.log: Kernel-specific logs that contain messages related to the Linux kernel.
dmesg: Kernel boot messages and hardware-related messages.
boot.log: Logs related to the system boot process.
cron: Logs for the cron scheduling daemon, which records scheduled job
executions.
mail.log or /var/log/maillog: Logs for mail-related services, such as Sendmail or
Postfix.
httpd/ or /var/log/apache2/: Logs for the Apache web server.
nginx/: Logs for the Nginx web server.
mysql/ or /var/log/mariadb/: Logs for the MySQL or MariaDB database server.
audit/: Audit logs that record security events and access control-related
information.
auth.log: SSH login logs.
wtmp and btmp: Logs that track login and logout events. wtmp records
successful logins, while btmp records failed login attempts.
lastlog: Records the last login information for each user.
ufw.log: Logs for the Uncomplicated Firewall (UFW) on Ubuntu systems.
secure: Additional security-related logs, often found on CentOS and Red Hat-
based systems.
auth.log: Authentication logs on Debian and Ubuntu systems.
alternatives.log: Logs related to the alternatives system, which manages
symbolic links for system commands and libraries.
Logs in Linux have the following severities.
0 emergency (emerg or panic): system is unusable
1 alert (alert): action must be taken immediately
2 critical (crit): critical conditions
3 error (err): error conditions
4 warning (warn): warning conditions
5 notice (notice): normal but significant condition
6 informational (info): informational messages
7 debug (debug): debug-level messages
You can find the rsyslog configuration in
/etc/rsyslog.conf
/etc/rsyslog.d/*.conf
where the first one shows where each log is stored locally; a target beginning
with “@” means the messages are sent to another host over the network.
Programs can generate messages with any facility and severity they
want.
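To show how the severity codes listed above travel on the wire, here is an added example (not part of the original notes) that decodes the <PRI> header of raw syslog datagrams into facility and severity using PRI = facility * 8 + severity, then filters the sample to the most severe messages; the messages and host names are constructed.

```python
import re

# Severity codes 0-7, in the order given in the table above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]

# Facility codes 0-23 as defined by RFC 3164 / RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
] + ["local%d" % i for i in range(8)]

# "<PRI>" prefix followed by the remainder of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(raw: str):
    """Parse one raw syslog datagram; returns None if it carries no PRI header."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "severity_code": pri % 8,
        "body": m.group(2).strip(),
    }


def filter_at_least(lines, max_severity_code=3):
    """Return parsed messages whose severity is at or above a threshold.

    Lower codes are more severe, so the default 3 keeps emerg..err.
    Facility and severity are asserted by whoever sent the datagram and are
    never checked by the receiver, so this sorts messages; it does not
    authenticate them.
    """
    kept = []
    for raw in lines:
        msg = parse_syslog_line(raw)
        if msg is not None and msg["severity_code"] <= max_severity_code:
            kept.append(msg)
    return kept


# Constructed sample datagrams in the classic BSD syslog layout.
SAMPLE_LINES = [
    "<34>Nov 14 22:14:15 web01 su: 'su root' failed for analyst on /dev/pts/1",
    "<13>Nov 14 22:14:20 web01 logger: scheduled maintenance starting",
    "<165>Nov 14 22:14:21 web01 app[412]: config reloaded",
    "<3>Nov 14 22:14:30 web01 kernel: Out of memory: Killed process 4121 (worker)",
    "not a syslog datagram at all",
]


if __name__ == "__main__":
    for msg in filter_at_least(SAMPLE_LINES):
        print(msg["facility"], msg["severity"], msg["body"])
```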
Syslog messages sent over a network are stateless, unencrypted, and based on
UDP, which means they can be spoofed or modified in transit.
Syslog does not detect or manage dropped packets. If too many messages are
sent or the network is unstable, some messages may go missing, and logs can
be incomplete.
Text-based logfiles can be maliciously manipulated or deleted.
The journal system is well documented in the man page systemd-journald.
You can view the contents of a .journal file using “journalctl --file filename”.
There are also non-standard logs: applications and servers can create their own
log files, and these too can provide a huge amount of forensically important
data, depending on the nature of the case.
Software Installation
The initial state of the distribution after installation can be found
in /var/log/installer, where you can see logs about installed drivers and
packages and much more.
*.deb files, which are package installers, are actually archives (in ar format)
containing three components:
debian-binary A file containing the package format version string
control A compressed archive with scripts/metadata about the package
data A compressed archive containing the files to be installed
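Added example (written for these notes, not taken from dpkg): a small parser for the ar container that holds those three members, run against a constructed .deb whose tarball members are placeholder bytes rather than real compressed archives.

```python
# ar(1) layout: an 8-byte magic, then 60-byte member headers, each followed
# by the member's data padded with "\n" to an even length.
AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60


def ar_member(name: str, data: bytes, mtime: int = 0) -> bytes:
    """Encode one ar member (used here only to build the constructed sample)."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name.encode(), mtime, 0, 0, b"100644", len(data))
    assert len(header) == HEADER_LEN
    return header + data + (b"\n" if len(data) % 2 else b"")


def list_ar_members(blob: bytes):
    """Walk the archive and return (name, mtime, size, data) for each member."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    pos = len(AR_MAGIC)
    members = []
    while pos + HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        # GNU ar terminates names with "/", dpkg does not; accept both.
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        mtime = int(hdr[16:28].decode("ascii").strip())
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + HEADER_LEN:pos + HEADER_LEN + size]
        if len(data) != size:
            raise ValueError("member %r is truncated" % name)
        members.append((name, mtime, size, data))
        pos += HEADER_LEN + size + (size % 2)
    return members


def inspect_deb(blob: bytes):
    """Check the three-member layout and report what the .deb contains."""
    members = list_ar_members(blob)
    names = [m[0] for m in members]
    if not names or names[0] != "debian-binary":
        raise ValueError("first member must be debian-binary, got %r" % names[:1])
    control = next((n for n in names if n.startswith("control.tar")), None)
    data = next((n for n in names if n.startswith("data.tar")), None)
    if control is None or data is None:
        raise ValueError("control.tar.* or data.tar.* member is missing")
    return {
        "format_version": members[0][3].decode("ascii").strip(),
        "control_member": control,
        "data_member": data,
        "member_sizes": {m[0]: m[2] for m in members},
        "member_mtimes": {m[0]: m[1] for m in members},
    }


# Constructed sample .deb: real container layout, but the tarball members are
# placeholder bytes (the odd-length one exercises the padding rule).
SAMPLE_DEB = (
    AR_MAGIC
    + ar_member("debian-binary", b"2.0\n", 1700000000)
    + ar_member("control.tar.xz", b"\xfd7zXZ\x00" + b"\x00" * 9, 1700000000)   # 15 bytes
    + ar_member("data.tar.xz", b"\xfd7zXZ\x00" + b"\x00" * 26, 1700000000)     # 32 bytes
)


if __name__ == "__main__":
    print(inspect_deb(SAMPLE_DEB))
```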
From a forensics perspective, we can ask many questions related to
package management, such as the following:
What packages are currently installed, and which versions?
Who installed them, when, and how?
Which packages were upgraded and when?
Which packages were removed and when?
Which repositories were used?
Can we confirm the integrity of the packages?
What logs, databases, and cached data can be analyzed?
Given a particular file on the filesystem, to which package does it belong?
What other timestamps are relevant?
package manager apt
We can get a list of installed packages from the /var/lib/dpkg/status file.
Here are some files to look for artifacts in:
/var/log/dpkg.log dpkg activity, including changes to package status (install,
remove, upgrade, and so on)
/var/log/apt/history.log Start/end times of apt commands and which user ran
them
/var/log/apt/term.log Start/end times of apt command output (stdout)
/var/log/apt/eipp.log.* Logs the current state of the External Installation Planner
Protocol (EIPP), a system that manages dependency ordering
/var/log/aptitude Aptitude actions that were run
/var/log/unattended-upgrades/* Logs from automated/unattended upgrades
/etc/dpkg/ Configuration information for dpkg is stored here
/etc/apt/ Configuration information for apt, including the sources.list and
sources.list.d/* files. These files are interesting because they define the
external repositories configured for a particular release
/var/lib/dpkg/info/ directory contains several files for each installed package
(this is the metadata from the DEB files). This information includes the file list
(*.list), cryptographic hashes (*.md5sums), preinstall/postinstall and remove
scripts, and more.
/var/cache/apt/archives/ directory contains *.deb files that have been
downloaded in the past.
/var/cache/debconf/ directory is a central location for package configuration
information and templates.
/var/lib/snapd/snaps/ Contains downloaded snaps
~/.local/lib/python/site-packages and /usr/lib/python/site-packages are where
pip-installed packages are saved.
Login & User Interaction Forensics
/var/log/wtmp History of successful logins and logouts (can be parsed using
“last -f filename”)
/var/log/btmp History of failed login attempts (can be parsed using
“lastb -f filename”)
/var/log/lastlog Most recent user logins
/var/run/utmp Current users logged in (only on running systems)
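wtmp, btmp and utmp are binary arrays of fixed-size struct utmp records. As an added example (not part of these notes, and not the code behind last), the Python below decodes the 384-byte glibc layout used on x86_64 Linux and pairs each login with its logout the way last -f does; the records are constructed in the block, and the layout assumption matters, since 32-bit and non-glibc systems use different sizes.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux: 384 bytes, little-endian, explicit padding.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def _addr(words) -> str:
    """ut_addr_v6: IPv4 occupies the first word only, IPv6 all four."""
    raw = struct.pack("<4i", *words)
    if raw[4:] == b"\x00" * 12:
        return socket.inet_ntoa(raw[:4]) if raw[:4] != b"\x00" * 4 else ""
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_wtmp(blob: bytes):
    """Decode every record; a trailing partial record is treated as corruption."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(blob), UTMP_SIZE))
    records = []
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        ut_type, pid, line, ut_id, user, host = f[0], f[1], f[2], f[3], f[4], f[5]
        tv_sec = f[9]
        records.append({
            "type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "addr": _addr(f[11:15]),
            "time": tv_sec,
            "time_utc": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
        })
    return records


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                        "login": login["time"], "logout": r["time"],
                        "duration_s": r["time"] - login["time"]})
    for login in open_by_line.values():  # still logged in, or logout never recorded
        out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                    "login": login["time"], "logout": None, "duration_s": None})
    return out


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec, ip=""):
    """Pack one record; only used to build the constructed sample below."""
    raw_ip = socket.inet_aton(ip) if ip else b"\x00" * 4
    addr = struct.unpack("<4i", raw_ip + b"\x00" * 12)
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, *addr)


# Constructed wtmp: boot, one completed session, one still open. Not real data.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "6.1.0-placeholder", 1700000000),
    make_record(7, 4321, "pts/0", "ts/0", "analyst", "10.0.0.5", 1700003600, "10.0.0.5"),
    make_record(8, 4321, "pts/0", "ts/0", "", "", 1700007200),
    make_record(7, 4400, "pts/1", "ts/1", "operator", "10.0.0.6", 1700007300, "10.0.0.6"),
])


if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(s)
```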
An interesting place to look in a forensics investigation is the shell
initialization scripts:
/etc/profile
/etc/profile.d/*
~/.bash_profile
/etc/bash.bashrc
~/.bashrc
The profile files run once, at the first (login) shell, and the “*rc” files run
every time you open a shell.
/etc/bash.bash_logout
~/.bash_logout
These files run once on exit and logout.
Environment variables
Environment variables are also a good place to look where you can find more
about the user’s default editor which may tell you where to look for more
evidence and customized environment variables which can give you good hints.
here are some places to look at default environment variables at login.
/etc/security/pam_env.conf
/etc/environment
/etc/environment.d/*.conf
/usr/lib/environment.d/*.conf
~/.config/environment.d/*.conf
The “HIST*” environment variables configure the shell history; they tell you
where the shell history is stored and how it is configured.
Another note here is that the command history of a shell is written to disk only
after the shell exits.
Also note that newly written bash history is dropped to a new inode on disk,
while the old one remains in unallocated space, so old bash history files can be
recovered using carving.
Window managers also have start-up “*.desktop” files that list the applications
to start at login:
/etc/xdg/autostart/*
~/.config/autostart/*
For desktop settings there is a database called dconf, much like the Windows
registry, where data is stored as hierarchical key-value pairs; it is used by
the “GNOME” desktop manager. The dconf command-line tool can be used to read
this database content.
The “dconf” files can be found in “~/.config/dconf/” and “/etc/dconf/db/”; as an
example, look at the “user” database, where user settings can be found.
There are a lot of clipboard managers out there that store 5-20 entries of
copied data, but because there are so many you will need to search for where
your manager stores this data.
Recent documents and favourites in Linux are tracked for every user in different
places, such as:
.local/share/recently-used.xbel
.local/user-places.xbel
.local/share/Recent Documents/
Search history is also tracked for every user, and each desktop manager has its
own way of doing it; for example, in GNOME search data is saved to
“~/.cache/tracker3/files” as SQLite databases.
3.5 Network Forensics Overview
Network forensics is the process of collecting and analyzing raw network data and tracking
network traffic systematically to ascertain how an attack was carried out or how an event
occurred on a network. Because network attacks are on the rise, there’s more focus on this
field and an increasing demand for skilled technicians. Labour forecasts predict a shortfall of
50,000 network forensics specialists in law enforcement, legal firms, corporations, and
universities.
Network forensics can also help you determine whether a network is truly under attack or a user
has inadvertently installed an untested patch or custom program, for example. A lot of time and
resources can be wasted determining that a bug in a custom program or an untested open-source
program caused the “attack.”
Network forensics examiners must establish standard procedures for how to acquire data after
an attack or intrusion incident. Typically, network administrators want to find compromised.
3.5.1 Securing a Network
Network forensics is used to determine how a security breach occurred; however, steps must be
taken to harden networks before a security breach happens, particularly with recent increases in
network attacks, viruses, and other security incidents. Hardening includes a range of tasks, from
applying the latest patches to using a layered network defense strategy, which sets up layers of
protection to hide the most valuable data at the innermost part of the network. It also ensures
that the deeper into the network an attacker gets, the more difficult access becomes and the
more safeguards are in place. The National Security Agency (NSA) developed a similar
approach, called the defense in depth (DiD) strategy. DiD has three modes of protection:
• People
• Technology
• Operations
If one mode of protection fails, the others can be used to thwart the attack.
Listing people as a mode of protection means organizations must hire well-qualified people and
treat them well so that they have no reason to seek revenge. In addition, organizations should
make sure employees are trained adequately in security procedures and are familiar with the
organization’s security policy. Physical and personnel security measures are included in this
mode of protection.
The technology mode includes choosing strong network architecture and using tested tools, such
as intrusion detection systems (IDSs) and firewalls. Regular penetration testing coupled with risk
assessment can help improve network security, too. Having systems in place that allow quick and
thorough analysis when a security breach occurs is also part of the technology mode of
protection.
Operation mode addresses day-to-day operations. Updating security patches, antivirus software
and operating systems falls into this category, as do assessment and monitoring procedures and
disaster recovery plans.
3.6 Performing Live Acquisitions
The problem investigators face is the order of volatility (OOV), meaning how long a piece of
information lasts on a system. Data such as RAM and running processes might exist for only
milliseconds; other data, such as files stored on the hard drive, might last for years. The
following steps show the general procedure for a live acquisition, although investigators differ on
exact steps:
• Create or download a bootable forensic CD, and test it before using it on a suspect
drive. If the suspect system is on your network and you can access it remotely, add
the appropriate network forensics tools to your workstation. If not, insert the
bootable forensics CD in the suspect system.
• Make sure you keep a log of all your actions; documenting your actions and
reasons for these actions is critical.
• A network drive is ideal as a place to send the information you collect. If you don’t
have one available, connect a USB thumb drive to the suspect system for collecting data.
Be sure to note this step in your log.
• Next, copy the physical memory (RAM). Microsoft has built-in tools for this task,
or you can use available freeware tools, such as memfetch
(www.freshports.org/sysutils/memfetch) and BackTrack.
• The next step varies, depending on the incident you’re investigating. With an
intrusion, for example, you might want to see whether a rootkit is present by using a tool
such as RootkitRevealer (www.microsoft.com/technet/sysinternals/Utilities/
RootkitRevealer.mspx). You can also access the system’s firmware to see whether it has
changed, create an image of the drive over the network, or shut the system down and make
a static acquisition later.
• Be sure to get a forensically sound digital hash value of all files you recover
during the live acquisition to make sure they aren’t altered later.
Performing a Live Acquisition in Windows
Live acquisitions are becoming more necessary, and several tools are available for capturing
RAM. ManTech Memory DD (www.mantech.com/msma/MDD.asp) can access up to 4 GB
RAM in standard dd format. Another freeware tool, Win32dd (http://win32dd.msuiche.net),
runs from the command line to perform a memory dump in Windows. In addition, commercial
tools, such as Guidance Software Winen.exe, can be used.
Another popular tool is BackTrack (www.remote-exploit.org/backtrack.html), which combines
tools from the White Hat Hackers CD and The Auditor CD (see Figure 11-3). More than 300
tools are available, including password crackers, network sniffers, and freeware forensics tools.
BackTrack has become popular with penetration testers and is used at the annual
Collegiate Cyber Defense Competitions.
Fig: Some of the tools available in BackTrack
3.7 Developing Standard Procedures for Network Forensics
Network forensics is a long, tedious process, and unfortunately, the trail can go cold
quickly. A standard procedure often used in network forensics is as follows:
• Always use a standard installation image for systems on a network. This
image isn’t a bit-stream image but an image containing all the standard applications
used. You should also have the MD5 and SHA-1 hash values of all application and
OS files.
• When an intrusion incident happens, make sure the vulnerability
has been fixed to prevent other attacks from taking advantage of the opening.
• Attempt to retrieve all volatile data, such as RAM and running processes, by
doing a live acquisition before turning the system off.
• Acquire the compromised drive and make a forensic image of it.
• Compare files on the forensic image to the original installation image. Compare
hash values of common files, such as Win.exe and standard DLLs, and ascertain
whether they have changed.
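Added example, serving both the package-integrity question in the dpkg section (the /var/lib/dpkg/info/*.md5sums lists) and this comparison against a standard installation image; the code is written for these notes, not taken from dpkg or any forensic suite. It parses a hash manifest in md5sum/dpkg layout, hashes a file tree and reports matching, modified, missing and extra files; the tree, file contents and the changes to it are constructed in a temporary directory. MD5 and SHA-1 are kept for parity with existing dpkg lists, but a baseline you build yourself should use SHA-256, as the constructed run does.

```python
import hashlib
import os
import re
import tempfile

# "hash  path" or "hash *path": the layout of md5sum/sha1sum/sha256sum output
# and of dpkg's /var/lib/dpkg/info/*.md5sums files (32..128 hex digits).
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(.+)$")


def hash_file(path, algorithm="md5", chunk=1 << 16):
    """Stream a file through the chosen hash so large binaries never load whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Return {relative/path: hexdigest}; paths are normalised to no leading slash."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        entries[m.group(2).lstrip("/")] = m.group(1).lower()
    return entries


def build_manifest(root, algorithm="md5"):
    """Hash every regular file under root, keyed by forward-slash relative path."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = hash_file(full, algorithm)
    return entries


def verify_tree(manifest, root, algorithm="md5"):
    """Compare the tree under root with the manifest; every difference is reported."""
    current = build_manifest(root, algorithm)
    report = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, expected in sorted(manifest.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    return report


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_constructed_example(algorithm="sha256"):
    """Build a tiny baseline, then alter, delete and add files and re-verify.

    Everything lives in a temporary directory; file contents are placeholders.
    """
    with tempfile.TemporaryDirectory() as root:
        baseline_files = {
            "usr/bin/tool": b"#!/bin/sh\necho original\n",
            "etc/tool.conf": b"mode=strict\n",
            "usr/lib/libtool.so": b"\x7fELF placeholder bytes\n",
        }
        for rel, data in baseline_files.items():
            _write(root, rel, data)
        manifest_text = "\n".join(
            "%s  %s" % (digest, rel)
            for rel, digest in sorted(build_manifest(root, algorithm).items()))
        # The changes an examiner wants flagged when comparing to the baseline.
        _write(root, "usr/bin/tool", b"#!/bin/sh\necho modified\n")
        os.remove(os.path.join(root, "etc", "tool.conf"))
        _write(root, "usr/lib/libunknown.so", b"not in the baseline\n")
        return verify_tree(parse_manifest(manifest_text), root, algorithm)


if __name__ == "__main__":
    print(run_constructed_example())
```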
In computer forensics, you can work from the image to find most of the deleted or hidden files
and partitions. Sometimes you restore the image to a physical drive so that you can run
programs on the drive. In network forensics, you have to restore the drive to see how malware
that attackers have installed on the system works. For example, intruders might have transmitted a
Trojan program that gives them access to the system and then installed a rootkit, which is a
collection of tools that can perform network reconnaissance tasks (using the ls or netstat
command to collect information, for instance), key logging, and other actions.
3.8 Using Network Tools
A variety of tools are available for network administrators to perform remote shutdowns,
monitor device use, and more. The tools covered in this chapter are freeware and work in
Windows and UNIX. Sysinternals (www.microsoft.com/technet/sysinternals/) is a collection of
free tools for examining Windows products. They were created by Mark Russinovich and Bryce
Cogswell and acquired by Microsoft.
Fig: Opening page of Sysinternals
The following list describes a few examples of the powerful Windows tools
available at Sysinternals:
• RegMon shows all Registry data in real time.
• Process Explorer shows what files, Registry keys, and dynamic
link libraries (DLLs) are loaded at a specific time.
• Handle shows what files are open and which processes are using these files.
• Filemon shows file system activity.
Far too many tools are available to list here, but you should take some time to explore
the site and see what’s available. One in particular that’s worth investigating is PsTools,
a suite created by Sysinternals that includes the following tools:
• PsExec—Runs processes remotely
• PsGetSid—Displays the security identifier (SID) of a computer or
user
• PsKill—Kills processes by name or process ID
• PsList—Lists detailed information about processes
• PsLoggedOn—Displays who’s logged on locally
• PsPasswd—Allows you to change account passwords
• PsService—Enables you to view and control services
• PsShutdown—Shuts down and optionally restarts a computer