MCA 302: CYBER FORENSICS
24-04-2023 MCA 302 CYBER FORENSICS 1
Module: 03 |Session: 17
Conducting Digital Investigation-Digital investigation process models
Conducting Digital Investigation
Computer Security Incident
❑ Unauthorized/unlawful intrusions into computing systems
❑ Scanning a system: systematic probing of ports to see which ones are open (test IPs)
❑ Denial-of-Service (DoS) attack: any attack designed to disrupt the ability of authorized users to access data
❑ Malicious code: any program or procedure that makes unauthorized modifications or triggers unauthorized actions
❑ virus, worm, Trojan horse
Conducting Digital Investigation
1. Digital investigation process models
2. Scaffolding for digital investigations
3. Applying scientific method in Digital Investigations
The goal of any investigation is to uncover and present the truth
Digital investigations
Digital investigations inevitably vary depending on technical factors such as the type of computing or communications device, whether the investigation is in a criminal, civil, commercial, military, or other context, and case-based factors such as the specific claims to be investigated.
Digital investigation process
Despite this variation, there exists a sufficient amount of similarity between the ways digital investigations are undertaken that commonalities may be observed. These commonalities tend to be observed from a number of perspectives, with the primary ways being process, principles, and methodology.
Methodology
■ Treat every case as if it will end up in court.
■ Forensic methodology:
■ Acquire the evidence without altering or damaging the original.
■ Authenticate that your recovered evidence is the same as the originally seized data.
■ Analyze the data without modifying it.
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. (McKemmish, 1999)
Digital Investigation Process Models
The most common steps for conducting a complete and competent digital investigation are:
Preparation:
Generating a plan of action to conduct an effective digital investigation and obtaining supporting resources and materials.
Survey/Identification:
Finding potential sources of digital evidence (e.g., at a crime scene, within an organization, or on the Internet). Because the term identification has a more precise meaning in forensic science relating to the analysis of an item of evidence, this process can be more clearly described as survey of evidence. Survey is used throughout this chapter when referring to this step.
Preservation:
Preventing changes of in situ digital evidence, including isolating the system on the network, securing relevant log files, and collecting volatile data that would be lost when the system is turned off. This step includes subsequent collection or acquisition.
Examination and Analysis:
Searching for and interpreting trace evidence. Some process models use the terms examination and analysis interchangeably.
Examination and Analysis of Evidence
❑ Forensic examination is the process of extracting and viewing information from the evidence and making it available for analysis.
❑ In contrast, forensic analysis is the application of the scientific method and critical thinking to address the fundamental questions in an investigation: who, what, where, when, how, and why.
Presentation:
Reporting of findings in a manner which satisfies the context of the investigation, whether it be legal, corporate, military, or any other.
Process models
When attempting to conceive of a general approach to describe the investigation process within digital forensics, one should make such a process generalizable. This led to the proposal of a number of models for describing investigations, which have come to be known as “process models”.
Why Process Models
Using a formalized methodology encourages a complete, rigorous investigation, ensures proper evidence handling, and reduces the chance of mistakes created by preconceived theories, time pressures, and other potential pitfalls.
Digital Investigation Process Models
❖Physical Model
❖Staircase Model
❖Evidence Flow Model
❖Subphase Model
❖Roles and Responsibilities Model
Physical Model
❑ A computer being investigated can be considered a digital crime scene and investigations as a subset of the physical crime scene where it is located.
❑ Physical evidence may exist around a server that was attacked by an employee and usage evidence may exist around a home computer that contains contraband.
❑ Furthermore, the end goal of most digital investigations is to identify a person who is responsible, and therefore the digital investigation needs to be tied to a physical investigation.
Staircase Model
Evidence Flow Model
Subphase Model
Roles and Responsibilities Model
Module: 03 |Session: 18
Scaffolding for digital investigations, applying scientific method in Digital Investigations
Scaffolding for digital investigations
Scaffolding focuses on 6 Aspects
Threshold Considerations
❑ Factors that contribute to the severity of an offense include threats of physical injury, potential for significant losses, and risk of wider system compromise or disruption.
❑ Within an organization, if a security breach or policy violation can be contained quickly, if there is little or no damage, and if there are no exacerbating factors, a full investigation may not be warranted.
❑ The output of this step in the investigative process is a decision that will fit into two basic categories:
Threshold considerations are not met—No further action is required. For example, available data and information are sufficient to indicate that there has been no wrongdoing. Document decisions with detailed justification, report, and reassign resources.
Threshold considerations are met—Continue to apply investigative resources based on the merits of evidence examined to this point, with priority based on initially available information. This step aims to inform discernment based on practical as well as legal precedent, coupled with the informed experience of the investigative team.
Applying scientific method in Digital Investigations
Module: 03 |Session: 19
Applying scientific method in Digital Investigations: Formation and Evaluation of Hypotheses, Preparation, Survey
Introduction
Although process models that define each step of an investigation can be useful for certain purposes, such as developing procedures, they are too complex and rigid to be followed in every investigation.
In practice, most digital investigations do not proceed in a linear manner, and the common steps of preparation, survey, preservation, examination, and analysis are not neatly separated.
❑ The scientific method provides the necessary structure to help digital investigators complete each step of an investigation in a repeatable manner to achieve reliable results.
❑ In practice, digital investigators are better served by simpler methodologies that guide them in the right direction, while allowing them to maintain the flexibility to handle diverse situations. The scientific method provides such a simple, flexible methodology.
The scientific method begins with fact gathering and validation, and proceeds to hypothesis formation and experimentation/testing, actively seeking evidence that disproves the hypothesis, and revising conclusions as new evidence emerges.
Formation and Evaluation of Hypotheses
❑ From a practical viewpoint, at each stage of the investigative process a digital investigator is trying to address specific questions and accomplish certain goals relating to the case.
❑ These questions and goals will drive the overall digital investigation process and will influence specific tasks within each step.
❑ Therefore, it is important for digital investigators to have a robust and repeatable methodology within each step to help them accomplish the goals and address the questions that are necessary to solve the case.
❑ Digital investigators are generally instructed to focus on specific issues in a case, sometimes with time constraints or other restrictions.
❑ For example, in order to find a missing person as quickly as possible, digital investigators may be compelled to progress rapidly through the preparation, survey, preservation, examination, and analysis steps at the expense of completeness and accuracy.
Carrier’s Hypothesis
Carrier’s Hypothesis Based Approach to digital forensic investigations (Carrier, 2006) provides an initial model which bridges digital investigation practices and computer science theory, demonstrating the role of the scientific method within a digital investigation.
Now let's see how the scientific method is applied to each step of a digital investigation (preparation, survey, preservation, examination, and analysis), which can guide a digital investigator through almost any investigative situation, whether it involves a single compromised host, a single network link, or an entire enterprise.
The general methodology for Investigation
Observation:
One or more events will occur that will initiate your investigation. These events will include several observations that will represent the initial facts of the incident. Digital investigators will proceed from these facts to form their investigation. For example, a user might have observed that his or her web browser crashed when he or she surfed to a specific Web site, and that an antivirus alert was triggered shortly afterward.
Hypothesis:
Based on the current facts of the incident, digital investigators will form a theory of what may have occurred. For example, in the initial observation described earlier, a digital investigator may hypothesize that the web site that crashed the user’s web browser used a browser exploit to load a malicious executable onto the system.
Prediction:
Based on the hypothesis, digital investigators will then predict where the artifacts related to that event may be located. Using the hypothesis, and knowledge of the general operation of web browsers and operating systems, a digital investigator may predict that there will be evidence of an executable download in the history of the web browser, and potentially, that files related to the malware were created around the time of the incident.
Experimentation/Testing:
Digital investigators will then analyze the available evidence to test the hypothesis, looking for the presence of the predicted artifacts. In the previous example, a digital investigator might create a forensic duplicate of the target system, and from that image extract the web browser history to check for executable downloads in the known timeframe. Part of the scientific method is also to test possible alternative explanations—if the original hypothesis is correct, a digital investigator will be able to eliminate alternative explanations on the basis of available evidence (this process is called falsification).
Conclusion:
Digital investigators will then form a conclusion based upon the results of their findings. A digital investigator may have found that the evidence supports the hypothesis, falsifies the hypothesis, or that there were not enough findings to generate a conclusion.
This general methodology can be repeated as many times as necessary to reach conclusions at any stage of a digital investigation.
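The browser-crash scenario above, carried through the prediction, testing and conclusion steps as code. This is an added example, not code from the lecture or from Carrier's work: the download-history entries, file-creation times and crash time are constructed sample artefacts, the ten-minute window and the "user downloaded it deliberately" alternative explanation are assumptions made for the illustration, and the three return values mirror the three conclusions the slide names.

```python
from datetime import datetime, timedelta

EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".dll")

# Constructed sample artefacts (not from a real case): the time the user saw the
# browser crash, entries as extracted from the browser's download history, and
# file-creation times as read from the file system of the forensic image.
CRASH_TIME = datetime(2023, 4, 24, 10, 15)
BROWSER_DOWNLOADS = [
    {"url": "http://site.example/page", "path": "C:/Users/u/Downloads/page.html",
     "time": CRASH_TIME - timedelta(minutes=3)},
    {"url": "http://site.example/update", "path": "C:/Users/u/Downloads/update.exe",
     "time": CRASH_TIME + timedelta(minutes=1)},
]
FILE_CREATIONS = [
    {"path": "C:/Users/u/Downloads/update.exe", "created": CRASH_TIME + timedelta(minutes=1)},
    {"path": "C:/Windows/Temp/svc.dll", "created": CRASH_TIME + timedelta(minutes=2)},
    {"path": "C:/Users/u/Documents/notes.txt", "created": CRASH_TIME - timedelta(days=2)},
]


def predicted_artifacts(downloads, creations, incident_time, window=timedelta(minutes=10)):
    """Prediction step.

    The hypothesis (the site used a browser exploit to load a malicious executable)
    predicts two artefacts: an executable download in browser history, and files
    created around the time of the incident. Return whatever matches inside the
    assumed +/- window around the crash.
    """
    lo, hi = incident_time - window, incident_time + window
    exe_downloads = [d for d in downloads
                     if d["path"].lower().endswith(EXECUTABLE_EXTENSIONS) and lo <= d["time"] <= hi]
    new_files = [c for c in creations if lo <= c["created"] <= hi]
    return exe_downloads, new_files


def evaluate_hypothesis(downloads, creations, incident_time):
    """Conclusion step, with the three outcomes the slide names.

    Both predicted artefacts present -> the evidence supports the hypothesis.
    Neither present                  -> the prediction failed; hypothesis falsified
                                        (subject to revision if new evidence emerges).
    Only one present                 -> not enough findings to generate a conclusion.
    """
    exe_downloads, new_files = predicted_artifacts(downloads, creations, incident_time)
    if exe_downloads and new_files:
        return "supported"
    if not exe_downloads and not new_files:
        return "falsified"
    return "inconclusive"


def alternative_user_download(downloads, incident_time):
    """Falsification check for one assumed alternative explanation: that the user
    deliberately downloaded the executable before the crash, so the crash and the
    executable are unrelated. The alternative is consistent with the evidence only
    if an executable download precedes the incident."""
    return any(d["path"].lower().endswith(EXECUTABLE_EXTENSIONS) and d["time"] < incident_time
               for d in downloads)


if __name__ == "__main__":
    print("hypothesis:", evaluate_hypothesis(BROWSER_DOWNLOADS, FILE_CREATIONS, CRASH_TIME))
    print("alternative (user download before crash):",
          alternative_user_download(BROWSER_DOWNLOADS, CRASH_TIME))
```

On the constructed data the hypothesis is reported as supported and the alternative explanation is eliminated, because the only executable download sits after the crash; swapping in an empty history turns the result into "falsified", which is the case where the examiner goes back to the observation step rather than forcing a conclusion.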
Preparation
The general aim of preparing for a digital investigation is to create a plan of action to perform an effective digital investigation, and to obtain the necessary personnel and equipment. Preparation for the preservation step ensures that the best evidence can be preserved when the opportunity arises.
An example of applying the scientific method to preparation for the preservation step of a digital investigation is provided here:
Observation:
Gathering information about the crime scene to anticipate what number and type of computer systems to expect, and whether full disk encryption is in use. This stage can involve interviewing people familiar with the location to be searched, and reviewing documentation such as IT network diagrams, asset inventory, and purchase orders for computers. When no inside knowledge is readily available, this observation process may require covert surveillance.
Hypothesis/Prediction:
Based on the information gathered about the crime scene, digital investigators will form theories about the types of computer systems and internal components such as hard drive capacity and interface (e.g., ATA, SATA, serial attached SCSI).
Experimentation/Testing:
It may be possible to test some predictions about what will or will not be encountered at the crime scene. For instance, it may be possible to glean details about internal and public servers by examining e-mail headers and connecting to them over the Internet.
Conclusions:
The outcome of this process should be a robust plan for preserving evidence at the crime scene. In some instances, digital investigators also need to prepare for some on-scene processing of digital evidence. For instance, when digital investigators are not authorized to collect every computer system, some on-scene keyword searching of many computers must be performed to identify which are relevant to the investigation.
Survey
With a plan in hand from the preparation step, digital investigators should be well prepared to recognize sources of digital evidence at the crime scene. The aim of the process is for digital investigators to find all potential sources of digital evidence and to make informed, reasoned decisions about what digital evidence to preserve at the crime scene.
Observation:
A methodical inspection of the crime scene should be performed in an effort to locate the expected items and to find unanticipated items. Carrier’s Integrated Digital Investigation Process model encourages use of traditional approaches to searching the physical crime scene in a methodical manner. A comparable methodical approach to searching a digital crime scene should be used to find and assess potential sources of digital evidence.
Hypothesis:
Theories should be developed about why certain expected items are not present, and why certain unexpected items were found.
Prediction:
Ideas should be considered for where missing items may be found, and which items may contain potentially relevant data. When large quantities of computers or removable media are involved, it may be necessary to develop theories about which ones do and do not contain potentially relevant digital evidence.
Experimentation/Testing:
When digital investigators believe that certain items are not relevant to the case, some experimentation and testing is needed to confirm this belief. For example, it may be necessary to perform a triage search of these seemingly irrelevant systems or storage media for responsive evidence to ensure that they, in fact, do not contain anything of interest.
Conclusions:
Based on the methodical assessment of available information, there is a high degree of confidence that an inventory has been made of all potentially relevant sources of digital evidence at the crime scene that need to be preserved.
In an organization, documentation relating to the survey phase may take the form of a map indicating where evidence is located on a network—a digital evidence map. Such a map may include e-mail, log files, and backup tapes, may specify for how long each source of digital evidence is retained, and may reference procedures for collecting the evidence to help digital investigators handle the data properly.
Module: 03 |Session: 20
Preservation, Examination, Analysis, Reporting and Testimony
❑ Working from the known inventory of identified components, investigators must act to make sure that potentially volatile items are collected or acquired in such a way that captures their current state.
❑ Another way to put it is that proper actions must be taken to ensure the integrity of potential evidence, physical and digital. The methods and tools employed to ensure integrity are key here. Their accuracy and reliability, as well as professional acceptance, may be subject to question by opposing counsel if the case is prosecuted.
❑ To many practitioners in digital forensics, the preservation step is where digital forensics begins. It is generally the first stage in the process that employs commonly used tools of a particular type. The output of this stage is usually a set of duplicate copies of all sources of digital data.
This output provides investigators with two categories of exhibits.
First, the original material is cataloged and stored in a proper environmentally controlled location, in an unmodified state.
Second, an exact duplicate of the original material is created that will be scrutinized as the investigation continues.
Consider examples of the scientific process applied to the preservation of common forms of digital evidence.
Hard Drives
Observation: A hard drive has a SATA interface with a certain number of sectors documented on the label.
Hypothesis: A complete and accurate duplicate of the hard drive can be obtained without altering the original.
Prediction: The resulting forensic duplicate will have the same hash value as the original hard drive.
Experimentation/Testing:
Comparing the hash value of the forensic duplicate with that of the original hard drive confirms that they are the same. However, comparing the size of the forensic duplicate with the capacity of the hard drive reveals a discrepancy. Further experimentation is needed to determine that this discrepancy is caused by an incorrect number of sectors being detected by the acquisition method used. Using an alternative method to acquire data from the hard drive gives a complete and accurate duplicate of the digital evidence.
Conclusions:
There is a high degree of confidence that an accurate duplicate of all data on the hard drive was acquired in a forensically sound manner.
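The hard-drive example above, and the "authenticate that your recovered evidence is the same as the originally seized data" rule from the methodology slide, replayed as code. This is an added example, not code from the lecture or from any forensic tool: the "drive" is a temporary file of random bytes, `acquire()` is a constructed stand-in for an imaging tool that reads however many sectors it detected, and the 512-byte sector size and the 2048/2000 sector counts are assumptions chosen for the illustration. The point it makes is the one the slide makes: a hash match proves the image equals what was read, not that everything on the drive was read, so the size is checked against the label as well.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # bytes per logical sector, assumed for the constructed drive


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(drive_path, detected_sectors, image_path):
    """Constructed stand-in for an imaging tool (not a real forensic tool).

    It copies only the number of sectors the tool *detected* and returns the
    hash of the bytes it actually read from the source, which is what an
    acquisition log would record as the source hash.
    """
    h = hashlib.sha256()
    with open(drive_path, "rb") as src, open(image_path, "wb") as dst:
        data = src.read(detected_sectors * SECTOR_SIZE)
        h.update(data)
        dst.write(data)
    return h.hexdigest()


def verify_duplicate(source_hash, image_path, label_sectors):
    """Test both predictions from the hard-drive example.

    1. Authenticity: the image hashes the same as what was read from the source.
    2. Completeness: the image holds as many sectors as the drive label documents.
    A hash match alone does not prove completeness; the size check catches an
    acquisition that silently read too few sectors.
    """
    image_sectors = os.path.getsize(image_path) // SECTOR_SIZE
    return {
        "hash_match": sha256_of_file(image_path) == source_hash,
        "image_sectors": image_sectors,
        "label_sectors": label_sectors,
        "size_match": image_sectors == label_sectors,
    }


def run_scenario(label_sectors=2048):
    """Replay the slide's scenario on a constructed drive held in a temp file."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(label_sectors * SECTOR_SIZE))  # 1 MiB of constructed content

    # First acquisition method mis-detects the sector count (2000 instead of 2048):
    # the hash matches what the tool read, but the size does not match the label.
    image1 = os.path.join(workdir, "image1.dd")
    first = verify_duplicate(acquire(drive, 2000, image1), image1, label_sectors)

    # Alternative method detects all sectors: both predictions now hold.
    image2 = os.path.join(workdir, "image2.dd")
    second = verify_duplicate(acquire(drive, label_sectors, image2), image2, label_sectors)
    return first, second


if __name__ == "__main__":
    for name, result in zip(("first method", "alternative method"), run_scenario()):
        print(name, result)
```

The first result shows `hash_match` true and `size_match` false, which is exactly the discrepancy the slide describes; only the second acquisition satisfies both predictions, and only then does the conclusion "an accurate duplicate of all data was acquired" follow.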
Assignment
Write a short note on the scientific method of data preservation for:
1. Email on a server
2. Mobile device
❑ Prior to attempting to preserve digital evidence, it is most effective to prepare the necessary forensic preservation tools and techniques to handle various forms of evidence.
❑ During the preparation step of a digital investigation, activities such as testing tools and sanitizing and/or encrypting storage media can be performed to make preservation processes go more smoothly.
Examination
Forensic examination is the process of extracting and viewing information from the evidence, and making it available for analysis.
Forensic examination of digital evidence is generally one of the most resource-intensive and time-consuming steps in a digital investigation.
To produce useful results in a timely manner at different phases of an investigation, it is useful to employ three levels of forensic examination:
1. Survey/Triage Forensic Inspection: Targeted review of all available media to determine which items contain the most useful evidence and require additional processing.
2. Preliminary Forensic Examination: Forensic examination of items identified during survey/triage as containing the most useful evidence, with the goal of quickly providing investigators with information that will aid them in conducting interviews and developing leads.
3. In-Depth Forensic Examination: Comprehensive forensic examination of items that require more extensive investigation to gain a more complete understanding of the offense and address specific questions.
When conducting a forensic examination, it is useful to consider Carrier’s Integrated Digital Investigation Process model, which treats sources of digital evidence as individual crime scenes. By conceptually treating each source of digital evidence as a crime scene, digital investigators are encouraged to apply each step of the investigative process to each source of evidence and thereby develop a more comprehensive and methodical approach to a forensic examination.
Preparation for Forensic Examinations:
Prior to performing a forensic examination of digital evidence, it is advisable to prepare a plan of action that outlines what steps will be taken and what processes will be performed on each item of digital evidence.
Survey in Forensic Examinations:
Digital investigators will generally survey each source of digital evidence, including the contents of hard drives, mobile devices, log files, and other data, to develop an overall familiarity with the corpus delicti (a.k.a. totality of the evidence) and to find items of potential relevance to the investigation.
Forensic Examinations:
Certain items within a source of digital evidence may require special processing so that they can be examined more easily. Such special items can include mailboxes, password-protected files, encrypted volumes, and unallocated space.
Forensic examination of digital evidence, whether it is an entire hard drive or an individual’s mailbox, generally involves some level of recovery, harvesting, organization, search, and reduction to produce a reduced dataset for forensic analysis.
Recovery:
Data should be extracted from available sources, including items that have been deleted, hidden, camouflaged, or that are otherwise unavailable for viewing using the native operating system and resident file system. The objective is to recover all unavailable data whether or not they may be germane to the case or incident. In some instances, it may also be necessary to reconstitute data fragments to recover an item. The output provides the maximum available content for the investigators, like a complete data timeline and information that may provide insight into the motives of an offender if concrete proof of purposeful obfuscation is found and recorded.
Harvesting:
Data and metadata (data about data) should be gathered about all recovered objects of interest. This gathering will typically proceed with little or no discretion related to the data content, its context, or interpretation. Rather, the investigator will look for categories of data that can be harvested for later analysis—groupings of data with certain class characteristics that, from experience or training, seem or are known to be related to the major facts of the case or incident known to this point in the investigation.
Organization and Search:
A thorough analysis should be facilitated by organizing the reduced set of materials from the previous step, grouping, tagging, or otherwise placing them into meaningful units. At this stage, it may be advantageous to actually group certain files physically to accelerate the analysis stage. They may be placed in groups using folders or separate media storage, or in some instances a database system may be employed to simply point to the cataloged file system objects for easy, accurate reference without having to use the rudimentary search capability offered by most host operating systems.
Reduction:
Irrelevant items should be eliminated, or specific items targeted in the collected data as potentially germane to an investigation. This process is analogous to separating the wheat from the chaff. The decision to eliminate or retain is made on the basis of external data attributes such as hashing or checksums, type of data (after type is verified), etc. In addition, material facts associated with the case or incidents are also brought to bear to help eliminate data as potential evidence.
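The reduction step above, as an added example (not code from the lecture): items are eliminated when their hash appears in a known-file set, and a file's type is verified from its content before the name is trusted, so a renamed file is retained and flagged rather than dropped. The four files, their contents and the "known" hash set are all constructed here; a real examination would use a maintained reference hash set rather than one built from the sample itself.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample contents (not real files). STOCK_BINARY stands for a file
# that a reference set of known, unmodified software would list.
STOCK_BINARY = b"MZ" + b"\x00" * 62 + b"constructed stock binary, unchanged"
SAMPLE_ITEMS = [
    ("setup.exe", STOCK_BINARY),
    ("report.pdf", b"%PDF-1.4 constructed document body"),
    ("holiday.jpg", b"PK\x03\x04" + b"constructed archive disguised as an image"),
    ("notes.txt", b"plain text with no magic number"),
]

# Stand-in for a known-file hash set, built from the constructed content above.
KNOWN_HASHES = {sha256_hex(STOCK_BINARY)}

# Magic numbers used to verify a file's type from its content.
MAGIC_NUMBERS = [
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpg"),
]


def verified_type(data: bytes) -> str:
    """Type of data as verified from its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC_NUMBERS:
        if data.startswith(magic):
            return kind
    return "unknown"


def reduce_items(items, known_hashes):
    """Reduction step: decide eliminate/retain on external attributes only.

    - hash in the known set       -> eliminated (known, unmodified file)
    - verified type != extension  -> retained and flagged (name disagrees with content)
    - otherwise                   -> retained for analysis
    Returns (retained, eliminated, mismatched); mismatched holds
    (name, declared extension, verified type) tuples.
    """
    retained, eliminated, mismatched = [], [], []
    for name, data in items:
        if sha256_hex(data) in known_hashes:
            eliminated.append(name)
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = verified_type(data)
        if kind != "unknown" and kind != ext:
            mismatched.append((name, ext, kind))
        retained.append(name)
    return retained, eliminated, mismatched


if __name__ == "__main__":
    retained, eliminated, mismatched = reduce_items(SAMPLE_ITEMS, KNOWN_HASHES)
    print("retained:", retained)
    print("eliminated:", eliminated)
    print("type/name mismatches:", mismatched)
```

The hash check removes only the stock binary; the archive renamed to `.jpg` survives reduction with a flag, which is the "after type is verified" qualification the slide attaches to eliminating by data type.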
Applying the scientific method to the forensic examination process can be a time-consuming and repetitive process, but the effort is generally well spent, giving digital investigators the information they need to resolve a case. A less methodical or scientifically rigorous forensic examination may miss important information or may give erroneous results.
Illustration: an example of how the scientific method is applied during the forensic examination process
Analysis
The forensic analysis process is inseparable from the scientific method. By definition, forensic analysis is the application of the scientific method and critical thinking to address the fundamental questions in an investigation: who, what, where, when, how, and why.
❑ This step involves the detailed scrutiny of data identified, preserved, and examined throughout the digital investigation.
❑ The techniques employed here will tend to involve review and study of specific, internal attributes of the data such as the text and narrative meaning of readable data, or the specific format of binary audio and video data items.
❑ Additionally, class and individual characteristics found in this step are used to establish links, determine the source of items, and ultimately locate the offender.
❑ Ultimately, the information that has been accumulated during the digital investigation is combined to reconstruct a comprehensive understanding of events relating to the crime or incident.
Observation:
Human readable (or viewable) digital data objects have substance that can be perceived as well as context that can be reconstructed. That content and context of digital evidence may contain information that is used to reconstruct events relating to the offense and to determine factors such as means, motivation, and opportunity.
Hypothesis:
Develop a theory to explain the digital evidence.
Prediction:
Based upon the hypothesis, digital investigators will then predict where they believe the artifacts of that event will be located.
Experimentation/Testing:
A very general term, but applied here to mean any activity used to determine whether or not digital evidence is compatible with the working theory. These activities can include running experiments using a specific operating system or application to learn about their behavior and associated artifacts, or loading the subject system into a virtualized environment to observe it as the user would.
Conclusions:
The result of a thorough forensic analysis generally includes an investigative reconstruction based on fusion and correlation of information.
During the investigation, data (information) have been collected from many sources (digital and nondigital). The likelihood is that digital evidence alone will not tell the full tale. The converse is also true. The data must be fused or brought together to populate structures needed to tell the full story.
Reporting and Testimony
To provide a transparent view of the investigative process, final reports should contain important details from each step, including reference to protocols followed and methods used to seize, document, collect, preserve, recover, reconstruct, organize, and search key evidence. The majority of the report generally deals with the analysis leading to each conclusion and descriptions of the supporting evidence. No conclusion should be written without a thorough description of the supporting evidence and analysis. Also, a report can exhibit the investigator or examiner’s objectivity by describing any alternative theories that were eliminated because they were contradicted or unsupported by evidence.
A significant amount of effort is required to prepare for questioning and to convey
technical issues in a clear manner. Therefore, this step in the process includes techniques
and methods used to help the analyst and/or domain expert translate technological and
engineering details into understandable narrative for discussion with decision makers
24-04-2023 MCA 302 CYBER FORENSICS 121
24-04-2023 MCA 302 CYBER FORENSICS 122
Module: 03 |Session: 21
Computer Basics for Digital Investigators - Basic Operation of Computers
Write a note on History of Computers
Write a note on Basic Operation of Computers
Module: 03 |Session: 22
Representation of Data, Storage Media and Data Hiding, File Systems and Location of Data
All digital data are basically combinations of ones and zeros, commonly called bits. It is
often necessary for digital investigators to deal with data at the bit level, requiring an
understanding of how different systems represent data.
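As an added example (not from the course slides), the following Python reads one constructed byte string under several representations and then pulls the sector and cluster size out of a constructed FAT/NTFS-style boot-sector stub; the sample bytes, the stub and the function names are assumptions made for illustration.

```python
import struct

# Constructed sample bytes, as they might be copied out of a disk image (not from the slides).
SAMPLE = bytes.fromhex("41 42 00 10 ff ff ff ff")

# Constructed stub of a FAT/NTFS-style boot sector: the BIOS Parameter Block stores
# bytes-per-sector as a little-endian 16-bit value at offset 11 and sectors-per-cluster
# as one byte at offset 13.  Only those two fields are filled in here.
BOOT_STUB = bytes(11) + b"\x00\x02" + b"\x08" + bytes(498)


def interpret(raw: bytes) -> dict:
    """Read the same eight bytes under several representations.

    The bit pattern itself is neutral: whether it is text, a little-endian or
    big-endian integer, or a signed value depends on the system that wrote it,
    which is why an investigator must know the representation before trusting
    a value recovered at the bit level.
    """
    first, last = raw[:4], raw[4:8]
    return {
        "bits": " ".join(f"{b:08b}" for b in raw),           # the ones and zeros
        "hex": raw.hex(),
        "ascii_prefix": first[:2].decode("ascii"),           # 0x41 0x42 -> "AB"
        "u32_little_endian": struct.unpack("<I", first)[0],  # x86 / Windows byte order
        "u32_big_endian": struct.unpack(">I", first)[0],     # network / many RISC CPUs
        "i32_signed_last": struct.unpack("<i", last)[0],     # 0xffffffff as signed: -1
        "u32_unsigned_last": struct.unpack("<I", last)[0],   # the same bits unsigned
    }


def bpb_geometry(boot_sector: bytes) -> dict:
    """Pull bytes-per-sector and sectors-per-cluster out of a boot sector's BPB."""
    bytes_per_sector = struct.unpack_from("<H", boot_sector, 11)[0]
    sectors_per_cluster = boot_sector[13]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
    }


if __name__ == "__main__":
    for key, value in interpret(SAMPLE).items():
        print(f"{key:>18}: {value}")
    print(bpb_geometry(BOOT_STUB))
```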
Write a note on Representation of Data
Storage Media and Data Hiding
[On binary systems] each data element is implemented using some physical device that can be in one of two stable states: in a memory chip, for example, a transistor switch may be on or off; in a communications line, a pulse may be present or absent at a particular place and at a particular time; on a magnetic disk, a magnetic domain may be magnetized to one polarity or to the other; and, on a compact disk, a pit may be present or not at a particular place.
Although storage media come in many forms, hard disks are the richest sources of digital evidence on computers. Understanding how hard drives function, how data are stored on them, and where data can be hidden can help digital investigators deal with hard drives as a source of evidence.
Understanding disk drives
The architecture of a hard disk consists of several physical components that include:
❑ Platters
❑ Spindle
❑ Read/write heads
❑ Tracks
❑ Sectors
Platters
Hard disks are organized as a concentric stack of disks. An individual disk is referred to as a platter. Each platter has two surfaces: a lower and an upper surface.
Spindle
❑ The platters within the hard disk are connected by a spindle that runs through the middle of the platters.
❑ The spindle rotates about its axis in a single direction (either clockwise or counterclockwise).
❑ The rotation of the spindle causes the platters to rotate as well.
Read/write head
❑ Each surface of a platter has a read/write head that is used to read data from or write data onto the disk.
❑ The read/write heads can move back and forth across the surface of a platter. The read/write heads are in turn connected to a single actuator arm.
Tracks
Each surface of a platter consists of a fixed number of tracks. These are circular areas on the surface of a platter whose circumference decreases as we move towards the center of the platter.
Data is first written to the outermost track.
Sectors
Each track is divided into a fixed number of sectors. Sectors are the sections of a track that actually store the data.
When data are stored on a hard disk, the cluster is the unit of allocation. So no matter whether the file is large or small, there will be some unused space in the last cluster (unless the file size is an integer multiple of the cluster size).
Furthermore, that leftover space cannot be used by other files (even if the file is only 0 bytes): two or more files are not allowed to share a cluster, because it could cause data corruption.
What happens when you delete a file?
❑ When you delete a file, it isn't really erased: it continues to exist on your hard drive, even after you empty it from the Recycle Bin.
❑ This is what allows files you have deleted to be recovered.
❑ Every file is made from many bits of information.
❑ When you delete a file, the bits that form it are not physically erased, and they continue to hold the information that makes up the file.
❑ Instead of physically deleting files, which can take a significant amount of time, especially if those files are large, the operating system only marks the deleted files' space as free.
Recovering deleted files
■ What happens when a file is deleted?
■ In many operating systems, the file is moved to a temporary holding area (the recycle bin), where it can be recovered, or cleared so that the disk space it was taking up can be reclaimed.
■ When the recycle bin is emptied, in many cases only the pointer record to where the file's data was located on the physical disk is removed.
■ When you delete a file, Windows marks its space as free by removing only its pointer, nothing else. The content of the file is still physically there.
❑ Slack - the leftover storage on a computer's hard disk drive when a computer file does not need all the space it has been allocated by the operating system.
Slack space
❑ In typical hard drives, the computer stores files on the drive in clusters of a certain size.
❑ For example, the file system on the hard drive may store data in clusters of four kilobytes.
❑ If the computer stores a file that is only two kilobytes in a four-kilobyte cluster, there will be two kilobytes of slack space.
❑ Slack space is an important form of evidence in the field of forensic investigation. Often, slack space can contain relevant information about a suspect that a prosecutor can use in a trial.
❑ For example, if a user deleted files that filled an entire hard drive cluster and then saved new files that only filled half of the cluster, the latter half would not necessarily be empty.
❑ It may include leftover information from the deleted files. This information can be extracted by forensic investigators using specialized computer forensic tools.
Slack space
■ Computers with hard disk drives store data in a sealed unit.
■ The unit contains a stack of circular, spinning disks called platters.
■ Each platter is composed of logically defined spaces called sectors.
■ Sectors are configured by the OS to hold no more than 512 bytes of data.
■ If a text file that is 400 bytes is saved to disk, the sector will have 112 bytes of extra space left over.
■ When the computer's hard drive is brand new, the space in a sector that is not used (the slack space) is blank, but it changes as the computer gets used.
Slack space
■ When a file is deleted, the operating system doesn't erase the file.
■ The OS makes the sector the file occupied available for reallocation.
■ If a new file that is only 200 bytes is allocated to the original sector, the sector's slack space will now contain 200 bytes of leftover data from the first file in addition to the original 112 bytes of extra space.
■ That leftover data, which is called latent data or ambient data, can provide investigators with clues as to prior uses of the computer in question as well as leads for further inquiries.
Uses of data recovery
■ Average user:
  ■ Recover important lost files
  ■ Keep your private information private
■ Law enforcement:
  ■ Locate illegal data
  ■ Restore deleted/overwritten information
  ■ Prosecute criminals based on discovered data
Why can some deleted files not be recovered, even with an excellent file recovery tool?
❑ Recovering lost files is not always possible!
❑ If Windows overwrites the space that a deleted file was occupying, the original file can no longer be restored.
❑ That is because the content of that original file is just not there anymore.
❑ New information was stored over its content, so the old information was destroyed.
24-04-2023 MCA 302 CYBER FORENSICS 157
What is Data Obfuscation?
24-04-2023 MCA 302 CYBER FORENSICS 158
Data obfuscation is a process to obscure the meaning of data as an added layer of data
protection. In the event of a data breach, sensitive data will be useless to attackers. The
organization — and any individuals in the data — will remain uncompromised.
Organizations should prioritize obfuscating sensitive information in their data.1
24-04-2023 MCA 302 CYBER FORENSICS 159
Top data obfuscation methods
❖ If you ask ten people for the definition of data obfuscation, you'll get 12 different answers. That's because there are many different methods, each designed for specific purposes.
❖ Obfuscation is an umbrella term for a variety of processes that transform data into another form in order to protect sensitive information or personal data.
❖ Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking.
Encryption
Encryption is very secure, but you lose the ability to work with or analyze the data while it is encrypted. The more complex the data encryption algorithm, the safer the data will be from unauthorized access. Encryption is a good obfuscation method if you need to store or transfer sensitive data securely.
Tokenization
Tokenization substitutes sensitive data with a value that is meaningless on its own. The token cannot be reversed by computation; however, the organization can map the token back to the original data. Tokenized data supports operations like running a credit card payment without revealing the credit card number. The real data never leaves the organization and can't be seen or decrypted by a third-party processor.
Data masking
Data masking substitutes realistic but false data for the original data to ensure privacy. Using masked-out data, testing, training, development, or support teams can work with a dataset without putting real data at risk. Data masking goes by many names; you may have heard of it as data scrambling, data blinding, or data shuffling. The process of permanently stripping personally identifiable information (PII) from sensitive data is also known as data anonymization or data sanitization. Whatever you call it, fake data replaces real data, and there is no algorithm to recover the original values of masked data.
Masking out
Masking out is a way to create different versions of the data with a similar structure. The data type does not change, only the values change. Data can be modified in several ways, for example by shifting numbers or letters, replacing words, and switching partial data between records.
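An added example, not from the course material, showing the difference between tokenization (reversible only through the vault) and masking out (shifting characters, blanking digits, switching a field between records) on constructed sample records; the TokenVault class, the helper names and the sample data are assumptions, and encryption is left out because it needs a library beyond the Python standard one.

```python
import random
import secrets


class TokenVault:
    """Vault-style tokenization.  The token is random and carries nothing of the
    original value, so it cannot be reversed by computation; only the vault the
    organization keeps can map it back (a hypothetical in-memory vault here)."""

    def __init__(self) -> None:
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value: str) -> str:
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(8)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token: str) -> str:
        return self._value_for[token]


def mask_card(pan: str, keep_last: int = 4) -> str:
    """Masking: replace all but the last digits with '*'.  No algorithm recovers them."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def shift_chars(value: str, shift: int = 3) -> str:
    """'Shifting numbers or letters': same data type and shape, different value."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str((int(ch) + shift) % 10))
        elif ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shuffle_field(records: list, field: str, seed: int = 0) -> list:
    """'Switching partial data between records': the column keeps its values,
    but they no longer line up with the real person in each row."""
    values = [r[field] for r in records]
    random.Random(seed).shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def demo() -> dict:
    # Constructed sample records, not real customer data.
    customers = [
        {"name": "Asha", "card": "4111 1111 1111 1234", "city": "Pune"},
        {"name": "Ben", "card": "5500 0000 0000 0042", "city": "Oslo"},
    ]
    vault = TokenVault()
    token = vault.tokenize(customers[0]["card"])
    return {
        "token": token,                                   # safe to hand to a processor
        "round_trip": vault.detokenize(token) == customers[0]["card"],
        "masked": [mask_card(c["card"]) for c in customers],
        "shifted_name": shift_chars(customers[0]["name"]),
        "shuffled": shuffle_field(customers, "city", seed=1),
    }


if __name__ == "__main__":
    print(demo())
```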
A storage device without a file system would be in the same situation, and it would be a useless electronic device.
However, a file system changes everything:
Understanding file systems
A file system isn't just a bookkeeping feature, though.
❑ Space management, metadata, data encryption, file access control, and data integrity are responsibilities of the file system too.
Everything begins with partitioning
When partitioning is done, the partitions should be formatted. Most operating systems allow you to format a partition with one of a set of file systems.
❑ For instance, if you are formatting a partition on Windows, you can choose between the FAT32, NTFS, and exFAT file systems.
❑ Formatting involves the creation of the various data structures and metadata used to manage files within a partition.
❑ These data structures are one aspect of a file system.
Windows File Systems
❑ File Allocation Table or FAT
❑ New Technology File System or NTFS
Difference in file structure database
❑ File Allocation Table or FAT
  ❑ File Allocation Table
❑ New Technology File System or NTFS
  ❑ Master File Table (MFT)
Terminology
❑ Metadata
  ❑ File name
  ❑ Time stamp
  ❑ Other attributes
❑ File data
Terminology
❑ Sectors
  ❑ 512 bytes of data
❑ Clusters
  ❑ Smallest logical unit of file storage
  ❑ One or more sectors
Logical and Physical Storage Units
❑ Logical
  ❑ Recognized by the OS
  ❑ E.g., clusters
❑ Physical
  ❑ Recognized by a device
  ❑ E.g., sectors
OS Stores Files in Clusters
Wasted Space Problem
Example
❑ File size: 2050 bytes
❑ One cluster = two sectors
❑ Slack
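The numbers from the slack-space slides (512-byte sectors, a 400-byte file, a 200-byte file reusing the same sector, and the 2050-byte file in two-sector clusters above) worked through in Python; this is an added example, not course material, and the Sector class and function names are constructed for illustration.

```python
SECTOR_SIZE = 512  # the 512-byte sector the slides assume


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters allocated to a file; a 0-byte file still occupies one cluster."""
    return max(1, -(-file_size // cluster_size))  # ceiling division


def slack_bytes(file_size: int, sectors_per_cluster: int = 1,
                sector_size: int = SECTOR_SIZE) -> int:
    """Bytes in the last cluster that the file does not use (the slack)."""
    cluster_size = sectors_per_cluster * sector_size
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


class Sector:
    """A simulated sector.  Writing a short file only touches the bytes it needs;
    deleting only releases the allocation.  The bytes themselves stay."""

    def __init__(self) -> None:
        self.data = bytearray(SECTOR_SIZE)  # brand-new drive: slack is blank
        self.file_len = 0
        self.allocated = False

    def write_file(self, content: bytes) -> None:
        if len(content) > SECTOR_SIZE:
            raise ValueError("file does not fit in one sector")
        self.data[:len(content)] = content
        self.file_len = len(content)
        self.allocated = True

    def delete_file(self) -> None:
        self.allocated = False  # pointer removed, nothing else

    def slack(self) -> bytes:
        """Everything after the current file's last byte."""
        return bytes(self.data[self.file_len:])

    def latent_data(self) -> bytes:
        """Leftover (ambient) data in the slack, with the blank tail stripped."""
        return self.slack().rstrip(b"\x00")


def reuse_scenario() -> dict:
    """The slides' scenario: a 400-byte file, deleted, then a 200-byte file in the same sector."""
    sector = Sector()
    sector.write_file(b"A" * 400)
    slack_after_first = len(sector.slack())  # 112 bytes, still blank
    sector.delete_file()
    sector.write_file(b"B" * 200)
    return {
        "slack_after_first_file": slack_after_first,
        "slack_after_second_file": len(sector.slack()),  # 312 = 200 leftover + 112 blank
        "latent_bytes": sector.latent_data(),            # the 200 bytes of the first file
    }


if __name__ == "__main__":
    print("2050-byte file, 2 sectors per cluster:", slack_bytes(2050, 2), "bytes of slack")
    print("0-byte file, 1 sector per cluster:", slack_bytes(0), "bytes of slack")
    print(reuse_scenario())
```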
Efficiency
❑ NTFS
  ❑ Smaller cluster size
  ❑ Less slack space -> less wasted space
Resilient File System (ReFS)
❑ Compatibility
❑ Availability
❑ Scalability
Module: 03 |Session: 23
Dealing with Password Protection and Encryption
Passwords
When data is password protected, it's as if you've gathered all your data, in its original, readable form, put it into a lock box, and locked the box with a password or passcode. The box is protected by the passcode, but if the lock box is not particularly strong and someone is able to break into it, then getting at all your valuable data is simple.
Windows and Mac Operating Systems: Password Protected
The most obvious, and perhaps most dangerous, example of simple password-protected data is right in front of you: your Windows or Mac desktop or laptop. Even a novice hacker knows there are several very easy ways to get around the OS password and get directly at your data. First, there are CD-based tools readily available on the Internet that someone can use to boot your PC, read your supposedly super-secret password, and then have unfettered access to everything, including Outlook email. Second, there's the brute-force method: someone can simply pull the hard drive out of your PC, connect it to another PC via an external hard drive enclosure, and, voila, have access to everything on the hard drive. Scary to think about, isn't it?
What is encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting human-readable plaintext into incomprehensible text, also known as ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random. Encryption requires the use of a cryptographic key: a set of mathematical values that both the sender and the recipient of an encrypted message agree on.
What is a key in cryptography?
A cryptographic key is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it.
What are the different types of encryption?
The two main kinds of encryption are symmetric encryption and asymmetric encryption. Asymmetric encryption is also known as public key encryption.
What is Symmetric Encryption?
What is Asymmetric Encryption?
What is the impact of encryption on forensic investigation?
As investigators, we are limited to the information on the device that we can access. If a hard drive
is fully encrypted, we have no easy access to the stored data and our investigative options become
limited. The first thing an investigator must do is to determine the level and extent of the
encryption. Weak passwords can be cracked, but if the user has implemented a strong password, it
becomes almost impossible to access via brute force methods. It could be that just a few files are
encrypted and there could be unencrypted copies elsewhere on the device. The user could also be a
creature of habit and use the same set of passwords. These passwords can be quickly located in
easily decipherable formats throughout the system. In all cases, though, I tell investigators that
digital evidence is just one piece of the body of evidence in a case. Don’t fall into a trap where you
spend too much time trying to decrypt a potentially probative item, when valuable unencrypted
data may be found by simply continuing your examination.
What new techniques do investigators need to consider when they come across an encrypted drive?
Module: 03 |Session: 24
Log files, Registry, Internet traces
What is a Log File?
❑ A log file records events that took place at a certain time and may carry metadata that contextualizes each event.
❑ Log files are a historical record of everything and anything that happens within a system, including events such as transactions, errors and intrusions. That data can be transmitted in different ways and can be in structured, semi-structured or unstructured format.
The basic anatomy of a log file includes:
❖ The timestamp - the exact time at which the logged event occurred
❖ User information
❖ Event information - what action was taken
However, depending on the type of log source, the file will also contain a wealth of further relevant data. For example, server logs will also include the referring webpage, HTTP status code, bytes served, user agent, and more.
Where do Log Files Come From?
Types of Logs
Nearly every component in a network generates a different type of data, and each component collects that data in its own log. Because of that, many types of logs exist, including:
Event logs
An event log is a high-level log that records information about network traffic and usage, such as login attempts, failed password attempts, and application events.
Server logs
A server log is a text document containing a record of activities related to a specific server in a specific period of time.
System logs
A system log, or syslog, is a record of operating system events. It includes startup messages, system changes, unexpected shutdowns, errors and warnings, and other important processes. Windows, Linux, and macOS all generate system logs.
Authorization logs and access logs
Authorization logs and access logs include a list of people or bots accessing certain applications or files.
Change logs
Change logs include a chronological list of changes made to an application or file.
Availability logs
Availability logs track system performance, uptime, and availability.
Resource logs
Resource logs provide information about connectivity issues and capacity limits.
Threat logs
Threat logs contain information about system, file, or application traffic that matches a predefined security profile within a firewall.
Log files are an important source of digital forensic evidence because they usually connect events to points in time. Indeed, log file data can be used to investigate network anomalies due to insider threats, data leaks and misuse of IT assets, and log files can help identify network intruders.
Registry
❑ Inside every operating system there must be some place to keep settings.
❑ What is my current internet address? What are all the users on my system, and what are their passwords?
❑ What color desktop am I using? What applications are installed? If I double-click on a file with a .docx extension, what application needs to start to handle it?
❑ There are hundreds of thousands of questions like this that even the simplest individual machine must answer, and we've got to store that somewhere.
❑ Windows uses a single storage area called the registry.
❑ This is not a text file. It is a binary file that can only be read by a particular program called Regedit.
Windows registry
❑ The registry or Windows registry is a database of information, settings, options, and other values for software and hardware installed on all versions of Microsoft Windows operating systems. When a program is installed, a new subkey is created in the registry. This subkey contains settings specific to that program, such as its location, version, and primary executable.
The Windows Registry is a database where Windows and many programs store their configuration settings.
The Windows registry is a collection of several databases. There are system-wide registry settings that apply to all users, and each Windows user account also has its own user-specific settings.
There are two ways to open Registry Editor in Windows 10:
1. In the search box on the taskbar, type regedit, then select Registry Editor (Desktop app) from the results.
2. Right-click Start, then select Run. Type regedit in the Open: box, and then select OK.
What Is a Registry Hive?
❑ A hive in the Windows Registry is the name given to a major section of the registry that contains registry keys, registry subkeys, and registry values.
❑ All keys that are considered hives begin with "HKEY" and are at the root, or the top of the hierarchy, of the registry, which is why they're also sometimes called root keys or core system hives.
Here is a list of the common registry hives in Windows:
❑ HKEY_CLASSES_ROOT
❑ HKEY_CURRENT_USER
❑ HKEY_LOCAL_MACHINE
❑ HKEY_USERS
❑ HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
❑ Holds the user settings for the currently logged-in user and is usually abbreviated HKCU. This is actually just a link to HKEY_USERS\<SID-FOR-CURRENT-USER>. The most important sub-key in here is HKCU\Software, which contains user-level settings for most of your software.
HKEY_LOCAL_MACHINE
❑ All of the system-wide settings are stored here, and it is usually abbreviated as HKLM. You'll mostly use the HKLM\Software key to check machine-wide settings.
HKEY_USERS
❑ Stores all of the settings for all users on the system. You'll typically use HKCU instead, but if you need to check settings for another user on your computer, you can use this one.
HKEY_CURRENT_CONFIG
❑ Stores all of the information about the current hardware configuration. This one isn't used very often, and it is just a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Internet traces
Accessing the Internet leaves a wide variety of information on a computer, including Web sites, contents viewed, and newsgroups accessed. For instance, some Windows systems maintain a record of accounts that are used to connect to the Internet, as shown in Figure
Web Browsing
When an individual first views a Web page, the browser caches the page and associated elements such as images on disk; the creation and modification times of these cached files are the same as the time the page was viewed. When the same site is accessed in the future, the cached file is accessed. The number of times that a given page was visited is recorded in some Web browser history databases.
What is a web browser?
❑ A web browser takes you anywhere on the internet, letting you see text, images and video from anywhere in the world.
The web is a vast and powerful tool
❑ Over the course of a few decades, the internet has changed the way we work, the way we play and the way we interact with one another.
❑ Depending on how it's used, it bridges nations, drives commerce, nurtures relationships, drives the innovation engine of the future and is responsible for more memes than we know what to do with.
What Are Cookies?
❑ Cookies are text files with small pieces of data (like a username and password) that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.
❑ The data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.
Session
Overview
❑ A session is a group of user interactions with your website that take place within a given time frame.
❑ For example, a single session can contain multiple page views, events, social interactions, and ecommerce transactions.
You can think of a session as the container for the actions a user takes on your site.
A single user can open multiple sessions. Those sessions can occur on the same day, or over several days, weeks, or months. As soon as one session ends, there is an opportunity to start a new session. There are two methods by which a session ends:
• Time-based expiration:
  ❑ After 30 minutes of inactivity
  ❑ At midnight
• Campaign change:
  ❑ If a user arrives via one campaign, leaves, and then comes back via a different campaign.
What is a web session?
Session vs Cookie
❑ Storage: a session is stored on the server side; a cookie is stored as a text file in the browser.
❑ Content: a session can store any value or object; a cookie can only store string values.
❑ Lifetime: sessions are destroyed when the browser is closed; cookies are not destroyed when the browser is closed.
❑ Security: sessions are more secure; cookies are less secure.
❑ Capacity: a session can store unlimited data; a cookie has a limit on the data it can store.
❑ Relationship: a session is a group of information associated with the cookie information; cookies are used to identify sessions.
Email
❑ Short for electronic mail, e-mail or email is information stored on a computer that is exchanged between two users over telecommunications. More plainly, e-mail is a message that may contain text, files, images, or other attachments sent through a network to a specified individual or group of individuals.
What is an Email Protocol: Definition and Types
❑ An email protocol is a standard method for exchanging information between email clients like Thunderbird, Apple Mail, or Mailbird and email providers' servers like Gmail, Outlook, and Yahoo, and vice versa.
❑ Email protocols differ by function: some receive emails, and others send and transport emails.
❑ Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP), for example, allow receiving and sending emails, while Simple Mail Transfer Protocol (SMTP) is responsible only for sending emails.
Email protocol
❑ An email protocol is a method by which a communication channel is established between two computers and email is transferred between them.
❑ When an email is transferred, a mail server and two computers are involved. One computer sends the mail and the other one receives it.
❑ The mail server stores the mail and lets the receiving device access it and download it if needed.
POP3 stands for Post Office Protocol 3.
❑ As the name suggests, it allows you to use your email inbox like a post office: emails are downloaded onto your computer and removed from the mail server.
❑ When accessing your emails using the POP3 protocol, a copy of the emails is created and stored locally on your computer.
❑ The originals are usually, but not always, removed from the mail server. In other words, emails are tied to the specific device. Once an email is downloaded onto one device (and removed from the mail server), it cannot be accessed by another email client or device.
IMAP
❑ IMAP stands for Internet Message Access Protocol.
❑ Unlike POP3, IMAP lets you log into different email clients or webmail interfaces and view the same emails, because in the IMAP setup emails are kept on the mail server rather than on your computer.
IMAP
❑ When you access your emails using the IMAP protocol, you are essentially using the email client to connect to your mail server and managing your emails directly on the mail server.
❑ In this setup, your mail server rather than your local computer is the main storage location of your emails.
❑ Because of this, IMAP makes it possible to access your emails from different devices, and all changes are synchronized with the mail server and any email client(s) you are using.
❑ In other words, if you delete an email from one email client, it is deleted from the mail server and the action is reflected across all devices and email clients.
Example of how POP3 and IMAP work
When you wake up and access your mail from your phone:
❑ POP3 will download all the emails to your phone for you to view, and by doing so, all emails are removed from the mail server.
❑ IMAP will send a copy of the emails to your phone, leaving the originals on your mail server.
SMTP
❑ SMTP stands for Simple Mail Transfer Protocol.
❑ SMTP is the set of communication guidelines that allows software to transmit electronic mail over the internet.
❑ It is a program used for sending messages to other computer users based on e-mail addresses.
❑ It provides a mail exchange between users on the same or different computers, and it also supports the following:
  ❑ It can send a single message to one or more recipients.
  ❑ Messages sent can include text, voice, video or graphics.
  ❑ It can also send messages on networks outside the internet.
❑ The main purpose of SMTP is to define the rules of communication between mail servers.
❑ The servers have a way of identifying themselves (the HELO/EHLO greeting) and of
announcing what kind of communication they are trying to perform.
❑ They also have a way of handling errors such as an incorrect email address: every
command is answered with a three-digit reply code (2xx success, 4xx temporary failure,
5xx permanent failure).
❑ For example, if the recipient address is wrong, the receiving server answers the
RCPT TO command with an error such as "550 5.1.1 User unknown".
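The server dialogue described above, as an added example that is not code from the original slides: a toy SMTP receiver in Python that answers with genuine SMTP reply codes (RFC 5321), and a client routine that drives the exchange, including the rejected-recipient case. The domain names, the mailbox list and the message are constructed for the example.

```python
"""A simulated SMTP exchange: one sending client, one receiving server.

Added example, not code from the original slides. The server is a toy state
machine that answers with genuine SMTP reply codes (RFC 5321); the domain
names, the mailbox list and the message itself are constructed.
"""
from typing import List, Optional, Tuple


class ToySmtpServer:
    """Accepts mail for the local mailboxes below and rejects anything else."""

    LOCAL_HOST = "mail.example.org"                           # constructed
    MAILBOXES = {"alice@example.org", "bob@example.org"}      # constructed

    def __init__(self) -> None:
        self.greeted = False
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self._body: List[str] = []
        # (envelope sender, accepted recipients, message text) per delivery
        self.delivered: List[Tuple[str, List[str], str]] = []

    def banner(self) -> str:
        """What the server says as soon as the TCP connection opens."""
        return f"220 {self.LOCAL_HOST} ESMTP ready"

    def handle(self, line: str) -> str:
        """Process one line from the client and return the reply ('' while
        message data is being received, since data lines get no reply)."""
        if self.in_data:
            if line == ".":                        # end-of-data marker
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts),
                                       "\r\n".join(self._body)))
                self.sender, self.rcpts, self._body = None, [], []
                return "250 2.0.0 OK: queued"
            # Dot-unstuffing: a data line that began with "." was sent as "..".
            self._body.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):               # client identifies itself
            self.greeted = True
            return f"250 {self.LOCAL_HOST} Hello {arg}"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":                         # envelope sender
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":                         # envelope recipient
            if self.sender is None:
                return "503 5.5.1 Need MAIL before RCPT"
            addr = arg.split(":", 1)[1].strip("<> ")
            if addr not in self.MAILBOXES:         # the wrong-address case
                return f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown"
            self.rcpts.append(addr)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def send_message(server: ToySmtpServer, sender: str, recipients: List[str],
                 body_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Drive the dialogue the way a client would. Returns the transcript
    (C:/S: lines) and the recipients the server actually accepted."""
    transcript = ["S: " + server.banner()]
    accepted: List[str] = []

    def say(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append("C: " + cmd)
        if reply:
            transcript.append("S: " + reply)
        return reply

    say("EHLO client.example.net")
    say(f"MAIL FROM:<{sender}>")
    for rcpt in recipients:
        if say(f"RCPT TO:<{rcpt}>").startswith("250"):
            accepted.append(rcpt)
    if accepted:                                   # skip DATA if all were rejected
        say("DATA")
        for line in body_lines:
            say("." + line if line.startswith(".") else line)   # dot-stuffing
        say(".")
    say("QUIT")
    return transcript, accepted


if __name__ == "__main__":
    srv = ToySmtpServer()
    lines, ok = send_message(srv, "carol@example.net",
                             ["alice@example.org", "nobody@example.org"],
                             ["Subject: hi", "", "hello"])
    print("\n".join(lines))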
Components of SMTP
What is an Email Header?
The email header is the block of structured fields at the start of every email message
(not only HTML emails) that contains information about the sender, the recipient, the
route the email took to reach the inbox and various authentication details.
The email header always precedes the email body, separated from it by a blank line.
What purpose do email headers serve
❑ Providing information about the sender and recipient. An email header tells who sent the email and
where it arrived. Some fields indicate this information, like “From:” (the sender’s name and email
address), “To:” (the recipient’s name and email address) and “Date:” (the time and date when the
email was sent). “From:” and “Date:” are mandatory in every message (RFC 5322); “To:” is present in
nearly all messages but is technically optional. Other parts of the email header are optional and differ
among email service providers.
❑ Preventing spam. The information displayed in the email header helps email service providers
troubleshoot potential spam issues. ESPs analyze the email header, the “Received:” lines and the
authentication results (SPF, DKIM, DMARC) in particular, to decide whether to deliver an email or not.
❑ Identifying the email route. When an email is sent from one computer to another, it passes through
one or more Mail Transfer Agents, each of which automatically “stamps” the email by prepending a
“Received:” line recording the sending host, the receiving host and the time and date. Because each
MTA adds its line at the top, the lines are read from the bottom up to follow the route from the sender
to the recipient. Only the lines added by servers you trust are reliable; a sender can insert forged
“Received:” lines below them.
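Reading the route out of the “Received:” lines, as an added example that is not code from the original slides: Python code that parses a constructed raw message (every host name, address and timestamp is invented for the example), unfolds each “Received:” header, and reorders the hops chronologically. It also checks that the timestamps increase hop by hop, a consistency test the slides do not mention.

```python
"""Reconstruct an email's route from its Received: headers.

Added example, not code from the original slides. The raw message below is
constructed: every host name, IP address and timestamp is invented.
"""
import email
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample. Three MTAs each prepended a Received: line, so the
# first line in the file belongs to the last hop (closest to the recipient).
RAW_MESSAGE = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.20])
\tby inbox.example.org with ESMTP id 7Kx9; Mon, 24 Apr 2023 09:03:12 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
\tby mx2.example.org with ESMTPS id 3Ab1; Mon, 24 Apr 2023 09:03:10 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby smtp.example.net with ESMTPA id 9Qz4; Mon, 24 Apr 2023 09:03:05 +0000
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=example.net
From: Sender <sender@example.net>
To: Recipient <recipient@example.org>
Date: Mon, 24 Apr 2023 09:03:04 +0000
Subject: test

body
"""

# "from <host> ... by <host> ... ; <date>" is the shape RFC 5321 prescribes.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: bytes) -> List[Dict[str, object]]:
    """Return the hops in chronological order (sender side first)."""
    msg = email.message_from_bytes(raw)
    hops: List[Dict[str, object]] = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold the header
        match = HOP_RE.match(text)
        if not match:
            continue                              # leave unparsable stamps out
        ip = IP_RE.search(text)
        hops.append({
            "from": match["from"],
            "by": match["by"],
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(match["date"].strip()),
        })
    hops.reverse()   # header order is newest first; flip to oldest first
    return hops


def originating_ip(raw: bytes) -> Optional[str]:
    """IP recorded in the earliest stamp, i.e. the host that submitted the mail."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def timestamps_monotonic(hops: List[Dict[str, object]]) -> bool:
    """False when a later hop carries an earlier time: clock skew, or a
    forged Received: line that the sender inserted before submission."""
    times = [h["time"] for h in hops]
    return all(a <= b for a, b in zip(times, times[1:]))


def transit_seconds(hops: List[Dict[str, object]]) -> int:
    """Seconds between the first and the last stamp."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())
```

Trust the stamps from the top down: the lines added by your own receiving servers are the only ones you can verify, and the originating IP found in the bottom line is only as credible as the server that wrote it.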
Viewing an email header in Gmail
Analyzing an Email Header
https://www.whatismyip.com/email-header-analyzer/