Unit 1: Windows Forensics

  • Volatile Data Collection
    • Memory Dump
    • System Time
    • Logged On Users
    • Open Files
    • Network Information (Cached NetBIOS Name Table)
    • Network Connections
    • Process Information
    • Process-to-Port Mapping
    • Process Memory
    • Network Status
    • Clipboard Contents
    • Service/Driver Information
    • Command History
    • Mapped Drives
    • Shares
  • Non-Volatile Data Collection
    • Disk Imaging (External Storage such as USB and Native Hard Disk)
    • Registry Dump
    • Event Logs
    • Devices and Other Information
    • Files Extraction
    • Write-Blocking Port
  • Registry Analysis
  • Browser Usage
  • Hibernation File Analysis
  • Crash Dump Analysis
  • File System Analysis
  • File Metadata and Timestamp Analysis
  • Event Viewer Log Analysis
  • Timeline Creation
  • Evidence Collection in Linux and Mac Operating Systems

Volatile Data Collection

  • Memory Dump
    • Collection: Capturing the contents of system memory for analysis.
    • Example: Using tools like DumpIt to create a memory dump for forensic investigation.
  • System Time
    • Collection: Recording the system timestamp for correlation with events.
    • Example: Documenting the system time to establish a timeline of activities.
  • Logged On Users
    • Collection: Identifying users currently logged into the system.
    • Example: Extracting a list of logged-on users using forensic tools.
  • Open Files
    • Collection: Listing files currently open or in use by processes.
    • Example: Examining open file handles to understand active processes.
  • Network Information (Cached NetBIOS Name Table)
    • Collection: Retrieving cached NetBIOS name table information.
    • Example: Analyzing NetBIOS name resolution data for network reconnaissance.
  • Network Connections
    • Collection: Identifying active network connections and their details.
    • Example: Examining established network connections for potential threats.
  • Process Information
    • Collection: Gathering information about running processes.
    • Example: Listing active processes and their associated details.
  • Process-to-Port Mapping
    • Collection: Mapping processes to the network ports they are using.
    • Example: Correlating processes with open network ports for potential security incidents.
  • Process Memory
    • Collection: Capturing the memory space of specific processes.
    • Example: Extracting the memory content of a suspicious process for analysis.
  • Network Status
    • Collection: Retrieving information about the system’s network configuration.
    • Example: Analyzing network status to detect changes or anomalies.
  • Clipboard Contents
    • Collection: Extracting data stored in the clipboard.
    • Example: Reviewing clipboard contents for sensitive information.
  • Service/Driver Information
    • Collection: Gathering details about installed services and drivers.
    • Example: Documenting services and drivers to identify potential security issues.
  • Command History
    • Collection: Logging command-line history for forensic examination.
    • Example: Analyzing command history to reconstruct user activities.
  • Mapped Drives
    • Collection: Identifying mapped network drives.
    • Example: Listing mapped drives to understand data access patterns.
  • Shares
    • Collection: Discovering shared resources on the system.
    • Example: Investigating shared folders and permissions.

Non-Volatile Data Collection

  • Disk Imaging (External Storage such as USB and Native Hard Disk)
    • Collection: Creating a bit-by-bit copy of the entire disk for preservation.
    • Example: Using forensic tools to image a suspect’s hard drive for analysis.
  • Registry Dump
    • Collection: Extracting the Windows Registry for forensic examination.
    • Example: Dumping the registry to identify changes made to system settings.
  • Event Logs
    • Collection: Retrieving Windows event logs for analysis.
    • Example: Analyzing security, system, and application event logs for security incidents.
  • Devices and Other Information
    • Collection: Documenting information about connected devices.
    • Example: Listing connected USB devices and their properties.
  • Files Extraction
    • Collection: Extracting specific files for detailed examination.
    • Example: Recovering files related to a specific incident from the disk image.
  • Write-Blocking Port
    • Collection: Using write-blocking devices to prevent accidental writes during forensic acquisition.
    • Example: Connecting an external drive with a write-blocking port for secure data acquisition.
  • Registry Analysis
    • Analysis: Investigating the Windows Registry for forensic insights.
    • Example: Identifying artifacts in the registry related to user activities.
  • Browser Usage
    • Analysis: Examining web browser artifacts for user behavior.
    • Example: Analyzing browser history and cache for evidence of online activities.
  • Hibernation File Analysis
    • Analysis: Studying the hibernation file for potential forensic evidence.
    • Example: Extracting information from the hibernation file to reconstruct system state.
  • Crash Dump Analysis
    • Analysis: Investigating crash dumps for insights into system failures.
    • Example: Analyzing a crash dump to identify the cause of a system crash.
  • File System Analysis
    • Analysis: Examining the file system structure and content.
    • Example: Analyzing file system metadata to reconstruct file access patterns.
  • File Metadata and Timestamp Analysis
    • Analysis: Studying file metadata and timestamps for forensic purposes.
    • Example: Analyzing file creation, modification, and access times for timeline creation.
  • Event Viewer Log Analysis
    • Analysis: Examining logs recorded in the Windows Event Viewer.
    • Example: Analyzing security event logs for evidence of unauthorized access.
  • Timeline Creation
    • Timeline: Constructing a chronological timeline of events for forensic analysis.
    • Example: Creating a timeline based on file access, network connections, and system events.
  • Evidence Collection in Linux and Mac Operating Systems
    • Collection: Extending forensic practices to include evidence collection from Linux and Mac systems.
    • Example: Collecting and preserving digital evidence from a Linux machine for cross-platform investigations.
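As an added illustration of the timeline step (not part of the original syllabus), this Python script normalises three constructed evidence sources to UTC and merges them into one ordered timeline: $MFT timestamps stored as raw Windows FILETIME values, a network-connection record in the collector's local time, and event-log entries exported as ISO 8601. All file names, PIDs, addresses and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# Windows stores $MFT and registry timestamps as FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a raw FILETIME integer to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def iso_to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with an offset or trailing 'Z' and normalise it to UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample records (not real evidence), one small set per evidence source.
MFT_RECORDS = [  # (path, $STANDARD_INFORMATION last-modified time as a raw FILETIME)
    ("C:\\Users\\alice\\Downloads\\invoice.exe", 133500000000000000),
]
NET_CONNECTIONS = [  # (collector's local time with UTC offset, owning PID, remote endpoint)
    ("2024-01-17T16:21:15-05:00", 4120, "203.0.113.10:443"),
]
EVENT_LOG = [  # (event time exported as ISO 8601 UTC, channel, event ID, summary)
    ("2024-01-17T21:19:30Z", "Security", 4624, "Logon type 10 for alice"),
    ("2024-01-17T21:22:00Z", "System", 7045, "Service 'updsvc' installed"),
]


def build_timeline():
    """Normalise every source to UTC and return (time, source, description) tuples in order."""
    events = []
    for path, ft in MFT_RECORDS:
        events.append((filetime_to_utc(ft), "mft", f"modified {path}"))
    for stamp, pid, remote in NET_CONNECTIONS:
        events.append((iso_to_utc(stamp), "netconn", f"pid {pid} -> {remote}"))
    for stamp, channel, eid, summary in EVENT_LOG:
        events.append((iso_to_utc(stamp), "evtx", f"{channel}/{eid}: {summary}"))
    # Sorting on aware datetimes keeps sources recorded in different zones in true order;
    # the source name is the tie-breaker so equal timestamps have a stable order.
    return sorted(events, key=lambda e: (e[0], e[1]))


if __name__ == "__main__":
    for when, source, what in build_timeline():
        print(f"{when.isoformat()}  {source:8} {what}")
```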

Unit 2: Network Forensics

  • Understanding Protocols with Wireshark
    • TCP
    • UDP
    • HTTP(S)
    • SSH
    • Telnet
    • SMTP
    • POP/POP3
    • IMAP
    • FTP
    • SFTP
    • ARP
  • Packet Capture using Wireshark, tshark and tcpdump
  • Packet Filtering
  • Extraction of Data from PCAP file
  • NetFlow vs Wireshark
  • Analysis of logs
    • Cisco logs
    • Apache Logs
    • IIS Logs
    • Other System Logs

Understanding Protocols with Wireshark

  • Protocol Analysis: Using Wireshark to inspect and analyze network protocols.
  • Example: Identifying HTTP traffic and analyzing the content of web requests using Wireshark.

TCP (Transmission Control Protocol)

  • TCP Communication: Examining the reliable, connection-oriented communication protocol.
  • Example: Investigating a TCP handshake and analyzing the sequence of packets in a connection.

UDP (User Datagram Protocol)

  • UDP Communication: Analyzing the connectionless, lightweight protocol.
  • Example: Studying UDP traffic for real-time applications, such as voice over IP (VoIP).

HTTP(S)

  • HTTP(S) Analysis: Monitoring and analyzing web traffic for security incidents.
  • Example: Examining HTTP headers and content to detect potential security threats.

SSH (Secure Shell)

  • SSH Analysis: Investigating encrypted shell sessions for secure remote access.
  • Example: Analyzing SSH traffic to identify unauthorized access or suspicious activities.

Telnet

  • Telnet Analysis: Inspecting unencrypted remote terminal sessions.
  • Example: Monitoring Telnet traffic to identify potential security vulnerabilities.

SMTP (Simple Mail Transfer Protocol)

  • SMTP Analysis: Examining email communication for forensic insights.
  • Example: Analyzing SMTP headers to trace the origin of suspicious emails.

POP/POP3 (Post Office Protocol)

  • POP/POP3 Analysis: Investigating email retrieval protocols for evidence.
  • Example: Analyzing POP3 traffic to understand user email interactions.

IMAP (Internet Message Access Protocol)

  • IMAP Analysis: Studying email access and storage protocols.
  • Example: Examining IMAP commands to reconstruct email-related activities.

FTP (File Transfer Protocol)

  • FTP Analysis: Monitoring file transfer activities over the network.
  • Example: Analyzing FTP sessions to identify unauthorized file transfers.

SFTP (Secure File Transfer Protocol)

  • SFTP Analysis: Examining encrypted file transfer sessions.
  • Example: Investigating SFTP traffic to ensure secure data transfers.

ARP (Address Resolution Protocol)

  • ARP Analysis: Studying address resolution for mapping IP addresses to MAC addresses.
  • Example: Detecting ARP spoofing attacks by analyzing ARP traffic patterns.
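An added example (not from the original page) of the ARP-spoofing check described above: it reads constructed tshark field output for ARP replies and flags IP addresses whose announcing MAC changes and MACs that answer for several IPs. The capture lines and addresses are invented.

```python
from collections import defaultdict

# Constructed tshark output (not a real capture), in the shape produced by:
#   tshark -r arp.pcap -Y "arp.opcode == 2" -T fields -e frame.time_relative \
#          -e arp.src.proto_ipv4 -e arp.src.hw_mac -e arp.dst.proto_ipv4
# Frames 3 and 4 show a third MAC answering for both the gateway and the client.
ARP_REPLIES_TSV = """\
0.000000\t192.168.1.1\taa:bb:cc:00:00:01\t192.168.1.50
0.100000\t192.168.1.50\taa:bb:cc:00:00:50\t192.168.1.1
1.200000\t192.168.1.1\tde:ad:be:ef:00:99\t192.168.1.50
1.250000\t192.168.1.50\tde:ad:be:ef:00:99\t192.168.1.1
2.000000\t192.168.1.1\taa:bb:cc:00:00:01\t192.168.1.50
"""


def parse_replies(tsv):
    """Yield (seconds, sender_ip, sender_mac, target_ip) from tshark's tab-separated fields."""
    for line in tsv.splitlines():
        if not line.strip():
            continue
        ts, sender_ip, sender_mac, target_ip = line.split("\t")
        yield float(ts), sender_ip, sender_mac.lower(), target_ip


def analyse_arp(replies):
    """Return findings as (kind, seconds, subject, detail) tuples, in capture order.

    ip-mac-conflict: an IP is announced by a different MAC than last seen (the poisoning
    signature, but also what a VRRP failover or DHCP address reuse looks like).
    mac-claims-multiple-ips: one MAC answers for several IPs (normal for a router,
    suspicious for an ordinary host). Corroborate both against the switch's MAC table.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported_multi = set()
    findings = []
    for ts, sender_ip, sender_mac, _target in replies:
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            findings.append(("ip-mac-conflict", ts, sender_ip, f"{previous} -> {sender_mac}"))
        ip_to_mac[sender_ip] = sender_mac
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1 and sender_mac not in reported_multi:
            reported_multi.add(sender_mac)
            findings.append(("mac-claims-multiple-ips", ts, sender_mac, sorted(mac_to_ips[sender_mac])))
    return findings


def flip_flop_ips(replies):
    """IPs whose MAC changed more than once: the real owner and the spoofer alternating."""
    changes = defaultdict(int)
    last = {}
    for _ts, ip, mac, _target in replies:
        if ip in last and last[ip] != mac:
            changes[ip] += 1
        last[ip] = mac
    return sorted(ip for ip, n in changes.items() if n > 1)


if __name__ == "__main__":
    replies = list(parse_replies(ARP_REPLIES_TSV))
    for finding in analyse_arp(replies):
        print(finding)
    print("flip-flopping IPs:", flip_flop_ips(replies))
```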

Packet Capture using Wireshark, tshark, and tcpdump

  • Packet Capture Tools: Utilizing Wireshark, tshark, and tcpdump for capturing network traffic.
  • Example: Capturing packets with tcpdump to analyze the flow of data during a suspected incident.

Packet Filtering

  • Filtering Traffic: Employing filters to focus on specific packets of interest.
  • Example: Setting Wireshark filters to isolate traffic from a specific IP address.

Extraction of Data from PCAP file

  • Data Extraction: Extracting relevant information from packet capture (PCAP) files.
  • Example: Extracting file attachments from email traffic captured in a PCAP file.

NetFlow vs Wireshark

  • NetFlow vs. Wireshark: Comparing flow-based network monitoring with packet-level analysis.
  • Example: Using NetFlow to identify patterns in network traffic and Wireshark for detailed packet inspection.

Analysis of logs

  • Log Analysis: Reviewing logs for security events and anomalies.
  • Example: Analyzing firewall logs to identify patterns of unauthorized access attempts.

Cisco logs

  • Cisco Log Analysis: Studying logs generated by Cisco networking devices.
  • Example: Analyzing Cisco router logs to detect network configuration changes or security incidents.

Apache Logs

  • Apache Log Analysis: Examining logs generated by Apache web servers.
  • Example: Investigating Apache access logs to identify suspicious web requests.
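Added example, not from the original page: a parser for Apache's combined log format run over constructed log lines, flagging percent-encoded directory traversal and clients that accumulate 404s (the footprint of directory guessing). The IPs and paths are made up, and the 404 threshold is an assumption to tune per site.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access-log lines (not from a real server); documentation IP ranges only.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:21:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jan/2024:21:20:02 +0000] "GET /..%2f..%2fetc/passwd HTTP/1.1" 404 233 "-" "curl/8.4.0"
198.51.100.9 - - [17/Jan/2024:21:20:02 +0000] "GET /admin/ HTTP/1.1" 404 233 "-" "curl/8.4.0"
198.51.100.9 - - [17/Jan/2024:21:20:03 +0000] "GET /backup.zip HTTP/1.1" 404 233 "-" "curl/8.4.0"
198.51.100.9 - - [17/Jan/2024:21:20:03 +0000] "GET /.env HTTP/1.1" 404 233 "-" "curl/8.4.0"
203.0.113.7 - - [17/Jan/2024:21:20:05 +0000] "POST /login HTTP/1.1" 302 - "https://example.test/" "Mozilla/5.0"
this line is not in combined format
"""

# A '..' path segment bounded by slashes or backslashes, checked after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_log(text):
    """Return (parsed entries, count of unparseable lines); each entry is the regex group dict."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            bad += 1          # keep counting: a burst of unparseable lines is itself a finding
    return entries, bad


def find_traversal(entries):
    """Requests whose decoded path contains a '..' segment; decode twice to catch double encoding."""
    hits = []
    for e in entries:
        decoded = unquote(unquote(e["path"]))
        if TRAVERSAL_RE.search(decoded):
            hits.append((e["ip"], e["path"], e["status"]))
    return hits


def find_scanners(entries, min_404=3):
    """Client IPs with at least min_404 responses of 404 (assumed threshold)."""
    not_found = Counter(e["ip"] for e in entries if e["status"] == "404")
    return {ip: n for ip, n in not_found.items() if n >= min_404}


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries, {bad} unparseable")
    print("traversal:", find_traversal(entries))
    print("scanners:", find_scanners(entries))
```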

IIS Logs

  • IIS Log Analysis: Analyzing logs generated by Microsoft Internet Information Services (IIS).
  • Example: Examining IIS logs to detect unusual patterns or potential security breaches.

Other System Logs

  • System Log Analysis: Studying logs from various systems for forensic purposes.
  • Example: Reviewing Windows event logs to identify system-level security events or user activities.

Unit 3: Memory Forensics

  • History of Memory Forensics
  • x86/x64 Architecture
  • Data Structures
  • Volatility Framework & Plugins
  • Memory Acquisition
  • File Formats – PE/ELF/Mach-O
  • Processes and Process Injection
  • Windows Registry
  • Command Execution and User Activity
  • Networking: Sockets, DNS, and Internet History
  • File System Artifacts including $MFT, Shellbags, Paged Memory, and Advanced Registry Artifacts
  • Related Tools – Bulk Extractor and YARA
  • Timelining Memory
  • Recovering and Tracking User Activity
  • Recovering Attacker Activity from Memory
  • Advanced Actor Intrusions

History of Memory Forensics

  • Historical Overview: Evolution of memory forensics as a discipline for analyzing volatile system memory.
  • Example: Introduction of the first memory analysis tools like Memdump in the early 2000s.

x86/x64 Architecture

  • Architecture Types: Understanding the x86 and x64 architectures prevalent in computer systems.
  • Example: Differentiating between 32-bit and 64-bit memory structures for analysis purposes.

Data Structures

  • Memory Structures: Understanding data structures in volatile memory for forensic analysis.
  • Example: Recognizing the layout of process control blocks (PCBs) within memory.

Volatility Framework & Plugins

  • Volatility: An open-source framework for analyzing memory dumps.
  • Example: Using Volatility plugins to extract information about running processes or network connections from memory.

Memory Acquisition

  • Acquisition Methods: Techniques for capturing volatile memory for forensic analysis.
  • Example: Using tools like DumpIt or LiME to acquire memory from a live system.

File Formats – PE/ELF/Mach-O

  • Executable Formats: Recognizing file formats for executables in memory.
  • Example: Identifying a PE (Portable Executable) file format in Windows memory.

Processes and Process Injection

  • Process Analysis: Studying active processes and detecting injected processes.
  • Example: Investigating a memory dump to find signs of process injection used in malware.

Windows Registry

  • Registry Analysis: Examining the Windows Registry stored in memory for forensic insights.
  • Example: Identifying changes to registry keys related to recent system activity.

Command Execution and User Activity

  • Activity Analysis: Tracing command execution and user activities in memory.
  • Example: Analyzing command history stored in memory to understand recent user actions.

Networking: Sockets, DNS, and Internet History

  • Network Analysis: Extracting information about network-related activities from memory.
  • Example: Identifying open sockets or DNS queries stored in memory.

File System Artifacts including $MFT, Shellbags, Paged Memory, and Advanced Registry Artifacts

  • File System Artifacts: Analyzing artifacts related to the file system in memory.
  • Example: Investigating the Master File Table ($MFT) in memory for file metadata.

Related Tools – Bulk Extractor and YARA

  • Forensic Tools: Using tools like Bulk Extractor for large-scale data extraction and YARA for pattern matching.
  • Example: Employing YARA rules to identify specific malware patterns in memory dumps.

Timelining Memory

  • Timelining: Creating a chronological timeline of events based on memory artifacts.
  • Example: Constructing a timeline of processes and network connections from memory data.

Recovering and Tracking User Activity

  • User Activity Recovery: Extracting and analyzing user-related actions from memory.
  • Example: Tracking login/logout events and file access patterns in memory.

Recovering Attacker Activity from Memory

  • Attacker Activity: Identifying and analyzing traces of malicious activity in memory.
  • Example: Detecting signs of privilege escalation or lateral movement by analyzing memory contents.

Advanced Actor Intrusions

  • Advanced Intrusions: Investigating complex and sophisticated attacks through memory forensics.
  • Example: Analyzing memory for indicators of advanced persistent threats (APTs) and complex attack techniques.

Unit 4: Virtual Machine Forensics

  • Types of Hypervisors
  • Hypervisor Files and Formats
  • Use and Implementation of Virtual Machines in Forensic Analysis
    • Use of VMware to Establish Working Version of Suspect’s Machine
    • Networking and Virtual Networks within Virtual Machine
    • Forensic Analysis of a Virtual Machine
      • Imaging of a VM
      • Identification and Extraction of Supporting VM Files in the Host System
      • VM Snapshots
      • Mounting Image
      • Searching for Evidence

Types of Hypervisors

  • Type 1 Hypervisor: Runs directly on hardware, providing better performance.
  • Example: VMware ESXi, Microsoft Hyper-V Server.
  • Type 2 Hypervisor: Runs on a host operating system, suitable for development and testing.
  • Example: Oracle VirtualBox, VMware Workstation.

Hypervisor Files and Formats

  • VMDK (Virtual Machine Disk): VMware’s virtual disk format for storing virtual machine files.
  • Example: A forensic investigator encounters a VMDK file while analyzing a virtual machine.
  • VHD (Virtual Hard Disk): Microsoft’s virtual disk format used by Hyper-V.
  • Example: Identifying a VHD file during the examination of a virtual machine on a Windows system.

Use and Implementation of Virtual Machines in Forensic Analysis

  • Implementation: Deploying virtual machines for forensic analysis to maintain the integrity of evidence.
  • Example: Creating a virtual machine clone for forensic examination without altering the original evidence.

Use of VMware to Establish Working Version of Suspect’s Machine

  • VMware Usage: Employing VMware to create a virtual copy of a suspect’s machine for analysis.
  • Example: Setting up a VMware environment to replicate the suspect’s system without compromising the original.

Networking and Virtual Networks within Virtual Machine

  • Virtual Networks: Configuring network settings within a virtual machine for connectivity.
  • Example: Investigating network traffic within a virtual machine to trace communication patterns.

Forensic Analysis of a Virtual Machine

  • Analysis: Examining digital evidence within a virtual machine environment.
  • Example: Inspecting registry entries and file artifacts within a virtual machine for forensic insights.

Imaging of a VM

  • Imaging: Creating a forensic image of the entire virtual machine for analysis.
  • Example: Using forensic tools to create a bit-by-bit copy of a virtual machine’s disk for preservation and examination.

Identification and Extraction of Supporting VM Files in the Host System

  • Identification: Locating and extracting supporting files related to a virtual machine on the host system.
  • Example: Extracting configuration files or snapshots from the host machine to understand the VM’s state.
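Added example (not the page's own material) showing how the supporting files are enumerated from the host side: it reads a constructed .vmx to find the active disk, follows the VMDK descriptor's parentFileNameHint chain from the snapshot delta back to the base disk, and lists every extent file so none is missed at collection. The descriptor syntax is VMware's; file names and CIDs are invented.

```python
import re

# Constructed contents of a VM directory on the host (not a real case), keyed by file name.
HOST_FILES = {
    "suspect.vmx": (
        'displayName = "suspect"\n'
        'scsi0:0.fileName = "suspect-000001.vmdk"\n'
        'nvram = "suspect.nvram"\n'
    ),
    # Delta disk created by a snapshot; it points back at the base descriptor.
    "suspect-000001.vmdk": (
        "# Disk DescriptorFile\nversion=1\nCID=a1b2c3d4\nparentCID=fffffffe\n"
        'createType="twoGbMaxExtentSparse"\nparentFileNameHint="suspect.vmdk"\n'
        '# Extent description\nRW 4192256 SPARSE "suspect-000001-s001.vmdk"\n'
        'RW 2048 SPARSE "suspect-000001-s002.vmdk"\n'
    ),
    "suspect.vmdk": (
        "# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n"
        'createType="twoGbMaxExtentSparse"\n'
        '# Extent description\nRW 4192256 SPARSE "suspect-s001.vmdk"\n'
        'RW 2048 SPARSE "suspect-s002.vmdk"\n'
    ),
}

# Extent line: access mode, size in sectors, extent type, quoted file name.
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"')


def read_vmx(text):
    """Parse the key = "value" lines of a .vmx into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def descriptor_chain(name, files):
    """Follow parentFileNameHint back to the base disk: [(descriptor, extents)], extents None if missing."""
    chain, seen = [], set()
    while name and name not in seen:          # 'seen' guards against a looping hint
        seen.add(name)
        text = files.get(name)
        if text is None:
            chain.append((name, None))        # referenced but absent: must be located elsewhere
            break
        extents, parent = [], None
        for line in text.splitlines():
            m = EXTENT_RE.match(line)
            if m:
                extents.append(m.group(2))
            elif line.startswith("parentFileNameHint="):
                parent = line.split("=", 1)[1].strip().strip('"')
        chain.append((name, extents))
        name = parent
    return chain


def files_to_collect(vmx_name, files):
    """Return (sorted host files needed to rebuild the VM's disks and firmware state, missing descriptors)."""
    cfg = read_vmx(files[vmx_name])
    wanted, missing = {vmx_name}, []
    if "nvram" in cfg:
        wanted.add(cfg["nvram"])
    for key, value in cfg.items():
        if key.endswith(".filename") and value.lower().endswith(".vmdk"):
            for desc, extents in descriptor_chain(value, files):
                wanted.add(desc)
                wanted.update(extents or [])
                if extents is None:
                    missing.append(desc)
    return sorted(wanted), missing
```

Snapshot metadata (.vmsd, .vmsn) and any suspended-memory (.vmem, .vmss) files sit beside the .vmx and should be collected from the same directory.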

VM Snapshots

  • Snapshots: Capturing the state of a virtual machine at a specific point in time.
  • Example: Analyzing VM snapshots to understand changes made to the virtual machine over different sessions.

Mounting Image

  • Mounting: Attaching a forensic image of a virtual machine to examine its contents.
  • Example: Mounting a forensic image of a virtual machine to browse and extract specific files.

Searching for Evidence

  • Evidence Search: Conducting searches within the virtual machine for relevant forensic evidence.
  • Example: Using forensic tools to search for specific keywords or file types within the virtual machine’s file system.

Unit 5: Cloud Forensics

  • Introduction to Cloud Computing
  • Challenges Faced by Law Enforcement and Government Agencies
  • Cloud Storage Forensic Framework
    • Evidence Source Identification and Preservation in the Cloud Storage
    • Collection of Evidence from Cloud Storage Services
    • Examination and Analysis of Collected Data
      • Cloud Storage Forensic Analysis
      • Evidence Source Identification and Preservation
      • Collection of Evidence from Cloud Storage Devices
      • Examination and Analysis of Collected Data
  • Dropbox Analysis
    • Data Remnants on User Machines
    • Evidence Source Identification and Analysis
    • Collection of Evidence from Cloud Storage Services
    • Examination and Analysis of Collected Data
  • Google Drive
    • Forensic Analysis of Cloud Storage and Data Remnants
    • Evidence Source Identification and Analysis
    • Collection of Evidence from Cloud Storage Services
    • Examination and Analysis of Collected Data
  • Issues in Cloud Forensics
  • Case Studies

Introduction to Cloud Computing

  • Definition: Cloud computing refers to the delivery of computing services, including storage, processing power, and applications, over the internet.
  • Example: Amazon Web Services (AWS) provides cloud computing services, allowing users to access computing resources on-demand.

Challenges Faced by Law Enforcement and Government Agencies

  • Challenge: Jurisdictional issues arise as data may be stored in servers located in different geographical locations.
  • Example: A suspect’s data stored on a server in another country may require legal cooperation between jurisdictions for access.

Cloud Storage Forensic Framework

  • Framework: A systematic approach to investigating and analyzing digital evidence stored in cloud environments.
  • Example: NIST Cloud Forensic Science Framework provides guidelines for cloud forensic investigations.

Evidence Source Identification and Preservation in Cloud Storage

  • Identification: Determining the source of digital evidence within cloud storage platforms.
  • Example: Identifying a specific user account as the source of potentially relevant data in a cloud storage service.

Collection of Evidence from Cloud Storage Services

  • Collection: Gathering digital evidence from cloud storage platforms for forensic analysis.
  • Example: Using forensic tools to extract files and metadata from a suspect’s Google Drive account.

Examination and Analysis of Collected Data

  • Examination: In-depth review of the collected digital evidence for insights and patterns.
  • Example: Analyzing timestamps and file access patterns to reconstruct a timeline of events in a cloud storage account.

Cloud Storage Forensic Analysis

  • Analysis: Systematic examination of digital evidence to draw conclusions.
  • Example: Analyzing access logs and version history in Dropbox to determine if files were tampered with or accessed by unauthorized users.

Dropbox Analysis

  • Examination: In-depth scrutiny of digital evidence within the Dropbox cloud storage service.
  • Example: Investigating file-sharing activities and collaboration logs in Dropbox to understand the flow of information.

Data Remnants on User Machines

  • Remnants: Traces of data left on user devices after interacting with cloud storage.
  • Example: Locating cached files or temporary data on a user’s computer related to files stored in the cloud.

Evidence Source Identification and Analysis

  • Identification: Locating and attributing digital evidence to specific sources.
  • Example: Determining if files found on a user’s local machine are linked to their activities on a cloud storage service.

Google Drive Forensic Analysis

  • Examination: Detailed analysis of digital evidence within Google Drive.
  • Example: Investigating file permissions, sharing activities, and revision history in Google Drive for forensic purposes.

Issues in Cloud Forensics

  • Issues: Challenges and concerns related to conducting forensics in cloud environments.
  • Example: Encryption and privacy concerns when accessing data stored in a cloud service during a forensic investigation.

Case Studies

  • Case Studies: Real-world examples illustrating challenges and solutions in cloud forensics.
  • Example: Analyzing a case where cloud-stored data played a crucial role in a cybercrime investigation, highlighting the unique challenges faced.
