Cyber Security Forensics: Know all about restoring deleted files and evidence of execution.
C-DAC, The institution, which has developed a number of cyber forensic tools such as True Back, Cyber Check, Email Tracer, Cyber Investigator, Hasher and PDA Analyzer has proved the robustness of its tools used for probing cyber crimes.
Union Minister Raja said government had taken steps to amend the IT Act so that information collected using Cyber Forensic Tools developed by C-DAC would be considered as solid evidence in any court of law in the country. As of now, courts do not accept such information as evidence. The amendment would be brought in the next Parliament session.
TIP #1 :CyberCheck: Disk Forensics Tool
Cybercheck is a Windows-based application, which allows law enforcement agencies to analyze hard disk content, including deleted files.
CyberCheck supports data indexing. The text data in different document file formats can be indexed. This index-based search gives faster results compared to conventional search. The search facility of CyberCheck supports adding multiple keywords, regular expression and fuzzy options with filtering based on date and file size. CyberCheck has Unicode based searching to find data in any languages, search based on file hash values and search based on filename with wildcard options.
Other Features
Web browser based user interface.
Multiuser solution with multiple case analysis option.
Registry Analysis.
Sophisticated data carving facility to carve documents, images, audio and video.
Disk Indexing with stop and resume options.
Browser analysis feature for extracting forensically relevant information from Google Chrome, Firefox, Safari and Opera.
Communication App analyser for Microsoft Windows 10.
Shell bag Analysis & Anti Forensic activities detection like Signatures Mismatch analysis and password protected files detection.
Advanced Timeline Analysis with multiple event options.
Known good file filtering using NSRL dataset.
Document language detection.
Recycle bin data extraction.
Recover images from thumbnail database.
Evidence hash verification using MD5, SHA1, SHA256 and SHA512 algorithms
Can convert proprietary evidence file formats to raw image.
Integrated viewer for file content, Meta information, pictures and file hex-values.
Integrated Gallery view for viewing all pictures in the evidence.
File hash computation in MD5, SHA1, SHA256 and SHA512 algorithms
File bookmarking and bulk file export.
Tip #2: Win-LiFTImagerBuilder (Tool for building Win-LiFTImager)
Win-LiFT Imager Builder, which runs in the Investigator's machine, builds Win-LiFTImager tool.
Features
Facility to enter crime details
Facility to select / deselect the list of volatile artifacts to be collected from the Suspect's system
Win-LiFTImager (Forensic Volatile Data Acquisition Tool)
Facility to select USB/Hard Disk drive to which Win-LiFTImager tool is to be built
Searching and Filtering
Searching and filtering helps to reach analyst's goals faster. Flexible filter expressions are provided for packet level analysis and for data level analysis. The data level filtering supports filtering based on date, time, IP, MAC and port. The regular expression based searching gives the analyst the full power that he expects from a tool.
Features
Analyze the Live Forensics data captured by Win-LiFTImager from the Suspect's machine
Advanced Memory Analysis from Windows XP and Windows 7 Physical Memory dump to extract the following forensically sound information
Running Process and its associated details
Process Reconstruction
Bitlocker Key Reconstruction
Internet usage based Information
MFT Records
Executable Reconstruction
Structural Analysis of Reconstructed Executables
Forensic Data Carving
Event Log Analysis
Browser Forensics of IE, Edge, Chrome, Firefox, Mozilla and Safari
Keyword Searching facility
Detailed Report Generation
Bookmarking and appending to Report facility
Facility to save and print Report
Independent Loading and analysis of Memory dump
Hash Verification of acquired information
Other Features
Display forensic evidence acquired in List/Tree/Summary View.
Gallery View and Summary view
Text-Hex View of raw files with built-in search and go to facility.
Parent-Child view of Running processes
This first tip should be a juicy one. It’ll keep your readers with you.
Tip #3: NeSA (Network Packet Analysis Tool)
NetForce is a collection of three tools named NeSA, CyberInvestigator and EmailTracer used for Network Forensics. NeSA is used for packet analysis, CyberInvestigator is used for log analysis and EmailTracer is used for email tracing.
NeSA (Network Packet Analysis Tool)
Networks Forensics Tool to capture and analyse network traffic. Data sent through the network can be captured, recreated and exported using this tool.
Data Reconstruction
With the help of flexible and powerful filtering system, data from HTTP, SMTP, POP3 and FTP session can be recreated and visualized in an analysis friendly manner. The tool has built-in data viewers including a Mailview, to help the analyst to concentrate on analysis.
Analysis Modes
NeSA supports both data level and packet level analysis of network data. In data level, the analyst can concentrate on the data and can avoid the nuts and bolts of network protocols. But if he/she wishes to dig deeper, the packet analysis mode is ready to extend its helping hands.
Searching and Filtering
Searching and filtering helps to reach analyst's goals faster. Flexible filter expressions are provided for packet level analysis and for data level analysis. The data level filtering supports filtering based on date, time, IP, MAC and port. The regular expression based searching gives the analyst the full power that he expects from a tool.
Other Features
Loads pcap formatted dump files and rebuilds TCP sessions.
Reconstructs files from HTTP, FTP, SMTP and POP3 packets.
Built in Hex, Thumbnail, File and Mail view.
Powerful filter for filtering TCP sessions and packets.
Regular expression based search capability.
Supports port customization and time zone based analysis.
Loads multiple pcap files.
Statistics generation.
IP Tracing.
Merging and sorting of packets.
DNS Attack analysis.
Report generation.
Can capture from multiple interfaces.
CyberInvestigator (Log Analysis Tool)
CyberInvestigator is a Network Forensics Tool for log analysis. It involves gathering different kinds of logs available in machines which were compromised in an attack. The analysis involves tracing down the intrusions, usage of network and creating a detailed forensic report. Network Forensic analysts should analyze various type of logs such as Linux, Unix and Windows OS Logs, Web Server Logs, Database Logs, Firewall Logs, IDS Logs, VPN Logs, Router Logs, Proxy Logs, Windows Domain Logs, Wireless Access Point Logs etc. Manual analysis of these logs is very cumbersome and analysts need special tools to efficiently analyze and find out different types of attacks and other types of criminal activities.
Features
Supports Windows Logs, Linux Logs
Supports Analysis of wtmp, utmp, secure, mail, message, cron, access and IIS logs
Investigator friendly User Interface
Finds out Successful Login & Login Failures
Finds out the Insertion & Removal of Removable Media Displays Software Installation & Uninstallation details
Provides Intrusion Analysis
Provides Web Traffic Analysis
Customized Reports
EmailTracer
EmailTracer is a forensic tool to track email sender's identity. It can be used to trace the sender's details of any email by analyzing its header. The tool is able to analyze email headers collected from web based and local mail programs. EmailTracer gives details of the sending machine including IP address, which is the key point to find the culprit. It also gives geographical location of the sender, route traced by the email etc. It can also be used for retrieving emails and its details from mailbox files of local mail programs like Outlook Express(.dbx), .Microsoft Outlook(.pst), Eudora(.mbx), Pegasus(.cnm), The Bat(.tbb), Netscape Messenger(.nsm), Incredimail(.imm), KMail(MailDir), Mozilla(.mbox) and Windows7 Mail(.eml).
Trace IP Address of the machine from which mail is sent
Analyze email header collected from web based mail program like Yahoo!, Hotmail, Rediff etc.
Generates detailed analysis report in HTML format
Detects the city and country IP address location of the sender. Plots route traced by the mail from the sender to the receiver. Displays the geographic location of the mail in the world map. Whois Search, NS LookUp and IP TraceBack Facility
Extract emails from mailbox files of different local mail clients
Keyword Searching facility on recovered emails
Facility to extract and save attachments in native format
Facility to extract embedded mails
Facility to extract and analyze email header
Facility to save suspicious emails in .eml format
Tip #4 - Mix it up : DEMS
Information Technology revolution has changed the way the world lives. Electronic gadgets and devices exist in our society in myriad forms. Along with this development the amount of criminal activities associated with electronic devices also started increasing. Every crime has an electronic component associated with it. The investigation and analysis of these will be very pivotal in modern crime investigations. So, investigators have to deal with large volumes of digital devices as material evidence. These digital evidences have to undergo analysis and sometimes to be shared with external agencies for detailed analysis. Maintaining chain of custody and managing the life cycle of evidence is extremely difficult in such situations. The Digital Evidence Management System (DEMS) is a web evidence management system developed by CDAC, Thiruvananthapuram. The DEMS is mainly targeted for law enforcement agencies and analysis labs for managing large volumes of digital evidence including the chain of custody. It shall also be used for enterprises or government departments, who have to handle digital evidence.
Features
Provision to include additional dynamic fields to capture all details of Cases and Evidences
Provision to securely upload all forms digital images belonging to hard disk, image files, audio files, video files, Call Data Records (CDR) and mobile phones
Provide secure access to all digital images for authorized users
Extensive search and filter capabilities for Cases and Evidences
Email/SMS Notifications for updates on Cases and Evidences
Facility to upload analysis reports
Multiple levels of authorization for users
Feature rich dashboard for quick insight
Workflow support Case and Evidence Life Cycle Management
Rule based Service Level Agreements (SLA) for Case and Evidence handling
Comprehensive analysis and reporting
Tip #5 - Evidence Collection & Seizure
When a compromise of security or a unauthorized/illegal action associated with a computer is suspected, it is important that steps are taken to ensure the protection of the data within the computer and/or storage media.
The initial response to a computer security incident may be more important than later technical analysis of the computer system because of the actions taken by incident response team members. Actions taken by the incident response team impact subsequent laboratory examinations of the computer and/or media. Of most importance is that the first responder act appropriately.
In the event of a suspected computer incident, care must be taken to preserve evidence in its original state. While it may seem that simply viewing files on a system would not result in alteration of the original media, opening a file changes it. From a legal sense, it is no longer the original evidence and may be inadmissible in any subsequent legal or administrative proceedings.
The activities/procedures for securing a suspected computer incident scene include
Securing the scene
Shutting down the computer
Labeling the evidence
Documenting the evidence
Transporting the evidence
Providing chain-of-custody documentation
Documentation is key.
Detailed notes should be maintained during all aspects of the scene processing. This not only includes the usual who, what, where, when but overall observations of the scene. A evidence/property document should contain entries with a description of the items (model and serial number), any visible markings present on the item, the condition of the item, the manner it was marked for evidence and the location from within the scene it was seized. Every item of evidence has its own characteristics, but should be identified in a manner it can be easily identified at a later date. Items should be collected as found and documented.
Happy to do it all for you. Do let us know in case of any emergency. Cynorsense are of expertise are in forensics and security operations. We have seen them all recovered. Hope this blog post helped you know little more. Subscribe and follow us on Linkedin and Facebook to get instant updates. Please do comment for more interactive details.