
Vidya Vikas Education Trust’s

Universal College of Engineering


Accredited with ‘B+’ Grade by NAAC | Recognized as a Linguistic (Gujarati) Minority Institute

Approved by AICTE, DTE, Maharashtra State Government and Affiliated to Mumbai University

Academic Year: 2021-22 Semester VI


Name: Aditya Patil, Roll no: 45, Branch: IT, Subject: Ethical Hacking and Digital Forensics
Subject In charge: Mr. Akshay Agarwal

Q1. Explain the guidelines for incident report writing. Give one report-writing example.

Ans: General Guidelines for Report Creation


Reports are written to provide information to the reader and must start with a solid
foundation. Investigators can have difficulty presenting their findings efficiently if the
report is prepared without general guidelines or standards. Some general guidelines
which must be followed while creating digital forensic reports are given below:

• Summary − The report must contain a brief summary of the information so that the
reader can ascertain the report’s purpose.
• Tools used − The tools used to carry out the digital forensic process must be named,
including their purpose.
• Repository − If, for example, someone’s computer was investigated, then the summary of
the evidence and the analysis of relevant material (email, internal search history, etc.)
must be included in the report so that the case is clearly presented.
• Recommendations for counsel − The report must recommend to counsel whether to
continue or cease the investigation, based on the findings in the report.

Name: Shreya Sankhe INFORMATION TECHNOLOGY Page 1


Fig 1.1: Computer Forensics Report format

Fig 1.2: Phase of Digital Forensics

Sample Report:

Overview / Case Summary

On April 11, 2011, Paul Ceglia filed an Amended Complaint seeking a share of
Facebook. Mr. Ceglia based his claim on a purported contract between Mr. Ceglia and
Mark Zuckerberg (the “Work for Hire Document”). In addition, the Amended Complaint
included excerpts of purported emails between Mr. Ceglia and Mr. Zuckerberg (the
“Purported Emails”).

Objectives

This report is a summary of Stroz Friedberg’s findings regarding the authenticity of the Work for
Hire Document and the Purported Emails based on its analysis of the media produced by Mr.
Ceglia pursuant to data received as part of expedited discovery. This report is not intended to
detail each and every aspect of Stroz Friedberg’s work in this engagement.

Evidence Analyzed

Pursuant to the Court Order, Stroz Friedberg collected digital media made available by Mr.
Ceglia. Stroz Friedberg inspected the data on the following media for analysis according to the
terms of the Court-ordered Protocol: A Compaq Presario SR5413WM desktop computer with a
250 gigabyte hard drive. An eMachines ET1161-05 desktop computer with a 160 gigabyte hard
drive. A Toshiba Satellite L305-55968 laptop computer with a 320 gigabyte hard drive. A 200
gigabyte Maxtor Personal Storage 3200 external hard drive. A 500 gigabyte Western Digital
internal hard drive. 174 floppy disks.

Using widely-accepted digital forensic techniques and procedures, digital forensic personnel
from Stroz Friedberg made bit-for-bit, verified forensic copies or images of: the hard drive within
the Compaq Presario desktop computer; the hard drive within the eMachines desktop computer;
the hard drive within the Toshiba Satellite laptop computer; the Maxtor external hard drive; the
Seagate Hard Drive; and 173 of the 174 floppy disks.

The digital forensic copying process captured the entire contents of each piece of media,
including the active user-accessible files, the deleted files, and the unallocated space, which
may contain deleted content. Because the forensic image created by Plaintiff’s Expert is a
forensic image file, Stroz Friedberg used a forensically-sound copy method to copy the forensic
image file on that drive to preservation media.

Investigation Steps

Stroz Friedberg conducted its analysis of the Ceglia media pursuant to the Protocol issued by the
Court. Stroz Friedberg searched and analyzed the Ceglia Media “to identify only documents,
data, fragments, and artifacts that reasonably appear[ed] to be related to the authenticity of the
[Work for Hire Document] attached to the Amended Complaint and the Purported Emails
described in the Amended Complaint.” The documents, data, fragments, and artifacts found by
Stroz Friedberg that reasonably appeared to be related to the authenticity of the Work for Hire
Document or the Purported Emails first were produced to Mr. Ceglia’s attorneys for a privilege
review. The material was turned over to attorneys from Gibson Dunn only if no privilege objection
was raised, an asserted privilege objection was withdrawn by Mr. Ceglia or his attorneys, or an
assertion of privilege was overruled by the Court. Stroz Friedberg has followed the terms of the
Protocol for all data found on the Ceglia Media and any other data subject to the Protocol during
its analysis, including the procedures for privilege review and production set forth above and the
maintenance of a search log.

During this analysis, Stroz Friedberg employed a methodology tailored to the particular facts of
this case. Stroz Friedberg’s methodology included: (1) conducting keyword and other searches
of the digital forensic copies of the Ceglia Media and other data, including webmail accounts, to
identify responsive documents or fragments of documents; (2) manually reviewing the
documents containing keyword hits, certain unsearchable file types, such as image files with no
text, and other documents to determine whether they were relevant to the authenticity of the
Work for Hire Document or the Purported Emails; and (3) reviewing the digital forensic copies of
the Ceglia Media for digital forensic artifacts relevant to the authenticity of the Work for Hire
Document or the Purported Emails.

Findings

No exact copies of the Work for Hire Document were found on the Ceglia Media, which
comprised hundreds of pieces of media - including computers, hard drives and floppy disks.
Stroz Friedberg used a methodology that would have identified any copies of the Work for Hire
Document on the Ceglia Media if they had been present. Instead of the purported Work for Hire
Document, Stroz Friedberg found on the Ceglia Media seven unsigned versions of the Work for
Hire Document that are very similar but not identical to the purported Work for Hire Document.
All seven of those electronic documents contain metadata anomalies indicative of backdating
and document manipulation. Mr. Ceglia’s Amended Complaint purports to quote from or
otherwise reference 22 Purported Emails between Mr. Ceglia and Mr. Zuckerberg. During the
litigation, Mr. Ceglia acknowledged that he did not keep the Purported Emails referenced in the
Amended Complaint in their original native form, that is to say, as individual files in message
format. Rather, he claimed to have copied-and-pasted the text of the Purported Emails into
Microsoft Word documents saved to floppy disks in order to

Stroz Friedberg found substantial evidence that all three of the Word documents containing the
purported emails are backdated. The effect of backdating is to obscure the true date and time at
which computer activity, such as the creation or modification of documents, occurred.
Backdating can be accomplished by setting the system clock on a computer hard drive to an
earlier date, such that activity that occurs on the hard drive while the computer is in a backdated
state will appear to have occurred at that earlier time.

Moreover, the last printed date of the document is February 15, 2011, while the document’s last
modified date is April 25, 2003. As discussed above, absent backdating or manipulation of the
system clock, it is not possible for a file’s last printed date to post-date its last modification date.
Therefore, this document was fabricated on or after February 15, 2011. This date is years after
the Work for Hire Document was allegedly signed and months after Mr. Ceglia filed this lawsuit.
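The impossibility the report relies on (a last-printed stamp later than the last-modified stamp, which an honest clock cannot produce) is one of several consistency checks an examiner runs over a document's application metadata. The following Python example is added to this answer to show that logic in code; it is not part of the Stroz Friedberg report or of the original answer. The metadata records, the document names and the `imaged_on` acquisition date are constructed for the example; only the two dates in `doc_C.doc` come from the text above.

```python
from datetime import datetime

# Constructed document-metadata records (not the exhibits from the report). doc_C carries
# the two dates quoted above: last printed 15 Feb 2011 against last modified 25 Apr 2003.
SAMPLE_DOCS = [
    {"name": "doc_A.doc", "created": "2003-04-25T09:10:00", "modified": "2003-04-25T11:42:00",
     "last_printed": "2003-04-25T11:30:00", "total_edit_minutes": 150},
    {"name": "doc_B.doc", "created": "2003-04-25T11:50:00", "modified": "2003-04-25T11:42:00",
     "last_printed": None, "total_edit_minutes": 40},
    {"name": "doc_C.doc", "created": "2003-04-25T09:10:00", "modified": "2003-04-25T11:42:00",
     "last_printed": "2011-02-15T10:21:00", "total_edit_minutes": 9000},
]


def _ts(value):
    """ISO-8601 string (or None / datetime) -> datetime (or None)."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def metadata_anomalies(doc, imaged_on=None):
    """Anomaly codes for one document's application metadata. Each code is something an
    honest clock cannot produce, so a hit means the system clock was set back (backdating)
    or the metadata was edited directly:
      printed_after_modified  - last-printed stamp later than last-modified stamp
      created_after_modified  - creation stamp later than last-modified stamp
      edit_time_exceeds_span  - cumulative editing time longer than the created..modified span
      stamp_after_acquisition - any stamp later than the date the media was imaged"""
    created = _ts(doc.get("created"))
    modified = _ts(doc.get("modified"))
    printed = _ts(doc.get("last_printed"))
    imaged_on = _ts(imaged_on)
    found = []
    if printed and modified and printed > modified:
        found.append("printed_after_modified")
    if created and modified and created > modified:
        found.append("created_after_modified")
    if created and modified and created <= modified:
        span_minutes = (modified - created).total_seconds() / 60
        if doc.get("total_edit_minutes", 0) > span_minutes:
            found.append("edit_time_exceeds_span")
    if imaged_on and any(s and s > imaged_on for s in (created, modified, printed)):
        found.append("stamp_after_acquisition")
    return found


def scan(docs, imaged_on=None):
    """Map document name -> anomaly codes, listing only documents with at least one hit."""
    report = {}
    for doc in docs:
        hits = metadata_anomalies(doc, imaged_on)
        if hits:
            report[doc["name"]] = hits
    return report


if __name__ == "__main__":
    # imaged_on is a constructed acquisition date used only to exercise the last check
    for name, hits in scan(SAMPLE_DOCS, imaged_on="2011-01-31T00:00:00").items():
        print(name, "->", ", ".join(hits))
```

In practice the records would be filled from the file's own properties (for example the core and app properties of an Office document) and `imaged_on` from the acquisition record, so that any stamp later than the imaging date is flagged as well.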

Conclusion

Stroz Friedberg found direct and compelling digital forensic evidence that the documents relied
upon by Mr. Ceglia to support his claim are forged. Stroz Friedberg also found what it believes to
be the authentic contract between Mr. Ceglia and Mr. Zuckerberg. That contract contains no
references to Facebook. As described more fully in this report, Stroz Friedberg made the
following findings bearing on the authenticity of the Work for Hire Document and the Purported
Emails: Stroz Friedberg did not find any exact copies of the Work for Hire Document on the
hundreds of pieces of media produced by Mr. Ceglia, including three computers, three hard
drives, 174 floppy disks, and 1,087 CDs (hereinafter, the “Ceglia Media”). Stroz Friedberg did
find a signed copy of an April 28, 2003 contract between Mr. Ceglia and Mr. Zuckerberg, though
it concerns only Mr. Zuckerberg’s work on the Street Fax project and includes no references to
Facebook.
The Purported Emails themselves, which Mr. Ceglia has proffered as authentic communications
with Mr. Zuckerberg, are fabricated. Many of the Purported Emails reflect the wrong time zone.
For example, all of the Purported Emails purportedly sent from October 26, 2003 to April 4,
2004 contain the “-0400” time zone stamp that reflects Eastern Daylight Time. However,
Eastern Daylight Time was not in effect during this time. There is no place in the Continental
United States from which Mr. Ceglia could have sent these Purported Emails with an accurate
“-0400” time zone stamp. The Purported Emails have formatting differences in the email headers
that are inconsistent with Mr. Ceglia’s explanation that he copied-and-pasted the emails into
Word documents. These formatting differences indicate that the Purported Emails were typed or
edited manually and were not solely the result of a copy-and-paste operation. There is no digital
forensic evidence on the Ceglia Media supporting a conclusion that the Work for Hire Document
or the Purported Emails are authentic documents dating from 2003 and 2004. To the contrary,
the digital forensic evidence strongly indicates that these documents were fabricated by Mr.
Ceglia at a later date.
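The time-zone finding above can be reproduced mechanically: for every `Date` header, compute which UTC offsets US Eastern Time could actually have stamped on that local date and time, and flag headers whose offset is not among them. The Python example below is added to this answer (it is not from the report or the original answer) and encodes the US daylight-saving rules directly so it runs without a time-zone database: first Sunday in April to last Sunday in October for 1987-2006, second Sunday in March to first Sunday in November from 2007. It also handles the two edge cases a naive check gets wrong, the repeated 01:00-02:00 hour on the fall-back day (either offset is valid) and the non-existent 02:00-03:00 hour on the spring-forward day (no offset is valid). The sample headers are constructed, not the litigation's emails.

```python
import email.utils
from datetime import datetime, timedelta

STANDARD, DAYLIGHT = timedelta(hours=-5), timedelta(hours=-4)   # EST / EDT


def nth_sunday(year, month, n):
    """n-th Sunday of a month (n=1 first, n=2 second, n=-1 last), as a naive datetime."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    last_day = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def us_dst_window(year):
    """Local wall-clock start/end of US daylight saving time (rules valid 1987 onward):
    1987-2006: first Sunday in April 02:00 to last Sunday in October 02:00;
    2007+:     second Sunday in March 02:00 to first Sunday in November 02:00."""
    if year >= 2007:
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:
        start, end = nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)
    return start.replace(hour=2), end.replace(hour=2)


def valid_eastern_offsets(local):
    """Set of UTC offsets US Eastern Time could legitimately stamp on `local` wall time."""
    start, end = us_dst_window(local.year)
    if start <= local < start + timedelta(hours=1):
        return set()                      # 02:00-03:00 on spring-forward day never exists
    if start <= local < end - timedelta(hours=1):
        return {DAYLIGHT}
    if end - timedelta(hours=1) <= local < end:
        return {STANDARD, DAYLIGHT}       # fall-back hour occurs twice; either is possible
    return {STANDARD}


def fmt_offset(td):
    """timedelta -> RFC 2822 numeric zone such as '-0500'."""
    minutes = int(td.total_seconds()) // 60
    sign, minutes = ("-", -minutes) if minutes < 0 else ("+", minutes)
    return "%s%02d%02d" % (sign, minutes // 60, minutes % 60)


def check_date_header(date_header):
    """Return (claimed offset, offsets Eastern Time could have produced, consistent?)."""
    dt = email.utils.parsedate_to_datetime(date_header)
    if dt.tzinfo is None:                 # e.g. "-0000": no usable zone information
        return ("none", [], False)
    accepted = valid_eastern_offsets(dt.replace(tzinfo=None))
    return (fmt_offset(dt.utcoffset()), sorted(fmt_offset(o) for o in accepted),
            dt.utcoffset() in accepted)


def inconsistent_headers(headers):
    """Filter Date header values down to those Eastern Time could not have stamped."""
    return [h for h in headers if not check_date_header(h)[2]]


# Constructed Date headers (not the litigation's actual emails). The first two claim -0400
# on dates when Eastern Time was on standard time (-0500), the pattern the report describes.
SAMPLE_HEADERS = [
    "Sun, 16 Nov 2003 10:05:00 -0400",
    "Thu, 04 Mar 2004 21:12:33 -0400",
    "Tue, 15 Jul 2003 09:30:00 -0400",
    "Wed, 07 Apr 2004 08:00:00 -0400",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_date_header(h))
```

The check only says whether the stamp is possible for Eastern Time; a sender in another zone would legitimately carry a different offset, so the result is read together with the sender's claimed location, as the report does.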

Exhibits

Fig 3: Some screenshots showing data manipulation

Q 2. Explain the goals of report writing?


Ans: The main goal of computer forensics is to perform a structured investigation on a
computing device to find out what happened or who was responsible for what
happened, while maintaining a properly documented chain of evidence in a formal
report.

Need for Report Creation

The process of digital forensics includes reporting as its third phase. It is one of the most important
parts of the digital forensic process. Report creation is necessary for the following reasons −

• It is the document in which the digital forensic examiner outlines the investigation process and its
findings.

• A good digital forensic report can be referenced by another examiner to reproduce the same result
from the same repositories.

• It is a technical and scientific document that contains facts found within the 1s and 0s of digital
evidence.

Q 3. List and explain different tools used in network forensics.


Ans: Sniffing and analyzing tools help in analyzing network problems, detecting exploitation
attempts, isolating exploited systems, monitoring system usage, etc.

➢ Wireshark
➢ Aircrack-ng
➢ WebScarab
➢ eMailTrackerPro
➢ NetworkMiner

Wireshark: Wireshark is a network packet analyzer. A network packet analyzer
presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining
what’s happening inside a network cable, just like an electrician uses a voltmeter for
examining what’s happening inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with
the advent of Wireshark, that has changed. Wireshark is available for free, is open
source, and is one of the best packet analyzers available today.
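What a packet analyzer does underneath the interface is read a capture file record by record and decode each frame layer by layer. The Python example below is added to this answer (it is not Wireshark's code or part of the original answer) and does exactly that for the classic pcap format: it parses the global header (both byte orders), walks the per-packet records, decodes Ethernet, IPv4 and TCP, verifies the IPv4 header checksum, and prints a one-line summary per packet in the style of a packet-list pane. The two-packet capture it reads is constructed in the block itself with documentation addresses (192.0.2.10, 198.51.100.7); it is not a real capture.

```python
import struct

LINKTYPE_ETHERNET = 1
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header that already
    carries a correct checksum field the result is 0, which is how it is validated."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # fill checksum
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + tcp


def build_pcap(records):
    """Wrap (ts_sec, ts_usec, frame) records into a classic little-endian pcap image."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def dissect_frame(ts, frame):
    """Decode Ethernet -> IPv4 -> TCP and return the fields an analyst looks at first."""
    info = {"time": ts, "len": len(frame)}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        info["proto"] = "ethertype 0x%04x" % ethertype
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    info["src"] = ".".join(str(b) for b in ip[12:16])
    info["dst"] = ".".join(str(b) for b in ip[16:20])
    info["ip_checksum_ok"] = ipv4_checksum(ip[:ihl]) == 0
    if proto != 6:
        info["proto"] = "ip proto %d" % proto
        return info
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    info.update(proto="TCP", sport=sport, dport=dport,
                flags=[name for bit, name in TCP_FLAG_BITS if off_flags & bit],
                payload=tcp[(off_flags >> 12) * 4:])
    return info


def parse_pcap(data: bytes):
    """Walk the pcap global header and per-record headers; both byte orders handled."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        packets.append(dissect_frame(ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]))
        pos += incl_len
    return packets


def summarize(packets):
    """One line per packet, in the spirit of a packet-list pane."""
    t0 = packets[0]["time"] if packets else 0.0
    lines = []
    for i, p in enumerate(packets, 1):
        base = "%d %.6f %s -> %s" % (i, p["time"] - t0, p.get("src", "?"), p.get("dst", "?"))
        if p["proto"] == "TCP":
            lines.append("%s TCP %d -> %d [%s] payload=%d" % (
                base, p["sport"], p["dport"], ",".join(p["flags"]), len(p["payload"])))
        else:
            lines.append("%s %s" % (base, p["proto"]))
    return lines


def sample_capture():
    """Constructed two-packet capture: a SYN to port 80 and the first HTTP request segment."""
    syn = build_tcp_frame("192.0.2.10", "198.51.100.7", 40000, 80, 0x02)
    req = build_tcp_frame("192.0.2.10", "198.51.100.7", 40000, 80, 0x18,
                          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return build_pcap([(1700000000, 0, syn), (1700000000, 12000, req)])


if __name__ == "__main__":
    for line in summarize(parse_pcap(sample_capture())):
        print(line)
```

To run it over a real file, pass the bytes of a `.pcap` saved by Wireshark or tcpdump to `parse_pcap`; pcapng files use a different container and would need a separate reader.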

Aircrack-ng: airodump-ng is used to list all the networks around us and display useful
information about them. It is a packet sniffer, so it is basically designed to capture all the
packets around us while the wireless interface is in monitor mode.

We can run it against all of the networks around us and collect useful information such as the MAC
address, channel, encryption type, and number of clients connected to the network, and
then focus on the target network. We can also run it against a particular AP (access point)
so that we only capture packets from a certain Wi-Fi network.

WebScarab:

WebScarab is designed to be a tool for anyone who needs to expose the workings of an
HTTP(S) based application, whether to allow the developer to debug otherwise difficult
problems, or to allow a security specialist to identify vulnerabilities in the way that the
application has been designed or implemented.

eMailTrackerPro:

eMailTrackerPro not only offers the ability to trace an email using the email header, but it also
comes with a spam filter (advanced edition), which scans each email as it arrives and warns the
user if it is suspected spam, essentially stopping spam email before it reaches its intended recipient.

Trace an email using the header:

An email ‘header’ contains all the information required to track where it came from. It holds the
footprint of each server the email travelled through, which in almost all cases leads us back to the
city/town where the email originated.

Report Abuse:

Whois information is essentially the contact details for the organization that registered or is
responsible for the IP address or website being traced. Also uncovered are any services
running on the destination machine.

Spam filter:

The most valuable feature is the ability to trace more than one IP address or domain name at a
time. Trace as many IP addresses and domain names as required and either output the results
to a new tab or to an Excel/HTML file.

Q 4. List and explain different tools used in mobile forensics.


Ans: The tools used for mobile forensics are:

• Autopsy
• Encrypted Disk Detector
• RAM Capturer
• NMAP

Autopsy:

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital
forensics tools. It is used by law enforcement, military, and corporate examiners to investigate
what happened on a computer. You can even use it to recover photos from your camera's memory
card.

Encrypted Disk Detector:

Encrypted Disk Detector (EDD) is a free command-line tool that checks the local physical drives on
a system for encrypted volumes created by TrueCrypt, PGP, BitLocker, and other full disk
encryption products.
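A tool of this kind works in two ways: it looks for the on-disk signature of products that leave one (a LUKS header begins with the bytes `LUKS\xba\xbe`; a BitLocker volume's boot sector carries the OEM name `-FVE-FS-` at offset 3), and for products that deliberately leave no plaintext header (TrueCrypt and VeraCrypt volumes) it falls back to a statistical test, since a block that is indistinguishable from random data is itself the indicator. The Python example below is added to this answer to show both checks; it is not EDD's code or part of the original answer. The four "drives" are constructed 4 KiB blocks, and the entropy threshold of 7.5 bits per byte is a chosen value, not one taken from any product.

```python
import io
import math
import random

# Known on-disk signatures (offset, magic) for two common encrypted-volume formats.
SIGNATURES = {
    "LUKS": (0, b"LUKS\xba\xbe"),     # LUKS header magic at the start of the volume
    "BitLocker": (3, b"-FVE-FS-"),    # OEM name field of a BitLocker volume boot sector
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8) of the empirical byte distribution of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_volume(first_block: bytes, entropy_threshold=7.5):
    """(label, detail) for the first block of a volume. A signature hit names the product;
    a block with no signature that is still indistinguishable from random data is reported
    as possible header-less encryption, the only way to notice TrueCrypt/VeraCrypt-style
    volumes, which keep no plaintext header."""
    for name, (offset, magic) in SIGNATURES.items():
        if first_block[offset:offset + len(magic)] == magic:
            return name, "signature at offset %d" % offset
    h = shannon_entropy(first_block)
    if h >= entropy_threshold:
        return "possible header-less encryption", "entropy %.2f bits/byte" % h
    return "unencrypted or unknown", "entropy %.2f bits/byte" % h


def scan_drives(drives, block_size=4096):
    """drives: mapping of device name -> file-like object opened for binary reading."""
    results = {}
    for name, dev in drives.items():
        dev.seek(0)
        results[name] = classify_volume(dev.read(block_size))
    return results


def sample_drives():
    """Constructed 4 KiB stand-ins for physical drives: an NTFS-looking boot sector, a
    BitLocker boot sector, a LUKS header, and a pseudo-random block with no header."""
    rng = random.Random(7)
    ntfs = b"\xeb\x52\x90NTFS    " + b"\x00" * (4096 - 11)
    bitlocker = b"\xeb\x58\x90-FVE-FS-" + b"\x00" * (4096 - 11)
    luks = b"LUKS\xba\xbe\x00\x01" + b"\x00" * (4096 - 8)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return {"PhysicalDrive0": io.BytesIO(ntfs), "PhysicalDrive1": io.BytesIO(bitlocker),
            "PhysicalDrive2": io.BytesIO(luks), "PhysicalDrive3": io.BytesIO(noise)}


if __name__ == "__main__":
    for name, (label, detail) in scan_drives(sample_drives()).items():
        print("%s: %s (%s)" % (name, label, detail))
```

On a live Windows examiner machine the same `scan_drives` function can be fed raw devices opened with administrative rights (for example `open(r"\\.\PhysicalDrive0", "rb")`); the entropy heuristic then needs to be applied per partition rather than to sector 0 of the disk, which normally holds an unencrypted partition table.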

RAM Capturer:

MAGNET RAM Capture is a free imaging tool designed to capture the physical
memory of a suspect’s computer, allowing investigators to recover and
analyze valuable artifacts that are often only found in memory.

NMAP:

Nmap is short for Network Mapper. It is an open-source Linux command-line tool
that is used to scan IP addresses and ports in a network and to detect installed
applications.

Nmap allows network admins to find which devices are running on their network,
discover open ports and services, and detect vulnerabilities.

Q 5. What are the challenges in network forensics?

Ans: A challenge in the forensic analysis of a network is first to ensure that the network is
adequate to the forensic needs. For a successful investigation of the network, it must be equipped
with an infrastructure that allows the investigation to be fully supported. The infrastructure must ensure
that the data necessary for a full investigation is available. Designing a network forensic infrastructure
is a complex task due to the many possibilities that exist in how the design is done in the various
spaces. The following is a brief description of some of these challenges:

Data sources

A typical network is made up of several data sources that include unprocessed network
packets and records of network devices and services. Although it is desirable to collect data from all
sources, this option is not always feasible, especially in those ecosystems consisting of large network
infrastructure. Therefore, an important decision is to select a subset of data sources that provide
good network coverage and make the collection processes practical [26].

Granularity in the data:

A problem related to the selection of data sources is deciding how much detail should be
maintained. For example, when packets are collected on the network, full packets, packet headers,
or connection information (for example, IP addresses, port numbers, etc.) can be collected. Similarly,
maintaining extensive data details is not practical in large and complex networks.

Data integrity:

It is essential to ensure the integrity of the data collected. The result of the forensic process
may be adversely affected if the data collected is accidentally altered. Therefore, measures must
be implemented to ensure data integrity during and after data collection and analysis.

Privacy issues:

The data collected is expected to include confidential information, such as emails and files.
Therefore, proper handling of this data is crucial. The data must be protected by access control
measures, so that only authorized personnel have access.

Data as legal evidence:

The use of data collected internally within an organization is quite different from how the
data is presented in a court of law. In the latter case, the data collected must pass written legal
procedures to qualify as evidence in a court of law. The data must go through an admissibility test
and a selection process by the court.

Q 6. What are the challenges in mobile forensics?


Ans: Mobile forensics deals specifically with data retrieval from mobile devices. And, it's not
always as simple as 1-2-3 for investigators. Here are some common challenges these data
collectors encounter.

Mobile Forensics Challenges :

1. True Mobility:
Today's devices make it easier than ever for data to be stored, shared and retrieved from one
platform to the next. A document started on a Smartphone can instantaneously be sent to a
computer, stored in a cloud service, or deleted from a remote location. A user's total control over
data they've created or received can be a huge roadblock to investigators.

2. Wiping or Resetting:
There are real-life examples of data that was unintentionally wiped from a device. Just as easily as you
may delete a text, lose a calendar appointment or accidentally erase a contact, investigators
deal with the same challenges.

3. Software and Hardware Variants:

Once upon a time, smartphones came with one or two operating systems residing on three or
four different types of phones. Since the first iPhone was introduced in 2007, there have been
nearly two dozen models of this phone alone. That doesn't account for Android phones, Google
phones, Windows phones, and so on. Each of these comes with different menus,
settings, and features that can make data retrieval a real headache.

4. Password Protection:
Many of us protect our mobile devices with passwords. Now, phones are equipped with
fingerprint sensors and even facial recognition software programs to help ensure prying eyes
don't access a user's personal data. This creates an inherent challenge for law enforcement.
Although there are forensic tools available to bypass these credentials, this takes extra time and
money.

Q 7. Explain evidence collection and acquisition in network forensics.


Ans: The way of collecting digital forensic evidence is very important. The evidence in this area
is volatile and delicate. It should be noted that due to improper handling, the investigation may be
disrupted. In other words, acquisition, storage, transmission, and the preservation of evidence
require precise procedures.

When securing digital evidence, the following characteristics need to be ensured:

❖ Correctness of the data – the recovered data must be exactly the same as the source data.
❖ Authenticity – actual data from the analyzed medium.
❖ Integrity – the analyzed data is not altered; the alteration can be detected.
❖ Confidentiality, availability.

Depending on the type of data and the digital device, the method of data acquisition is selected.
There are several methods, for example logical disk-to-disk file, disk-to-disk copy, disk-to-image
file and also sparse data copy of a file or folder.

The method of obtaining digital evidence also depends on whether the device is switched off
or on.

a) If it is switched on, it is live acquisition. The evidence is collected from a running system.
Data changes because of both provisioning and normal system operation. So in
conclusion, live acquisition enables the collection of volatile data, but also influences the
data.
b) In case of postmortem acquisition, the evidence is collected from storage media of a
system that is shut down. Moreover, postmortem provides better integrity preservation
and does not influence the data. However, volatile data can be lost in the process of
shutting down a system.

A significant factor in the acquisition of digital evidence is its volatility. Based on their level of
fragility, the most volatile items are acquired first. These are, for example, registers, cache, routing table,
ARP cache, process table and memory. It continues with temporary file systems and securing the
disk. Last is more static data, such as physical configuration, network topology, and archival
media.

It is also necessary to think about the documentation of the seizure and acquisition of digital
evidence. Chain of custody documents the entire process and the handling of data and
equipment.
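The correctness and integrity requirements listed above, the "bit-for-bit, verified forensic copies" described in the sample report under Q1, and the chain of custody come together in one procedure: hash the source while it is copied, re-hash the finished image independently, record both digests with timestamps, and keep a custody log that cannot be quietly edited. The Python example below is added to this answer to show that procedure end to end; it is not from any of the tools named on this page or from the original answer. The "device" is a constructed 1 MiB byte string, the examiner name and seal number are placeholders, and the log uses a simple hash chain (each entry carries the hash of the entry before it) so that an edited, removed or reordered entry is detectable.

```python
import hashlib
import io
import json
from datetime import datetime, timezone


def _utcnow():
    return datetime.now(timezone.utc).isoformat()


def acquire_image(source, dest, chunk_size=1 << 16):
    """Bit-for-bit copy of `source` into `dest`, hashing the source stream as it is read,
    then re-reading `dest` from the start and hashing it independently. The returned record
    is what a report's "verified forensic copy" statement rests on."""
    sha_src, md5_src, count = hashlib.sha256(), hashlib.md5(), 0
    started = _utcnow()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        sha_src.update(chunk)
        md5_src.update(chunk)
        dest.write(chunk)
        count += len(chunk)
    dest.flush()
    dest.seek(0)
    sha_img = hashlib.sha256()
    for chunk in iter(lambda: dest.read(chunk_size), b""):
        sha_img.update(chunk)
    return {"bytes": count, "started_utc": started, "finished_utc": _utcnow(),
            "source_sha256": sha_src.hexdigest(), "source_md5": md5_src.hexdigest(),
            "image_sha256": sha_img.hexdigest(),
            "verified": sha_src.hexdigest() == sha_img.hexdigest()}


def verify_image(image, expected_sha256, chunk_size=1 << 16):
    """Re-hash an image (for example before analysis weeks later) against the acquisition record."""
    image.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def add_custody_entry(log, examiner, action, details):
    """Append a chain-of-custody entry. Each entry stores the hash of the previous entry and
    its own hash, so an edited, removed or reordered entry breaks the chain."""
    entry = {"when_utc": _utcnow(), "examiner": examiner, "action": action,
             "details": details, "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def custody_log_intact(log):
    """True if every entry's hash is correct and links to the entry before it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Constructed walk-through: image a fake 1 MiB device, log custody, then show that a
    single flipped byte in the image and an edited log entry are both detected."""
    source = io.BytesIO(bytes(range(256)) * 4096)        # constructed evidence source
    image = io.BytesIO()
    record = acquire_image(source, image)
    log = []
    add_custody_entry(log, "Examiner A", "acquired image",
                      {"sha256": record["source_sha256"], "bytes": record["bytes"]})
    add_custody_entry(log, "Examiner A", "sealed and stored", {"seal": "constructed-seal-001"})
    flipped = bytearray(image.getvalue())
    flipped[1000] ^= 0x01                                # one-bit change in the image
    edited = [dict(e) for e in log]
    edited[0]["examiner"] = "Examiner B"                 # after-the-fact edit of the log
    return {"bytes": record["bytes"],
            "verified_at_acquisition": record["verified"],
            "image_verifies_later": verify_image(image, record["source_sha256"]),
            "tampered_image_verifies": verify_image(io.BytesIO(bytes(flipped)), record["source_sha256"]),
            "log_intact": custody_log_intact(log),
            "edited_log_intact": custody_log_intact(edited)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a real device, `source` is the block device opened read-only behind a hardware write blocker and `dest` a file opened `w+b` on the preservation media; the hashing and logging logic is unchanged. Recording both SHA-256 and MD5, as the example does, lets the image be matched against records produced by tools that still report only MD5.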

A few facts to keep in mind when acquiring data from workstations or servers:


• Deleted data is still not completely lost. Often it is possible to recover files and get
information about when they were deleted.
• A lot of information about how the computer was used can be recovered from the system.
• Formatting a disk does not remove all data.
• Information about visited websites can be retrieved relatively easily.
• Encrypted data is unusable unless it is decrypted.
• Volatile data can remain on the system for a relatively long time, even after a system reboot.

Common mistakes that occur when obtaining digital evidence:

• Digital evidence improperly seized is degraded for the purposes of criminal proceedings.
• Turning off a device that is switched on without acquiring volatile evidence.
• Inaccurate and chaotic marking of evidence.
• Failure to secure additional equipment (e.g., USB flash, CD/DVD
