Name: Harsh Parekh

Roll No: 40
Subject: EH&F
Assignment No 2

Q1. Explain guidelines for incident report writing. Give one report writing example.
Ans:
Guidelines for Incident report writing:
1. Know the goals of your analysis: Before you begin your analysis for examination, know
what the goals are. Every crime has elements of proof, for law enforcement examiners.
2. Organize your report: Write “macro to micro.” Organize your forensic report to start at the
high level and have the complexity of your report increase as your audience continues to read
it.
3. Follow a template: A standardized report template should be followed. This makes your
report writing scalable, establishes a repeatable standard, and saves time.
4. Use consistent identifier: There can be confusion created in a report by referring to an item
in different ways, such as referring to the same computer as a system, PC, box, web server,
victim system, and so on.
5. Use attachments and appendices: To maintain the flow of your report, use attachments or
appendices. Right in the middle of your conclusions, you do not want to interrupt your
forensic report with 15 pages of source code.
6. Have co-workers read your reports: To read your forensic reports, employ other
coworkers. This helps develop reports that are comprehensible to nontechnical personnel,
who have an impact on your incident response strategy and resolution.
7. Use MD5 hashes: Whether it is an entire hard drive or specific files, create and record the
MD5 hashes of your proof. Performing MD5 hashes for all evidence provides support to the
claim that you are diligent and attentive to the special requirements of forensic examination.
8. Include metadata: Record and include the metadata for every file or file fragment cited in
your report. This metadata includes the time/date stamps, full path of the file, the file size,
and the file’s MD5 sum.

Report writing example:

Q2. Explain the goals of report writing.
Ans:
Goals of Report writing:
• Accurately describe the details of an incident.
• Be understandable to decision makers.
• Be able to withstand a barrage of legal scrutiny.
• Be unambiguous and not open to misinterpretation.
• Be easily referenced (using paragraph numbers for the report and Bates’ numbers for
attached documents).
• Contain all information required to explain your conclusions.
• Offer valid conclusions, opinions, or recommendations when needed.
• Report should be ready in time.

Q3. List and explain different tools used in network forensics.

Ans:
Different Tools used in Network Forensics:
• Wireshark:
Wireshark is a network protocol analyzer, or an application that captures packets from a
network connection, such as from your computer to your home office or the internet. Packet
is the name given to a discrete unit of data in a typical Ethernet network. Wireshark listens
to a network connection in real time and then grabs entire streams of traffic quite possibly
tens of thousands of packets at a time.
• NetworkMiner:
NetworkMiner is an open-source Network Forensic Analysis Tool (NFAT) for Windows
(but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive
network sniffer/packet capturing tool to detect operating systems, sessions, hostnames,
open ports etc. without putting any traffic on the network. NetworkMiner can also parse
 PCAP files for off-line analysis and to regenerate/reassemble transmitted files and
certificates from PCAP files.
• Snort:
Snort is one of the most popular network Intrusion Detection Systems. Snort is highly
configurable, which allows the users to add custom plugins called pre-processors. In
addition to it, it comes with a great set of output options. At its core, Snort provides alerts
based on rulesets provided to it. The Snort administrator needs to feed the rules as the
default installation doesn’t come with any rules by default.
• Tcpdump:
Tcpdump is a popular command line tool available for capturing and analyzing network
traffic primarily on Unix based systems. Using tcpdump, we can capture the traffic and
store the results in a file that is compatible with tools like Wireshark for further analysis.
Tcpdump can either be used to do a quick packet capture for troubleshooting or for
capturing traffic continuously in large volumes for future analysis.
• Kismet:
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection
system. Works in raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic. It is passively collecting packets and
detecting standard named networks, detecting (and given time, decloaking) hidden
networks, and presence of nonbeaconing networks via data traffic.

Q4. List and explain different tools used in mobile forensics.

Ans:
Tools used in Mobile Forensics:
• XRY:
XRY is a digital forensics and mobile device forensics product by the Swedish company
MSAB used to analyze and recover information from mobile devices such as mobile
phones, smartphones, GPS navigation tools and tablet computers. It consists of a hardware
 device with which to connect phones to a PC and software to extract the data. XRY is
designed to recover the contents of a device in a forensic manner so that the contents of the
data can be relied upon by the user. Typically, it is used in civil/criminal investigations,
intelligence operations, data compliance and electronic discovery cases.
• Cellebrite:
Cellebrite is the one of the best known and widely used mobile device forensics tool for
data extraction and analysis. The combination of Cellebrite software and hardware helps
the investigator delve into the messages, phones calls, voicemails, images, browsing history
and more contained on a smart phone chip. Cellebrite will generate a series of reports once
the extraction is complete. The information contained in these reports is dependent on the
types of data retained in the phone’s memory.
• MOBILedit:
MOBILedit Forensic is a forensics tool that searches, examines and report on data from
GSM/CDMA/PCS cell phone devices. MOBILedit connects to cell phone devices via an
established, the phone model is identified by its manufacturer, model number, and serial
number (IMEI) and with a corresponding picture of the phone. Data acquired from cell
phone devices are stored in the .med file format.
• Elcomsoft
Elcomsoft is an iOS Forensic Toolkit allows for physical acquisition on iOS devices such
as iPhone, iPad or iPod. It also includes other utility features such as that of deciphering
the keychain that stores user passwords in the terminal analyzed or registering each action
that is performed during the whole process to keep a record of them.

Q5. What are the challenges in network forensics?

Ans:
Challenges in Network Forensics:
• High-Speed Data Transmission
 High-speed data transmission is one of the biggest challenges for network forensics because
it cannot capture and record all the packets on the network because of high speed. Millions
of data packets are transmitted on networks within a short period, and these packets pass
through a vast number of interconnected devices. The network devices can play a
significant role as evidence as the network data transmit through them. To identify the
network data’s susceptibilities, it is necessary to record the data packets at high speed;
however, it is a very time-consuming process.
• Data Storage
The amount of data captured and stored on the network for carrying out the investigation
is tremendous. Such a large amount of data creates problems for forensic experts while
retrieving relevant information from these networks. The interconnectivity devices’ storage
capacity is low, and huge storage space is required to store the captured data packets.
• Data Integrity
Data integrity is one of the major concerns for the investigators while performing the
network forensics. Data integrity means that the network must have the most consistent,
complete, and accurate data. Analyzing data integrity on the networks is one of the most
challenging and critical tasks for the investigators. Maintaining data integrity is difficult,
considering several factors, including velocity, size, and scope of data. Network
complications become higher when the trust and integrity of the data and data system
become low.
• Location of Data Extraction
The process of network forensics becomes challenging due to the virtualized characteristics
and distributive nature of networks. It becomes difficult for forensic experts to identify the
device and appropriate location for extracting data. It is almost impossible to handle all
links and the connected devices on the networks where thousands of devices are connected
and millions of packets of data pass through each device every second.
• Access to IP Addresses
 Identification of the IP address of the attacker is an essential step in carrying out network
forensics. The IP address of the source provides information about the origin of the attack.
Identifying the IP address can lead the investigators to the intruder and prevent future
attacks from the same intruder. The intruders use several techniques to hide their IP
addresses from the various devices installed on the network. Spoofing the IP address is one
such technique in which the intruder can show a fake IP address to the devices registered
on the network.

Q6. What are the challenges in Mobile Forensics?

Ans:
Challenges in Mobile Forensics:
• Mobile platform security features:
Modern mobile platforms contain built-in security features to protect user data and
privacy. These features act as a hurdle during the forensic acquisition and examination.
For example, modern mobile devices come with default encryption mechanisms from the
hardware layer to the software layer. The examiner might need to break through these
encryption mechanisms to extract data from the devices.
• Lack of resources:
With the growing number of mobile phones, the tools required by a forensic examiner
would also increase. Forensic acquisition accessories, such as USB cables, batteries, and
chargers for different mobile phones, have to be maintained in order to acquire those
devices.
• Anti-forensic techniques:
Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure
wiping, make investigations on digital media more difficult.
• Dynamic nature of evidence:
 Digital evidence may be easily altered either intentionally or unintentionally. For example,
browsing an application on the phone might alter the data stored by that application on the
device.
• Accidental reset:
Mobile phones provide features to reset everything. Resetting the device accidentally while
examining may result in the loss of data.
• Device alteration:
The possible ways to alter devices may range from moving application data, renaming
files, and modifying the manufacturer's operating system. In this case, the expertise of the
suspect should be taken into account.
• Passcode recovery:
If the device is protected with a passcode, the forensic examiner needs to gain access to
the device without damaging the data on the device.
• Communication shielding:
Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and
Infrared. As device communication might alter the device data, the possibility of further
communication should be eliminated after seizing the device.

Q7. Explain Evidence Collection and Acquisition in mobile forensics.

Ans:
Evidence Collection and Acquisition:
1. The acquisition phase of mobile forensics refers to the ways in which data is retrieved from
the mobile device. Because evidence on mobile devices is so volatile, it is important that
appropriate techniques be used to collect it whatever acquisition method is being used. The
three types of acquisition include:
• Manual: A visual observation of the phone, such as scrolling through photos
• Logical: Connecting a phone to a forensic workstation to make a copy, such as
through an iTunes backup.
 • Physical: A bit-by-bit copy - or physical copy - of a phone's data, taken directly from
its memory.
2. The most critical aspect of data acquisition is maintaining the integrity of the evidence.
Whatever type of acquisition method is being used, documentation throughout that process
is key to producing evidence that is credible and reliable.
3. Since some acquisition methods can cause changes to existing data, such as unread text
messages, creating these comprehensive reports documents each step an investigator has
taken. Additionally, documentation makes acquisition results reproducible by another
investigator, which holds up even better in court.

---------------------