
Disk Forensics

Disk forensics, also known as computer or digital forensics, is a branch of forensic science that focuses on the collection,
preservation, analysis, and interpretation of digital data stored on computer storage devices, such as hard disk drives (HDDs),
solid-state drives (SSDs), and other media.

The primary goal of disk forensics is to investigate and gather evidence related to computer crimes or incidents. It involves
the systematic examination of digital storage media to recover, analyze, and interpret data that may be relevant to a legal
investigation or an organization's internal investigation.

Disk forensics is a specialized field that requires a combination of technical expertise, knowledge of computer systems and
storage technologies, understanding of legal procedures, and adherence to strict forensic protocols to maintain the integrity of
the evidence.
The following are some key techniques and tools used in disk forensics:

● Identification and Seizure: The first step is to identify and seize the storage media that may contain relevant digital
evidence. This may involve seizing computer systems, hard drives, mobile devices, or any other storage medium.
● Preservation: Once the storage media is seized, it is crucial to preserve the integrity of the data. Forensic professionals
create a forensic image or exact copy of the storage media using specialized tools and techniques. This ensures that the
original data remains unaltered, and the investigation can be conducted on a duplicate copy.
● Analysis and Recovery: The forensic image is then analyzed to recover and extract relevant data. This may include
deleted files, email communications, internet browsing history, system logs, metadata, and other artifacts that can
provide insights into user activities and events.
● Data Interpretation: The extracted data is analyzed and interpreted to establish timelines, reconstruct events, identify
patterns, and understand the context of the investigation. This may involve correlating data from multiple sources and
using forensic tools to reconstruct user activities.
● Reporting and Presentation: The findings and evidence discovered during the disk forensics investigation are
documented in a detailed report. This report may be used for legal proceedings, internal investigations, or as evidence
in court. Forensic professionals may also present their findings and provide expert testimony if required.
The process of Disk Forensics is:

1. Identify digital evidence
2. Seize and acquire the evidence
3. Authenticate the evidence
4. Preserve the evidence
5. Analyze the evidence
6. Report the findings
7. Documentation
The first step in Disk Forensics is the identification of storage devices at the scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobile phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives, etc. These are some of the sources of digital evidence.
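The preservation and authentication steps above (creating a forensic image and proving that it matches the original) can be shown in code. The following Python script is an added example, not part of the original notes or of any forensic tool: it copies a constructed stand-in for an evidence device into an image file, records MD5 and SHA-256 hashes of both, re-verifies the image, and then shows that a single changed byte makes verification fail. In a real acquisition the source device would be read through a write blocker and the recorded hashes would go into the chain-of-custody record.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash and copy 1 MiB at a time so large images never load fully into RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source_path, image_path):
    """Copy the source byte-for-byte (as dd would) and hash both source and image.

    'verified' records that the image is an exact copy, which is what allows the
    investigation to proceed on the duplicate instead of the original device."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_hashes = hash_file(source_path)
    image_hashes = hash_file(image_path)
    return {
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(image_path, recorded_hashes):
    """Re-hash the image later (before analysis, or for court) and compare it with
    the hashes recorded at acquisition. True only if every recorded hash matches."""
    current = hash_file(image_path)
    return all(current[name] == digest for name, digest in recorded_hashes.items())


def demo():
    """Acquire a constructed 'device', verify the image, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence-device.bin")  # constructed stand-in for a drive
        image = os.path.join(workdir, "evidence.dd")            # the forensic image

        # Constructed source: 3 MiB of a repeating 0x00..0xFF pattern, not real evidence
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))

        record = acquire_image(source, image)
        intact = verify_image(image, record["image"])

        # Simulate a single-byte change to the image (offset 4096 originally holds 0x00)
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"\xff")
        after_tamper = verify_image(image, record["image"])

        return record["verified"], intact, after_tamper


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

Two hashes are recorded because examiners commonly report both: MD5 for compatibility with older reports and SHA-256 because MD5 collisions are practical. Chunked reading matters in practice, since disk images are far larger than available memory.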
Role of Email in Investigation

An investigator has the following goals while performing email forensics:

● To identify the main criminal
● To collect the necessary evidence
● To present the findings
● To build the case
Challenges in Email Forensics

Fake Emails

The biggest challenge in email forensics is the use of fake emails, which are created by
manipulating and scripting headers, etc. In this category criminals also use temporary
email, a service that allows a registered user to receive email at a temporary
address that expires after a certain time period.
Spoofing

Another challenge in email forensics is spoofing, in which criminals present an
email as if it came from someone else. In this case the receiving machine will see both the fake and the
original IP address.
Anonymous Re-emailing

Here, the email server strips identifying information from the email message before
forwarding it further. This leads to another big challenge for email investigations.
Flow of Email
Role of Mail Servers and Email Clients
Techniques Used in Email Forensic Investigation

● Header Analysis
● Server investigation
● Network Device Investigation
● Sender Mailer Fingerprints
● Software Embedded Identifiers
Email Server Investigation
Email servers are investigated to locate the source of an email. For example, if an email has been deleted
from the client application at the sender's or receiver's end, the related ISP or proxy servers are scanned, as
they usually keep copies of emails after delivery. Servers also maintain logs that can be analyzed
to identify the address of the computer from which the email originated.

It is worth noting that Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol
(SMTP) logs are archived frequently by large Internet Service Providers (ISPs). If a log is
archived, tracing relevant emails can take a lot of time and effort, requiring decompressing and
extraction techniques. Therefore, it is best to examine the logs as soon as possible.
Investigation of Network Devices

In some cases, server logs are not available. This can happen for many reasons, such as when servers are not configured to maintain
logs or when an ISP refuses to share the log files. In such an event, investigators can refer to the logs maintained by network devices such
as switches, firewalls, and routers to trace the source of an email message.

Sender Mailer Fingerprints

X-headers are email headers that are added to messages along with standard headers, like Subject and To. These are often added for
spam filter information, authentication results, etc., and can be used to identify the software handling the email at the client, such as Outlook
or Opera Mail. In addition, the x-originating-IP header can be used to find the original sender, i.e., the IP address of the sender’s computer.

Message-IDs

Message-ID is a unique identifier that helps the forensic examination of emails across the globe. It comprises a long string of characters that
ends with a Fully Qualified Domain Name (FQDN). Message-IDs are generated by the programs that send emails, such as Mail User
Agents (MUA) or Mail Transfer Agents (MTA). A Message-ID has two parts: one before the @ and one after it. The
first part typically contains information such as the message's timestamp, i.e., data about the time when the
message was sent. The second part contains the FQDN of the host that generated it.
Embedded Software Identifiers

Sometimes, the email software used by a sender can include additional information about the message and attached files in the email. For
example, it can be found in Multipurpose Internet Mail Extensions (MIME) content as a Transport Neutral Encapsulation Format (TNEF) or
custom header. An in-depth analysis of these sections can reveal vital details related to the sender, like the MAC address, Windows login
username of the sender, PST file name, and much more.
Demo on Email header Analyzer
https://mxtoolbox.com/EmailHeaders.aspx
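As an added, offline counterpart to the header-analyzer demo (this is not code from the original notes or from MXToolbox), the following Python script applies the techniques listed above to a constructed message: it walks the Received chain from the recipient's server back to the originating host, splits the Message-ID at the @ into its local part and FQDN, reads the X-Originating-IP and X-Mailer sender fingerprints, and runs three consistency checks an examiner would make. Every host name, IP address, identifier and mailbox in the sample is an invented documentation value.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every host, IP, ID and address below is invented.
RAW_EMAIL = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.8])
    by inbox.example.org with ESMTP id abc123
    for <victim@example.org>; Mon, 01 Apr 2024 10:02:17 +0000
Received: from relay.example.com (relay.example.com [198.51.100.21])
    by mx2.example.net with ESMTPS id def456;
    Mon, 01 Apr 2024 10:02:15 +0000
Received: from user-pc (unknown [192.0.2.45])
    by relay.example.com with ESMTPA id ghi789;
    Mon, 01 Apr 2024 10:02:11 +0000
Message-ID: <20240401100210.4F2A1@relay.example.com>
X-Originating-IP: [192.0.2.45]
X-Mailer: Microsoft Outlook 16.0
From: "Accounts" <accounts@example.com>
To: victim@example.org
Subject: Invoice
Date: Mon, 01 Apr 2024 10:02:10 +0000

Please see the attached invoice.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as most MTAs write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def _unfold(value):
    """Collapse folded header continuation lines into a single line."""
    return re.sub(r"\s+", " ", str(value)).strip()


def trace_received(msg):
    """Return the hops from origin to destination.

    Each MTA prepends its own Received header, so the last header in the message
    is the one closest to the sender and the first belongs to the recipient's server."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = _unfold(value)
        match = RECEIVED_RE.search(text)
        if not match:
            continue  # non-standard format; a real tool would keep the raw text for review
        hop = match.groupdict()
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""  # timestamp follows the last ';'
        hop["time"] = parsedate_to_datetime(stamp) if stamp else None
        hops.append(hop)
    return hops


def parse_message_id(msg):
    """Split the Message-ID into the part before '@' and the FQDN after it."""
    mid = _unfold(msg.get("Message-ID", "")).strip("<>")
    local, _, fqdn = mid.partition("@")
    return {"raw": mid, "local": local, "fqdn": fqdn}


def sender_fingerprints(msg):
    """Read the X-headers that identify the sending software and the claimed origin."""
    mailer = _unfold(msg.get("X-Mailer", "")) or _unfold(msg.get("User-Agent", ""))
    x_ip = _unfold(msg.get("X-Originating-IP", "")).strip("[]")
    return {"mailer": mailer or None, "x_originating_ip": x_ip or None}


def analyze(raw_bytes):
    """Combine the techniques above and add simple consistency checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hops = trace_received(msg)
    mid = parse_message_id(msg)
    fp = sender_fingerprints(msg)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    mid_domain = mid["fqdn"].lower()
    times = [h["time"] for h in hops if h["time"] is not None]
    return {
        "hops": hops,
        "message_id": mid,
        **fp,
        # The earliest hop's IP should agree with the X-Originating-IP the client claimed
        "origin_matches_x_originating_ip": bool(hops) and hops[0]["ip"] == fp["x_originating_ip"],
        # The Message-ID FQDN is normally the sender's domain or a host inside it
        "message_id_domain_matches_from": mid_domain == from_domain
        or mid_domain.endswith("." + from_domain),
        # Relay timestamps should not run backwards along the delivery path
        "timestamps_monotonic": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    result = analyze(RAW_EMAIL)
    for hop in result["hops"]:
        print(f"{hop['ip']:>15}  {hop['helo']:<20} -> {hop['by']}  {hop['time']}")
    print("Message-ID FQDN:", result["message_id"]["fqdn"])
    print("Mailer:", result["mailer"], "| X-Originating-IP:", result["x_originating_ip"])
```

Only the Received headers added by servers the examiner trusts (the recipient's own, and those confirmed by the relay's logs) can be relied upon; anything below them, including X-Originating-IP and X-Mailer, was written by the sender's side and can be forged, which is why the checks report mismatches rather than conclusions.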
Internet Tracing
Electronic passage through the Internet leaves a trail that can be traced. Tracing is a process that follows the Internet activity backwards, from
the recipient to the user. As well, a user's Internet activity on web sites can also be tracked on the recipient site (i.e., what sites are visited and
how often). Sometimes this tracking and tracing ability is used to generate email to the user promoting a product that is related to the sites
visited. User information, however, can also be gathered covertly.
Tracking Tools

Cookies. Cookies are computer files that are stored on a user's computer during a visit to a web site. When the user electronically enters the web
site, the host computer automatically loads the file(s) to the user's computer.

The cookie is a tracking device, which records the electronic movements made by the user at the site, as well as identifiers such as a username
and password. Commercial web sites make use of cookies to allow a user to establish an account on the first visit to the site and so to avoid
having to enter account information (i.e., address, credit card number, financial activity) on subsequent visits. User information can also be
collected unbeknownst to the user and subsequently used for whatever purpose the host intends.

Cookies are files, and so can be transferred from the host computer to another computer. This can occur legally (i.e., selling of a subscriber
mailing list) or illegally (i.e., "hacking in" to a host computer and copying the file). Also, cookies can be acquired as part of a law enforcement
investigation.

Bugs or Beacons. A bug or a beacon is an image that can be installed on a web page or in an email. Unlike cookies, bugs cannot be disabled.
They can be prominent or surreptitious. As examples of the latter, graphics that are transparent to the user can be present, as can graphics that are
only 1x1 pixels in size (corresponding to a dot on a computer monitor). When a user clicks onto the graphic in an attempt to view, or even to close
the image, information is relayed to the host computer.
Information that can be gathered by bugs or beacons includes:

● The user's IP address (the Internet address of the computer)
● The email address of the user
● The user computer's operating system (which can be used to target viruses to specific operating systems)
● The URL (Uniform Resource Locator), or address, of the web page that the user was visiting when the bug or beacon was activated
● The browser that was used (e.g., Netscape, Explorer)
ActiveX, JavaScript. These client-side scripting technologies are automatically activated when a site is visited.
The mini-programs can operate within the larger program, so as to create the "pop-up" advertiser windows that
appear with increasing frequency on web sites. When the pop-up graphic is visited, user information such as
described in the above sections can be gathered.
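The following Python script is an added example (not from the original notes) of how a defender can find web bugs or beacons of the kind described above in an HTML email body or web page: it flags external images that are 1x1 pixels or hidden by style, and visible third-party images whose URL carries a query string that can identify the recipient. The HTML sample and its host names are constructed, and "example.com" is assumed to be the organisation's own domain.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed HTML email body; host names and the tracking token are invented.
SAMPLE_HTML = """
<html><body>
<p>Hello,</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="Logo">
<img src="https://track.example-ads.net/open?uid=7f3a9c&amp;m=42" width="1" height="1" alt="">
<img src="https://example.com/banner.jpg" style="display: none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" width="1" height="1">
</body></html>
"""


def _is_tiny(value):
    """True for width/height attributes of 1 (or 0) pixel, written as '1' or '1px'."""
    if value is None:
        return False
    try:
        return float(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like tracking bugs or beacons."""

    def __init__(self, own_domain):
        super().__init__()
        self.own_domain = own_domain.lower()
        self.findings = []

    def _third_party(self, host):
        return bool(host) and host != self.own_domain and not host.endswith("." + self.own_domain)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)  # HTMLParser has already unescaped entities such as &amp;
        src = attr.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # data: URIs and relative paths cannot report back to a remote host
        host = (url.hostname or "").lower()
        style = (attr.get("style") or "").replace(" ", "").lower()

        reasons = []
        if _is_tiny(attr.get("width")) and _is_tiny(attr.get("height")):
            reasons.append("1x1 image")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if self._third_party(host):
            reasons.append("third-party host")
        if parse_qs(url.query):
            reasons.append("query string carries identifiers")

        # Surreptitious beacons are tiny or hidden; a prominent image still tracks when a
        # third party receives a per-recipient token in the query string.
        surreptitious = "1x1 image" in reasons or "hidden by style" in reasons
        prominent_tracker = "third-party host" in reasons and "query string carries identifiers" in reasons
        if surreptitious or prominent_tracker:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_beacons(html, own_domain):
    """Return the suspicious images found in the given HTML, in document order."""
    finder = BeaconFinder(own_domain)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML, "example.com"):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The same logic is what a mail client's "block remote images" setting enforces wholesale: a beacon can only report the facts listed above if the image is actually fetched, so a gateway that rewrites or strips flagged images removes the channel rather than merely logging it.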
Memory forensics

Memory forensics is a vital form of cyber investigation that allows an investigator to
identify unauthorized and anomalous activity on a target computer or server. This is
usually achieved by running special software that captures the current state of the
system's memory as a snapshot file, also known as a memory dump. This file can then
be taken offsite and searched by the investigator.
This is useful because of the way in which processes, files and programs are run in
memory, and once a snapshot has been captured, many important facts can be
ascertained by the investigator, such as:
● Processes running
● Executable files that are running
● Open ports, IP addresses and other networking information
● Users that are logged into the system, and from where
● Files that are open and by whom
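The facts listed above (IP addresses, file paths, program names) are recovered from a memory dump largely by carving printable strings, including the UTF-16LE strings that Windows uses internally, and then matching patterns in them. The Python script below is an added illustration of that technique, not code from Volatility or any other tool named on this page; it runs on a small constructed byte string that stands in for a RAW dump, with planted artifacts and invented documentation IP addresses.

```python
import re

MIN_LEN = 6  # like `strings -n 6`: shorter printable runs are mostly noise

# Patterns applied to the recovered text (non-capturing groups so findall returns whole matches)
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data, min_len=MIN_LEN):
    """Return sorted (offset, encoding, text) tuples for printable ASCII and UTF-16LE runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # Windows keeps paths, command lines and registry data as UTF-16LE, which an
    # ASCII-only scan misses because every other byte is 0x00
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def network_indicators(strings_found):
    """Pull IPv4 addresses and URLs out of the recovered strings."""
    ips, urls = set(), set()
    for _, _, text in strings_found:
        ips.update(IPV4.findall(text))  # also matches version-like "1.2.3.4" strings; review by hand
        urls.update(URL.findall(text))
    return sorted(ips), sorted(urls)


def analyze_dump(data):
    """Carve strings from a raw dump and summarise the networking artifacts in them."""
    strings_found = extract_strings(data)
    ips, urls = network_indicators(strings_found)
    return {"strings": strings_found, "ips": ips, "urls": urls}


def build_sample_dump():
    """Constructed stand-in for a RAW memory image: non-printable filler with planted artifacts."""
    pad = b"\x00\x01\x02\xff" * 64
    return b"".join([
        pad, b"svchost.exe", pad,
        b"GET /agent/check HTTP/1.1\r\nHost: 203.0.113.77\r\n", pad,
        b"https://updates.example.net/agent/check", pad,
        "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16le"), pad,
        "198.51.100.23:8443".encode("utf-16le"), pad,
        b"abc", pad,  # below MIN_LEN, so it must not be reported
    ])


if __name__ == "__main__":
    report = analyze_dump(build_sample_dump())
    for offset, encoding, text in report["strings"]:
        print(f"0x{offset:08x} {encoding:8} {text}")
    print("IPs:", report["ips"])
    print("URLs:", report["urls"])
```

String carving is encoding-agnostic and needs no knowledge of kernel structures, which is why it works on any of the acquisition formats listed in the next section; its limitation is context, since it cannot tell which process owned a string, which is what structure-aware tools such as Volatility add on top.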
Memory Forensics: Acquisition Methods

Here are some examples of acquisition formats that are used in memory forensics. There
are many different memory acquisition types, but these are five of the most common
methods and formats that are used today:
● RAW Format – Extracted from a live environment
● Crash Dump – Information gathered by the operating system
● Hibernation File – A saved snapshot that your operating system can return to after
hibernating
● Page File – This is a file that stores similar information that is stored in your system
RAM
● VMware Snapshot – This is a snapshot of a virtual machine, which saves its state as
it was at the exact moment that the snapshot was generated
The Best Memory Forensic Tools on the Market

There are both free and commercial products available on the market, and many forensics
investigators will have their own personal preferences. Some investigators may find that they
need to use commercial products only, however many professionals will use a wide array of both
free and paid tools to get the job done. Here are some examples:
● Volatility Suite: This is an open source suite of programs for analyzing RAM, and has
support for Windows, Linux and Mac operating systems. It can analyze RAW, Crash,
VMware, and VirtualBox dumps with no issues.
● Rekall: This is an end-to-end solution for incident responders and investigators, and features
both acquisition and analysis tools. It can be thought of as more of a forensic framework
suite than just a single application.
● Helix ISO: This is a bootable live CD as well as a standalone application that makes it very easy for you to
capture a memory dump or memory image of a system. There are some risks associated with running this
directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.
● Belkasoft RAM Capturer: This is another forensic tool that allows for the volatile section of system memory
to be captured to a file. First responders will find that the functionality and wide range of tools available in this
software package will allow for their investigations to start off as quickly as possible.
● Process Hacker: This is an open source process monitoring application that is very useful to run while the
target machine is in use. It will give the investigator a better understanding of what is currently affecting the
system before the memory snapshot is taken, and can go a long way to help uncover any malicious processes,
or even help to identify what processes have been terminated within a set period of time.
MEMLAB
