Digital Forensic


MODULE 1- Ethical Hacking Methodology

What is Ethical Hacking

Ethical hacking is a set of practices in which businesses enable
individuals to exploit system vulnerabilities in order to gain a better
understanding of their current security posture. A security expert or
researcher performs an ethical hack by replicating the behaviors
and methods of a malevolent hacker. This assists development and
security teams in detecting and identifying security risks before
hackers exploit them.
Ethical hacking, also known as White Hat Hacking, is a critical stage
in determining the efficiency of a company's security policy. The
goal of ethical hacking is to imitate the actions of hackers in order
to detect present and potential vulnerabilities in the future. To do
this, an ethical hacker goes through several steps of evaluation in
order to gather as much in-depth understanding about the system
as feasible.
Q. Why is Ethical Hacking necessary? Explain the steps of Ethical Hacking.

Benefits of Ethical Hacking
The primary benefit of ethical hacking is to prevent data from being stolen and misused by
malicious attackers, as well as:

- Discovering vulnerabilities from an attacker’s POV so that weak points can be fixed.
- Implementing a secure network that prevents security breaches.
- Defending national security by protecting data from terrorists.
- Gaining the trust of customers and investors by ensuring the security of their products and data.
- Helping protect networks with real-world assessments.

Steps of Ethical Hacking:

- Planning
- Reconnaissance
- Scanning
- Exploitation
- Post-exploitation
- Result reporting

Reconnaissance

The first penetration testing phase is reconnaissance. In this phase, the tester
gathers as much information about the target system as they can, including
information about the network topology, operating systems and applications, user
accounts, and other relevant information. The goal is to gather as much data as
possible so that the tester can plan an effective attack strategy.
Reconnaissance can be categorized as either active or passive depending on what
methods are used to gather information (Braithwaite, 2022). Passive reconnaissance
pulls information from resources that are already publicly available, whereas active
reconnaissance involves directly interacting with the target system to gain
information. Typically, both methods are necessary to form a full picture of the
target’s vulnerabilities.
Scanning

Once all the relevant data has been gathered in the reconnaissance phase, it’s time
to move on to scanning. In this penetration testing phase, the tester uses various
tools to identify open ports and check network traffic on the target system. Because
open ports are potential entry points for attackers, penetration testers need to
identify as many open ports as possible for the next penetration testing phase.
This step can also be performed outside of penetration testing; in those cases, it’s
referred to simply as vulnerability scanning and is usually an automated process.
However, there are drawbacks to only performing a scan without a full penetration
test—namely, scanning can identify a potential threat but cannot determine the level
at which hackers can gain access (Agio, 2022). So, while scanning is essential for
cybersecurity, it also needs human intervention in the form of penetration testers to
reach its full potential.
Vulnerability Assessment

The third penetration testing phase is vulnerability assessment, in which the tester
uses all the data gathered in the reconnaissance and scanning phases to identify
potential vulnerabilities and determine whether they can be exploited. Much like
scanning, vulnerability assessment is a useful tool on its own but is more powerful
when combined with the other penetration testing phases.
When determining the risk of discovered vulnerabilities during this stage, penetration
testers have many resources to turn to. One is the National Vulnerability Database
(NVD), a repository of vulnerability management data created and maintained by the
U.S. government that analyzes the software vulnerabilities published in the Common
Vulnerabilities and Exposures (CVE) database. The NVD rates the severity of known
vulnerabilities using the Common Vulnerability Scoring System (CVSS).
Exploitation

Once vulnerabilities have been identified, it’s time for exploitation. In this penetration
testing phase, the penetration tester attempts to access the target system and
exploit the identified vulnerabilities, typically by using a tool like Metasploit to
simulate real-world attacks.
This is perhaps the most delicate penetration testing phase because accessing the
target system requires bypassing security restrictions. Though system crashes
during penetration testing are rare, testers must still be cautious to ensure that the
system isn’t compromised or damaged (Basu, 2022).
Reporting

Once the exploitation phase is complete, the tester prepares a report documenting
the penetration test’s findings. The report generated in this final penetration testing
phase can be used to fix any vulnerabilities found in the system and improve the
organization’s security posture.
Building a penetration testing report requires clearly documenting vulnerabilities and
putting them into context so that the organization can remediate its security risks.
The most useful reports include sections for a detailed outline of uncovered
vulnerabilities (including CVSS scores), a business impact assessment, an
explanation of the exploitation phase’s difficulty, a technical risk briefing, remediation
advice, and strategic recommendations (Sharma, 2022).

Popular Penetration Testing Tools


There are many different penetration testing tools available, and each has its
strengths and weaknesses. Some of the most popular include:

- Nmap. Nmap is a powerful network scanning tool that can scan for open ports and
services. It also includes features for identifying vulnerable applications.
- Metasploit. Metasploit is a vulnerability exploitation tool. It includes a library of exploits
for a variety of programs and operating systems, as well as a wizard that can assist
penetration testers in capitalizing on known vulnerabilities.
- Wireshark. Wireshark is a network analysis tool that can capture packet data from a
network and decode it into readable form. This can be useful for identifying malicious
traffic or sensitive information being transmitted over a network.
- Burp Suite. Burp Suite is an all-in-one web application security testing tool. It can scan
websites for vulnerabilities, manipulate requests and responses, and intercept traffic
between the client and server.

Q. Explain in detail the need for and types of Reconnaissance

What is Reconnaissance?
Ethical hacking begins with gathering information and becoming familiar with the
target system. Reconnaissance refers to a set of processes and techniques, such as
footprinting, scanning, and enumeration, that are used to gather and covertly
discover as much information as possible about a target system.
Reconnaissance is an essential step for an attacker seeking to locate and steal
confidential information: a thorough recon gives the attacker detailed knowledge of
the target. For the same reason, reconnaissance in information security is used in
penetration testing.

An attacker uses recon to learn about the network’s open ports, running services,
and so on, without actively engaging with the network. The information it provides
can help gain access to networks beyond what is visible from the internet. In short,
recon yields a treasure trove of valuable information about weaknesses that are
susceptible to attack.

It is hard to predict how long reconnaissance takes before an attacker gets into a
network; it may take weeks or months. Moreover, recon may never touch an
information system directly and still lead to a data breach, since the sensitive data it
collects can be used to exploit the network.

An ethical hacker takes the following seven steps during reconnaissance to gather
as much information about a target system as possible:

- Collecting initial information
- Determining the network’s range
- Identifying active machines
- Discovering available access points and ports
- Identifying the operating system by its fingerprint
- Locating services on ports
- Creating a network map

To gain information about a network, an attacker will look for the following:

- File permissions
- Running network services
- OS platform
- Trust relationships
- User account information

Types of Reconnaissance
There are two main types of reconnaissance, active reconnaissance and passive
reconnaissance. Let us understand the difference between active reconnaissance
and passive reconnaissance.

Active Reconnaissance

Cybercriminals who use active reconnaissance try to obtain information about
computer systems using tools such as automated scanning and manual testing,
ping, and netcat. Although active reconnaissance creates more noise within the
system and has a higher chance of detection, it is generally faster and more accurate.
Port Scanning

Port scanning is an example of active reconnaissance. Port scanning is the process
of probing a computer’s ports to identify which ones are open, since all traffic to
and from the computer flows through these ports.

Using port scanning, attackers determine what services are visible and where an
attack can be conducted. As part of port scanning, data is retrieved from opened
ports and analyzed.
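Because port scanning touches many ports on one host in a short time, it is one of the easiest recon activities for a defender to spot. The following Python is an added example, not part of the original notes: a sliding-window detector run over constructed firewall-style log lines (the line format and the RFC 5737 addresses are assumptions) that flags a source probing many distinct ports within one minute, while leaving a busy legitimate client alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One simplified iptables-style line per connection attempt (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return datetime.fromisoformat(d["ts"]), d["src"], d["dst"], int(d["dpt"])


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Flag (src, dst) pairs that probe at least min_ports distinct destination
    ports inside any window_seconds-long sliding window.

    Returns {(src, dst): most distinct ports seen in one window}.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, dst, dport = rec
            events[(src, dst)].append((ts, dport))

    alerts = {}
    for key, evs in events.items():
        evs.sort()                      # the sliding window needs time order
        window = deque()                # (ts, dport) events still in the window
        in_window = defaultdict(int)    # dport -> hits inside the window
        best = 0
        for ts, dport in evs:
            window.append((ts, dport))
            in_window[dport] += 1
            # Expire events that have fallen out of the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_port = window.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[key] = best
    return alerts


def build_sample_log():
    """Constructed sample traffic using RFC 5737 documentation addresses."""
    lines = []
    # A fast scan: one source probes 16 ports on one host within 16 seconds.
    for i, port in enumerate(range(20, 36)):
        lines.append(f"2024-03-01T10:00:{i:02d} DROP SRC=203.0.113.7 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    # A busy but legitimate client: 30 connections, all to port 443.
    for i in range(30):
        lines.append(f"2024-03-01T10:00:{i:02d} ACCEPT SRC=198.51.100.4 "
                     f"DST=192.0.2.10 PROTO=TCP DPT=443")
    # A slow scan: one port every ten minutes, 12 ports over two hours.
    for i, port in enumerate(range(1000, 1012)):
        hour, minute = 10 + (i * 10) // 60, (i * 10) % 60
        lines.append(f"2024-03-01T{hour:02d}:{minute:02d}:00 DROP SRC=203.0.113.9 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

The slow scanner in the sample is only caught when the window is widened to hours, which is the trade-off the text alludes to: noisy, fast scans are easy to detect, patient ones are not.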
Tools and Techniques Used

Here are a few examples of active reconnaissance tools.

Nmap

The most well-known tool for active network reconnaissance is probably Nmap.
Using Nmap, we can find out information about a system and its programs. It is
accomplished by using a series of different scan types that take advantage of the
details of how a system or service works. An attacker can learn a great deal about a
network by scanning a system or range of IP addresses under a target’s control.

Metasploit
Metasploit is designed primarily as an exploitation toolkit. Several modules in it
contain multiple prepackaged exploits for various vulnerabilities. Metasploit provides
a window into a wide range of vulnerable machines, even for novice hackers.

Although Metasploit is designed as an exploit toolkit, it can also be used for
reconnaissance. Using the autopwn feature in Metasploit allows a hacker to use
any means necessary to attempt to exploit a target. A hacker can use Metasploit for
more subtle reconnaissance with more targeted analysis.

Passive Reconnaissance

In passive reconnaissance, tools such as Wireshark and Shodan are used to
gather information without interacting directly with systems, while OS
fingerprinting is used to harvest information.

By employing passive reconnaissance, we can gather data without interacting with
the framework or application we are trying to comprehend. Data is collected through
web searches and free reports. The target is unlikely to learn our IP address when
we use passive reconnaissance.

We can also conduct passive recon without directly interacting with the target. By
doing so, no request is sent to the target and, therefore, they have no idea that
information is being gathered about them. In most cases, passive information
gathering utilizes public resources that hold information on the target.

Open-source intelligence (OSINT) involves gathering information from public
resources. Among the things that can be gathered using OSINT are IP addresses,
domain names, email addresses, names, host names, DNS records, and even what
software is running on a website and its associated CVEs.
Tools and Techniques Used

Here are a few recon tools that are used for passive reconnaissance.

Wireshark
Wireshark is best known for its network traffic analysis capabilities, but it is
invaluable for passive network reconnaissance. A hacker who gains access to a
company’s Wi-Fi network or otherwise eavesdrops on employee network traffic, can
then analyze that traffic in Wireshark to gain valuable insights about that network.

Shodan

Shodan is an internet-connected device search engine. With the Internet of things
growing, increasingly insecure devices are being connected to the internet.

Shodan allows hackers to find devices within the IP address range of a company.
Identifying one or more vulnerable IoT devices on a network may give a hacker a
good starting point for a future attack since many IoT devices are vulnerable by
default.


OS Fingerprinting

OS fingerprinting determines what operating system is run by a remote computer.
Most exploitable vulnerabilities are operating system-specific, so OS fingerprinting is
primarily used for cyber reconnaissance.

Google

Another way by which reconnaissance can be performed is by using search engines.

When it comes to passive reconnaissance tools, search engines are on top of the
list. Many remarkable pursuits can be accomplished with Google and other search
engines. Programmers and attackers may use search engines to perform Google
hacking. Innovative hacking strategies coupled with fundamental investigation
techniques can cause great damage.

Nessus
Nessus is a software program that scans a company’s systems for vulnerabilities.
Specifically, it is intended to identify weak applications running in a network and
provide some insights into possible exploitable weaknesses. Even though Nessus is
a paid scanner, the data it offers is extensive, making it an advantageous venture for
hackers.

OpenVAS

As a result of the commercialization of Nessus, OpenVAS was created to scan for
vulnerabilities. OpenVAS was built from the last open-source version of Nessus’s
vulnerability scanner, before it became closed-source, to continue providing a free
alternative. Thus, OpenVAS provides similar functionality to Nessus. However,
OpenVAS might fall short on a few features that have been added since Nessus was
released.

7 Fundamentals of Reconnaissance
Reconnaissance operations are characterized by the following seven fundamentals:

- Maintain a continuous reconnaissance system
- Do not keep reconnaissance assets in reserve
- Orient yourself toward the reconnaissance objective
- Provide accurate and timely information
- Make sure to have room to maneuver
- Gain and maintain contact with enemy forces
- Develop the situation quickly
UNIT 2-Introduction to Digital Forensics

The Need for Digital Forensics,

Digital forensics is a necessary or required process in the organization due to the increased
number of financial and cybercrime incidents. Cybercrime incidents, such as cyberattacks,
cause the loss of critical information or data, which leads to financial losses in terms of
ransom money or the imposition of penalties or fines by the regulatory authorities.

In financial institutions, such as banks, digital frauds, money laundering, terrorist financing,
and other cybercrimes are very common. Therefore, regulatory authorities prescribe
frameworks and guidelines to ensure that banks develop and implement appropriate controls
and measures to prevent the occurrence of cybercrimes and other criminal activities.

Digital forensics is performed by a team of specialists and experts who know the process and
the digital devices being investigated, in order to establish facts and evidence related to a
particular cybercrime. Cyber forensic specialists are experts in performing investigations of
encrypted data using different types of forensics software, tools, and techniques. They can
crack passwords, recover deleted files, etc., to find evidence supporting the cybercrime
incident. The digital forensics process includes investigating devices that may store digital
data or information.
The digital forensics process requires identification, preservation, assessment, and evaluation
of the digital evidence gathered. Uncovering and interpreting electronic data or information
requires subject matter expertise, which is applied to identify the root cause of the
particular cybercrime incident. The purpose of digital forensics is to identify and preserve the
digital evidence in its purest form, to make it possible for relevant investigation
procedures to be performed and conclusions made.
For corporates and businesses, digital forensics is a very important part of the incident
response process. The digital evidence gathered from electronic devices may have to be
presented in a court of law. Therefore, organizations or businesses perform forensics reviews
diligently and with the required care.

Two groups of people mainly use digital forensics:

- Law enforcement agencies in criminal and civil cases: These
agencies use digital evidence to aid suspects’ convictions or
acquittals. These cases can vary from murder trials to civil
cases such as those involving transfer of property.
- Incident response teams in organizations: These teams are
the first responders to cyber attacks such as data breaches
or ransomware threats. They use digital forensics to investigate
the points of entry and possible remediation.
Digital forensics tools can be hardware- or software-based. These tools
are used to inspect devices while maintaining the integrity of the
data. Some standard tools are:

- File analysis tools: These tools extract and analyze individual
files.
- Network analysis tools: These are predominantly network
monitoring tools that extract traffic and payload information.
- Database analyzers: These tools extract, analyze, and query
the database to gather the necessary information.
- Registry tools: Windows-based computing systems record
user activity in the Windows Registry. These tools gather
information from it.
- Data capture tools: These tools capture data, both encrypted
and otherwise. They provide a window into persistent hard
disks and enable data extraction without damaging original
content.
- Email scanners: They scan all email communications for
evidence. These are important for investigating social
engineering attacks.
- Mobile device scanners: These tools scan the internal and
external memory of mobile devices.

Types of Digital Forensics

1. Electronic discovery
Electronic discovery, or e-discovery, is digital data analysis, processing,
and preservation. It is used in a regulatory or legal context.
2. Forensic data analysis
This is the type of cyber forensics that deals explicitly with organized data.
It involves data analysts combing through troves of data to arrive at usable
evidence. It mainly affects the financial fraud space.
3. Incident Response
Incident response is digital forensics from a corporate point of view. This
type of forensics aims to ensure business continuity and reduce the impact
of an event (such as a data breach). Internal teams in an organization
mainly carry it out.
4. Computer forensics
Computer forensics is digital forensics that deals with accessing,
gathering, and analyzing information on computer systems that operate at
a computing or storage capacity. Most types of digital forensics are a
branch of computer forensics.
5. Network forensics
Standalone computers are rare today. Almost all digital devices are
connected to each other and the internet using computer networks.
Network forensics involves the analysis of network traffic patterns and
incriminating payloads.
6. Database forensics
Database forensics involves the analysis and extraction of data and
metadata from databases. This includes data stored by third-party services
in a contract with the suspect. These might even be SaaS vendors when we
consider incidents in organizations.
7. Disk forensics
Another subset of computer forensics, disk forensics, specializes in data
retrieval and recovery from nonvolatile devices.
8. Memory forensics
While disk forensics focuses on persistent storage, memory forensics
focuses on RAM. Memory forensics is also called live acquisition since it
presents the ‘crime scene’ as it is.
9. Cloud forensics
With most systems on the cloud now, cloud forensics deals with cloud-
hosted information. It requires the analysis of configuration, security, and
the geolocation of cloud-based assets. Cloud forensics requires
cooperation from cloud vendors (such as AWS and Google Cloud).
10. Email forensics
Email forensics involves retrieving and scanning all email communication,
including the deleted ones. Forensic analysts look for identities, content,
time stamps, and other metadata attached to the emails. Email forensics
looks for forged emails and malicious content, such as phishing emails.
WHAT IS A COMPUTER SECURITY INCIDENT?
We define a computer security incident as any unlawful, unauthorized, or unacceptable
action that involves a computer system or a computer network. Such an action can include
any of the following events:
_ Theft of trade secrets
_ Email spam or harassment
_ Unauthorized or unlawful intrusions into computing systems
_ Embezzlement
_ Possession or dissemination of child pornography
_ Denial-of-service (DoS) attacks
_ Tortious interference of business relations
_ Extortion
_ Any unlawful action when the evidence of such action may be stored on
computer media such as fraud, threats, and traditional crimes.

WHAT ARE THE GOALS OF INCIDENT RESPONSE?

In our incident response methodology, we emphasize the goals of corporate security professionals
with legitimate business concerns, but we also take into consideration the concerns
of law enforcement officials. Thus, we developed a methodology that promotes
a coordinated, cohesive response and achieves the following:
_ Prevents a disjointed, noncohesive response (which could be disastrous)
_ Confirms or dispels whether an incident occurred
_ Promotes accumulation of accurate information
_ Establishes controls for proper retrieval and handling of evidence
_ Protects privacy rights established by law and policy
_ Minimizes disruption to business and network operations
_ Allows for criminal or civil action against perpetrators
_ Provides accurate reports and useful recommendations
_ Provides rapid detection and containment
_ Minimizes exposure and compromise of proprietary data
_ Protects your organization’s reputation and assets
_ Educates senior management

WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?
Incident response is a multifaceted discipline. It demands a myriad of capabilities that
usually require resources from several different operational units of an organization. Human
resources personnel, legal counsel, technical experts, security professionals, corporate
security officers, business managers, end users, helpdesk workers, and other
employees may find themselves involved in responding to a computer security incident.
Most organizations establish a team of individuals, often referred to as a Computer
Security Incident Response Team (CSIRT), to respond to any computer security incident.
The CSIRT is a multidisciplined team with the appropriate legal, technical, and other

Q.

INCIDENT RESPONSE METHODOLOGY

We are always on a quest for the perfect way to organize a process. We search for the right
way to define phases of the process, look for bright-line separation of phases to avoid
murky areas, try to make the perfect flowchart to illustrate the process, and organize the
phases so the process can be applied to the widest range of possible scenarios. Since the
incident response process can involve so many variables and factors that affect its flow, it
is quite a challenge to create a simple picture of the process while maintaining a useful
level of accuracy. However, we feel that we have developed an incident response process
that is both simple and accurate.
Computer security incidents are often complex, multifaceted problems. Just as with
any complex engineering problem, we use a “black box” approach. We divide the larger
problem of incident resolution into components and examine the inputs and outputs of
each component. Figure 2-1 illustrates our approach to incident response. In our methodology,
there are seven major components of incident response:
Host-based Information Host-based evidence includes logs, records, documents, and any
other information that is found on a system and not obtained from network-based nodes.
For example, host-based information might be a system backup that harbors evidence at
a specific period in time. Host-based data collection efforts should include gathering information
in two different manners: live data collection and forensic duplication.
In some cases, the evidence that is required to understand an incident is ephemeral
(temporary or fleeting) or lost when the victim/relevant system is powered down. This
volatile data can provide critical information when attempting to understand the nature
of an incident. Therefore, the first step of data collection is the collection of any volatile information
from a host before this information is lost. The volatile data provides a “snapshot”
of a system at the time you respond. You record the following volatile information:
_ The system date and time
_ The applications currently running on the system
_ The currently established network connections
_ The currently open sockets (ports)
_ The applications listening on the open sockets
_ The state of the network interface (promiscuous or not)
In order to collect this information, a live response must be performed. A live response
is conducted when a computer system is still powered on and running. This means that
the information contained in these areas must be collected without impacting the data on
the compromised device. There are three variations of live response:
_ Initial live response This involves obtaining only the volatile data from
a target or victim system. An initial live response is usually performed when
you have decided to conduct a forensic duplication of the media.
_ In-depth response This goes beyond obtaining merely the volatile data. The
CSIRT obtains enough additional information from the target/victim system
to determine a valid response strategy. Nonvolatile information such as log
files are collected to help understand the nature of the incident.
_ Full live response This is a full investigation on a live system. All data for
the investigation is collected from the live system, usually in lieu of performing
a forensic duplication, which requires the system to be powered off.
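The volatile items listed above, as an added example that is not from the original notes: a small Python live-response collector for Linux that records the collection time, the running processes, the listening and established TCP sockets, and each interface’s promiscuous flag by reading only /proc and /sys, then seals the snapshot with a SHA-256 hash so the record can be shown later to be unaltered. Mapping each socket to the application that owns it needs /proc/<pid>/fd, which normally requires root, and is left out; the /proc/net/tcp excerpt used for the self-check is constructed.

```python
import hashlib
import json
import os
import socket
import struct
from datetime import datetime, timezone

# Socket states as encoded in the "st" column of /proc/net/tcp (kernel enum).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}
IFF_PROMISC = 0x100   # interface flag bit meaning "promiscuous mode"


def _decode_addr(hex_addr):
    """'0100007F:0277' -> '127.0.0.1:631' (IPv4 is stored little-endian in hex)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into a list of socket records."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({"local": _decode_addr(parts[1]),
                     "remote": _decode_addr(parts[2]),
                     "state": TCP_STATES.get(parts[3], parts[3]),
                     "inode": parts[9]})
    return rows


def collect_volatile_linux():
    """Collect the volatile items in the order the text lists them, reading
    /proc and /sys only. Runs unprivileged on Linux; elsewhere the lists stay empty."""
    snap = {"collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "processes": [], "sockets": [], "interfaces": []}
    try:
        for pid in sorted(p for p in os.listdir("/proc") if p.isdigit()):
            try:
                with open(f"/proc/{pid}/comm") as f:
                    snap["processes"].append({"pid": int(pid), "comm": f.read().strip()})
            except OSError:
                continue                         # the process exited meanwhile
        with open("/proc/net/tcp") as f:
            snap["sockets"] = [r for r in parse_proc_net_tcp(f.read())
                               if r["state"] in ("LISTEN", "ESTABLISHED")]
        for ifname in sorted(os.listdir("/sys/class/net")):
            with open(f"/sys/class/net/{ifname}/flags") as f:
                flags = int(f.read().strip(), 16)   # e.g. "0x1003"
            snap["interfaces"].append({"name": ifname,
                                       "promiscuous": bool(flags & IFF_PROMISC)})
    except OSError:
        pass
    return snap


def seal(snapshot):
    """Serialise the snapshot canonically and hash it, so the record handed to
    the investigation can later be verified against this digest."""
    blob = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return blob, hashlib.sha256(blob).hexdigest()


# Constructed /proc/net/tcp excerpt: a listener on 127.0.0.1:631 and an
# established connection from 192.0.2.10:40000 to 198.51.100.4:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:9C40 046433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    blob, digest = seal(collect_volatile_linux())
    print(f"snapshot: {len(blob)} bytes, sha256={digest}")
```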

_ Pre-incident preparation Take actions to prepare the organization and the
CSIRT before an incident occurs.
Pre-Incident Preparation
Preparation leads to successful incident response. During this phase, your organization
needs to prepare both the organization itself as a whole and the CSIRT members, prior to
responding to a computer security incident.
We recognize that computer security incidents are beyond our control; as investigators,
we have no idea when the next incident will occur. Furthermore, as investigators, we
often have no control or access to the affected computers before an incident occurs. However,
lack of control does not mean we should not attempt to posture an organization to
promote a rapid and successful response to any incidents.
Incident response is reactive in nature. The pre-incident preparation phase comprises
the only proactive measures the CSIRT can initiate to ensure that an organization’s assets
and information are protected.
Ideally, preparation will involve not just obtaining the tools and developing techniques
to respond to incidents, but also taking actions on the systems and networks that
will be part of any incident you need to investigate. If you are fortunate enough to have
any level of control over the hosts and networks that you will be asked to investigate,
there are a variety of steps you can take now to save time and effort later.
Preparing the Organization
Preparing the organization involves developing all of the corporate-wide strategies you
need to employ to better posture your organization for incident response. This includes
the following:
_ Implementing host-based security measures
_ Implementing network-based security measures
_ Training end users
_ Employing an intrusion detection system (IDS)
_ Creating strong access control
_ Performing timely vulnerability assessments
_ Ensuring backups are performed on a regular basis
Q. What are the incident handling steps?
Preparing the CSIRT
The CSIRT is defined during the pre-incident preparation phase. Your organization will
assemble a team of experts to handle any in
_ The hardware needed to investigate computer security incidents
_ The software needed to investigate computer security incidents
_ The documentation (forms and reports) needed to investigate computer
security incidents
_ The appropriate policies and operating procedures to implement your
response strategies
_ The training your staff or employees require to perform incident response in
a manner that promotes successful forensics, investigations, and remediation

Detection of Incidents
If an organization cannot detect incidents effectively, it cannot succeed in responding to
incidents. Therefore, the detection of incidents phase is one of the most important aspects
of incident response. It is also one of the most decentralized phases, in which those with
incident response expertise have the least control.
Suspected incidents may be detected in countless ways. Computer security incidents
are normally identified when someone suspects that an unauthorized, unacceptable,
or unlawful event has occurred involving an organization’s computer networks or
data-processing equipment. Initially, the incident may be reported by an end user,
detected by a system administrator, identified by IDS alerts, or discovered by many other
means. Some of the functional business areas involved in detection and some common indicators
of a computer security incident are illustrated in Figure 2-2.

Organizations must have a well-documented and simple mechanism for reporting
incidents. This is critical to establish accurate metrics, which is often required to obtain
the proper budget required for an organization’s incident response capability.

Initial Response
One of the first steps of any investigation is to obtain enough information to determine an
appropriate response. The initial response phase involves assembling the CSIRT, collecting
network-based and other data, determining the type of incident that has occurred,
and assessing the impact of the incident. The idea is to gather enough information to
begin the next phase, which is developing a response strategy. The other purpose of the
initial response phase is to document steps that must be taken. This approach prevents
“knee-jerk” reactions and panic when an incident is detected, allowing your organization
to implement a methodical approach in the midst of a stressful situation.

Formulate a Response Strategy
The goal of the response strategy formulation phase is to determine the most appropriate
response strategy, given the circumstances of the incident. The strategy should take into
consideration the political, technical, legal, and business factors that surround the incident.
The final solution depends on the objectives of the group or individual with responsibility
for selecting the strategy.

Taking Action
Occasionally, an organization will need to take action to discipline an employee or to
respond to a malicious act by an outsider. When the incident warrants, this action can be
initiated with a criminal referral, a civil complaint, or some administrative reprimand or
privilege revocation.
Legal Action It is not uncommon to investigate a computer security incident that is
actionable, or could lead to a lawsuit or court proceeding. The two potential legal choices
are to file a civil complaint or to notify law enforcement. Law enforcement involvement
will reduce the autonomy that your organization has in dealing with an incident, and
careful deliberation should occur before you engage the appropriate authorities. In cases
where your organization feels compelled to notify law enforcement, you may want to determine
the amount of effort and resources you want to invest in the investigation before
bringing in a law enforcement agency.

Investigate the Incident
The investigation phase involves determining the who, what, when, where, how, and
why surrounding an incident. You will conduct your investigation, reviewing host-based
evidence, network-based evidence, and evidence gathered via traditional, nontechnical
investigative steps.
No matter how you conduct your investigation, you are responding to an incident
caused by people. People cause these incidents by using things to destroy, steal, access,
hide, attack, and hurt other things. As with any type of investigation, the key is to determine
which things were harmed by which people. However, a computer crime incident
adds complexity to this simple equation. Establishing the identity behind the people on a
network is increasingly difficult.

Users are becoming more adept at using encryption, steganography, anonymous
email accounts, fakemail, spoofed source IP addresses, spoofed MAC addresses,
masquerading as other individuals, and other means to mask their true identity in
“cyberspace.” In fact, establishing the identity of an attacker who brought down your
web site can be so time consuming that most companies may elect not to even try. Since
establishing identity can be less of a concern to the victim than the things harmed or
damaged, many organizations choose to focus solely on what was damaged, how it was damaged,
and how to fix it.

Data Collection
Data collection is the accumulation of facts and clues that should be considered during
your forensic analysis. The data you collect forms the basis of your conclusions. If you do
not collect all the necessary data, you may not be able to successfully comprehend how an
incident occurred or appropriately resolve an incident. You must collect data before you
can perform any investigation.
Data collection involves several unique forensic challenges:
 You must collect electronic data in a forensically sound manner.
 You are often collecting more data than you can read in your lifetime
(computer storage capacity continues to grow).
 You must handle the data you collect in a manner that protects its
integrity (evidence handling).
Ethics in Digital Forensics

Ethics in the Investigation of Digital Forensics

Ethical conduct is fundamental to maintaining the credibility and reliability of
digital forensic investigations. Digital forensic professionals should adhere to
these ethical principles to ensure that their work serves justice, protects
privacy, and upholds the rule of law. Violations of ethics in digital forensic
investigations can have serious consequences, including the dismissal of
evidence and damage to professional reputations.

Digital forensic investigations require a strong commitment to ethical
principles and standards to ensure the integrity of the process and maintain
public trust. Here are some key ethical considerations for digital forensic
investigations:
1. Objectivity and Impartiality:
Digital forensic investigators must remain neutral and objective throughout the
investigation. They should avoid bias, preconceived notions, or personal
opinions that could influence the findings.
2. Privacy and Consent:
Respect individuals’ privacy rights and obtain proper consent or legal
authorization to access and examine their digital devices or data.
3. Legal Compliance:
Conduct investigations in compliance with all applicable laws, regulations, and
legal requirements. Obtain the necessary warrants or permissions when
required.
4. Integrity and Honesty:
Maintain the highest standards of integrity and honesty in all aspects of the
investigation, including data collection, analysis, and reporting.
5. Confidentiality:
Safeguard sensitive and confidential information obtained during the
investigation. Ensure that only authorized individuals have access to the
evidence and findings.
6. Data Preservation:
Preserve the integrity of digital evidence by using proper acquisition
techniques, ensuring the chain of custody, and avoiding any actions that could
alter or destroy the original data.
7. Transparency:
Be transparent about the methods, tools, and techniques used during the
investigation. Provide clear documentation of all actions taken.
8. Competence and Training:
Digital forensic investigators should maintain their competence through
ongoing training and education to keep up with evolving technologies and
techniques.
9. Conflict of Interest:
Avoid conflicts of interest that could compromise the impartiality and integrity
of the investigation. Disclose any potential conflicts and take appropriate steps
to mitigate them.
10. Respect for Professional Boundaries:
Maintain professional boundaries and avoid personal or emotional
involvement in cases. Focus on the facts and evidence.
11. Respect for Human Rights:
Uphold human rights and dignity in all interactions with individuals involved in
the investigation, including suspects, victims, and witnesses.
12. Evidence Handling and Retention:
Properly handle, document, and store evidence to prevent tampering,
contamination, or loss. Ensure that evidence is retained as required by law.
13. Testimony and Expertise:
When providing expert testimony in court, present findings accurately and
truthfully, and be prepared to explain and defend the methods used during the
investigation.
14. Professionalism:
Conduct investigations in a professional manner, treating all parties involved
with respect and courtesy.
15. Continuous Improvement:
Foster a commitment to continuous improvement in digital forensic practices,
ethics, and standards.

UNIT 3- Data Collection

Q. Explain the steps of Live Data Collection from the Windows System

CREATING A RESPONSE TOOLKIT

For an initial response, you need to plan your approach to obtain all the information
without affecting any potential evidence. Because you will be issuing commands with
administrator rights on the victim system, you need to be particularly careful not to destroy
or alter the evidence. The best way to meet this goal is to prepare a complete response
toolkit.

STORING INFORMATION OBTAINED DURING THE INITIAL RESPONSE
During your initial response, you will gather a lot of information from the live system.
We use the term live to refer to a system that is relevant to an investigation, whether it is
the attacking system or the victim, and is currently powered on. Think of it as the crime
scene before photos are taken and bodies are removed. You are operating in an untrusted
environment, where the unexpected should be anticipated.
You have four options when retrieving information from a live system:
 Save the data you retrieve on the hard drive of the target system.
 Record the data you retrieve by hand in a notebook.
 Save the data you retrieve onto the response floppy disk or other
removable media.
 Save the data you retrieve on a remote “forensic system” using
netcat or cryptcat.
Saving data to the hard drive is undesirable because it modifies the system. Recording
data by hand is not practical due to the volume of information. Floppy drives are usually
not a great choice because the data will not fit on the floppy. Other removable,
writable media with a larger capacity than a floppy would be ideal, but the victim system
may not have a drive for such media. However, we are happy to report a new solution:
the removable USB drive. These small devices, about the size of your thumb, provide fantastic
storage capabilities (up into the gigabyte range) and can be used to store your
toolkit as well as the collected data. These devices have drivers built in, so they will work
with any computer that sports a USB port and Windows software. USB ports are fairly
ubiquitous now, so we recommend obtaining a few of these devices for your response
toolkit.

Transferring Data with netcat

netcat is a freely available tool that creates a channel of communication between hosts.
We use it during initial response to create a reliable TCP connection between the target
system and the forensic workstation used for analysis. All that you need to use netcat
is an IP address on the target network and a laptop system with enough storage space to
retain the information you gather.

Encrypting Data with cryptcat

The drawback of transferring data across a network is that the data may be visible to network
eavesdroppers. Consider encrypting the traffic using cryptcat. An alternative is
to use a crossover cable to directly connect the victim system and the forensics workstation.
cryptcat has the same syntax and functions as the netcat command, but the data
transferred is encrypted. There are two compelling arguments for encrypting your traffic
when sending files from a target system:
 An attacker’s sniffer cannot compromise the information you obtain.
 Encrypting the data nearly eliminates the risk of contamination or injection
of data.

OBTAINING VOLATILE DATA

Now that you have a forensic toolkit and a methodology, you need to determine exactly
which data to collect. At this point, you want to obtain the volatile data from the Windows
NT/2000 system prior to turning off that system. At a minimum, we collect the following
volatile data prior to forensic duplication:
 System date and time
 A list of the users who are currently logged on
 Time/date stamps for the entire file system
 A list of currently running processes
 A list of currently open sockets
 The applications listening on open sockets
 A list of the systems that have current or had recent connections to the system
If you know that your investigation is unlikely to require forensic duplication, you
may want to collect more data. For example, you may want to dump RAM, obtain some
information from the Registry, or perform other actions on the target system, pending the
totality of the circumstances. Gathering this information is covered in the “Performing an
In-Depth Live Response” section later in this chapter. Here, we describe the steps necessary
to obtain critical data that is lost if you simply turn off the system and perform forensic
duplication.

Preparing the Toolkit
You need to ensure that your toolkit will function exactly as intended and not alter the
target system. We take several steps to prepare our toolkits for initial response:
 Label the response toolkit media. A first step in evidence collection is to
document the collection itself. Your response toolkit CD-ROM or floppy disks
should be labeled to identify this part of your investigation. For example, for
our response floppies and CDs, we make a specialized label that has the following
information on it:
    Case number
    Time and date
    Name of the investigator who created the response media
    Name of the investigator using the response media
    Whether or not the response media (usually a floppy disk) contains output
   files or evidence from the victim system
 Check for dependencies with Filemon. It is important to determine which
DLLs and files your response tools depend on. We use Filemon to determine
all the files accessed and affected by each of the utilities in our toolkit. It is
good to know which tools change access times on files on the target system.
When we can, we avoid using “loud” tools that alter a lot of the target system.
 Create a checksum for the response toolkit. One of the files on our response
kit floppy (and CD and USB drive) is a text file with a checksum of all the
commands on it. Figure 5-1 shows the md5sum command line used to create
the text file (named commandsums.txt).
 Write-protect any toolkit floppies. If you use floppy disks, be sure to write-protect
the floppy after it is created. If you store evidentiary files on the response
floppy during an incident, you need to write-protect it after you accumulate
data and begin the chain of custody. The chain of custody tags should be filled
out for each response floppy or CD, whether or not it contains evidence files.
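The checksum step above, worked through as an added example (this is not the book's code or its Figure 5-1 command line): it builds a commandsums.txt-style manifest for every tool on the response media and verifies the media against it before use, reporting tools that were modified, removed, or added since the manifest was made. SHA-256 stands in for the md5sum the text mentions, because MD5 collisions are practical today; the manifest format and procedure are otherwise the same. The toolkit directory, file names, and tampering in the demo are constructed for the demonstration.

```python
"""Response toolkit integrity manifest (added example, not from the book).

Builds a checksum file for every tool on the response media and verifies the
media against it. SHA-256 replaces md5sum; the procedure is the book's.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """Stream a file through SHA-256 so large tools need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(toolkit_dir, manifest_name="commandsums.txt"):
    """Write '<digest>  <relative path>' lines (md5sum/sha256sum layout)
    for every file on the media except the manifest itself."""
    lines = []
    for root, _dirs, files in os.walk(toolkit_dir):
        for name in sorted(files):
            if name == manifest_name:
                continue
            path = os.path.join(root, name)
            lines.append(f"{hash_file(path)}  {os.path.relpath(path, toolkit_dir)}")
    manifest_path = os.path.join(toolkit_dir, manifest_name)
    with open(manifest_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return manifest_path


def verify_manifest(toolkit_dir, manifest_name="commandsums.txt"):
    """Compare the media against its manifest. Returns the tools that still
    match ("ok"), whose hash changed ("modified"), that are listed but gone
    ("missing"), and that are present but were never listed ("unlisted")."""
    expected = {}
    with open(os.path.join(toolkit_dir, manifest_name)) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                expected[rel] = digest
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    seen = set()
    for root, _dirs, files in os.walk(toolkit_dir):
        for name in files:
            if name == manifest_name:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, toolkit_dir)
            seen.add(rel)
            if rel not in expected:
                result["unlisted"].append(rel)
            elif hash_file(path) == expected[rel]:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = sorted(set(expected) - seen)
    return result


def demo():
    """Constructed toolkit in a temp dir: hash it, then alter one tool and
    drop in an unlisted file, and re-verify. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as kit:
        tools = {"cmd.exe": b"trusted shell", "netstat.exe": b"trusted netstat"}
        for name, content in tools.items():
            with open(os.path.join(kit, name), "wb") as f:
                f.write(content)
        build_manifest(kit)
        clean = verify_manifest(kit)
        with open(os.path.join(kit, "netstat.exe"), "ab") as f:
            f.write(b" + altered after the manifest was made")
        with open(os.path.join(kit, "extra.dll"), "wb") as f:
            f.write(b"file that was never on the verified media")
        tampered = verify_manifest(kit)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean media:", clean)
    print("tampered media:", tampered)
```

Run the verification from a trusted workstation before the media is taken to the target, and again when it comes back: a "modified" or "unlisted" entry on return means the media was written to, which is exactly what the write-protect step is meant to prevent.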

Collecting Volatile Data

Now that you know what to collect and how to document your response, you are ready
to retrieve the volatile data. We have created a “top-ten” list of the steps to use for data
collection:
1. Execute a trusted cmd.exe.
2. Record the system time and date.
3. Determine who is logged in to the system (and remote-access users,
if applicable).
4. Record modification, creation, and access times of all files.
5. Determine open ports.
6. List applications associated with open ports.
7. List all running processes.
8. List current and recent connections.
9. Record the system time and date.
10. Document the commands used during initial response.
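The top-ten procedure above, combined with the netcat transfer from “Transferring Data with netcat”, as an added example (not code from the book): each collection command runs on the live host and its output is streamed over a TCP connection to a listener that plays the forensic workstation, which is what `command | nc host port` on the target and `nc -l -p port > file` on the workstation do. The system time is recorded before and after the run (steps 2 and 9) and every command is documented with the hash of its output (step 10), so the workstation's copy can be checked against the sender's log. Like netcat, this transport is in the clear; the cryptcat section explains why you would encrypt it. The loopback listener, the portable stand-in commands, and the case number are constructed for the demonstration.

```python
"""Volatile-data collection streamed to a forensic workstation (added example).

Models the book's netcat procedure: one TCP connection per artifact, read to
EOF on the workstation side. SHA-256 of each artifact is kept on both ends.
"""
import datetime
import hashlib
import socket
import subprocess
import sys
import threading


def utc_timestamp():
    """ISO-8601 UTC time, so entries from different hosts can be ordered."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


class ForensicListener(threading.Thread):
    """Stand-in for the forensic workstation: accepts one connection per
    artifact, reads it to EOF and records the bytes with their SHA-256."""

    def __init__(self, expected_artifacts):
        super().__init__(daemon=True)
        self.expected = expected_artifacts
        self.received = []  # (sha256, size, data) per artifact, in arrival order
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, like `nc -l -p <port>`
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        for _ in range(self.expected):
            conn, _addr = self.sock.accept()
            chunks = []
            with conn:
                while True:
                    data = conn.recv(65536)
                    if not data:  # sender half-closed: the artifact is complete
                        break
                    chunks.append(data)
            blob = b"".join(chunks)
            self.received.append((hashlib.sha256(blob).hexdigest(), len(blob), blob))
        self.sock.close()


def send_artifact(host, port, data):
    """Equivalent of `command | nc host port`: stream the bytes, then half-close
    so the listener sees EOF and knows the artifact is complete."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def collect_volatile(host, port, commands, case_number):
    """Run each (label, argv) pair, ship its output and return the collection log."""
    log = {"case": case_number, "start": utc_timestamp(), "steps": []}  # step 2
    for label, argv in commands:
        proc = subprocess.run(argv, capture_output=True)
        output = proc.stdout + proc.stderr
        send_artifact(host, port, output)
        log["steps"].append({  # step 10: document exactly what was run
            "label": label,
            "command": " ".join(argv),
            "exit": proc.returncode,
            "sha256": hashlib.sha256(output).hexdigest(),
            "bytes": len(output),
        })
    log["end"] = utc_timestamp()  # step 9
    return log


def demo():
    """Constructed, portable stand-ins for the real commands (date /t, netstat -an,
    pslist, ...). The first emits fixed bytes so its hash is known in advance."""
    commands = [
        ("toolkit marker", [sys.executable, "-c",
                            "import sys; sys.stdout.buffer.write(b'hello\\n')"]),
        ("collector pid", [sys.executable, "-c",
                           "import os, sys; sys.stdout.buffer.write(str(os.getpid()).encode() + b'\\n')"]),
    ]
    listener = ForensicListener(expected_artifacts=len(commands))
    listener.start()
    log = collect_volatile("127.0.0.1", listener.port, commands, "CASE-0001")
    listener.join(timeout=10)
    return log, listener.received


if __name__ == "__main__":
    collection_log, received = demo()
    for step, (digest, size, _data) in zip(collection_log["steps"], received):
        print(step["label"], "hash matches:", step["sha256"] == digest, size, "bytes")
```

On a real engagement the command list is the trusted toolkit (the cmd.exe from step 1 and the tools whose checksums you recorded), and the log returned by `collect_volatile` is written on the workstation, not on the target, so nothing here touches the victim's disk.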

PERFORMING AN IN-DEPTH LIVE RESPONSE
Sometimes, your response at the console of a live system needs to go beyond merely obtaining
the volatile information. Perhaps shutting off the target system is not even an option,
because there are numerous concerns about disruption of service.
You may need to find evidence and properly remove rogue programs without disrupting
any services provided by the victim machine. In other words, you will not be able
to shut off the machine, disable network connections, overtax the CPU, or use Safeback
and EnCase (or any other popular Windows/DOS-based forensic software). This is
somewhat contrary to traditional computer forensics, but the requirement to be able to
retrieve forensically sound data without disrupting the operation of the victim computer
is becoming more common.

Q. Explain the steps of Live Data Collection from the UNIX System pg no 126-137
Q. Collecting Network-based Evidence - pg no 174-193
Q- chapter 7,8,9,1116,17
