Digital Forensic
The first penetration testing phase is reconnaissance. In this phase, the tester
gathers as much information about the target system as they can, including
information about the network topology, operating systems and applications, user
accounts, and other relevant information. The goal is to gather as much data as
possible so that the tester can plan an effective attack strategy.
Reconnaissance can be categorized as either active or passive depending on what
methods are used to gather information (Braithwaite, 2022). Passive reconnaissance
pulls information from resources that are already publicly available, whereas active
reconnaissance involves directly interacting with the target system to gain
information. Typically, both methods are necessary to form a full picture of the
target’s vulnerabilities.
Scanning
Once all the relevant data has been gathered in the reconnaissance phase, it’s time
to move on to scanning. In this penetration testing phase, the tester uses various
tools to identify open ports and check network traffic on the target system. Because
open ports are potential entry points for attackers, penetration testers need to
identify as many open ports as possible for the next penetration testing phase.
This step can also be performed outside of penetration testing; in those cases, it’s
referred to simply as vulnerability scanning and is usually an automated process.
However, there are drawbacks to only performing a scan without a full penetration
test: a scanner can flag a potential weakness, but it cannot show whether that
weakness is actually exploitable or how far an attacker could get with it (Agio, 2022).
So, while scanning is essential for cybersecurity, it needs human intervention in the
form of penetration testers to reach its full potential.
Vulnerability Assessment
The third penetration testing phase is vulnerability assessment, in which the tester
uses all the data gathered in the reconnaissance and scanning phases to identify
potential vulnerabilities and determine whether they can be exploited. Much like
scanning, vulnerability assessment is a useful tool on its own but is more powerful
when combined with the other penetration testing phases.
When determining the risk of discovered vulnerabilities during this stage, penetration
testers have many resources to turn to. One is the National Vulnerability Database
(NVD), a repository of vulnerability management data maintained by NIST, an agency of
the U.S. government. The NVD takes the entries published in the Common Vulnerabilities
and Exposures (CVE) list and enriches each one with analysis, affected-product
identifiers and a severity rating expressed with the Common Vulnerability Scoring
System (CVSS). A CVSS base score is derived from a vector string such as
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, so a tester can recompute it, or adjust
it for the environment under test, rather than quoting the published number blindly.
Exploitation
Once vulnerabilities have been identified, it’s time for exploitation. In this penetration
testing phase, the penetration tester attempts to access the target system and
exploit the identified vulnerabilities, typically by using a tool like Metasploit to
simulate real-world attacks.
This is perhaps the most delicate penetration testing phase because accessing the
target system requires bypassing security restrictions. Though system crashes
during penetration testing are rare, some exploits (memory-corruption payloads in
particular) can bring a service down, so testers must still be cautious to ensure that
the system isn't compromised or damaged beyond what the rules of engagement allow
(Basu, 2022).
Reporting
Once the exploitation phase is complete, the tester prepares a report documenting
the penetration test’s findings. The report generated in this final penetration testing
phase can be used to fix any vulnerabilities found in the system and improve the
organization’s security posture.
Building a penetration testing report requires clearly documenting vulnerabilities and
putting them into context so that the organization can remediate its security risks.
The most useful reports include sections for a detailed outline of uncovered
vulnerabilities (including CVSS scores), a business impact assessment, an
explanation of the exploitation phase’s difficulty, a technical risk briefing, remediation
advice, and strategic recommendations (Sharma, 2022).
What is Reconnaissance?
Ethical hacking begins with gathering information and becoming familiar with the
target system. Reconnaissance refers to the set of processes and techniques, such as
footprinting, scanning and enumeration, that are used to discover as much information
as possible about a target system, as covertly as possible.
For an attacker, reconnaissance is the first step toward locating and stealing
confidential information: a thorough recon yields a detailed picture of the target
before a single exploit is tried. Penetration testers perform the same reconnaissance
so that they see exactly what an attacker would see.
Passive recon gathers information without engaging the target directly; active recon
interacts with the network's open ports, running services and so on. Together they
reveal hosts, services, software versions and user names that let an attacker reach
further into the network than is visible from the internet. In short, recon produces a
treasure trove of information that is itself sensitive, because it shapes every later
attack.
There is no fixed duration for reconnaissance; it may take weeks or months. Recon does
not even have to touch an information system to be harmful: data gathered in bulk from
public sources can already expose sensitive information and set up a later breach of
the network.
During reconnaissance an ethical hacker, like an attacker, gathers the following
categories of information about a target system:
File permissions
Running network services
OS platform
Trust relationships
User account information
Active Reconnaissance
Using port scanning, attackers determine which services are exposed and where an
attack can be conducted. As part of port scanning, the responses from open ports
(banners, protocol handshakes, version strings) are collected and analyzed.
Tools and Techniques Used
Nmap
Nmap is probably the most well-known tool for active network reconnaissance. With
Nmap we can find out which hosts are up, which ports are open and what software is
listening on them. It does this through a series of different scan types, each
exploiting details of how a TCP/IP stack or a service responds to particular packets.
By scanning a single system or a range of IP addresses under the target's control, an
attacker can learn a great deal about the network.
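To show what the simplest of those scan types does at the socket level, here is an added Python example (not code from the original page or from the Nmap project) that performs a TCP connect scan, the equivalent of nmap -sT: a full handshake to each port, the result classified as open, closed or filtered the way Nmap reports it, followed by a banner grab. The target is a fake service started on the loopback interface so the script runs offline; the SSH-style banner is constructed for the demonstration.

```python
"""TCP connect scan with banner grab (added example; not from the page or Nmap)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner: bytes):
    """Listen on a free loopback port and send `banner` to every client (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop the thread
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port() -> int:
    """Ask the OS for a free port and release it, so nothing is listening there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> tuple:
    """Complete a TCP handshake to one port; return (port, state, banner)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:      # RST came back: nothing is listening
        s.close()
        return port, "closed", b""
    except (socket.timeout, OSError):   # no answer or unreachable: treated as filtered
        s.close()
        return port, "filtered", b""
    try:
        banner = s.recv(128)            # many services speak first (SSH, SMTP, FTP)
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return port, "open", banner


def connect_scan(host: str, ports, workers: int = 32) -> dict:
    """Scan `ports` in parallel; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: (state, banner) for port, state, banner in results}


if __name__ == "__main__":
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    closed_port = free_closed_port()
    scan = connect_scan("127.0.0.1", [open_port, closed_port])
    for port, (state, banner) in sorted(scan.items()):
        print(f"{port}/tcp {state:8} {banner.strip().decode(errors='replace')}")
    srv.close()
```

A connect scan is the noisiest option: every probe completes the handshake, so the target's service logs record a connection from the scanner. Nmap's SYN scan (-sS) avoids the final ACK, which is why it is the default when Nmap runs with raw-socket privileges.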
Metasploit
Metasploit is designed primarily as an exploitation framework: its exploit modules
contain prepackaged exploits for a large number of vulnerabilities, and it gives even
novice operators a window into a wide range of vulnerable machines. It belongs in this
list because its auxiliary modules also include port scanners and service-version and
login scanners, which are used for active reconnaissance.
Passive Reconnaissance
We can also conduct passive recon without directly interacting with the target. By
doing so, no request is sent to the target and, therefore, they have no idea that
information is being gathered about them. In most cases, passive information
gathering utilizes public resources that hold information on the target.
Here are a few tools used for passive reconnaissance.
Wireshark
Wireshark is best known for its network traffic analysis capabilities, but it is also
valuable for passive network reconnaissance. A hacker who gains access to a
company's Wi-Fi network, or otherwise eavesdrops on employee network traffic, can
analyze that traffic in Wireshark to learn hosts, protocols and sometimes credentials
without sending a single packet to the target.
Shodan
Shodan indexes internet-facing devices and lets a hacker find those within a
company's IP address range without touching them. Identifying one or more vulnerable
IoT devices on a network may give a hacker a good starting point for a future attack,
since many IoT devices ship with default credentials or unpatched firmware.
Search Engines
When it comes to passive reconnaissance tools, search engines are at the top of the
list. A great deal can be accomplished with Google and other search engines.
Programmers and attackers use them to perform Google hacking (also called Google
dorking): advanced search operators such as site:, filetype: and inurl: surface
indexed documents, login pages and misconfigured servers that the target never meant
to expose. Combined with basic investigation techniques, this can cause great damage.
Nessus
Nessus is a commercial vulnerability scanner. It identifies weak or outdated
applications running on a network and provides insight into possibly exploitable
weaknesses. Strictly speaking it is an active scanner rather than a passive one, since
it probes the target directly. Even though Nessus is a paid product, the data it offers
is extensive, which makes it valuable to attackers and testers alike.
OpenVAS
OpenVAS is the open-source vulnerability scanner maintained by Greenbone and is
commonly used as a free alternative to Nessus; it fills the same role of enumerating
exposed services and matching them against known vulnerabilities.
7 Fundamentals of Reconnaissance
Reconnaissance operations are characterized by the following seven fundamentals:
Digital forensics is a necessary or required process in the organization due to the increased
number of financial and cybercrime incidents. The cybercrime incidents, such as cyberattack,
cause the loss of critical information or data, which lead to financial losses in terms of
ransom money or imposition of penalties or fines by the regulatory authorities.
In financial institutions, such as banks, digital frauds, money laundering, terrorist financing,
and other cybercrimes are very common. Therefore, regulatory authorities prescribe
frameworks and guidelines to ensure that banks develop and implement appropriate controls
and measures to prevent the occurrence of cybercrimes and other criminal activities.
Digital forensics is performed by a team of specialists who understand both the process and
the digital devices being investigated, in order to establish the facts and evidence related
to a particular cybercrime. Forensic specialists use purpose-built software, tools and
techniques: they can recover deleted files, crack or bypass passwords on encrypted data, and
reconstruct user activity to find evidence supporting the investigation. The digital
forensics process covers any device that may store digital data or information.
The digital forensics process requires the identification, preservation, analysis and
evaluation of the digital evidence gathered. Uncovering and interpreting electronic data
requires subject matter expertise, and it is done to identify the root cause of the
particular cybercrime incident. The purpose of digital forensics is to identify and preserve
digital evidence in its purest form, so that the relevant investigation procedures can be
performed and sound conclusions drawn.
For corporates and businesses, digital forensics is an important part of the incident
response process. Digital evidence gathered from electronic devices may later have to be
presented in a court of law, so organizations must perform forensic reviews diligently and
with the required care, documenting every step.
This is the type of cyber forensics that deals explicitly with organized data.
It involves data analysts combing through troves of data to arrive at usable
evidence. It mainly affects the financial fraud space.
3. Incident Response
Incident response is digital forensics from a corporate point of view. This
type of forensics aims to ensure business continuity and reduce the impact
of an event (such as a data breach). Internal teams in an organization
mainly carry it out.
4. Computer forensics
Computer forensics is the branch of digital forensics that deals with
accessing, gathering, and analyzing information held on computer systems
and their storage. Most other types of digital forensics are branches of
computer forensics.
5. Network forensics
Standalone computers are rare today. Almost all digital devices are
connected to each other and the internet using computer networks.
Network forensics involves the analysis of network traffic patterns and
incriminating payloads.
6. Database forensics
Database forensics involves the analysis and extraction of data and
metadata from databases. This includes data stored by third-party services
in a contract with the suspect. These might even be SaaS vendors when we
consider incidents in organizations.
7. Disk forensics
Another subset of computer forensics, disk forensics, specializes in data
retrieval and recovery from nonvolatile devices.
8. Memory forensics
While disk forensics focuses on persistent storage, memory forensics
focuses on RAM. Because memory contents vanish at power-off, they must be
captured from the running system (a live acquisition), which is why memory
forensics presents the 'crime scene' as it was at the moment of capture:
running processes, open network connections and keys that never reach disk.
9. Cloud forensics
With most systems on the cloud now, cloud forensics deals with cloud-
hosted information. It requires the analysis of configuration, security, and
the geolocation of cloud-based assets. Cloud forensics requires
cooperation from cloud vendors (such as AWS and Google Cloud).
10. Email forensics
Email forensics involves retrieving and scanning all email communication,
including the deleted ones. Forensic analysts look for identities, content,
time stamps, and other metadata attached to the emails. Email forensics
looks for forged emails and malicious content, such as phishing emails.
WHAT IS A COMPUTER SECURITY INCIDENT?
We define a computer security incident as any unlawful, unauthorized, or unacceptable
action that involves a computer system or a computer network. Such an action can include
any of the following events:
_ Theft of trade secrets
_ Email spam or harassment
_ Unauthorized or unlawful intrusions into computing systems
_ Embezzlement
_ Possession or dissemination of child pornography
_ Denial-of-service (DoS) attacks
_ Tortious interference of business relations
_ Extortion
_ Any unlawful action when the evidence of such action may be stored on
computer media such as fraud, threats, and traditional crimes.
Detection of Incidents
If an organization cannot detect incidents effectively, it cannot succeed in responding to
incidents. Therefore, the detection of incidents phase is one of the most important aspects
of incident response. It is also one of the most decentralized phases, in which those with
incident response expertise have the least control.
Suspected incidents may be detected in countless ways. Computer security incidents
are normally identified when someone suspects that an unauthorized, unacceptable,
or unlawful event has occurred involving an organization’s computer networks or
data-processing equipment. Initially, the incident may be reported by an end user,
detected by a system administrator, identified by IDS alerts, or discovered by many other
means. Some of the functional business areas involved in detection and some common indicators
of a computer security incident are illustrated in Figure 2-2.
Initial Response
One of the first steps of any investigation is to obtain enough information to determine an
appropriate response. The initial response phase involves assembling the CSIRT, collecting
network-based and other data, determining the type of incident that has occurred,
and assessing the impact of the incident. The idea is to gather enough information to
begin the next phase, which is developing a response strategy. The other purpose of the
initial response phase is to document steps that must be taken. This approach prevents
“knee-jerk” reactions and panic when an incident is detected, allowing your organization
to implement a methodical approach in the midst of a stressful situation.
Taking Action
Occasionally, an organization will need to take action to discipline an employee or to
respond to a malicious act by an outsider. When the incident warrants, this action can be
initiated with a criminal referral, a civil complaint, or some administrative reprimand or
privilege revocation.
Legal Action It is not uncommon to investigate a computer security incident that is
actionable, or could lead to a lawsuit or court proceeding. The two potential legal choices
are to file a civil complaint or to notify law enforcement. Law enforcement involvement
will reduce the autonomy that your organization has in dealing with an incident, and
careful deliberation should occur before you engage the appropriate authorities. In cases
where your organization feels compelled to notify law enforcement, you may want to determine
the amount of effort and resources you want to invest in the investigation before
bringing in a law enforcement agency.
adds complexity to this simple equation. Establishing the identity behind the people on a
network is increasingly difficult.
Data Collection
Data collection is the accumulation of facts and clues that should be considered during
your forensic analysis. The data you collect forms the basis of your conclusions. If you do
not collect all the necessary data, you may not be able to successfully comprehend how an
incident occurred or appropriately resolve an incident. You must collect data before you
can perform any investigation.
Data collection involves several unique forensic challenges:
_ You must collect electronic data in a forensically sound manner.
_ You are often collecting more data than you can read in your lifetime
(computer storage capacity continues to grow).
_ You must handle the data you collect in a manner that protects its
integrity (evidence handling).
Ethics in Digital Forensics
Explain the steps of Live Data Collection from the Windows System
Label each piece of response media with the following information:
_ Case number
_ Time and date
_ Name of the investigator who created the response media
_ Name of the investigator using the response media
_ Whether or not the response media (usually a floppy disk) contains output
files or evidence from the victim system
_ Check for dependencies with Filemon It is important to determine which
DLLs and files your response tools depend on. We use Filemon to determine
all the files accessed and affected by each of the utilities in our toolkit. It is
good to know which tools change access times on files on the target system.
When we can, we avoid using “loud” tools that alter a lot of the target system.
_ Create a checksum for the response toolkit One of the files on our response
kit floppy (and CD and USB drive) is a text file with a checksum of all the
commands on it. Figure 5-1 shows the md5sum command line used to create
the text file (named commandsums.txt).
_ Write-protect any toolkit floppies If you use floppy disks, be sure to write-protect
the floppy after it is created. If you store evidentiary files on the response
floppy during an incident, you need to write-protect it after you accumulate
data and begin the chain of custody. The chain of custody tags should be filled
out for each response floppy or CD, whether or not it contains evidence files.
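As an added example (not code from the original page or its source book), the following Python builds the checksum file described above for a response toolkit and verifies the kit against it before it is used on a victim system. It writes the same two-column layout that md5sum produces (and that md5sum -c or sha256sum -c can read back), but hashes with SHA-256, since MD5 collisions are practical today. The tool names, file contents and the commandsums.txt location are constructed for the demonstration.

```python
"""Response-toolkit checksum manifest (added example; not code from the page)."""
import hashlib
import os
import tempfile


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream the file through the hash so large tools need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir: str, algo: str = "sha256") -> dict:
    """Hash every regular file under tool_dir; keys are '/'-separated relative paths."""
    manifest = {}
    for root, _, files in os.walk(tool_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, tool_dir).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest


def write_manifest(manifest: dict, path: str) -> None:
    """Write 'hexdigest  name' lines (two spaces, as the coreutils sum tools do)."""
    with open(path, "w", encoding="utf-8") as f:
        for name in sorted(manifest):
            f.write(f"{manifest[name]}  {name}\n")


def read_manifest(path: str) -> dict:
    """Parse the two-column manifest back into {name: hexdigest}."""
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            if not line.strip():
                continue
            digest, _, name = line.rstrip("\n").partition("  ")
            manifest[name] = digest.lower()
    return manifest


def verify_toolkit(tool_dir: str, manifest_path: str, algo: str = "sha256") -> dict:
    """Return {name: 'ok' | 'modified' | 'missing' | 'unexpected'} for the toolkit."""
    expected = read_manifest(manifest_path)
    actual = build_manifest(tool_dir, algo)
    report = {}
    for name, digest in expected.items():
        if name not in actual:
            report[name] = "missing"
        elif actual[name] != digest:
            report[name] = "modified"       # a tool was swapped or trojaned
        else:
            report[name] = "ok"
    for name in actual:
        if name not in expected:
            report[name] = "unexpected"     # something was added to the kit
    return report


def toolkit_is_trusted(report: dict) -> bool:
    """Only an all-'ok' report clears the kit for use on the victim system."""
    return all(status == "ok" for status in report.values())


def make_demo_toolkit() -> tuple:
    """Create a throwaway kit with two constructed 'tools' and its manifest."""
    base = tempfile.mkdtemp(prefix="irkit-")
    tool_dir = os.path.join(base, "toolkit")
    os.makedirs(tool_dir)
    for name, body in (("pslist.exe", b"MZ demo tool 1"), ("netstat.exe", b"MZ demo tool 2")):
        with open(os.path.join(tool_dir, name), "wb") as f:
            f.write(body)
    manifest_path = os.path.join(base, "commandsums.txt")   # kept outside the tool dir
    write_manifest(build_manifest(tool_dir), manifest_path)
    return tool_dir, manifest_path


def tamper_demo_toolkit(tool_dir: str) -> None:
    """Simulate a compromised kit: patch one tool, delete one, add a stray DLL."""
    with open(os.path.join(tool_dir, "pslist.exe"), "ab") as f:
        f.write(b"\x90")
    os.remove(os.path.join(tool_dir, "netstat.exe"))
    with open(os.path.join(tool_dir, "extra.dll"), "wb") as f:
        f.write(b"not in the manifest")


if __name__ == "__main__":
    tool_dir, manifest = make_demo_toolkit()
    print("fresh kit trusted:", toolkit_is_trusted(verify_toolkit(tool_dir, manifest)))
    tamper_demo_toolkit(tool_dir)
    for name, status in sorted(verify_toolkit(tool_dir, manifest).items()):
        print(f"{status:10} {name}")
```

The manifest only proves anything if it cannot be rewritten alongside the tools: keep it on the write-protected media, and keep a second copy (or its own hash) in the case file so the chain of custody records which kit was used.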