CF-answer-1


UNIT 3

3. Cell Phone and Mobile Devices Forensics

Mobile devices are integral for personal and organizational tasks, storing significant
information such as calls, SMS, emails, web history, and multimedia. Mobile device
forensics, a branch of digital forensics, focuses on extracting this information under
forensically sound conditions.

Key Components:

1. *Hardware and Operating Systems:*

- Devices contain microprocessors, ROM, RAM, and various interfaces.

- Smartphones use operating systems like Android and iOS.

- Data is stored in EEPROM for remote reprogramming.

2. *Types of Evidence:*

- *Electronic Evidence:* Call history, contacts, calendar, and SIM card data.

- *Retained Data Evidence:* Telecom records and location information.

3. *Memory Types:*

- *Volatile Memory (RAM):* Loses content when powered off.

- *Non-volatile Memory (NAND and NOR flash):* Persistent storage, with NAND
offering higher capacity but less stability than NOR.

4. *SIM Cards:*

- Store subscriber information such as IMSI, call logs, SMS, location, and provider
details.

- Essential for device functionality and valuable forensics.

*Evidence Extraction Process:*

1. **Intake:** Document chain of custody, ownership, and incident details.

2. **Identification:** Verify legal authority, goals, and device details.

3. **Preparation:** Research and prepare tools for examination.

4. **Isolation:** Prevent data alteration by blocking incoming signals.

5. **Processing:** Handle SIM cards separately for data integrity.

6. **Verification:** Ensure data extraction accuracy through multiple attempts.

7. **Documentation/Reporting:** Maintain thorough records of the examination.

8. **Presentation:** Provide clear reference information for the extracted data.

**Challenges in Mobile Device Forensics:**

1. **Data Volatility:** Keep devices powered to avoid data loss.

2. **Data Preservation:** Block new data to prevent overwriting.

3. **Operating Systems and Protocols:** Diverse systems complicate tool
development.

4. **Security Mechanisms:** Handset locks and other protections can hinder access.

5. **Unique Data Formats:** Proprietary formats require specialized software.

UNIT 4

1. *Footprinting and Reconnaissance*

**Footprinting**

Footprinting refers to the process of gathering as much information as possible about a
target system to find ways to penetrate it. This initial phase is crucial for ethical hackers as
it helps in profiling an organization by collecting information about the host, network, and
people related to the organization.

**Key Information Gathered During Footprinting:**

• IP addresses

• Whois records

• DNS information

• Operating systems used

• Employee email IDs

• Phone numbers

**Steps in Footprinting and Scanning:**

1. **Information Gathering:**

- Collecting data from sources like the organization’s website, trade papers,
Usenet, financial databases.

- Good information gathering can determine the success of a penetration test.

2. **Determining the Network Range:**

- Use tools like a Whois lookup at www.arin.net to find the range of IP addresses available
for scanning.

3. **Identifying Active Machines:**

- Use a ping sweep to identify live machines before attempting to attack.

- The basic method involves sending ICMP Echo Request messages to a range of IP
addresses.

4. **Finding Open Ports and Access Points:**

- Identify open ports on active devices, which can indicate potential attack vectors.

- Tools like war dialing programs and techniques like war driving (for nearby locations)
can help find open access points.

5. **OS Fingerprinting:**

- Two methods: Passive and Active.

- Passive fingerprinting is less accurate but stealthier, while active fingerprinting is more
accurate but less stealthy.

6. **Fingerprinting Services:**

- Knowing the services running on specific ports allows the formulation of
application-specific attacks.

7. **Mapping the Network:**

- Provides a blueprint of the organization.

- Can be done manually or using automated tools to compile information.

**Whois**

• Whois is a query/response protocol tool used to determine the owner of a domain
name, an IP address, or an autonomous system number on the Internet.

• It normally runs on TCP port 43.

• Built-in on Linux; requires third-party tools or websites on Windows.

**Example Whois Queries:**

```
$ whois vtubooks.com
$ whois google.com
```

**Network Reconnaissance**

Reconnaissance is a method of gathering information on network systems and services to


discover vulnerabilities. It can be active or passive.

**Tools for Active Reconnaissance:**

1. **Application Mapper (AMAP):**

- Uses Nmap results to gather more information.

2. **Nessus:**

- Vulnerability scanner.

3. **Scanrand:**

- Fast network scanner.

4. **Paratrace:**

- TCP traceroute that utilizes selected TTL messages.

**Nmap**

• Nmap is a widely used port scanner available for Windows and Linux.

• Capable of performing various scans, OS identification, and controlling scan speed.

• Useful for discovering and mapping hosts on a network.

**Basic Nmap Usage:**

```
$ nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
```

**Compliance Testing with Nmap:**

1. Testing for open ports on firewall interfaces.

2. Scanning workstation IP ranges for unauthorized applications.

3. Verifying correct web service versions in the DMZ.

4. Locating systems with open file-sharing ports.

5. Identifying unauthorized FTP servers, printers, or operating systems.

2. Password Cracking and Brute-Force Tools

Password Cracking:

• Recovering passwords from stored or transmitted data.
• Brute-Force Attack: Methodically tries every possible combination until the correct
password is found.
• Effectiveness depends on password length and computational resources.

Brute-Force Attacks

• Charset Specification: Define a set of characters.
• Password Length Range: Specify the range of lengths for passwords.
• Tools and Wordlists: Use pre-defined lists and rules to guess passwords.
• Often targets authentication systems and web applications via GET and POST
requests.
• Challenges: Easy to detect but hard to prevent.

Tools for Password Cracking

1. John the Ripper:

- Purpose: Detects weak UNIX passwords; supports UNIX, Windows, and OpenVMS.
- Cracking Modes:
  - Wordlist Mode: Uses pre-defined password lists.
  - Single Crack Mode: Uses login information as passwords.
  - Incremental Mode: Tries all possible character combinations.
  - External Mode: Custom cracking methods.
- Features:
  - Dictionary attacks.
  - Automatic algorithm selection.
  - Saves cracked passwords in john.pot.
  - Real-time status updates.
- Commands:
  - Wordfile: Specifies the wordlist file.
  - Timeout: Sets a time limit.
  - Beep: Alerts on password discovery.

2. L0PHTCRACK:

- Purpose: Cracks Windows NT/2000 passwords with a GUI.
- Capabilities:
  - Extracts LANMan hashes from SAM files.
  - Sniffs network hashes.
  - Uses "pwdump" to dump password representations.
- Requirements: Administrator privileges on the target machine.

3. Pwdump:

- Purpose: Extracts NTLM and LanMan hashes from Windows targets.
- Usage:
  - Displays password histories.
  - Outputs in L0PHTCRACK-compatible format.

Unit-5

1. Denial of Service (DoS) Attacks

Definition:

• DoS attacks aim to deny legitimate users access to resources by overwhelming the
system with malicious traffic.

Types of DoS Attacks:

1. SYN Attack: Exploits the TCP connection setup by flooding the target with SYN
packets, causing it to wait for ACK packets that never arrive.
2. Ping of Death: Sends oversized ICMP packets that exceed the maximum IP packet
size, leading to system crashes.
3. Smurf Attack: Sends ICMP requests to a network's broadcast address with a
spoofed source address, causing the network to flood the target with responses.
4. Teardrop Attack: Sends fragmented packets that overlap when reassembled,
causing system crashes.
5. Malicious Misrouting: Alters router tables to misroute data packets.
6. UDP Flood: Sends UDP packets to random ports on the target, causing it to
respond with ICMP unreachable messages.

Detection and Symptoms:

• Slow network performance
• Inability to access websites
• Increased spam
• Specific services become unavailable

Protection:

1. Monitor resource consumption.
2. Detect and manage excess resource usage.
3. Reclaim resources from offending users.

DoS Attack Classifications:

1. Logic Attacks: Exploit software vulnerabilities.
2. Protocol Attacks: Target specific protocol features.
3. Bandwidth Attacks: Overwhelm network bandwidth.

Distributed Denial of Service (DDoS) Attacks:

• Uses multiple compromised systems (botnets) to flood the target with traffic,
making it more difficult to mitigate.
• Notable DDoS tools include:
  - Trinoo: Uses UDP packets to flood targets.
  - TFN (Tribe Flood Network): Executes multiple types of floods (ICMP, UDP,
    SYN, Smurf).
  - Stacheldraht: Adds encrypted communication and automated updates.

DDoS Characteristics:

• Harder to defend against due to multiple sources.
• Consumes extensive system resources, reducing overall performance.

2. Session Hacking

Definition:

• Session hijacking involves an attacker taking over a valid session between two
computers by stealing the session ID, allowing them to interact with the system as
the legitimate user.

Mechanism:

• Obtaining Session ID: Attackers can steal session cookies or trick users into
clicking malicious links to get the session ID.
• Using Session ID: Once the attacker has the session ID, they can use it to access
the server, which treats their connection as the legitimate user's session.

Levels of Session Hijacking:

1. Network Level: Involves TCP and UDP sessions.
2. Application Level: Involves HTTP sessions.

Steps in Session Hijacking:

1. Tracking the Session: Identifying an open session and predicting the next packet's
sequence number.
2. Desynchronizing the Connection: Sending a TCP reset (RST) or finish (FIN) packet
to close the legitimate user’s session.
3. Injecting the Attacker’s Packet: Sending a TCP packet with the predicted
sequence number, which the server accepts as the legitimate user's next packet.

Types of Session Hijacking:

1. Active Hijacking: The attacker takes over the session, kicking the user off, and
performs actions like making purchases or changing passwords.
2. Passive Hijacking: The attacker quietly observes the session, collecting sensitive
information without disrupting the user's session.

3. SQL Injection

Definition:

• SQL injection is a code injection technique used to attack data-driven applications
by inserting malicious SQL statements into an entry field for execution. This allows
attackers to manipulate database queries, potentially bypassing authentication,
accessing or modifying data, and performing other unauthorized actions.

Mechanism:

• Injection: Attackers include user-provided data in SQL queries such that it is
treated as SQL code. For example, if a login form’s SQL query is improperly
handled, an attacker might input:

```
$username = "badUser";
$password = "' OR '1'='1";
```

This turns the SQL query:

```
SELECT COUNT(1) FROM `users` WHERE `username`='badUser' AND `password`='' OR '1'='1';
```

into one that always returns true, thus bypassing authentication.

Impact:

• SQL injection can lead to privilege escalation, data breaches, data corruption, and
unauthorized access to systems. Attackers may execute arbitrary SQL commands,
add, modify, or delete data, and even gain administrative control over the database.

Prevention:

1. Input Validation: Ensure user input is syntactically valid and free from SQL
commands.
2. Parameterization: Use prepared statements and parameterized queries to
separate SQL code from data.
3. Limit Permissions: Restrict database user privileges to the minimum necessary.
4. Sanitization: Escape special characters in user inputs.
5. Stored Procedures: Use stored procedures for database queries to prevent direct
SQL execution.
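The bypass described under Mechanism and the parameterized-query fix from the Prevention list, as an added example that is not part of the original notes. It uses Python's sqlite3 module against a constructed in-memory users table; the account name and password values are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table for the demonstration (not from the notes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: the input becomes part of the SQL text, so a quote
    # typed by the user changes the structure of the query itself.
    return ("SELECT COUNT(1) FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    count = conn.execute(build_vulnerable_sql(username, password)).fetchone()[0]
    return count > 0


def login_parameterized(conn, username, password):
    # Prepared statement: the SQL text is fixed, the values are bound separately
    # and are never parsed as SQL, whatever characters they contain.
    sql = "SELECT COUNT(1) FROM users WHERE username=? AND password=?"
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(build_vulnerable_sql("badUser", payload))
    print("vulnerable login bypassed:", login_vulnerable(db, "badUser", payload))
    print("parameterized login bypassed:", login_parameterized(db, "badUser", payload))
```

The concatenated query is exactly the one shown above; the parameterized version compares the literal string `' OR '1'='1` against the stored password and fails.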

Blind SQL Injection:

• Used when a web application is vulnerable to SQL injection but does not show the
results of the injection directly. Attackers use techniques like time delays or
analyzing web application responses to infer whether the injection was successful.

Example of Blind SQL Injection:

• By adding additional conditions to the SQL statement and evaluating the web
application’s output, attackers can determine vulnerabilities. For instance:

```
SELECT * FROM users WHERE id = 1 AND IF((SELECT COUNT(*) FROM users) > 1, sleep(5), 1);
```

• If the response is delayed, it indicates a successful injection.

SQL Server Penetration Tools:

1. Sqlpoke: Locates MSSQL servers and attempts to connect with default accounts.
2. NGSSQLCrack: Identifies accounts with weak passwords.
3. SQLScan: Scans IP addresses for SQL servers and checks for default passwords,
potentially installing backdoors on vulnerable hosts.

4. Hacking Wireless Networks

Key Security Risks:

• Communication Channel: Wireless networks are vulnerable to eavesdropping and
jamming due to broadcast communications, making them susceptible to active
attacks exploiting protocol vulnerabilities.
• Mobility: Portable devices increase risks as they can be easily lost or stolen.
• Accessibility: Unattended devices in remote or hostile locations are prone to
physical attacks.

Types of Wireless Attacks:

1. Interruption of Service: Resource unavailability due to destruction.
2. Modification: Unauthorized access to and modification of resources like databases
and programs.
3. Fabrication: Sending fake messages to neighboring nodes without receiving related
messages.
4. Jamming: Deliberate interference with communication frequencies, preventing
legitimate packet reception.
5. Encryption Attacks: Exploiting weaknesses in encryption methods like WEP to gain
unauthorized access.
6. Brute Force Attacks: Repeatedly guessing access point passwords to gain
unauthorized access.
7. Misconfiguration: Improperly configured access points vulnerable to unauthorized
access.
8. Interception: Intercepting wireless communication to obtain confidential
information.

Wired Equivalent Privacy Protocol (WEP):

• Purpose: Designed to secure wireless communication by encrypting data over
radio waves.
• Weaknesses: Vulnerable to attacks due to limitations in key size, IV collisions, and
related key vulnerabilities.
• Authentication: Uses the same key for authentication and encryption, making it
susceptible to man-in-the-middle attacks.

Strengthening WEP:

1. Increase Initialization Vector size.
2. Hash IV value and append/prepend to ciphertext.
3. Use alternative methods for data integrity verification instead of CRC checksum.
4. Regularly change secret keys.
5. Implement better key management and authentication mechanisms like EAP.
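A worked calculation of the IV-collision weakness listed above and of why step 1 (a larger IV) helps, added here and not part of the original notes. It applies the standard birthday bound to WEP's 24-bit IV and to a 48-bit IV; no frame rate or particular network is assumed.

```python
import math


def iv_collision_probability(iv_bits, frames):
    """Probability that at least one IV repeats among `frames` frames whose
    IVs are drawn uniformly at random from 2**iv_bits values
    (birthday-bound approximation 1 - exp(-k(k-1) / 2n))."""
    n = 2 ** iv_bits
    if frames > n:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    return 1.0 - math.exp(-(frames * (frames - 1)) / (2.0 * n))


def frames_until_collision(iv_bits, probability=0.5):
    """Frames after which a repeated IV is expected with the given probability,
    k ~= sqrt(2 n ln(1 / (1 - p)))."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - probability))))


def sequential_iv_rollover(iv_bits):
    """A counter-based IV (as many WEP cards used) is guaranteed to repeat once
    the counter wraps, i.e. after 2**iv_bits frames."""
    return 2 ** iv_bits


if __name__ == "__main__":
    for bits in (24, 48):
        print("IV bits:", bits,
              "frames for 50% random-IV collision:", frames_until_collision(bits),
              "counter rollover:", sequential_iv_rollover(bits))
```

With a 24-bit IV a random-IV collision is even odds after only a few thousand frames, whereas a 48-bit IV pushes the same probability out by a factor of 4096 (2^12).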

Wireless Sniffers and SSID Locating:

• Sniffing: Intercepting and decoding network traffic.
• SSID Discovery: Passive scanning reveals the SSID in beacon frames; active scanning
involves injecting frames and sniffing responses.
• MAC Address Collection: Gathering legitimate MAC addresses for spoofing or
bypassing MAC filters.

Wireless Hacking Techniques:

1. Cracking Encryption: Breaking encryption methods like WEP and WPA to gain
unauthorized access.
2. Eavesdropping: Capturing confidential information from unencrypted WLANs.
3. Denial of Service: Physically disrupting network communication.
4. AP Masquerading: Rogue APs impersonate legitimate ones.
5. MAC Spoofing: Pretending to be a legitimate WLAN client to bypass MAC filters.

Unit-1

1. Forensic Duplication and Investigation

Key Points:

• Forensic Analysis: Involves reviewing various data like log files, system
configurations, browser history, etc., and performing software analysis, keyword
searches, etc.
• Investigative Process: Includes preservation, collection, examination, and
analysis of digital evidence.
• Computer Forensics Activities: Secure data collection, identification of suspect
data, examination to determine origin and content, presentation in courts, and
application of relevant laws.
• Digital Evidence: Useful in various criminal investigations such as homicides,
fraud, theft, etc.
• Basic Principles: Evidence acquisition without alteration, demonstrable
preservation, and accountable, repeatable analysis.
• Digital Forensic Process: Preservation, survey and analysis, and event
reconstruction.

Principles of Computer Forensic Investigation:

1. Data Preservation: Data must not be altered as it may be presented in court.
2. Competency: Investigators must be competent in handling original data.
3. Audit Trail: Documentation of all processes applied to electronic evidence must be
preserved.
4. Responsibility: Investigator must have overall responsibility for adhering to the law.

Scopes of Forensic Investigations:

1. Identifying Malicious Activities
2. Identifying Network Security Lapses
3. Assessing Impact of Compromised Systems
4. Understanding Legal Procedures
5. Providing Remedial Actions for System Hardening

2. Preparation for Incident Response: Creating Response Tool Kit and IR Team

Key Points:

• Delegation of Tasks: Essential in large organizations for effective operations.
• Incident Response Plan (IRP): Responsibility of the company to create, involving
collaboration with managers and systems administrators.
• IR Team Formation: Comprised of members from various communities of interest,
responsible for executing the IRP.
• Sets of Incident-Handling Procedures: Created for during, after, and before the
incident phases.
• IR Process: Moves from detection to reaction phase upon confirmation of an
incident.
• Objectives of IR: Stop the incident, mitigate its effects, and provide recovery
information.
• Incident Recovery Steps: Identify vulnerabilities, address failed safeguards,
evaluate monitoring capabilities, and restore system backups.

Incident Response Team (IRT):

• Established to provide quick, effective, and orderly response to computer-related
incidents.
• Composition and activation depend on organizational needs, with written
procedures in place.
• Members include IT and security personnel, with defined responsibilities.

Types of Incidents:

• Breach of Personal Information, Denial of Service, Excessive Port Scans, Firewall
Breach, Virus Outbreak.
• Forensic Software Tools used for data imaging, recovery, integrity, extraction,
analysis, and monitoring.

Understanding Computer Investigation:

• Investigation process develops and tests hypotheses about events.
• Different from data recovery, focusing on hidden or deleted data.
• Digital Forensic Investigation involves scientific examination of digital objects.

Digital Evidence on the Internet:

• Internet crime involves illegal activities on the web.
• Importance of digital evidence in tracking offenders, investigating crimes like
identity theft.
• Rules of evidence: Admissible, Authentic, Complete, Reliable.

Digital Forensic Principles:

• Apply general forensic and procedural principles to digital evidence.
• Preserve evidence without alteration, document all activities, and ensure
accountability.

Difference between Direct Evidence and Indirect Evidence:

• Direct evidence requires no inference, while circumstantial evidence does.
• Both types are admissible and evaluated based on reliability.
• Digital evidence plays a crucial role in investigating violent crimes and developing
leads.

Case Study of Computer Investigations:

• Role of forensic professionals in collecting evidence and preparing cases against
suspects.
• Importance of maintaining chain of custody.
• Systematic approach and steps for problem-solving in investigations.

Method for Corporate High-Tech Investigations:

• Develop formal procedures and checklists for high-tech investigations.
• Examples include employee termination cases and Internet abuse investigations.

Attorney-Client Privilege Investigations:

• Protects confidential communications between corporation/client and attorney.
• Essential for conducting internal investigations and ensuring compliance with laws.
• Steps for conducting privilege cases include analysis, keyword searches, and data
recovery.

Attorney-Client Privilege: Requirements:

• Protects communications between corporation/client and attorney, for seeking
legal advice, and in confidence.
• Waiver of privilege by the client renders the communication unprotected.
• Attorney work-product doctrine protects confidential work product prepared in
anticipation of litigation.

3. Data Acquisition in Computer Forensics

Key Points:

• Process: Involves identifying digital sources and copying data accurately and
completely.
• Importance: Completeness and accuracy crucial for forensic standards.
• Dead vs. Live Acquisition: Dead: without suspect's system assistance; Live: using
suspect's system.
• Live Data Acquisition: Real-time acquisition from active systems ensuring
evidentiary status.
• Write Blockers: Prevent write commands to storage devices, allowing only read
commands.
• Acquisition Methods: Disk-to-image file, Disk-to-disk copy, Logical disk-to-
disk/file, Sparse data copy.
• Linux Boot CD: Offers a complete operating system for forensic acquisition.
• Forensic Linux Live CDs: Mount drives as read-only, eliminating the need for write
blockers.
• Acquisition with Linux: Utilizes commands like dd for acquisition, ensuring data
integrity.
• Challenges: Live analysis preserves volatile data but requires careful handling.
• Scenario: Set up for data acquisition involves precautions to maintain integrity and
security.
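An added example, not from the original notes, of the disk-to-image acquisition with integrity checking that the dd bullet describes, written in Python rather than as a dd command line. The "disk" is a constructed 2048-byte file in a temporary directory, and the unreadable sector is simulated through a hypothetical `unreadable` parameter to show how offsets are preserved when a block cannot be read.

```python
import hashlib
import os
import tempfile


def acquire_image(source_path, image_path, block_size=512, unreadable=frozenset()):
    """Disk-to-image copy in the spirit of `dd conv=noerror,sync`: read the
    source block by block, write every block to the image, and hash the data
    as it is written. Block indices in `unreadable` simulate a read error
    (constructed for this demo): they are zero-filled so that all later data
    keeps its original offset, and they are reported for the examiner's notes."""
    digest = hashlib.sha256()
    copied = 0
    bad_blocks = []
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        index = 0
        while True:
            block = src.read(block_size)
            if not block:
                break
            if index in unreadable:
                bad_blocks.append(index)
                block = b"\x00" * len(block)
            img.write(block)
            digest.update(block)
            copied += len(block)
            index += 1
    return {"bytes": copied, "sha256": digest.hexdigest(), "bad_blocks": bad_blocks}


def sha256_of_file(path):
    """Independent hash of a file, used to verify the image after acquisition."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_demo():
    """Constructed 2048-byte 'suspect disk' (four 512-byte blocks) in a temp dir."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "evidence.dd")
    data = bytes(range(256)) * 8
    with open(source, "wb") as f:
        f.write(data)
    # Clean acquisition: source hash, acquisition hash and image hash all agree.
    clean = acquire_image(source, image)
    clean_ok = clean["sha256"] == sha256_of_file(source) == sha256_of_file(image)
    # Acquisition with a simulated unreadable block 1: the image still verifies
    # against the hash recorded at acquisition time, and offsets are preserved.
    damaged = acquire_image(source, image, unreadable={1})
    with open(image, "rb") as f:
        damaged_bytes = f.read()
    return {
        "clean_bytes": clean["bytes"],
        "clean_matches_source": clean_ok,
        "damaged_bad_blocks": damaged["bad_blocks"],
        "damaged_image_verified": damaged["sha256"] == sha256_of_file(image),
        "damaged_offsets_preserved": damaged_bytes == data[:512] + b"\x00" * 512 + data[1024:],
    }


if __name__ == "__main__":
    print(run_demo())
```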

Conclusion: Data acquisition in computer forensics is a meticulous process crucial for
maintaining the integrity of evidence. Utilizing tools like write blockers and forensic Linux
Live CDs, investigators ensure accurate and complete acquisition while adhering to
forensic standards. Live analysis scenarios demand careful handling to preserve volatile
data, emphasizing the importance of expertise and precautions in forensic investigations.
