CF-answer-1
Mobile devices are integral for personal and organizational tasks, storing significant
information such as calls, SMS, emails, web history, and multimedia. Mobile device
forensics, a branch of digital forensics, focuses on extracting this information under
forensically sound conditions.
Key Components:
2. **Types of Evidence:**
- **Electronic Evidence:** Call history, contacts, calendar, and SIM card data.
3. **Memory Types:**
- **Non-volatile Memory (NAND and NOR flash):** Persistent storage, with NAND
offering higher capacity but less stability than NOR.
4. **SIM Cards:**
- Store subscriber information such as IMSI, call logs, SMS, location, and provider
details.
5. **Security Mechanisms:** Handset locks and other protections can hinder access.
UNIT 4
**Footprinting**
• IP addresses
• Whois records
• DNS information
• Phone numbers
1. **Information Gathering:**
- Collecting data from sources like the organization’s website, trade papers,
Usenet, financial databases.
- Use tools like the Whois lookup at www.arin.net to find the range of IP addresses
available for scanning.
- Tools like war dialing programs and techniques like war driving (for nearby locations)
can help find open access points.
5. **OS Fingerprinting:**
- Passive fingerprinting is less accurate but stealthier; active fingerprinting is more
accurate but less stealthy.
6. **Fingerprinting Services:**
- Knowing the services running on specific ports allows the formulation of
application-specific attacks.
**Whois**
```
$ whois vtubooks.com
$ whois google.com
```
**Network Reconnaissance**
2. **Nessus:**
- Vulnerability scanner.
3. **Scanrand:**
4. **Paratrace:**
**Nmap**
```
$ nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
```
Password Cracking:
Brute-Force Attacks
Unit-5
Definition:
• DoS attacks aim to deny legitimate users access to resources by overwhelming the
system with malicious traffic.
1. SYN Attack: Exploits the TCP connection setup by flooding the target with SYN
packets, causing it to wait for ACK packets that never arrive.
2. Ping of Death: Sends oversized ICMP packets that exceed the maximum IP packet
size, leading to system crashes.
3. Smurf Attack: Sends ICMP requests to a network's broadcast address with a
spoofed source address, causing the network to flood the target with responses.
4. Teardrop Attack: Sends fragmented packets that overlap when reassembled,
causing system crashes.
5. Malicious Misrouting: Alters router tables to misroute data packets.
6. UDP Flood: Sends UDP packets to random ports on the target, causing it to
respond with ICMP unreachable messages.
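As an added illustration (not part of the original notes), the half-open-connection pattern behind a SYN attack can be flagged by counting client SYNs that are never followed by the client's ACK. The log format and addresses below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of client-to-server packets: "<time> <src> -> <dst>:<port> <flags>"
# (S = SYN only, A = ACK; the server's SYN-ACK replies are not logged here).
SAMPLE_LOG = """\
1 10.0.0.5 -> 192.0.2.10:80 S
1 10.0.0.5 -> 192.0.2.10:80 A
1 203.0.113.7 -> 192.0.2.10:80 S
1 203.0.113.8 -> 192.0.2.10:80 S
2 203.0.113.9 -> 192.0.2.10:80 S
2 203.0.113.10 -> 192.0.2.10:80 S
2 203.0.113.11 -> 192.0.2.10:80 S
3 10.0.0.6 -> 192.0.2.10:443 S
3 10.0.0.6 -> 192.0.2.10:443 A
"""


def parse_line(line):
    """Return (time, src, dst_with_port, flags) for one log line."""
    time, src, _arrow, dst, flags = line.split()
    return int(time), src, dst, flags


def half_open(log):
    """Map each destination to the set of sources whose SYN was never completed by an ACK."""
    pending = defaultdict(set)
    for raw in log.strip().splitlines():
        _t, src, dst, flags = parse_line(raw)
        if flags == "S":
            pending[dst].add(src)
        elif flags == "A":
            pending[dst].discard(src)   # handshake completed: no longer half-open
    return pending


def detect_syn_flood(log, threshold):
    """Destinations with more than `threshold` half-open sources, most affected first.

    Many distinct sources with one incomplete handshake each is the signature of a
    SYN flood with spoofed addresses; a genuine busy client completes its handshakes.
    """
    return sorted(
        ((dst, len(srcs)) for dst, srcs in half_open(log).items() if len(srcs) > threshold),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_LOG, threshold=3))   # [('192.0.2.10:80', 5)]
```

SYN cookies and a cap on half-open connections at the server are the standard mitigations for the pattern this flags.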
Protection:
• Uses multiple compromised systems (botnets) to flood the target with traffic,
making it more difficult to mitigate.
• Notable DDoS tools include:
o Trinoo: Uses UDP packets to flood targets.
o TFN (Tribe Flood Network): Executes multiple types of floods (ICMP, UDP,
SYN, Smurf).
o Stacheldraht: Adds encrypted communication and automated updates.
DDoS Characteristics:
• Harder to defend against due to multiple sources.
• Consumes extensive system resources, reducing overall performance.
2. Session Hijacking
Definition:
• Session hijacking involves an attacker taking over a valid session between two
computers by stealing the session ID, allowing them to interact with the system as
the legitimate user.
Mechanism:
• Obtaining Session ID: Attackers can steal session cookies or trick users into
clicking malicious links to get the session ID.
• Using Session ID: Once the attacker has the session ID, they can use it to access
the server, which treats their connection as the legitimate user's session.
1. Tracking the Session: Identifying an open session and predicting the next packet's
sequence number.
2. Desynchronizing the Connection: Sending a TCP reset (RST) or finish (FIN) packet
to close the legitimate user’s session.
3. Injecting the Attacker’s Packet: Sending a TCP packet with the predicted
sequence number, which the server accepts as the legitimate user's next packet.
1. Active Hijacking: The attacker takes over the session, kicking the user off, and
performs actions like making purchases or changing passwords.
2. Passive Hijacking: The attacker quietly observes the session, collecting sensitive
information without disrupting the user's session.
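The notes describe the server treating a stolen session ID as the legitimate user's connection; as an added example (not from the original notes), here is a server-side session store that issues unpredictable IDs and binds each one to the client that created it, so a replayed ID from another client is refused and flagged. The `SessionStore` class, `cookie_header` helper and `server_secret` (a bytes key) are assumptions for this demo.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side sessions with unpredictable IDs, each bound to the client that created it.

    A session ID that is stolen (cookie theft, a malicious link) and replayed from another
    client no longer matches the stored binding, so the server refuses it instead of
    treating the attacker's connection as the legitimate user's session.
    """

    def __init__(self, server_secret):
        self._secret = server_secret   # keeps the binding value unforgeable without it
        self._sessions = {}            # session id -> {"user", "binding"}
        self.alerts = []               # mismatches worth sending to monitoring

    def _binding(self, client_ip, user_agent):
        msg = f"{client_ip}|{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def create(self, user, client_ip, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable or predictable
        self._sessions[sid] = {"user": user, "binding": self._binding(client_ip, user_agent)}
        return sid

    def resolve(self, sid, client_ip, user_agent):
        """Return the session's user, or None if the ID is unknown or presented by another client."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["binding"], self._binding(client_ip, user_agent)):
            self.alerts.append((sid, client_ip))
            del self._sessions[sid]    # possible hijack: end the session for everyone
            return None
        return rec["user"]


def cookie_header(sid):
    """Cookie attributes that keep the ID off clear-text connections and away from page scripts."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

Binding to the client IP is a trade-off: users whose address changes mid-session (mobile networks, rotating NAT) will be logged out, so deployments that cannot tolerate that bind to fewer attributes and rely on short session lifetimes instead.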
3. SQL Injection
Definition:
Mechanism:
Impact:
• SQL injection can lead to privilege escalation, data breaches, data corruption, and
unauthorized access to systems. Attackers may execute arbitrary SQL commands,
add, modify, or delete data, and even gain administrative control over the database.
Prevention:
1. Input Validation: Ensure user input is syntactically valid and free from SQL
commands.
2. Parameterization: Use prepared statements and parameterized queries to
separate SQL code from data.
3. Limit Permissions: Restrict database user privileges to the minimum necessary.
4. Sanitization: Escape special characters in user inputs.
5. Stored Procedures: Use stored procedures for database queries to prevent direct
SQL execution.
• Used when a web application is vulnerable to SQL injection but does not show the
results of the injection directly. Attackers use techniques like time delays or
analyzing web application responses to infer whether the injection was successful.
• By adding additional conditions to the SQL statement and evaluating the web
application’s output, attackers can determine vulnerabilities. For instance:
```
SELECT * FROM users WHERE id = 1 AND IF((SELECT COUNT(*) FROM users) > 1, sleep(5), 1);
```
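The prevention list above names input validation and parameterization as the fix. As an added example (not from the original notes), using Python's sqlite3 over a constructed in-memory table, here is the concatenating lookup beside its parameterized and validated forms, probed with a boolean condition in the style of the statement above (SQLite has no IF() or sleep(), so the condition is appended bare).

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not real data) for both lookups to run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the SQL text by concatenation: the input is parsed as SQL, not used as a value."""
    return conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the whole input is compared as one value and never parsed as SQL."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


def is_valid_id(user_id):
    """Input validation: an id is a string of digits and nothing else."""
    return isinstance(user_id, str) and user_id.isdigit()


def lookup_safe(conn, user_id):
    """Validation plus parameterization, the combination the notes recommend."""
    if not is_valid_id(user_id):
        raise ValueError("user id must be a positive integer")
    return lookup_parameterized(conn, int(user_id))


# Boolean-based blind probe: through the concatenating lookup the row comes back only
# when the appended condition is true, so each response leaks one bit about the database.
PROBE_TRUE = "1 AND (SELECT COUNT(*) FROM users) > 1"
PROBE_FALSE = "1 AND (SELECT COUNT(*) FROM users) > 10"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PROBE_TRUE))     # [('alice',)]  condition true
    print(lookup_vulnerable(db, PROBE_FALSE))    # []            condition false
    print(lookup_parameterized(db, PROBE_TRUE))  # []            treated as a value, no bit leaked
    print(lookup_safe(db, "1"))                  # [('alice',)]
```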
1. Sqlpoke: Locates MSSQL servers and attempts to connect with default accounts.
2. NGSSQLCrack: Identifies accounts with weak passwords.
3. SQLScan: Scans IP addresses for SQL servers and checks for default passwords,
potentially installing backdoors on vulnerable hosts.
Strengthening WEP:
Unit-1
1. Forensic Duplication and Investigation
Key Points:
• Forensic Analysis: Involves reviewing various data like log files, system
configurations, browser history, etc., and performing software analysis, keyword
searches, etc.
• Investigative Process: Includes preservation, collection, examination, and
analysis of digital evidence.
• Computer Forensics Activities: Secure data collection, identification of suspect
data, examination to determine origin and content, presentation in courts, and
application of relevant laws.
• Digital Evidence: Useful in various criminal investigations such as homicides,
fraud, theft, etc.
• Basic Principles: Evidence acquisition without alteration, demonstrable
preservation, and accountable, repeatable analysis.
• Digital Forensic Process: Preservation, survey and analysis, and event
reconstruction.
2. Preparation for Incident Response: Creating Response Tool Kit and IR Team
Key Points:
Types of Incidents:
Key Points:
• Process: Involves identifying digital sources and copying data accurately and
completely.
• Importance: Completeness and accuracy crucial for forensic standards.
• Dead vs. Live Acquisition: dead acquisition is performed without the suspect's operating
system running; live acquisition uses the suspect's running system.
• Live Data Acquisition: Real-time acquisition from active systems ensuring
evidentiary status.
• Write Blockers: Prevent write commands to storage devices, allowing only read
commands.
• Acquisition Methods: Disk-to-image file, disk-to-disk copy, logical disk-to-disk/file,
sparse data copy.
• Linux Boot CD: Offers a complete operating system for forensic acquisition.
• Forensic Linux Live CDs: Mount drives as read-only, eliminating the need for write
blockers.
• Acquisition with Linux: Utilizes commands like dd for acquisition, ensuring data
integrity.
• Challenges: Live analysis preserves volatile data but requires careful handling.
• Scenario: Set up for data acquisition involves precautions to maintain integrity and
security.
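The notes say dd-based acquisition "ensures data integrity"; as an added example (not from the original notes), here is what that rests on, written out in Python rather than dd: fixed-size block reads, zero-fill of an unreadable block so later offsets stay aligned (dd's conv=noerror,sync), and a hash taken at acquisition that the stored image is verified against. The `FlakyDevice` in-memory stand-in for a drive with one bad sector is a constructed assumption for the demo.

```python
import hashlib
import io

BLOCK = 512  # sector-sized blocks, like dd bs=512


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector at `bad_offset`."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError("I/O error: unreadable sector")
        return super().read(size)


def acquire(src, dst, block=BLOCK):
    """Disk-to-image copy with dd conv=noerror,sync semantics: an unreadable block is
    recorded and written as zeros so later bytes keep their offsets, and a short final
    block is padded. Returns (sha256 of the image, offsets of unreadable blocks)."""
    digest, unreadable, offset = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            unreadable.append(offset)
            src.seek(offset + block)        # skip the bad sector and keep going
            chunk = b"\0" * block
        if not chunk:
            break
        chunk = chunk.ljust(block, b"\0")   # sync: pad a short last block
        dst.write(chunk)
        digest.update(chunk)
        offset += block
    return digest.hexdigest(), unreadable


def acquire_bytes(data, bad_offset):
    """Image a constructed device held in memory; returns (image bytes, hash, bad blocks)."""
    image = io.BytesIO()
    digest, unreadable = acquire(FlakyDevice(data, bad_offset), image)
    return image.getvalue(), digest, unreadable


def verify(image_bytes, expected_sha256):
    """Re-hash the stored image and confirm it matches the hash taken at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256
```

The list of unreadable offsets belongs in the acquisition record alongside the hash, since a later hash of the original device would not match an image that contains zero-filled blocks.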