This document discusses computer forensics and evidence collection in the cloud computing environment. It defines computer forensics and its aims to identify, analyze and present digital evidence legally. Evidence can be found in various sources like logs, storage media, browsers and memory. Logs provide details of activities, attacks and errors. Evidence is also collected from cloud storage and browsing history. Physical memory analysis allows retrieval of volatile data from memory dumps.
2. DEFINITION
• "Computer forensics is the process of identifying, holding, analyzing and presenting digital evidence in a manner that is legally acceptable." (Rodney McKemmish, 1999)
3. AIM OF COMPUTER FORENSICS
• The main aim of computer forensics experts is not only to find the criminal, but also to expose the evidence and present it in a way that leads to legal action against the criminal.
4. PROPERTIES OF COMPUTER FORENSICS
• IDENTIFY
• RECEIVE
• ANALYZE
• PRESENT
5. NEED FOR COMPUTER FORENSICS
• To present evidence in court that could lead to the punishment of the perpetrator.
• To ensure the integrity of the computer system.
6. HISTORY OF COMPUTER FORENSICS
• In the US, developments began over 30 years ago when law enforcement and military investigators began to see criminals becoming technical.
• In the decades that followed and until today the field has exploded. Law enforcement and the military continue to have a strong presence in information security and computer forensics at the local, state and federal levels.
• Today software companies continue to make newer and more robust forensic software. Law enforcement and the military are increasingly identifying and training personnel in responding to technology-related crimes.
7. CYBER CRIME AND EVIDENCE
• CYBER CRIME
– Cyber crime occurs when information technology is used to commit or hide a crime.
• TYPES OF CYBER CRIME
– Child Pornography
– Breach of Computer Security
– Fraud / Theft
– Copyright Infringement
– Identity Theft
– Drug Investigation
– Threat
– Burglary
– Suicide
– Obscenity
– Homicide
– Administrative Investigation
– Sexual Assault
– Stalking
8. DIGITAL EVIDENCE
– "Any data recorded or stored on a medium in or by a computer system or similar device that can be read or understood by a person, computer system or other similar device. It includes a display, printout or other output of this data."
• Latent, like a fingerprint or DNA, and fragile
• Can easily be changed, damaged or destroyed
• Can be time sensitive
9. TYPES OF DIGITAL EVIDENCE
• PERSISTENT DATA, i.e. data that remains intact when the computer is turned off. For example: hard drives and removable media (such as USB drives or flash drives).
• VOLATILE DATA, i.e. data that would be lost if the computer were switched off. For example: deleted files, computer history, the computer registry, temporary files and web browsing history.
10. RULES OF EVIDENCE
• Admissible
– Must be able to be used in court or elsewhere
• Authentic
– The evidence relates to the incident in a relevant way
• Complete (no tunnel vision)
– Exculpatory evidence for other suspects
• Reliable
– No question about authenticity and truthfulness
• Credible
– Clear, easy to understand and believable by a jury
11. TOP 10 EVIDENCE LOCATION
• Internet history files
• Temporary Internet files
• Free / unallocated space
• Friends lists, personal chat room records, P2P, other saved areas
• Newsgroups / club lists / postings
• Settings, folder structure, file names
• File storage data
• Software / Hardware added
• File sharing function
• Emails
12. COMPUTER FORENSICS METHODOLOGY
• Shut down the computer
• Document the system hardware configuration
• Move the computer system to a safe place
• Make bitstream backups of hard drives and floppy disks
• Mathematically authenticate the data on all storage devices
• Document the system date and time
• List the search keywords
• Evaluate the Windows swap file
• Evaluate file slack
• Evaluate unallocated storage space (deleted files)
• Search files, file slack and unallocated storage space for keywords
• Document file names, dates and times
• Identify file, program and memory anomalies
• Evaluate program functionality
• Document your results
13. COMPUTER FORENSICS APPLICATIONS
• APPLICATIONS
– FINANCIAL FRAUD DETECTION
– CRIMINAL PROCEEDINGS
– CIVIL DISPUTES
– CORPORATE SECURITY POLICY AND ACCEPTABLE USE VIOLATIONS
• Skills Required for Computer Forensic Applications
– Programming or computer experience
– Comprehensive understanding of operating systems and applications
– Strong analytical skills
– Strong basic computer skills
– Strong systems administration skills
– Knowledge of the latest intrusion tools
– Knowledge of cryptography and manipulation of evidence
– Ability to testify in court as an expert witness
14. Evidence collection
• Data collection plays an important role in identifying and accessing data from various sources in the cloud environment for forensic investigations. Evidence is no longer stored on a single physical host; its data is distributed across different geographic areas, so when a crime occurs it is very difficult to identify the evidence. Evidence is gathered from various sources such as routers, switches, servers, hosts, virtual machines and browser artifacts, and from internal storage media such as hard drives, RAM images, physical storage, etc. Evidence is also collected through log file analysis, cloud storage data collection, web browser artifacts and physical storage analysis.
15. Cloud log analysis
– Logging is considered a security control that can be used to identify operational issues, incidents, policy violations and fraudulent activity. Logging is mainly used to monitor the system and investigate various types of malicious attacks. Using cloud log analysis, you can identify the source of evidence generated at different times by different devices such as routers, switches, servers and VM instances, as well as other internal components, namely hard drives, RAM images, physical storage, log files, etc. Information about different types of attacks is stored in different log files such as application logs, system logs, security logs, configuration logs, network logs, web server logs, audit logs, VM logs, etc., which are described as follows:
16. – The application log is created by the developers by inserting logging events into the program. System administrators can use the application logs to determine the status of an application running on the server.
– The system log contains information about the date and time each entry was created, the type of message (such as debug, error, etc.), the messages the system generated about the occurrence, and the processes affected when an event occurs.
– The firewall log contains information about routed source packets, rejected IP addresses, outgoing internal server activity and connection failures.
– The network log contains detailed information about various events on the network. Events include logging of malicious traffic, packet loss, bandwidth delays, etc. The network administrator monitors and resolves daily activity by analyzing network logs for various intrusion attempts.
17. – The web server log records entries for web pages served by the web server. Entries include the history of a page request, the client's IP address, date and time, HTTP status code, and the number of bytes served for the request.
– The audit log records unauthorized access to the system or network in sequential order. It helps security administrators analyze malicious activity at the time of the attack. Information in audit log files includes source and destination addresses, user credentials and timestamps.
– The VM log records information specific to instances running on the VM, such as startup configuration, operations, and the date the VM instance finished running. It also logs the number of instances running on the virtual machine, the execution time of each application, and application migration, to help the CSP locate malicious activity that occurs during the attack.
– Due to increasing network use and new software versions in the cloud, the number of vulnerabilities and attacks in the cloud is increasing, and these attacks are reflected in various log files. Application-level attacks are reflected in different logs, i.e. the access log, network log, authentication log, etc., and also in the log file traces stored on the Apache server. These logs are used in forensic investigations to detect application-level attacks.
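As an added example (not part of the original slides), the following Python parses Apache-style access-log lines into exactly the fields the slide names (client IP, date and time, HTTP status code, bytes served) and builds a per-client timeline that flags bursts of failed requests for an investigator to review. The log lines are constructed, the 4xx threshold is an assumed tuning value.

```python
"""Parse Apache access-log entries and summarise them per client IP for a forensic timeline."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: IP ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Mar/2024:09:12:01 +0000

def parse_line(line):
    """Return the evidentiary fields of one entry, or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }

def summarise(lines, error_threshold=3):
    """Per-client request count, 4xx count, first/last seen; flag clients at or above the threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "first": None, "last": None})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable lines are skipped, not silently mis-attributed
        s = per_ip[e["ip"]]
        s["requests"] += 1
        if 400 <= e["status"] < 500:
            s["errors"] += 1
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
    for s in per_ip.values():
        s["flagged"] = s["errors"] >= error_threshold
    return dict(per_ip)

# Constructed sample entries (not real traffic); 198.51.100.7 produces a short burst of failures.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:09:12:03 +0000] "GET /admin HTTP/1.1" 404 320 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:09:12:04 +0000] "GET /config HTTP/1.1" 404 320 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:09:12:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:09:15:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s["requests"], s["errors"], s["first"], s["last"], "REVIEW" if s["flagged"] else "")
```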
18. Capture evidence from cloud storage
• Evidence from cloud storage such as Dropbox, Microsoft SkyDrive, Google Drive, etc. is collected using the web browser, and files are downloaded using existing software tools. This helps to identify illegal modification of or access to cloud storage while uploading or downloading file contents to storage media, and to verify whether an attacker has modified timestamp information in user accounts. The Virtual Forensic Computing (VFC) tool is used by forensic investigators to identify evidence in the virtual machine image file. The evidence is accessible for each account through the web browser running in the cloud environment by recording the encoded value of the VM image.
19. • Packets are captured using network packet tools such as Wireshark, Snappy, etc. from each VM instance running on the hosts. Account information is synchronized and downloaded using the client access software on each device used, in order to identify the source of evidence. Evidence is isolated from files found in the virtual machine under "C:\Users\[username]\Dropbox" for Dropbox. The zip file contains the name of the folder accessible through the browser, used to determine the effect of a timestamp on a drive. If an attacker modifies the contents of a file, the evidence is determined by scanning the VM disk, the history of files stored in the cloud and also the cache. It can also be analyzed by calculating the hash value of the VM image.
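Hashing the acquired image is what makes later modification detectable, and it applies equally to the bitstream backups of slide 12. As an added example (not from the slides), the Python below hashes an image in chunks, records the digest in a simple chain-of-custody record, and re-verifies after a one-byte change; the image content and the examiner name are constructed stand-ins.

```python
"""Record the SHA-256 of an acquired image at acquisition time and re-verify it later."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-GB VM image never has to fit in memory

def hash_stream(fobj, algorithm="sha256"):
    """Hash a binary file object chunk by chunk and return the hex digest."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def hash_bytes(data, algorithm="sha256"):
    """Same computation for in-memory data (useful for checking against known vectors)."""
    return hash_stream(io.BytesIO(data), algorithm)

def acquire(image_path, examiner):
    """Hash the image at acquisition and return a custody record to store beside it."""
    with open(image_path, "rb") as f:
        digest = hash_stream(f)
    return {"image": os.path.basename(image_path), "sha256": digest,
            "acquired_at": datetime.now(timezone.utc).isoformat(), "examiner": examiner}

def verify(image_path, record):
    """True only if the image still hashes to the value recorded at acquisition."""
    with open(image_path, "rb") as f:
        return hash_stream(f) == record["sha256"]

def demonstrate():
    """Acquire a constructed stand-in image, alter one byte, re-verify.
    Returns (verified_before, verified_after, record); expected (True, False, ...)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vm-disk.img")
        with open(path, "wb") as f:  # constructed content, not a real VM image
            f.write(b"\x00" * 4096 + b"constructed filesystem bytes" + b"\xff" * 4096)
        record = acquire(path, examiner="example-examiner")  # hypothetical examiner name
        before = verify(path, record)
        with open(path, "r+b") as f:  # simulate a post-acquisition modification
            f.seek(4100)
            f.write(b"X")
        after = verify(path, record)
        return before, after, record

if __name__ == "__main__":
    before, after, record = demonstrate()
    print(record)
    print("verify original:", before, "| verify after change:", after)
```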
20. Collecting evidence via a web browser
– Clients communicate with the server in the cloud environment using a web browser to perform various tasks, e.g. checking emails and messages, shopping online, getting information, etc. An important source of evidence is the web browser history. Evidence is found by analyzing URLs in the web browser history, timeline analysis, user browsing behavior and URL encoding, and is retrieved from deleted information. Here is a sample web browser URL
– Likewise, evidence stored in the web browser cache in the root directory of a web application is used to identify the source of an attack.