DF Investigation Processes - Coggle Diagram
DF Investigation Processes
Managing crime scene
Evidence managements
DF team
collect digital evidence
First responder roles
Digital crime scene team leader
develops rapport with the team / manages the crew
Digital evidence examiner/investigator
uses a write blocker so the evidence media is never modified
Digital evidence custodian/documenter
Chain of Custody
documents every computer and tool used during the investigation
gathering evidence
tracking the criminal suspect
researching IoCs (Indicators of Compromise)
forensic science team
collects physical evidence such as hair and dead skin
Local law enforcement authority (Police, municipal council (MPSJ))
collects evidence by interviewing victims and witnesses
testimonial evidence (people as evidence)
Photographer and Videographer
collect image, video evidence
Lawyer
Direct evidence
evidence that stands on its own and proves a fact without needing any inference or other proof
example: a witness saw the suspect do something; that testimony is direct evidence of the act
Circumstantial evidence
evidence that does not prove a fact by itself but supports an inference; it is used to corroborate or contradict what witnesses or other sources claim
develops rapport with the first responder
Warrants
Search Warrants
Arrest warrants
Laws and Acts (US)
Pen Registers and Trap and Trace Devices Statute
Wiretap Act
The Federal Rules of Evidence (FRE)
The Fourth Amendment protects people in the US from unreasonable searches and seizures, which is why a warrant is normally required
Stored Wire and Electronic Communications Act (Stored Communications Act)
Laws and Acts (Malaysia)
Malaysia Evidence Act 1950
Steps involved in a forensic investigation
Identification
Collection
preservation
examination
analysis
Documentation
Presentation
Cybercrime, Anti-Forensic
Cybercrime related terminology during investigation
ETI (Enterprise Theory of Investigation)
treats the crime as the work of an organisation: the aim is to identify the whole criminal enterprise and the "big fish" (boss) behind the individual offenders, not just the person who committed the act
ESI (Electronically Stored Information)
any information stored in electronic form (computers, phones, servers, cloud)
E-Discovery
identifying, collecting, securing and producing ESI for a legal case
Digital evidence collection toolkits
screwdriver
Chain of Custody
Glove
Goggles
hat
evidence bag
mask
write-blocker
Paraben StrongHold bag (Faraday bag that blocks wireless signals to seized phones)
marker
Forensic Triage
prioritise which digital evidence to process first, because there is usually far more evidence than time to examine it
Anti-Forensic
Data Hiding
Steganography
hide a file or message inside another file, such as an image or audio file
Data obfuscation
used to confuse the investigator
e.g. changing a file's extension or format so it is not recognised
Data encryption
encryption program
vault program
BitLocker, the full-disk encryption built into Windows
Data Wiping
Eraser program
CCleaner
Compression
password-protected compressed archives
Malware tools
malware used to remove or destroy data
Artifact Wiping
Disk Wiping
overwriting every sector of the disk so the previous contents cannot be recovered (simply deleting a file only removes its link in the file table)
File Wiping
overwriting an individual file's contents and removing its file-table entry from the OS
ADS ( Alternate Data Streams)
hides data in a named stream attached to a file on Windows NTFS; Windows Explorer and a plain dir do not show it, but dir /r or PowerShell Get-Item -Stream * lists the streams
HFS+ on macOS supports similar extra forks (resource forks / extended attributes)
physical destruction
Type of Cybercrime
Ransomware
BEC (Business Email Compromise) / CEO Fraud/ Whaling
Financial cybercrime
investment scam
Macau scam
mule account
Cryptocurrency investment scam
DeFi (Decentralized Finance)
financial services (lending, exchange) built on smart contracts on a public blockchain; every transaction is recorded on the blockchain's distributed ledger
built on blockchain technology
cryptojacking
Email spam
computer in cybercrime
computer can be the object of a crime
targeted by criminals
computer can be the subject of a crime
used by criminals to commit crime
can be used as the tool for conducting or planning a crime
can be used to intimidate or deceive (black mailing)
Skills
Technical Skills / Hard Skills
Mobile forensic skills
Network forensic skills
Host forensic skills
Operating System forensic skills
Windows
Linux
MacOS
storage forensic skills
file system
Type of data acquistion
manual acquisition
normally used on cellphones or older devices that forensic tools do not support
the examiner browses the device by hand
a camera normally records the screen during the acquisition so the process is documented
physical acquisition
a bit-for-bit copy of the entire storage medium, including unallocated space; the suspect hard drive, phone or PC is connected (through a write blocker) to the forensic workstation or FRED (Forensic Recovery of Evidence Device)
logical acquisition
uses software or tools to copy the files and directories that the file system exposes (unallocated space is not captured)
two type of logical acquisitions
full disk logical acquisition
partitions logical acquisition
Live acquisition
captures volatile data from a running system: network state, RAM contents, logged-on users and times, cloud sessions, clipboard contents
file signatures
web browser forensic skills
browser forensics
social media network forensic
Twitter post
facebook post
weibo post
snapchat post
instagram story
Soft Skills
Communication skills
Project Management skills
Time Management skills
Decision-making skills
Problem-solving skills
Critical-thinking skills
Digital evidence
Type of data
Volatile data / dynamic data / continuous data / stream data
data that is lost when power is removed; it lives in CPU cache or RAM and represents the immediate state of the device
Clipboard contents
logged-on users and logon times
network configuration, connections and status information
cloud sessions
CPU cache
processes
memory
Temporary file
Non-volatile data / persistent data / dead data / static data / linear data
data that persists unchanged after power is removed
hard drive data
secondary device data
Order of volatility (most to least volatile, as in RFC 3227)
registers and cache
routing table, ARP cache, process table, kernel statistics, memory
temporary system files (hiberfil.sys, pagefile.sys)
storage media (disk)
remote logging and monitoring data
physical configuration and network topology
archival media
Storage forensic
Type of data
saved data
files that were saved normally and are neither deleted nor temporary (the normal files a user creates and saves)
Temporary data
data created temporarily by the system or an application
temporary files often have a name starting with "~"
the usual extension of a temp file is .tmp
deleted data
deleted data is still present on the computer or device; the OS only removes its entry (link) in the file table
the clusters become unallocated space (a quick format does the same for the whole volume), and the bytes stay there until they are overwritten
deleted data is therefore recoverable until it is overwritten
Data recovery
Tools for data recovery
Testdisk
Photorec
Foremost
HxD
WinHex
Recuva
metadata
data that describe data
timestamp
location
tool used to read metadata
ExifTool
metadata formats
EXIF
IPTC
XMP
clusters
default NTFS cluster size is 4096 bytes (8 sectors of 512 bytes)
unused space at the end of a file's last cluster is slack space
a cluster belongs to at most one file, so when new data is stored it starts in a new cluster, even though the previous file's last cluster still has unused space
data acquisition methods
disk to image file
this method creates an image copy of a drive
GUI tools to create image file
Encase
Guymager
FTK imager
Image file format
E01 (EnCase Expert Witness format), .dd (raw), AFF, AFF4, L01 (logical evidence file), S01 (SMART)
Command-Line tool create image file
dd
disk to disk
this method makes a bit-for-bit copy of the data from one disk directly onto another disk
logical disk-to-disk / disk-to-data
sparse data copy: copies only specific files or fragments of data instead of the whole disk
data carving
photorec
Remote acquisition
acquires data from the suspect computer over a network or Internet connection using remote forensic tools, extracting the whole disk or fragments of data
file system
Windows
FAT (FAT12 / FAT16)
FAT32
NTFS
ReFS
Newest
Linux
ext
ext2
ext3
ext4
XFS
JFS
ReiserFS
MacOs
HFS
HFS+
APFS
Newest
data in storage
multimedia files
application software file
recycle folders and files
E-mails
sector size is traditionally 512 bytes (4096 bytes on Advanced Format drives)
file signature
each file type has its own signature (magic bytes at the start of the file); the extension is just part of the name
criminals may change the extension to mislead the investigator, so the signature, not the extension, identifies the type
tools that validate file signature
WinHex
HxD
the bytes at offset 0 (the first row in the hex editor) are the file signature, e.g. FF D8 FF for JPEG, 89 50 4E 47 for PNG, 25 50 44 46 (%PDF) for PDF, 4D 5A (MZ) for Windows executables
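The three points above (deleted data stays in unallocated space until overwritten, a file's last cluster leaves slack, and file type is identified by signature rather than extension) can be shown on a tiny simulated volume. This is an added example, not code from the page; the disk layout, file names and byte contents are constructed here, and the "file system" is a deliberately minimal FAT-like table.

```python
"""Simulated volume: cluster slack, deleted-but-present data, and
signature-based carving.  Added example; the disk layout, file names and
byte contents below are constructed, not taken from the page."""

SECTOR = 512          # traditional sector size
CLUSTER = 4096        # default NTFS cluster size (8 sectors)
N_CLUSTERS = 8        # constructed tiny volume: 32 KiB

# Magic bytes found at offset 0 of common file types
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
JPEG_EOI = b"\xff\xd9"   # end-of-image marker, used as the carve footer


class SimDisk:
    """FAT-like volume: a bytearray plus a file table mapping
    name -> (first_cluster, cluster_count, logical_size).
    delete() only drops the table entry; the bytes stay until reused."""

    def __init__(self):
        self.data = bytearray(N_CLUSTERS * CLUSTER)
        self.table = {}
        self.free = list(range(N_CLUSTERS))

    def write(self, name, content):
        n = max(1, -(-len(content) // CLUSTER))   # clusters needed (ceil)
        run = self.free[:n]                        # lowest free clusters
        if len(run) < n or run != list(range(run[0], run[0] + n)):
            raise RuntimeError("example needs a contiguous free run")
        del self.free[:n]
        off = run[0] * CLUSTER
        self.data[off:off + len(content)] = content   # slack is left as-is
        self.table[name] = (run[0], n, len(content))

    def delete(self, name):
        first, n, _ = self.table.pop(name)
        self.free = sorted(self.free + list(range(first, first + n)))

    def slack_size(self, name):
        _, n, size = self.table[name]
        return n * CLUSTER - size

    def slack_bytes(self, name):
        first, n, size = self.table[name]
        return bytes(self.data[first * CLUSTER + size:(first + n) * CLUSTER])

    def physical_sectors(self, name):
        return self.table[name][1] * CLUSTER // SECTOR


def carve(image):
    """Header/footer carving over a raw image, ignoring the file table.
    JPEGs are cut at the EOI marker; other types report the header offset
    only.  Returns (kind, offset, length_or_None) sorted by offset."""
    found = []
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            length = None
            if kind == "jpg":
                end = image.find(JPEG_EOI, pos + len(magic))
                if end != -1:
                    length = end + len(JPEG_EOI) - pos
            found.append((kind, pos, length))
            pos = image.find(magic, pos + 1)
    return sorted(found, key=lambda f: f[1])


def demo():
    disk = SimDisk()
    pdf = b"%PDF-1.4\n" + b"CONFIDENTIAL invoice text " * 100   # 2609 B, 1 cluster
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 4990 + JPEG_EOI       # 4996 B, 2 clusters
    disk.write("invoice.pdf", pdf)          # cluster 0
    disk.write("photo.jpg", jpeg)           # clusters 1-2
    disk.delete("invoice.pdf")              # entries removed, bytes remain
    disk.delete("photo.jpg")
    disk.write("memo.txt", b"meeting moved to 3pm\n" * 6)   # 126 B, reuses cluster 0
    return {
        "memo_slack": disk.slack_size("memo.txt"),            # 4096 - 126
        "memo_sectors": disk.physical_sectors("memo.txt"),    # 8 sectors on disk
        "pdf_remnant_in_slack": b"CONFIDENTIAL" in disk.slack_bytes("memo.txt"),
        "carved": carve(bytes(disk.data)),   # deleted JPEG still carvable
    }
```

demo() shows both outcomes an examiner meets in practice: the deleted JPEG is carved intact from unallocated space because nothing reused clusters 1-2, while the deleted PDF's header at cluster 0 was overwritten by memo.txt, so carving no longer finds it, yet most of its text survives in memo.txt's slack.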
file hashing tools
File integrity checker tools
Microsoft FCIV (File Checksum Integrity Verifier)
certutil -hashfile
computes the hash value of a file
Tripwire
hashing algorithms
SHA-1
SHA-256
MD5
RIPEMD
HMAC (keyed hash / message authentication code; it needs a secret key, so it proves origin as well as integrity)
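The disk-to-image step (the dd command above) and the hashing step belong together: the acquisition hash is computed while the image is written and then re-checked from the image file. The following is an added example in Python, not code from the page or from dd; the "device" is a constructed in-memory object with one unreadable block so the script runs without real hardware, and the zero-fill behaviour mirrors what dd conv=noerror,sync does.

```python
"""dd-style raw imaging with on-the-fly hashing and post-acquisition
verification.  Added example, not code from the page; the 'device' is a
constructed in-memory object so the script runs without real hardware."""
import hashlib
import os
import tempfile

BLOCK = 4096   # like dd bs=4096


class FlakyDevice:
    """Constructed stand-in for a failing drive: reading at bad_offset
    raises an I/O error, every other read is served from `payload`."""

    def __init__(self, payload, bad_offset):
        self.buf, self.bad, self.pos = payload, bad_offset, 0

    def seek(self, off):
        self.pos = off

    def read(self, n):
        if self.pos == self.bad:
            raise OSError("Input/output error")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(src, dst, block=BLOCK):
    """Copy src to dst block by block, the way dd does.  An unreadable
    block is replaced by zeros so later offsets stay aligned (the effect of
    dd conv=noerror,sync) and its offset is recorded for the report.
    Hashes are updated as the data is written, so the examiner gets the
    acquisition hash without a second pass over the source.
    Returns (md5, sha256, bytes_written, bad_offsets)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    pos, written, bad = 0, 0, []
    while True:
        try:
            src.seek(pos)
            chunk = src.read(block)
        except OSError:
            bad.append(pos)
            chunk = b"\x00" * block
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
        pos += len(chunk)
        written += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), written, bad


def hash_file(path, algo="sha256", block=BLOCK):
    """Re-hash a file from disk (what certutil -hashfile or sha256sum do)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    payload = bytes(range(256)) * 48 + b"trailing partial block"  # constructed, 12310 B
    device = FlakyDevice(payload, bad_offset=BLOCK)              # 2nd block unreadable
    image = os.path.join(workdir, "evidence.dd")
    with open(image, "wb") as out:
        md5, sha, n, bad = image_device(device, out)
    # what the image must contain: block 2 zero-filled, everything else verbatim
    expected = payload[:BLOCK] + b"\x00" * BLOCK + payload[2 * BLOCK:]
    return {
        "bytes_written": n,
        "bad_offsets": bad,
        "md5": md5,
        "sha256_during": sha,
        "sha256_after": hash_file(image),
        "image_as_expected": sha == hashlib.sha256(expected).hexdigest(),
    }
```

The practical caveat the example makes visible: when sectors were unreadable and zero-filled, the image hash can never match a hash of the original device, so the bad offsets must be written into the acquisition notes and chain-of-custody record alongside the hashes; verification then means "image re-hashes to the acquisition hash", not "image hash equals source hash".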
Email forensic
Type of email agents
MUA (Mail User Agent)
Type of Email MUA
GUI
Geary
Mozilla Thunderbird
Microsoft Outlook
Claws Mail
Terminal base
Alpine
Pine
Apache (not an MUA; Apache James is a mail server / MTA)
MTA (Mail Transfer Agent): relays mail between servers over SMTP
MDA (Mail Delivery Agent): places incoming mail into the recipient's mailbox
Email cybercrime
BEC (business email compromise) / CEO fraud / Whaling
Email spamming
Email spoofing
Email Bombing
Email fraud
Sending threatening emails
sending sexual harassment email
Email formats
Apple mail
.EMLX
Microsoft Outlook
.PST
mailbox messages (sent, received, deleted, draft)
.OST
offline cached copy of the Exchange mailbox
Mozilla Thunderbird
.MBOX
Microsoft Outlook Express
.DBX
.EML
the common single-message format, saved on the client side or left on the server
one .eml file holds exactly one email
Personal Address Book
.CSV
Microsoft Exchange Email server logs
Information store files (database files)
.EDB
the main database holding MAPI (messaging application programming interface) content
.STM
streaming file holding non-MAPI (native Internet format) content (Exchange 2000/2003)
Logs
Transaction logs
keep tracks of e-mail database
checkpoints
keep track of transaction logs
Temporary files
E-mail communication logs
Tracking logs
Server
email authentication mechanisms
SPF: DNS record listing which mail servers may send on behalf of a domain
DKIM: the sending domain signs the message so the receiver can verify it was not altered in transit
DMARC: policy that tells receivers what to do when SPF/DKIM checks fail for the From domain and where to send reports
Microsoft Exchange Server (a mail server, not an authentication mechanism)
RADIUS
a network-access authentication (AAA) server inside a company, not an email authentication mechanism
Date and Time
UTC (Coordinated Universal Time)
the common time standard used worldwide; forensic timelines should be normalised to UTC
is a time standard, not a time zone
GMT (Greenwich Mean Time)
is a time zone (UTC+0); other zones are written as offsets from it
for example: Malaysia is GMT+8 (UTC+8)
UNIX time / UNIX epoch / UNIX timestamp / POSIX time: seconds elapsed since 1970-01-01 00:00:00 UTC
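Pulling the .eml fields together (Received chain, SPF/DKIM/DMARC verdicts, and the Date header converted to UTC and Unix time) is the first pass of an email triage. The block below is an added example using Python's standard email module, not code from the page; SAMPLE_EML is a constructed spoofed-CEO message (the BEC pattern listed above), not a real email, and the hosts and addresses in it are made up.

```python
"""Triage of a saved .eml message: Received chain (origin hop first),
Authentication-Results verdicts (SPF/DKIM/DMARC) and the Date header
normalised to UTC and Unix epoch.  Added example; SAMPLE_EML is a
constructed message, not a real one."""
import re
from datetime import timezone
from email import message_from_bytes, policy, utils

# Constructed spoofed-CEO message relayed through two hops (BEC pattern).
SAMPLE_EML = b"""\
Received: from mx1.example.com (mx1.example.com [203.0.113.10])
\tby mail.example.com with ESMTPS id abc123;
\tTue, 5 Mar 2024 09:15:02 +0800
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx1.example.com with ESMTP id def456;
\tTue, 5 Mar 2024 09:14:58 +0800
Authentication-Results: mail.example.com;
\tspf=fail smtp.mailfrom=ceo@example.com;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "The CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Date: Tue, 5 Mar 2024 09:14:50 +0800
Message-ID: <20240305011450.1@198.51.100.7>
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?by\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _unfold(header):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(header).split())


def analyze(raw_eml):
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hops = []
    for h in msg.get_all("Received", []):
        m = RECEIVED_RE.search(_unfold(h))
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    hops.reverse()   # each relay prepends its header, so the last one is the origin
    auth = dict(AUTH_RE.findall(_unfold(msg.get("Authentication-Results", ""))))
    sent = utils.parsedate_to_datetime(str(msg["Date"])).astimezone(timezone.utc)
    return {
        "from_addr": utils.parseaddr(str(msg["From"]))[1],
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "auth": auth,
        "date_utc": sent.isoformat(),
        "epoch": int(sent.timestamp()),
        "auth_failed": auth.get("spf") == "fail" or auth.get("dmarc") == "fail",
    }
```

Only the Received header added by your own server can be trusted; earlier ones may be forged by the sender, which is why the origin IP is read from the lowest trusted hop and cross-checked against the Authentication-Results that your server wrote.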
Ports
SMTP
used for sending email messages
Port number
25 (server to server), 587 (client submission with STARTTLS)
Secure SMTP (SMTPS)
465
IMAP4
used for accessing email that stays on the mail server
Port number
143
Secure IMAP4 (IMAPS)
993
POP3
used for downloading email from the server to the client
Port number
110
Secure POP3 (POP3S)
995
Mobile forensics
Mobile artifacts
Location artifacts
Geolocation files
network artifacts
IP address
MAC address
Bluetooth logs
application artifacts
application account information
application logs
Device/hardware artifacts
Pen
digital stylus
deleted file and other deleted information / record artifacts
Archive files in cloud
PLIST (property list files, for iOS devices)
Android Manifest ( for android device )
time artifacts
timestamp recorded for files
web browsing history visit time
Database artifacts
sqlite database
.frm files (MySQL table definitions)
.MYD files (MySQL table data)
Type of extraction in Mobile
Level 1
Manual Extraction
Level 2-3
Physical extraction
USSD (Unstructured Supplementary Service Data)
SIM card info
"feature codes" such as *#06#, which displays the IMEI
IMEI
Logical extraction
Level 4-5
JTAG
Chip-off
mobile forensic acquisition methods
invasive acquisition methods
harder and potentially destructive
JTAG
Chip-off
using the wrong tools or technique can damage the phone or alter (tamper with) the data
non-invasive methods
Manual acquisitions
Logical acquisitions
physical acquisitions
Web browser forensic
Web browsing history
bookmarks
stored as JSON (Chrome keeps them in a file named Bookmarks with no extension)
web cache
cache file format (depends on the browser)
Internet Explorer (up to IE9)
index.dat
Internet Explorer 10/11 and legacy Edge
WebCacheV01.dat
Chrome
Cache directory (index, data_0 to data_3 block files and f_* entries)
Safari
Cache.db
Web database file
Google Chrome stores its browsing history in a SQLite database file named History
.db / .sqlite
Type of browser
Desktop Web Browser
Google Chrome
Mozilla Firefox
Internet Explorer
Microsoft Edge
Portable Web browser
Brave
Vivaldi
Maxthon
tools used
Web Database viewer
DB browser for SQLite (DB4S)
SQLite Manager
Web cache viewer
NirSoft
IECacheView
Social Media analyzer
Maltego
Web History Viewer
NirSoft BrowsingHistoryView
Browsing History Examiner (BHE)
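The point above about Chrome's History file being SQLite is worth seeing with the timestamp conversion, because Chrome stores times as microseconds since 1601-01-01 UTC (WebKit time), not as Unix time. The block below is an added example, not code from the page or from Chrome: the database is built in memory with a reduced schema (only the columns used) standing in for a copy of the real History file, and the URLs and visit times are constructed. On a real case, copy the file first (Chrome keeps the original locked) and open the copy read-only.

```python
"""Reading a Chrome 'History' database and converting its WebKit
timestamps (microseconds since 1601-01-01 UTC) to UTC.  Added example; the
database is built in memory with a reduced schema, standing in for a copy
of the real file."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_S = 11644473600          # seconds from 1601-01-01 to 1970-01-01

# low byte of visits.transition (the 'core' transition type)
TRANSITION_CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK",
                   7: "FORM_SUBMIT", 8: "RELOAD"}


def webkit_to_utc(us):
    """WebKit/Chrome timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    """Aware datetime -> WebKit timestamp, in integer arithmetic (the
    product exceeds 2**53, so float maths would lose precision)."""
    return (int(dt.timestamp()) + EPOCH_DIFF_S) * 1_000_000 + dt.microsecond


def build_sample_history():
    """Constructed stand-in for a Chrome History file (two tables, the
    columns used here only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER);
    """)
    t0 = utc_to_webkit(datetime(2024, 3, 5, 1, 14, 50, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 1, t0),
        (2, "https://pastebin.example/raw/abc", "exfil", 1, t0 + 90_000_000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),        # TYPED, with a qualifier bit set
        (2, 2, t0 + 90_000_000, 1, 0),    # LINK clicked 90 s later, from visit 1
    ])
    conn.commit()
    return conn


def timeline(conn):
    """Chronological visits with times in UTC and decoded transition."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_utc(t).isoformat(), url, title,
             TRANSITION_CORE.get(tr & 0xFF, hex(tr & 0xFF)), frm)
            for t, url, title, tr, frm in rows]
```

The transition column is masked with 0xFF because Chrome packs qualifier flags into the high bits; the from_visit link is what lets you reconstruct how the user reached a page rather than just that they did.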
Network Forensic
Promiscuous mode
the NIC passes every frame it sees up to the OS, even frames whose destination MAC address is not its own
Application program used in network forensic
Network sniffer / Network capture
Wireshark
capture file format is pcap / pcapng
Cisco Packet Tracer (a network simulator that saves .pkt files, not a capture tool)
Fiddler (HTTP/HTTPS debugging proxy)
Network analyzer
Xplico
a popular open-source NFAT (Network Forensic Analysis Tool)
Network Scanner
Nmap
scans for open ports and services
supports several output formats (-oN, -oG, -oX); XML (-oX) is recommended because it is easy to parse
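Captures from Wireshark or tcpdump are usually handed to an analyst as pcap files, and knowing the layout (24-byte global header, then a 16-byte record header per frame) is what lets you check a capture by hand when a tool misreads it. The block below is an added example, not code from the page or from Wireshark: a minimal parser for classic pcap (Wireshark's newer default, pcapng, starts with 0x0a0d0d0a and is not handled), run over a two-frame TCP handshake constructed with struct so it works without a live capture.

```python
"""Minimal parser for classic pcap files (what tcpdump and Wireshark
write; Wireshark's newer default, pcapng, starts 0x0a0d0d0a and is not
handled here).  Added example; the two packets are constructed with
struct so the script runs without a live capture."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
TCP_FLAGS = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK", 0x18: "PSH/ACK",
             0x11: "FIN/ACK", 0x04: "RST"}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip4(s):
    return bytes(int(o) for o in s.split("."))


def build_packet(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800) + ip + tcp


def build_pcap(packets):
    """Global header (v2.4, little-endian, Ethernet) followed by records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, pkt in packets:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def parse_pcap(data):
    """Return one dict per TCP/IPv4 packet: UTC time, endpoints, flags."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(e + "IIII", data, pos)
        pkt = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
            continue                                # not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                # not TCP
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        records.append({
            "time": datetime.fromtimestamp(sec, timezone.utc)
                    .replace(microsecond=usec).isoformat(),
            "src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "flags": TCP_FLAGS.get(flags, hex(flags)),
        })
    return records


def demo():
    """Constructed handshake: client 10.0.0.5 -> 203.0.113.10:443 and reply."""
    syn = build_packet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                       "10.0.0.5", "203.0.113.10", 51234, 443, 0x02)
    synack = build_packet("66:77:88:99:aa:bb", "00:11:22:33:44:55",
                          "203.0.113.10", "10.0.0.5", 443, 51234, 0x12)
    return parse_pcap(build_pcap([(1709601290.0, syn), (1709601290.25, synack)]))
```

Record timestamps are seconds and microseconds since the Unix epoch in UTC regardless of the capturing host's time zone, which is why they are converted with timezone.utc here and can be lined up directly with the UTC-normalised email and browser times elsewhere on the page.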
commands used in windows for network forensic
ipconfig
ipconfig /all
shows all network configuration information
ipconfig /displaydns
shows the DNS resolver cache, which speeds up browsing and records the names the host recently resolved
ipconfig /flushdns
clears the DNS cache (removes the cached records)
pathping
troubleshoot network latency issues
tracert (traceroute on Linux)
traces the path a packet takes from the host to the destination and shows each hop along the way
netstat
shows active network connections and listening ports
nbtstat
shows protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)
nslookup
queries DNS, e.g. resolving a domain name to its IP address
arp
Address Resolution Protocol
displays, adds or removes entries in the ARP cache (IP-to-MAC address mappings)
command used in Linux for network forensic
ifconfig / ip addr show
same function as ipconfig
ngrep
searches packet payloads with regular expressions
tcpdump
to capture and analyze network traffic
host
to perform DNS lookup
whois
displays registration details for a domain name or IP address (registrant, registrar, name servers)
service / systemctl
controls which services start and run on Linux
a cybercriminal may stop or restart the resolver service (e.g. systemd-resolved) to clear (flush) the DNS cache
Malware forensic
Windows OS
file extension that is suspicious
DLL (Dynamic Link Library)
VXD (legacy virtual device driver)
EXE
Mac OS
APP
Android OS
APK
side loading
installing apps from sources outside the official app store (APK files from third parties)
IoC ( Indicator of Compromise)
an artifact that indicates a system may have been compromised
behaviours and traces of malware or malicious scripts
Web file extension IoC
Bookmarks file
web cache file
depends on the browser
Linux OS
.so (shared object library)