
Miami Discuss Cyber Forensic Relevance by Solving Cyber Forensic Incident Questions

Question Description

Please follow the requirements, using simple language to paraphrase the assignment, because I'm an international student; try to be as simple as you can with your paraphrasing and avoid academic words. In addition, please be careful with plagiarism. I will attach the form for the questions to follow up with the answers. Just the answers are what need to be paraphrased. A1, A2 means the answers for the questions posted in the attached doc.

Techniques (1.2): Discuss File, Memory, Network and Email Forensic Techniques in solving the above cyber forensic incident.

Questions:

1. Describe the file forensics technique in terms of the tasks that it performs, the file forensics process, and describe file encryption.

A1:

1) File forensic incidents leave a forensic “footprint” on the file system.

2) Cyber forensics deals with hidden files, deleted files, corrupted files, and encrypted files.

3) Cyber forensics software is used to make a forensic image of the hard disk drive.

4) File forensics software is used to analyze this image to collect digital evidence. Specifically, the software analyzes all details about the files that were deleted (names, sizes, dates) and assesses the extent and seriousness of the inflicted damage.

1) An encrypted file is obtained through encryption.

2) Encryption is a process that encodes a file so that it can only be read by certain people.

3) Encryption uses an algorithm to encode the data; the receiving party then uses a secret key or password to decrypt the information.

4) If the private key is lost, file decryption becomes very difficult.

2. Discuss any limitations of the file forensics technique that cyber criminals might exploit to avoid detection.

A2:

1) Cyber attackers increasingly try to hide their malware so that it does not leave any traces on the suspect hard disk drive.

2) Disk damage, due to force, fire or water, makes file forensics difficult.

3) Some malware is specifically designed to avoid detection by Antivirus software.

3. Describe the digital memory forensic technique in terms of why it is important and how it is done, and discuss how memory and file digital evidences complement one another.

1) Memory forensics involves the analysis of volatile data (all running processes) in a computer’s memory. Memory forensics uses the collected evidence to investigate cyber crimes and hacking.

2) Forensics software is used to create an image of the memory (a memory dump). Memory forensics software then analyzes the memory dump (all running processes) to collect evidence.

3) Volatile data is the set of processes that run in memory (CPU registers, RAM). Examples include Running processes, Logged on users, Closed text and doc files, Chat/Email messages, Open files.

4. Discuss any limitations of digital memory forensics that cyber criminals might exploit to avoid detection.

1. Some malware programs can:

1) Hide processes from the event log (for example, a malware program will not show in the list of events)

2) Change the ID of processes

3) Change the security access rights of processes (for example, malware can change the access rights of a certain process so that it is now able to write to a file)

2. If a memory dump is taken using memory forensics software that is not up to date with regard to the operating system, the memory image can be corrupted or incomplete.

5. Describe the network forensics technique in terms of why network forensics is important and how it is done, and describe Intrusion Prevention Systems (IPS).

A5:

1) Network forensics is a sub-branch of cyber forensics that gathers digital evidence that is admissible in a court of law, and fixes damage inflicted by cyber attacks.

2) Network forensics is important because it helps you to safeguard your network against both internal and external threats, hackers, and malware attacks. Specifically, it helps you to find out:

1. Who is behind the incident?

2. What actually happened?

3. When did it happen?

4. Which resources were compromised?

5. Why was it done?

6. How was it done?

3) Network Forensics detects cyber crimes through the investigative analysis of:

1. Network packets, which hold valuable information such as source IP, destination IP, ports, protocols (TCP, UDP), and data.

2. Firewall and router logs, which contain valuable information such as source IP, destination IP, ports, protocols (TCP, UDP), and dates.

3. Server logs, which consist of valuable information such as source IP, destination IP, ports, protocols (TCP, UDP), and dates.
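As an added example (not part of the assignment text), the following Python script pulls the fields listed above out of constructed firewall log lines and answers the "who, when, which resource" questions for one server. The log format, the addresses and port 1433 standing in for the database server are all assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample firewall log: documentation address ranges, and port 1433
# chosen here to represent the database server (an assumption, not from the page).
SAMPLE_FIREWALL_LOG = """\
2023-03-01 09:12:05 ALLOW TCP 10.0.0.15:51234 -> 10.0.0.50:1433
2023-03-01 09:13:40 ALLOW UDP 10.0.0.15:53411 -> 10.0.0.2:53
2023-03-01 23:47:12 ALLOW TCP 203.0.113.77:40022 -> 10.0.0.50:1433
2023-03-01 23:49:30 DENY TCP 203.0.113.77:40023 -> 10.0.0.51:3389
2023-03-02 00:01:02 ALLOW TCP 203.0.113.77:40024 -> 10.0.0.50:1433
garbage line that a parser must not misread
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Turn each log line into a dict of evidence fields; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["date"], "%Y-%m-%d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records

def external_hits(records, internal_net, watched_port):
    """Allowed connections to watched_port whose source lies outside internal_net:
    these give the 'who', 'when' and 'which resource' answers for that server."""
    net = ipaddress.ip_network(internal_net)
    return [r for r in records
            if r["action"] == "ALLOW" and r["dport"] == watched_port
            and ipaddress.ip_address(r["src"]) not in net]

if __name__ == "__main__":
    for h in external_hits(parse_log(SAMPLE_FIREWALL_LOG), "10.0.0.0/8", 1433):
        print(h["when"], h["proto"], h["src"], "->", h["dst"], h["dport"])
```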

6. Discuss any limitations of the network forensics technique that cyber criminals might exploit to avoid detection.

A6:

1. Hackers can find ways to sneak malware into the network through the firewall. To fix this limitation:

1) Install an IPS behind the firewall

2) Ensure the firewall and IPS policies are robust and updated.

2. Attackers try to modify the data in the logs to hide their intrusion footprints.

7. Describe the email forensics technique in terms of why email forensics is important and how it is done, and describe the consequences of an email phishing attack.

1) Email forensics is a branch of cyber forensic science. It investigates cyber crimes by extracting digital evidence from email messages.

2) Email forensics is performed through the analysis of the email header, which yields the following digital evidence:

1) Sender email and IP address

2) Email servers the mail passed through

3) Date and time information

4) Client information
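As an added example (not part of the assignment text), this Python script extracts the four kinds of header evidence just listed from a constructed raw message using the standard email library; the hosts, addresses and X-Mailer value are made up. It also shows why the originating IP is read from the earliest Received header rather than from the From header, which is the spoofing weakness discussed in the next question.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (documentation hosts and addresses, not real evidence).
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.com with ESMTP id abc123; Tue, 07 Mar 2023 10:15:31 +0000
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mx2.example.net with ESMTP; Tue, 07 Mar 2023 10:15:29 +0000
Received: from laptop.local (unknown [203.0.113.5])
\tby mx1.example.net with ESMTPA; Tue, 07 Mar 2023 10:15:27 +0000
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Date: Tue, 07 Mar 2023 10:15:26 +0000
Subject: Account check
X-Mailer: MailerTool 2.1
Message-ID: <constructed-0001@example.net>

Please confirm your account details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"^from (\S+)")

def header_evidence(raw):
    """Return sender, originating IP, relay chain, timestamps and client info.
    Each server prepends its own Received header, so the LAST one is the first
    hop and carries the originating IP. The From header is just a claim."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = [str(h) for h in msg.get_all("Received", [])]
    hops = []
    for hdr in received:
        host = HOST_RE.match(hdr.strip())
        ip = IP_RE.search(hdr)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    client = msg["X-Mailer"] or msg["User-Agent"]
    return {
        "from_header": str(msg["From"]),              # claimed sender, spoofable
        "origin_ip": hops[-1][1] if hops else None,   # earliest hop = true origin
        "relay_path": [h for h, _ in reversed(hops)], # servers the mail passed through
        "date_header": str(msg["Date"]),
        "hop_times": [h.rsplit(";", 1)[-1].strip() for h in received],
        "client": str(client) if client else None,
    }

if __name__ == "__main__":
    for key, value in header_evidence(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```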

8. Discuss any limitations of the email forensics technique that cyber criminals might exploit to avoid detection.

The main limitation of email forensics is related to the fact that cyber criminals often operate underground, hiding their true identity to evade any legal action against them. They accomplish this by means of:

1) Email and IP spoofing (modified source IP address)

2) Compromised networks

3) Proxy servers

4) Untraceable internet connections

9. Illustrate the use of file, memory, network, and email forensics by means of a short scenario (application or real-world).

email:

You can give a similar scenario to the one given in this example. You might want to change some of the given details, such as the name of the company and the type of digital evidences. For example, you can include the following digital evidences: Phishing attack, IP address, and date and time information.

network :

You can give a similar scenario to the one given in this example. You might want to change some of the given details, such as the name of the company and the type of digital evidences. For example, you can include the following digital evidences: Network Packets, router and server logs that contain: source IP, destination IP, ports, protocols (TCP, UDP), data, and dates.

file :

You can give a similar scenario to the one given in this example. You might want to change some of the given details, such as the name of the company and the type of digital evidences. For example, you can include digital evidences related to file forensic techniques, such as deleted, damaged and hidden files.

memory :

You can give a similar scenario to the one given in this example. You might want to change some of the given details, such as the name of the company and the type of digital evidences. For example, you can include digital evidences related to the following types of volatile data: Date and time, Running processes, Logged on users, Closed text and doc files, Chat/Email messages, Open files, Executable programs, Web browsing history, Photos, IP addresses, Account Usernames and Passwords.

1. Identify three technical applications of cyber forensics in this incident (Identify three things that cyber forensics can be used for, or can do).

1) Search for proof of a cyber crime

2) Look for all the bad activities (deletion of files and infection with a virus)

3) Assess and fix the damage caused by the above bad activities

2. Identify three real-world applications of cyber forensics.

1- Fraud, murder.

2- False accusations, threats, harassment.

3- Disclosing corporate information without permission.

3. Describe the potential evidences available in this incident.

1) A phishing attack took place.

2) Virus and spyware processes were running.

3) Unauthorized access to the database server.

4. Discuss how reliable are cyber forensics, and the digital evidences.

1) Cyber forensics is reliable because it uses dependable scientific methods and standards, and computer technology, to investigate cyber crimes.

2) The evidences mentioned are reliable enough to prove that a cyber crime was committed.


Techniques (1.2): Discuss cyber forensic Incident Response Techniques in investigating the above cyber forensic incident.

Questions:

1. Describe the cyber forensic incident response techniques: Identification, imaging, hashing and analysis.

– Identification

1. Who are the prime suspects?

2. What are the best sources of digital evidence to be further investigated?

3. Ensure that no essential evidence is missed that might affect a case.

4. The investigation costs can be estimated in advance.

5. The scope of the case can be adjusted: local, national or international.

– Imaging

1. After successfully seizing the suspect device, a forensic image (duplicate or logical copy) of the evidence is created from the physical device for further analysis.

2. In the case of a hard disk drive, a write-blocking device is used to allow only read access to the drive, and thus prevents any changes to it.

– Hashing: Computation

1. Every file or medium (e.g. hard disk) has a unique hash value (H).

2. The hash value (H) is computed as: H = File or Medium + Hashing Algorithm.

3. Meaning: H is computed by applying a hashing algorithm to the file or medium (e.g. hard disk, forensic image of the hard disk).

4. To ensure the image copy is the same as the source data, a hash value is created for every forensic image using various hashing algorithms such as: MD5 (Message Digest 5) | SHA1 (Secure Hash Algorithm) | SHA256
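As an added example (not part of the assignment text), this Python script performs the hashing step above: it streams a file through MD5, SHA1 and SHA256 at once and compares the source drive against its forensic image, so that even a single changed byte is caught. The "drive" and its two copies are constructed in a temporary directory; file names are assumptions.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the three algorithms named in the text

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hex digest} for a file, reading it once in chunks
    so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(source_path, image_path):
    """Return (all_match, source_hashes, image_hashes). The image is trusted
    only if every algorithm agrees; one mismatch means the copy is not the source."""
    src, img = hash_file(source_path), hash_file(image_path)
    return all(src[a] == img[a] for a in ALGORITHMS), src, img

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed 3 MiB 'drive' with an exact copy and a copy whose last byte
    was flipped. Returns (exact_copy_ok, tampered_copy_ok)."""
    drive = os.urandom(3 * 1024 * 1024)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "drive.raw")
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        _write(src, drive)
        _write(good, drive)
        _write(bad, drive[:-1] + bytes([drive[-1] ^ 0x01]))
        ok_good, _, _ = verify_image(src, good)
        ok_bad, _, _ = verify_image(src, bad)
    return ok_good, ok_bad

if __name__ == "__main__":
    print(demo())  # (True, False)
```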

– Analysis

1. After the process of imaging and hashing, the evidence is analyzed by a forensics expert to either support or oppose the hypotheses in the investigation.

2. During the analysis, the forensics expert should maintain the integrity of the digital evidence.

3. The analysis is performed by using appropriate forensics techniques and forensics software.

2. Illustrate with a cyber forensic scenario example.

A healthcare company suspected an incident during their routine internal security auditing. As a digital forensic expert, you were called to investigate this incident. Using forensics software and tools, your forensics investigations found the following pieces of evidence:

1) A virus program was installed.

2) Network security settings were changed.

3) Some files were damaged.

3. Discuss the limitations of seizure and imaging that might be exploited by attackers to avoid detection.

Seizure Limitations: Equipment might be destroyed, damaged or even hidden in an unknown location.
