Digital Forensics | All About Testing
https://allabouttesting.org
Software Testing & Ethical Hacking Fundamentals
Sat, 29 Jul 2023 10:13:39 +0000

Quick Overview: Booting Process of Windows
https://allabouttesting.org/quick-overview-booting-process-of-windows/
Wed, 26 Apr 2023 16:37:38 +0000

Booting is the process of starting a computer system; restarting a running system also initiates a boot. Both starting and restarting Windows are therefore called booting. During booting, the operating system, which is stored on the hard disk, is loaded into working memory (RAM). Booting is a critical process of any OS, and from a security standpoint it is also the stage where boot-level malware tries to gain control before the OS and its defences are running. This blog provides a brief overview of the booting process of Windows-based systems.

Types of Booting

(1) Hard Boot or Cold Boot

A hard boot simply means starting a computer system from the switched-off state. Generally, you start your day in the office by pressing the power button on a switched-off machine. That is called a hard boot or cold boot.

(2) Soft Boot or Warm Boot

A soft boot simply means restarting a computer system that is already switched on. While working, you sometimes restart the machine because of updates or for some other reason; that restart comes under soft boot or warm boot. Note that either kind of boot discards the contents of RAM, so volatile evidence (running processes, network connections, keys held in memory) must be captured before a suspect machine is rebooted.

Windows System Files

Windows needs many files to run properly. Some are critical: if they are missing or corrupt, Windows does not boot. Others are less essential, and their absence does not stop the operating system from running.

Attackers frequently tamper with or replace system files to compromise a computer, so protecting them from malicious software is critical. On a live system, the built-in `sfc /scannow` command checks protected system files against known-good copies; in a forensic examination, hashes of these files are compared against a known-good baseline instead. Below is a list of files that are required while running the OS.

File name: Description
Win32k.sys: Kernel-mode part of the Win32 subsystem (window manager and GDI) on which every GUI application depends
Ntdll.dll: The native API; the user-mode system-call stubs that the Win32 DLLs ultimately call into
Hal.dll: Hardware Abstraction Layer dynamic-link library, which hides platform-specific hardware details from the kernel
Ntkrnlpa.exe: The 32-bit kernel image built with Physical Address Extension (PAE) support; it plays the same role as Ntoskrnl.exe on PAE systems
Ntoskrnl.exe: The NT kernel and executive: memory management, scheduling, I/O and the object manager
User32.dll: Win32 user-interface API (windows, messages, input)
Advapi32.dll: Advanced API services: registry, service control manager and security (token and ACL) functions
Kernel32.dll: Win32 base API: processes, threads, memory and file I/O
Gdi32.dll: Graphics Device Interface API used by Windows programs for drawing and printing

Windows Boot Process

Windows 8 and later boot either through the legacy BIOS-MBR path or through the newer UEFI-GPT path. Which one is used is not a free choice at boot time: it depends on the firmware mode the machine was installed under (legacy BIOS/CSM or UEFI) and on the partition style of the system disk (MBR or GPT). On a UEFI system the firmware loads the Windows boot manager (bootmgfw.efi) from the EFI System Partition, which in turn runs winload.efi; with Secure Boot enabled, each of these images must carry a valid signature before it is executed. The BIOS-MBR path is also used by older Windows versions such as Windows XP, Vista and Windows 7.

BIOS-MBR

  1. Pressing the power button starts the BIOS, which runs its power-on self-test (POST): it checks that the required hardware is present and working and locates a bootable disk.
  2. The BIOS loads the first sector of that disk, the Master Boot Record (MBR), and executes its boot code.
  3. The MBR code reads the partition table, finds the active partition and loads that partition's Volume Boot Record (VBR), also called the boot sector.
  4. The NTFS boot sector code in the VBR locates and loads the Windows boot manager.
  5. BOOTMGR starts. It reads the Boot Configuration Data (BCD) store; if the system is resuming from hibernation it hands over to WINRESUME.EXE, otherwise it starts WINLOAD.EXE.
  6. WINLOAD.EXE loads the kernel (NTOSKRNL.EXE), HAL.DLL, the SYSTEM registry hive and the boot-start drivers into memory.
  7. Control passes to NTOSKRNL.EXE, which initialises the system through HAL.DLL.
  8. Kernel initialisation phase 0 runs inside NTOSKRNL.EXE (basic memory, processor and object structures).
  9. Kernel initialisation phase 1 runs (the remaining executive subsystems and driver loading).
  10. SMSS.EXE (Session Manager) starts as the first user-mode process; it creates the Win32 subsystem process (CSRSS.EXE) and starts WININIT.EXE for session 0.
  11. WINLOGON.EXE starts in the interactive session to handle user logon.
  12. LSASS.EXE (Local Security Authority) is started by WININIT.EXE, alongside SERVICES.EXE, and authenticates the user's credentials.

To check which boot method your desktop uses, follow the steps below:

  1. Open “Computer Management” with Administrator privileges
  2. Click on Disk Management
  3. Right-click on Disk 0, select Properties, and open the Volumes tab; “Partition style” shows either Master Boot Record (MBR) or GUID Partition Table (GPT)

System Information (msinfo32) also reports the firmware mode as “BIOS Mode: Legacy” or “BIOS Mode: UEFI”.
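The same question can be answered offline from a disk image, which is what matters in a forensic examination where the machine is not booted. The following Python script is an added example, not part of the original post: it reads the first two sectors of a raw image, decodes the MBR partition table, tells MBR from GPT by the protective 0xEE entry and the “EFI PART” header signature, and hashes the 446-byte boot-code area so it can be compared with a known-good baseline (legacy bootkits live there). The sample images, partition values and 512-byte sector size are constructed assumptions; point it at a real image taken with dd to inspect that instead.

```python
"""Determine the partition style (MBR or GPT) of a raw disk image offline.

Added example, not code from the original post. Assumes a standard PC layout:
LBA 0 holds the MBR (446 bytes of boot code, four 16-byte partition entries,
0x55AA signature); on GPT disks LBA 1 holds a header starting with "EFI PART".
A 512-byte sector size is assumed.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
GPT_SIGNATURE = b"EFI PART"
PROTECTIVE_MBR_TYPE = 0xEE   # type of the single protective entry on GPT disks


def parse_mbr_entries(mbr: bytes) -> list:
    """Decode the four partition entries at offset 446; unused (type 0) entries are skipped."""
    entries = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:
            entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": sectors})
    return entries


def partition_style(image: bytes) -> str:
    """Return "MBR", "GPT", "GPT (no protective MBR)" or "unknown" from the first two sectors."""
    if len(image) < 2 * SECTOR or image[510:512] != MBR_SIGNATURE:
        return "unknown"          # no boot signature: blank disk or truncated image
    types = {e["type"] for e in parse_mbr_entries(image[:SECTOR])}
    if image[SECTOR:SECTOR + len(GPT_SIGNATURE)] == GPT_SIGNATURE:
        # A well-formed GPT disk also carries one 0xEE entry so legacy tools
        # do not treat the disk as empty; its absence is worth reporting.
        return "GPT" if PROTECTIVE_MBR_TYPE in types else "GPT (no protective MBR)"
    return "MBR"


def boot_code_sha256(image: bytes) -> str:
    """Hash the 446-byte boot-code area; compare against a baseline to spot MBR bootkits."""
    return hashlib.sha256(image[:446]).hexdigest()


def make_mbr(entries, boot_code: bytes = b"") -> bytes:
    """Build one MBR sector from (bootable, type, start_lba, sectors) tuples (constructed sample)."""
    table = b""
    for bootable, ptype, start, count in entries:
        # status, 3-byte CHS start, type, 3-byte CHS end, then LBA start and sector count
        table += bytes([0x80 if bootable else 0x00, 0, 0, 0, ptype, 0, 0, 0])
        table += struct.pack("<II", start, count)
    table = table.ljust(64, b"\x00")
    return boot_code[:446].ljust(446, b"\x00") + table + MBR_SIGNATURE


# Constructed sample images (two sectors each); not taken from any real disk.
MBR_IMAGE = make_mbr([(True, 0x07, 2048, 204800)]) + b"\x00" * SECTOR
GPT_HEADER = GPT_SIGNATURE + struct.pack("<I", 0x00010000)   # signature + revision 1.0
GPT_IMAGE = make_mbr([(False, PROTECTIVE_MBR_TYPE, 1, 0xFFFFFFFF)]) + GPT_HEADER.ljust(SECTOR, b"\x00")


if __name__ == "__main__":
    import sys
    # Pass the path of a raw image (e.g. from dd) to inspect it; otherwise use the samples.
    images = {"sample-mbr": MBR_IMAGE, "sample-gpt": GPT_IMAGE}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            images = {sys.argv[1]: f.read(2 * SECTOR)}
    for name, img in images.items():
        print(name, partition_style(img), parse_mbr_entries(img[:SECTOR]), boot_code_sha256(img))
```

Only the first 1024 bytes of the image are read, so the check is cheap even on a multi-terabyte image; the boot-code hash is the value to record at acquisition and compare on later examinations.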

The post Quick Overview: Booting Process of Windows first appeared on All About Testing.

Digital Forensics: Different Types of Digital Evidence
https://allabouttesting.org/digital-forensics-different-types-of-digital-evidence/
Fri, 14 Apr 2023 06:45:37 +0000

Digital evidence is any information available in digital form that may be useful while doing an investigation. This blog provides an overview of the different types of digital evidence.

Locard’s Exchange Principle

Locard’s Exchange Principle states that every contact leaves a trace: whoever enters a crime scene takes something from it and leaves something of themselves behind. Applied to digital forensics, it means that an intruder’s interaction with a system leaves traces, for example log entries, file-system timestamps, registry changes and network records, and that these traces provide a lot of information if they are collected properly.

Best Evidence Rule

Remember, under the best evidence rule courts prefer the original of any document or media file (video, audio, image, etc.). A copy is acceptable when it can be shown to be an exact, complete duplicate of the original, which is why examiners work on a bit-for-bit forensic image rather than on the seized device and record cryptographic hashes (for example MD5 and SHA-256) of both the original media and the image at acquisition time. Integrity is a critical aspect of any digital evidence: if the hash re-computed later matches the hash recorded at acquisition, the evidence has not been altered; any mismatch must be explained.
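Hashing in practice, as an added example that is not part of the original post: the script below computes MD5 and SHA-256 of each evidence file in a single pass, writes a JSON manifest (examiner, timestamp, sizes, hashes) that becomes part of the chain-of-custody record, and re-verifies the files later. The demo builds a small constructed “original”, copies it, and then flips one byte in the copy to show that re-verification flags the modified file while the untouched original still verifies. File names, the examiner name and the image contents are assumptions for the demonstration.

```python
"""Record and verify cryptographic hashes of evidence files.

Added example, not code from the original post. File names, the examiner
name and the sample image contents are constructed for the demonstration.
"""
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024
ALGORITHMS = ("md5", "sha256")   # MD5 for older reports and tools, SHA-256 for strength


def hash_stream(stream, algorithms=ALGORITHMS) -> dict:
    """Read the stream once, feeding every chunk to all requested digests."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def write_manifest(paths, manifest_path: str, examiner: str, note: str = "") -> dict:
    """Hash each file and write a JSON manifest that becomes part of the chain-of-custody record."""
    manifest = {
        "examiner": examiner,
        "note": note,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "files": [{"file": os.path.basename(p), "size": os.path.getsize(p), **hash_file(p)}
                  for p in paths],
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest_path: str, directory: str) -> dict:
    """Re-hash every listed file; return {name: "ok" | "MODIFIED" | "MISSING"}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for rec in manifest["files"]:
        path = os.path.join(directory, rec["file"])
        if not os.path.exists(path):
            results[rec["file"]] = "MISSING"
            continue
        current = hash_file(path)
        # Every recorded algorithm must match; a single mismatch flags the file.
        results[rec["file"]] = "ok" if all(current[a] == rec[a] for a in current) else "MODIFIED"
    return results


def demo() -> tuple:
    """Hash a constructed 'original' and its copy, flip one byte in the copy, verify again."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "disk.img")
        with open(original, "wb") as f:
            f.write(b"\x00" * 1000 + b"evidence" + b"\xff" * 1000)   # constructed content
        working_copy = os.path.join(d, "disk_copy.img")
        shutil.copyfile(original, working_copy)                  # stand-in for a forensic image
        manifest = os.path.join(d, "manifest.json")
        write_manifest([original, working_copy], manifest, examiner="J. Doe", note="case 0001")
        before = verify_manifest(manifest, d)
        with open(working_copy, "r+b") as f:                      # a single-byte change
            f.seek(1000)
            f.write(b"E")
        after = verify_manifest(manifest, d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Record the manifest’s hashes in the seizure paperwork as well as on disk: a hash stored only next to the files it protects can be regenerated by whoever altered them, so it proves nothing on its own.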

Types of Digital Evidence

(1) Volatile Data

Volatile data is data that is lost when the device is switched off or rebooted.

Examples of Volatile Data:

  • Running processes
  • Open files
  • Clipboard contents
  • Open browser sessions
  • System time
  • Network configuration and active connections (including dynamically assigned private IP addresses)
  • Logged-on users
  • Contents of RAM

(2) Non-volatile Data

Non-volatile data is data stored on persistent media such as hard disks; it is generally not lost when the device is switched off.

Examples of Non-volatile Data:

  • Hidden files
  • Event logs
  • Registry settings (held in the hive files on disk)
  • Files stored on removable media such as USB flash drives

How is Digital Evidence Created?

Whenever digital evidence is seized, investigators try to identify information in it that helps resolve the case. If the perpetrators used IT devices, investigators obtain a lot of information by seizing them. Digital evidence is created mainly by two sources.

(1) By User

Users themselves create many files on desktops and laptops. Some examples of files created by the user are mentioned below:

  • Documents in Word, PowerPoint, Excel, etc. formats
  • Stored videos, audio, images, etc.
  • Stored passwords in a browser
  • Password protected files

(2) By System

Whenever you use any IT device, different logs and many temporary files are created. Some examples of files created by the system are mentioned below:

  • Log files
  • Backup files
  • System files
  • Cookies in browser
  • Configuration files

Rules to Follow while Collecting Digital Evidence

This section provides basic rules that need to be followed when collecting digital evidence. Because digital evidence needs to be presented in a court of law, the following points need to be taken care of:

(1) Collected evidence is presented in a way that is understandable by the judiciary.

(2) Collected evidence should be authentic, and its authenticity provable before the judiciary.

(3) The integrity of collected evidence should be verifiable before the judiciary (recorded hashes and a documented chain of custody).

(4) Collected evidence should be complete in all respects.

The post Digital Forensics: Different Types of Digital Evidence first appeared on All About Testing.

Digital Forensics: Fundamentals of Network Forensics
https://allabouttesting.org/digital-forensics-fundamentals-of-network-forensics/
Tue, 11 Apr 2023 17:04:31 +0000

Network Forensics is a systematic method of identifying the sources of security incidents in a network. It covers capturing, recording and analysing network traffic and network events, including the analysis of event logs. A Network Forensics Appliance (NFA) automates the collection of this evidence.

Network forensics is very helpful in identifying the source of a security incident, the path of the intrusion, the method the attacker used to enter the network, and the traces and evidence the attacker left behind.

Popular Network Attacks

(1) Distributed Denial of Service (DDoS)

A Distributed Denial of Service (DDoS) attack is the most popular attack used to disrupt the services of a victim organisation. It is performed with tools that generate floods of crafted packets against a target from many sources at once. This site has a separate post on DDoS attack types and possible mitigation techniques for preventing such attacks.

(2) Eavesdropping

This type of attack allows an attacker to capture and analyse network traffic that belongs to the victim. If the traffic is not encrypted, the attacker can read it with ordinary capture tools and extract secrets such as usernames and passwords from plaintext protocols (HTTP Basic authentication, FTP, Telnet, or SMTP/POP3 without TLS).

(3) Spoofing

In a spoofing attack the attacker forges identifying information in packets (a source IP or MAC address, an ARP reply, a DNS response) to impersonate the victim or another trusted host and deliver malicious packets to the destination.

How to Secure a Network?

There are many methods and procedures, some of them mentioned below, for securing a network against attack.

(1) Update all software components installed on the IT device

Most attacks exploit known vulnerabilities in critical infrastructure. If all software components are patched, most of these attacks are mitigated before they can happen.

(2) Authentication of Users

Never allow unknown parties into the organisation’s secure network: always authenticate users before allowing anyone onto the network. Once a user is authenticated, the firewall and network devices enforce security policies for access to the internal network.

Tools Used for Network Forensics

(1) Wireshark

Wireshark is an open-source packet analyser. It is very helpful for analysing traffic on the network. This site has a separate post on the Wireshark tool.

(2) NetworkMiner

NetworkMiner is a network forensics tool used to detect artifacts, such as files, images, emails, and passwords, from captured network traffic in PCAP files.

(3) TCPDump

TCPDump is a command-line packet capture tool that uses the same BPF capture-filter syntax as Wireshark. The difference is more than the user interface: tcpdump is lighter and has far fewer protocol dissectors, so a common workflow is to capture with tcpdump on the server or sensor and analyse the resulting PCAP file in Wireshark. This site has a separate post on TCPDump.

(4) TShark

TShark is the command-line version of Wireshark; most of Wireshark’s dissection and display-filter functionality is available in TShark, which makes it suitable for scripted analysis. This site has a separate post on TShark.
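What these tools do when pointed at unencrypted traffic, and what the Eavesdropping section above warns about, can be shown in a few dozen lines. The script below is an added example, not code from the original post or from any of the tools listed: it parses a classic pcap file (global header, per-packet records, Ethernet/IPv4/TCP headers), extracts each TCP payload, and pulls out HTTP Basic-authentication credentials and FTP USER/PASS logins. The capture it analyses is constructed in memory with made-up hosts (10.0.0.x), ports and credentials; it assumes a little-endian Ethernet pcap and does no TCP stream reassembly, so each credential must fit in a single segment. Pass a real .pcap path as the first argument to run it on a capture from tcpdump.

```python
"""Extract plaintext credentials (HTTP Basic, FTP) from a classic pcap file.

Added example, not code from the original post or from the tools it lists;
it re-implements a small part of what NetworkMiner and tshark automate.
Assumptions: little-endian classic pcap (magic 0xa1b2c3d4), Ethernet link
type, IPv4, no TCP reassembly (each credential fits in one segment).
"""
import base64
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_USER_RE = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS_RE = re.compile(rb"^PASS (\S+)", re.M)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def tcp_payloads(pcap: bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/TCP frame in the capture."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is supported here")
    off = 24
    while off + 16 <= len(pcap):
        _ts, _us, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                              # honour IP options
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                        # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4                      # honour TCP options
        yield _ip(ip[12:16]), sport, _ip(ip[16:20]), dport, tcp[data_offset:]


def extract_credentials(pcap: bytes) -> list:
    """Return one dict per credential found, in capture order."""
    found = []
    pending_ftp_user = {}       # (src, dst, dport) -> username seen, waiting for PASS
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        m = BASIC_RE.search(payload)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:          # binascii.Error is a ValueError: malformed base64
                continue
            user, _, password = decoded.partition(":")
            found.append({"proto": "http-basic", "src": src, "dst": dst,
                          "user": user, "password": password})
        flow = (src, dst, dport)
        m = FTP_USER_RE.search(payload)
        if m:
            pending_ftp_user[flow] = m.group(1).decode("utf-8", "replace")
        m = FTP_PASS_RE.search(payload)
        if m and flow in pending_ftp_user:
            found.append({"proto": "ftp", "src": src, "dst": dst,
                          "user": pending_ftp_user.pop(flow),
                          "password": m.group(1).decode("utf-8", "replace")})
    return found


def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """One pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload; checksums left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    frame = eth + ip + tcp
    return struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed capture: one HTTP Basic request and one FTP login, all made-up values."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    token = base64.b64encode(b"alice:S3cret!").decode()
    http = (f"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()
    records = [
        _frame("10.0.0.5", 51000, "10.0.0.10", 80, http),
        _frame("10.0.0.5", 51001, "10.0.0.20", 21, b"USER bob\r\n"),
        _frame("10.0.0.20", 21, "10.0.0.5", 51001, b"331 Password required for bob\r\n"),
        _frame("10.0.0.5", 51001, "10.0.0.20", 21, b"PASS hunter2\r\n"),
    ]
    return header + b"".join(records)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for cred in extract_credentials(data):
        print(cred)
```

The FTP case shows why flow tracking is needed even without reassembly: the username and password arrive in separate segments, so the parser keeps the USER until the PASS for the same (source, destination, port) flow appears. The same pattern extends to Telnet, POP3 and SMTP AUTH, which are equally readable on the wire.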

The post Digital Forensics: Fundamentals of Network Forensics first appeared on All About Testing.

Digital Forensics: What is Cybercrime and its Different Types
https://allabouttesting.org/digital-forensics-what-is-cybercrime-and-its-different-types/
Mon, 10 Apr 2023 17:17:59 +0000

Cybercrime is any illegal activity performed using a connected device such as a computer, laptop or mobile phone. This blog illustrates the different types of cybercrime and gives examples of each.

Different Types of Cybercrime

Internal Attack

A cyber attack performed by an internal entity of an organisation, e.g. deletion of the source code of the company’s website by a disgruntled employee of that organisation.

External Attack

A cyber attack performed by an external entity by exploiting vulnerabilities in the IT system, e.g. defacement of a website by exploiting web-based vulnerabilities.

Examples of Cybercrimes

Example: Description
Cyberwarfare: Use of cyber attacks by one nation against another
Phishing/Spoofing: Cloning an existing IT system or website, or impersonating a trusted sender, to trick genuine users
Espionage: Attempts by an attacker to obtain the secrets of an individual, organisation or nation
Cyberterrorism: Use of cyber tools by terrorists against an entity or organisation
Brute-force Attack: Trying every combination of characters to crack the secret (password or key) of an IT system
Cyber Defamation: Defaming an entity using internet technologies
Data Manipulation: Data deleted, modified or viewed by an unauthorised entity
Intellectual Property Theft: Intellectual property owned by an organisation stolen by an attacker
Denial of Service Attack: Bombarding an IT system with useless requests to prevent genuine users from accessing it
Trojan Horse Attack: Software that looks legitimate but carries hidden malicious functionality, run by an unsuspecting employee

The post Digital Forensics: What is Cybercrime and its Different Types first appeared on All About Testing.

7 Best Certifications in Digital Forensics
https://allabouttesting.org/7-best-certifications-in-digital-forensics/
Sun, 09 Apr 2023 07:33:40 +0000

The best way to prove your professional credentials to an interviewer is to show certifications. Nowadays, certifications include a lot of practical work in addition to theory. This blog lists the best certifications available in the market for enhancing knowledge in the field of digital forensics. Please note that they are in no particular order; all certificates have equal importance. Choose certifications based on your existing skill set and requirements.

(1) Computer Hacking Forensic Investigator (CHFI)

Certification name: Computer Hacking Forensic Investigator (CHFI) by EC-Council (ANSI/ISO/IEC 17024 accredited)
What to study: Computer Forensics Investigation Process, File Systems, Hard Disks, Windows/Linux/Mac Forensics, Dark Web/Malware/Cloud/IoT/Network Forensics
Exam format: Multiple choice questions; 150 questions; 4 hours; passing score 60% to 85% depending on the exam form
URL: https://www.eccouncil.org/train-certify/computer-hacking-forensic-investigator-chfi/
Who is it for?: Professionals working in information security, incident response and computer forensics

(2) Certified Digital Forensics Examiner (CDFE)

Certification name: Certified Digital Forensics Examiner (CDFE) by Mile2 (listed in the NICCS training catalogue of the National Initiative for Cybersecurity Careers and Studies)
What to study: Forensic Examination, Different Tools, Seizure Concepts, Incident Investigation, Fundamentals of Conducting an Effective Computer Forensic Examination, Electronic Discovery and Digital Evidence
Exam format: Multiple choice questions; 100 questions; 2 hours; passing score 60% to 85%
URL: https://mile2.com/cdfe_outline/
Who is it for?: Professionals working as IS security officers, IS managers, virtualization engineers and managers, and cloud security managers

(3) GIAC Certified Forensic Analyst (GCFA)

Certification name: GIAC Certified Forensic Analyst (GCFA) by GIAC (SANS)
What to study: Advanced Incident Response and Digital Forensics, Memory Forensics, Timeline Analysis, Anti-Forensics Detection, Threat Hunting, APT Intrusion Incident Response
Exam format: 1 proctored examination; 82 questions; 3 hours; passing score 71%
URL: https://www.giac.org/certifications/certified-forensic-analyst-gcfa/
Who is it for?: Professionals working in information security, threat hunting, incident response, red teaming, penetration testing, exploit development and computer forensics

(4) GIAC Advanced Smartphone Forensics (GASF)

Certification name: GIAC Advanced Smartphone Forensics (GASF) by GIAC (SANS)
What to study: Fundamentals of mobile forensics and conducting forensic exams; device file system analysis and mobile application behaviour; event artifact analysis and the identification and analysis of mobile device malware
Exam format: 1 proctored examination; 72 questions; 2 hours; passing score 69%
URL: https://www.giac.org/certifications/advanced-smartphone-forensics-gasf/
Who is it for?: IT auditors, law enforcement agencies, incident response analysts and digital forensic examiners

(5) GIAC Certified Forensic Examiner (GCFE)

Certification name: GIAC Certified Forensic Examiner (GCFE) by GIAC (SANS)
What to study: Windows Forensics, Data Triage, Windows Registry Forensics, USB Devices, Shell Items, Email Forensics and Log Analysis, Advanced Web Browser Forensics (Chrome, Edge, Firefox)
Exam format: 1 proctored examination; 82-115 questions; 3 hours; passing score 70%
URL: https://www.giac.org/certifications/certified-forensic-examiner-gcfe/
Who is it for?: IT auditors, law enforcement agencies, incident response analysts and digital forensic examiners

(6) Certified Forensic Computer Examiner (CFCE)

Certification name: Certified Forensic Computer Examiner (CFCE) by IACIS
What to study: Pre-Examination Procedures, Computer Fundamentals, Partition Schemes, File Systems, Data Recovery, Windows Artifacts, Presentation of Findings
Exam format: Two phases, (1) Peer Review and (2) Certification Testing; both phases must be passed in order to get certified
URL: https://www.iacis.com/certification/cfce/

(7) Paraben Corporation

Certification name: Paraben Corporation training and certifications in Computer Forensics, Mobile Forensics and IoT Forensics
What to study: Computer/Mobile/IoT Forensics
Exam format:
URL: https://paraben.com/dfir-training-3/
Who is it for?: Professionals working in information security, incident response and computer forensics

Conclusion

As more and more cyber incidents happen across the globe, the need for professionals with digital forensics skills is rising. This blog lists some certifications that will help you gain knowledge and expertise in the field of digital forensics. Let me know if I missed any certification related to digital forensics.

The post 7 Best Certifications in Digital Forensics first appeared on All About Testing.

Fundamentals of Digital Forensics
https://allabouttesting.org/digital-forensics-fundamentals/
Sat, 08 Apr 2023 16:41:43 +0000

This blog provides you with a brief overview of the fundamentals of Digital Forensics. We will cover what digital forensics is, what its objectives are, and when your organization needs digital forensics services. Please note that the terms digital forensics and computer forensics are used interchangeably here.

What is Digital Forensics?

To understand digital forensics, you should first know what forensics is. In simple terms, forensics is the set of methods and techniques used to establish the facts of a crime in a court of law.

Digital forensics, then, is a set of methods, procedures and techniques used to collect digital evidence. Remember, the collected evidence must be acceptable in legal and administrative proceedings. Here the evidence is collected from digital devices such as computers, mobile phones, hard disks, pen drives, etc.

Digital Forensics ensures that collected evidence is properly examined and able to serve its purpose in a court of law.

Objectives of Digital Forensics

The main objective of digital forensics is to collect evidence in a form that is acceptable in a court of law. This breaks down into the following:

(1) Identify digital evidence, gather it, and preserve it for the future.

(2) Estimate the damage caused by cybercrime in the victim organization

(3) Recommend mitigation techniques to protect the organization in future

(4) Help in minimizing losses (tangible and intangible) of victim organizations because of cyber incidents

(5) Provide support for the prosecution of the perpetrator

When are Digital Forensic Services Required?

Sr. No.: Usage
1. Preparation needed to secure the organization against cyber incidents
2. Identifying the actions needed to secure the organization
3. Estimating and minimizing the damage caused by cyber incidents
4. Helping prepare policy documents for handling cyber incidents
5. Recovering deleted files and folders from digital evidence

Users of Digital Forensics

There are many users of digital forensics services. Some of them are mentioned below:

(1) Law Enforcement Agencies – for collecting, analyzing, preserving, and presenting digital evidence in a court of law

(2) Data Recovery Agencies – to recover data for a victim organization or individual

(3) Insurance Companies – to investigate digital fraud

(4) Academia – for providing courses and diplomas

(5) Defence/Military – to gather information or intelligence about the enemy

(6) Individuals – may utilize the services in case of sexual harassment, wrongful termination, etc.

Conclusion

Remember, digital forensics is a science: you apply pre-defined methods and procedures to extract information that can be used in a court of law. To learn the subject, you must build skills in operating systems (Windows, Linux, macOS, etc.), network communication, and related areas.

The post Fundamentals of Digital Forensics first appeared on All About Testing.

Course Outline of Digital Forensics
https://allabouttesting.org/digital-forensic-course-outline/
Thu, 06 Apr 2023 17:25:50 +0000

This blog provides you with a course outline of the Digital Forensics Course. You can request more topics to add while giving feedback in the Comment section.

Fundamentals of Digital Forensics

Skills Needed for Digital Forensics

Digital Forensics Certifications

What is Cybercrime and its Different Types

Different Types of Digital Evidence

Concept of Business Continuity

Legal Compliance in Computer Forensics

Investigation Process of Computer Forensics

Pre-Investigation Phase in Digital Forensics

Investigation Phase in Digital Forensics

Post-Investigation Phase in Digital Forensics

Types of Storage Drives

Logical Structures of a Disk

Booting Process of Windows OS

File Systems of Windows OS

Booting process of Linux OS

File Systems of Linux OS

Booting process of macOS

File Systems of macOS

Analyze File Systems

Data Acquisition

Types of Data Acquisition

Format of Data Acquisition

Data Acquisition Methodology

Anti-Forensic Techniques

Data Deletion Forensic

Recycle Bin Forensic

Techniques of File Carving

How to Recover Digital Evidence

Artifact Wiping

Metadata Detection

Collection of Volatile and Non-volatile data

Examine Cache, Cookie, and History in Web Browsers

Examine Windows Files and Metadata

Volatile and Non-volatile Data in Linux

Analysis of File System using Sleuth Kit

Memory Forensics

macOS Forensics

Fundamentals of Network Forensics

Event Correlation Concept

Investigation of Network Traffic

Web Application Forensics

How to Analyze Apache Web Server Logs

Dark Web

Tor Browser Forensics

How to Analyze Memory Dumps

Malware

Malware Forensics Fundamentals

Static Analysis of Malware

Dynamic Malware Analysis

The post Course Outline of Digital Forensics first appeared on All About Testing.
