T.E. (Computer Engineering) Computer Forensic & Cyber Application

Transcription

1 SND College of Engineering & Research Center, Yeola Class: Subject Name: Subject Teacher: T.E. (Computer Engineering) s Prof. Pansare R.B. Important Questions & Answers Q.1 Explain Patents, Copyright & trademarks in details. Marks 8 Ans: 1. Patent A patent is an exclusive right granted for an invention, which is a product or a process that provides a new way of doing something, or offers a new technical solution to a problem. It provides protection for the invention to the owner of the patent. The protection is granted for a limited period, i.e 20 years. Patent protection means that the invention cannot be commercially made, used, distributed or sold without the patent owner's consent. A patent owner has the right to decide who may - or may not - use the patented invention for the period in which the invention is protected. The patent owner may give permission to, or license, other parties to use the invention on mutually agreed terms. The owner may also sell the right to the invention to someone else, who will then become the new owner of the patent. Once a patent expires, the protection ends, and an invention enters the public domain, that is, the owner no longer holds exclusive rights to the invention, which becomes available to commercial exploitation by others. All patent owners are obliged, in return for patent protection, to publicly disclose information on their invention in order to enrich the total body of technical knowledge in the world. Such an ever-increasing body of public knowledge promotes further creativity and innovation in others. In this way, patents provide not only protection for the owner but valuable information and inspiration for future generations of researchers and inventors. 2. Copyrights and related rights: Copyright is a legal term describing rights given to creators for their literary and artistic works. The kinds of works covered by copyright include: literary works such as novels, poems, plays, reference works, newspapers and computer programs; databases; films, musical compositions, and choreography; artistic works such as paintings, drawings, photographs and sculpture; architecture; and advertisements, maps and technical drawings. Copyright subsists in a work by virtue of creation; hence it s not mandatory to register. However, registering a copyright provides evidence that copyright subsists in the work & creator is the owner of the work. Creators often sell the rights to their works to individuals or companies best able to market the works in return for payment. These payments are often made dependent on the actual use of the work, and are then referred to as royalties. These economic rights have a time limit, (other than photographs) is for life of author plus sixty years after creator s death. 3. Trademarks: A trademark is a distinctive sign that identifies certain goods or services as those produced or provided by a specific person or enterprise. It may be one or a combination of words, letters, and numerals. They may consist of drawings, symbols, three- dimensional signs such as the shape and packaging of goods, audible signs such as music or vocal sounds, fragrances, or colors used as distinguishing features. It provides protection to the owner of the mark by ensuring the exclusive right to use it to identify goods or services, or to authorize another to use it in return for payment. It helps consumers identify and purchase May 2016 Dec 2014 Jun 2015 Dec 2015

2 a product or service because its nature and quality, indicated by its unique trademark, meets their needs. Registration of trademark is prima facie proof of its ownership giving statutory right to the proprietor. Trademark rights may be held in perpetuity. The initial term of registration is for 10 years; thereafter it may be renewed from time to time. Q 2 Describe FAT file System. Marks 8 Ans: The simplest Windows file systems to understand are the FAT (file allocation table) file systems: FAT12, FAT16, and FAT32. May 2016 Although relatively old, FAT file systems are still used on many storage systems such as removable storage media in digital cameras and mobile devices. Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data. It is also important to understand the fundamentals of NTFS, which is more complex than FAT and has substantially different structures. This section provides an overview of both Windows file systems, concentrating on aspects that are important from a forensic analysis viewpoint Figure Root Directory A FAT formatted volume uses directories and a file allocation table to organize files and folders. The root folder (e.g., C:\) is at a pre-specified location on the volume so that the operating system knows where to find it. This view of the folder shows the starting cluster and date-time stamps associated with each file.2 Notably, FAT file systems do not record the last accessed time, but only the last accessed date. Listing the contents of a volume using the dir command displays some of this information but does not show the starting cluster a critical component from the file system perspective. FAT12 uses 12-bit fields for each entry in the FAT and is mainly used on floppy diskettes. FAT16 uses 16-bit fields to identify a particular cluster in the FAT and there must be fewer than 65,525 clusters on a FAT16 volume. This is why larger clusters are needed on larger volumes a 1-GB volume can be fully utilized with 65, kB clusters (32 sectors per cluster), whereas a 2-GB volume requires clusters that are twice as big: that is, 65, kB clusters (64 sectors per cluster). FAT32 was created to deal with larger hard drives by using 28-bit fields in the FAT (4 bits of the 32-bit fields are reserved ). FAT32 also makes better use of space, by using smaller cluster sizes than FAT16 this can be a disadvantage for investigators because it can reduce the amount of slack space.

3 Q.3 Explain data recovery process in Unix file system Marks 8 Ans UNIX does not have file slack space. When UNIX creates a new file, it writes the remainder of the block with zeros and sets them as unallocated. Therefore, it is not possible to recover deleted data from slack space on UNIX systems. Some tools, such as testdisk7 and gpart8 are available for recovering deleted partitions on UNIX and Windows systems. There are only a few tools, such as tarfix, fixcpio, tarx, and tar-aids, for repairing damaged files on UNIX. May 2016 Unix-Based Tools One approach to recovering deleted files on UNIX systems is to search for inodes and recover the associated data. For instance, a list of all deleted inodes obtained from a Linux system using ils is shown here: Once the inode number of a deleted file is known, the contents of the file can be accessed using icat, provided the data still exist as shown here for inode 2054 in the previous list. The Linux Disk Editor9 and debugfs (Buckeye & Liston, 2002; Widdowson & Ferlito, 2001) use this approach to recover deleted files on ext2 file systems. The SMART tool also uses this approach to recover deleted files.

4 Q 4 Explain fundamentals of Mobile Device technology Marks 8 Ans Mobile devices are simple computers with a CPU, memory, batteries, input interfaces such as a keypad or mouthpiece, and output interfaces such as a screen or earpiece. Data in memory are generally the focus of a forensic examination, but some understanding of the input and output components are needed to access these data. May 2016 In some instances, it may be sufficient manually to operate a device and read information from the display. However, to recover deleted data or perform more advanced examination, specially designed tools are needed to interface with the device. In some situations, it is sufficient to acquire specific information of interest from a mobile device via a cable connected to the data port, but in other circumstances it is necessary to attach a specialized connector directly to the circuit board in order to acquire all of the information needed in a case. Knowledge of how data are manipulated and stored on handheld devices is sometimes needed to acquire all available digital evidence from handheld devices without altering it and translate it into a human readable form. For instance, placing a mobile device on a cradle and synchronizing it with a computer to obtain information from the device will not copy all data and may even destroy digital evidence. Mobile devices use radio waves to communicate over networks with various frequencies and standard communication protocols. Two of the most common mobile communication protocols are GSM and CDMA. Another common technology used in the United States and some other countries is iden. As shown in Figure mobile devices can have several identifiers, depending on the manufacturer, region, and technology. GSM devices are assigned a unique umber called the International Mobile Equipment Identity (IMEI), which includes a serial number for the device. On CDMA phones, the (ESN) is an 11-digit number with the first three digits designating the manufacturer and the remainder unique to the device. The ESN is being replaced with the MEID, which is the CDMA equivalent of the IMEI. There are tools available online that can be used to interpret many of these numbers (e.g.,

5 In addition, some manufacturers assign their own unique serial numbers to mobile devices they make, and Bluetooth-enabled devices also have a unique hardware (MAC) address. Q 5 Describe NTFS file System Marks 8 Ans NTFS is significantly different from FAT, storing file system information in several system files including a Master File Table (named $MFT), supporting larger disks more efficiently (resulting in less slack space), and providing file and folder level security using Access Control Lists (ACLs), and more. NTFS is designed with disaster recovery in mind, storing a copy of the $BOOT system file at both the beginning and end of the volume. In addition, a copy of the first four records in the $MFT file is stored in another system file named $MFTMIRR located in the middle of the volume. These copies of information can be useful from a forensic perspective when attempting to recover files. Dec 2014 Jun 2015 Dec 2015 Figure:- Example of SleuthKit viewing MFT entry with full detail The $MFT contains a list of records, each 1024 bytes in length, that store most of the information needed to locate data on the disk. Each entry in the $MFT represents a file or folder, and stores associated attributes including $STANDARD_INFORMATION and $DATA as shown in Figure using the SleuthKit. The $STANDARD_INFORMATION attribute stores the created, last modified, and last accessed dates and times. The $DATA attribute either contains the actual file contents of small files (called resident files) or the location on disk of large files (non-resident files). Directories are treated much like any other file in NTFS but are called index entries and store folder entries in a B-Tree to accelerate access and facilitate resorting when entries are

6 deleted. Instead of using ASCII to represent data such as file and folder names, NTFS uses an encoding scheme called Unicode. This difference must be taken into account when performing text searches. NTFS has a more formal file initialization process than FAT file systems, but the same issues can arise, such as storage space reserved for a new file not being used in its entirety, or at all, which can be misinterpreted as backdating. When only a portion of the disk space that was reserved for a new file is used to store data associated with that file, this leaves a discrepancy between the logical file size and the actual amount of data stored in the file. As a result, you can have a file that appears to have a logical size larger than the actual amount of data stored for that file. The space between the end of valid data and the end of file is called uninitialized space. Uninitialized space is similar in concept to file slack except that it is contained within the logical file size. Unlike file slack that is no longer associated with a file, data in uninitialized space are in a kind of limbo, trapped at the end of an allocated file but not actually a part of that file as depicted in Figure Q 6 Describe Unix file system Marks 8 Ans There are many different UNIX file systems including UFS (UNIX File System), Reiser, ext2, and ext3 (Extended File Systems 2 and 3) that have similar structures. Although directories play a role in UNIX file systems, they are much simpler than their Windows counterparts, containing only a list of filenames and their associated inode (index node) numbers. Every file has an associated entry in the inode table, identified by the inode number, which contains all information about the file, apart from its name. As shown in Figure the contents of an inode include date-time stamps, the number of bytes in the file, and which clusters (a.k.a. blocks) on the disk contain the data. Dec 2014 Dec 2015 Jun 2015 Figure: Conceptual representation of a directory and inode where the file types include regular, directory, symbolic link, and socket.

7 Figure: - Overview of UNIX file systems. As shown in Figure, UNIX file systems break each partition into block groups, each with its own inodes and data blocks. Compartmentalizing data in this way prevents catastrophic file system damage because there is no single point of failure. If the disk area containing one block group is damaged, only the data in that group are impacted, leaving data in the other groups intact. In addition to containing data, each block group contains duplicates of critical file system components, that is, the superblock and group descriptors, to facilitate recovery if the primary copy is damaged. The superblock contains information about the file system such as block size, number of blocks per block group, the last time the file system was mounted, last time it was written to, and the sector of the root directory s inode. As the name suggests, group descriptors contain the most important information for each block group including the location of the inode table (a list of inodes and their locations). Group descriptors for all of the block groups are duplicated in each block group in case of file system corruption. Therefore, if the primary group descriptor in any block group is damaged, a backup copy of the group descriptor can be used to repair the damage. If the inode table itself is damaged, it becomes more difficult to reconstruct the files in that block group. When a file is deleted on a UNIX system, the file s directory entry is hidden from view and the system notes that the associated inode is available for reuse. The file s directory entry, inode, and data remain on the disk until they are overwritten. Some systems such as Solaris, ext3, and newer versions of ext2 remove the inode number in the directory, thus breaking the link between directory entries and inodes, making it more difficult to recover deleted files. Also, some systems like HP-UX delete directory entries completely, making file recovery even more difficult. Furthermore, newer file systems also break the link between the inode and the sectors that contained the data, thereby removing all file system references to the data.

8 Q 7 Explain how to handle mobile devices as source of evidence Marks 8 In general, the same forensic principles that apply to any computing device also apply to mobile devices in order to enable others to authenticate acquired digital evidence. Recall that the purpose of a forensically sound process is to document that the evidence is what you claim and has not been altered or substituted since collection. At a minimum, all steps taken to extract data should be recorded to support transparency and repeatability, enabling others to assess and repeat your work. In addition, the MD5 hash of acquired data should be calculated and documented, allowing others to verify that nothing has been altered since the data were acquired. Any issues encountered during the acquisition process should also be noted, even when they are embarrassing or the cause is unknown. Dec 2014 Dec 2015 Jun 2015 Documentation must also show continuous possession and control throughout its lifetime. Therefore, it is necessary not only to record details about the collection process, but also every time it is transported or transferred and who was responsible. Keep in mind that some devices can receive data through wireless networks that might bring new evidence but might overwrite existing data. Therefore, an investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks as depicted in Figure Figure:- Flowchart of handling mobile Devices Removing the battery from a mobile device will prevent it from communicating but may also activate security measures such as lock codes and encryption that could prevent further access to data on the device. In addition, when using acquisition methods that require the mobile device to be powered on, it is necessary to isolate the mobile device from networks. Network isolation ensures that the contents of a phone reflect the time at which it was seized, disallowing changes that may occur to it after it has been seized. Actions over the network that can alter content include receiving phone calls, messages, network polling activity, and the use of remote erasure systems; the latter being an enterprise feature designed for corporate smart phones. Such network activities can alter the contents of a mobile device, potentially adding new data, overwriting existing data or unallocated space, or erasing the phone contents remotely. Some devices can be reconfigured to prevent communication with the network. Devices that do not have such a feature can be isolated from radio waves by placing them in Faraday isolation, such as radio-frequency shielded evidence containers, which block network communications. Signal jamming systems provide another means for preventing mobile devices from communicating with a network but this type of equipment is illegal in some jurisdictions. Network isolation practices must be maintained during forensic

9 analysis, and this is achieved with shielded mobile phone examination rooms or extraction cases. To protect the device against damage or accidental activation, package it in an envelope or bag. After taking precautions to protect data on the device, examine it for physical damage or suspicious modifications. In most cases, a cursory examination of the exterior of the device will suffice. However, when dealing with a very technically savvy or dangerous offender, some investigative agencies use X-ray or high-resolution microscopes to detect physical damage or modifications. With the decreasing size of memory modules, they can be easily overlooked, hidden, destroyed, or swallowed. The micro SD card in Figure can store 256 MB of data, and much larger capacity cards are emerging. These storage modules can contain multimedia files, SMS/MMS messages, as well as backups of data from the mobile device. To more material about this Subject please visit: rishikeshpansare.wordpress.com