
Digital Forensics

Task 3: Forensics Report


The importance of digital forensics has grown with the spread of technology and the variety of devices now used to access the internet. It is the process of examining a digital device to establish how the device was used and what activities were performed with it. The field has evolved alongside the stream of new devices released to the market, and alongside the growth in the malware and spyware available today.

Forensic data recovery means recovering lost or hidden data from a device, identifying malware and recovering stolen data. Digital forensics has become more and more important as malware and spyware are used to listen in on conversations and communication exchanges unlawfully. Both malware and spyware are used when digital crimes are committed, and every piece of personal information on a device can be stolen by a cyber criminal. Digital forensics also has a separate branch, mobile phone forensics. Forensics is an ever more integral part of daily life, since malware can be installed without the victim knowing and everything about the victim can be recorded and stolen, which leads to identity theft.

Digital forensics can be defined as the application of investigative processes to uncover digital evidence, validating the findings with validation tools and repeatability, and reporting the outcome in an accurate presentation (Zatyko, 2007). Eight basic steps are used in digital forensics:

  • Search factors
  • Chain of custody
  • Hashing functions
  • Validation
  • Analysis
  • Repeatability
  • Reporting
  • Presentation
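The hashing, validation and repeatability steps in the list above come together when the evidence disk is imaged. As an added example (not part of the original report), the shell script below images a constructed stand-in for an evidence disk with dd, hashes source and image, and records the result in a chain-of-custody log; the paths and the operator name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original report: image a source with dd and
# validate the copy by hashing, recording each step for the chain of custody.
# Paths are constructed for the demo; in a real case SRC is the evidence disk
# (behind a write blocker) and the log is kept with the exhibit.
set -u

WORK="${TMPDIR:-/tmp}/forensic_demo.$$"

# acquire_image SRC IMAGE LOG OPERATOR
# Copies SRC to IMAGE with dd, hashes both, appends a custody record to LOG.
# Returns 0 when the hashes match, 1 otherwise.
acquire_image() {
    src="$1"; img="$2"; log="$3"; who="$4"
    # Hash the original first: this is the reference value for validation.
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    # Bit-for-bit copy. conv=noerror,sync keeps going past unreadable sectors
    # and pads them with zeros, so a damaged disk still yields a full image
    # (a padded image will then fail the hash comparison, which is the point).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    h_img=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s\t%s\timaged %s -> %s\tsrc=%s\timg=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$src" "$img" \
        "$h_src" "$h_img" >> "$log"
    [ "$h_src" = "$h_img" ]
}

# verify_image IMAGE LOG
# Repeatability check: rehash the image later and compare it against the
# value recorded at acquisition time. Returns 0 if the image is unchanged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep 'img=' "$log" | tail -n 1 | sed 's/.*img=//')
    now=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$now" ]
}

# Constructed stand-in for the compromised disk: 16 whole 512-byte sectors.
make_demo_source() {
    mkdir -p "$WORK"
    printf 'demo evidence block 1\n' > "$WORK/disk.bin"
    head -c 8170 /dev/zero >> "$WORK/disk.bin"
    printf '%s\n' "$WORK/disk.bin"
}
```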

Case Study

The case study examined here is a network break-in at a small company that gave its employees ready internet access. The company's system had not been correctly configured and was poorly maintained. Because of its small earnings the company was unwilling to invest in maintaining the system and relied on third-party maintenance.

The company also did not understand the value of the data stored on its systems. The compromised machine was a Red Hat 6.2 system, reached through the company's internet connection without the owner's knowledge. The perpetrator scanned the entire system for exploitable vulnerabilities and passed the scanning results to the actual perpetrator. They broke into the system, and this caused losses to the small company.

The company's network was a small Windows 98/Windows 2000 network connected through a default-install Red Hat 6.2 machine that acted as firewall and gateway on a 256 K leased line. No inetd services were running and all administration was done at the keyboard. After the installation, users noticed a degradation in network throughput, which was worst when they used the internet. The machine locked up often, and most of the time users rebooted it to recover the speed.

The connection provider received an email from a network administrator in Canada asking why a machine using the office's IP address had been scanning their network. When the provider tried to log on to the machine, it did not accept the password, which is when he realised the network had been compromised (SANS Institute, 2002).


The gateway was disconnected and the evidence was preserved. The machine was not rebooted, since the intruder could have set up logic and traps that would trigger on reboot; this way the break-in evidence was kept intact on the system. The investigator booted the system from another machine. The compromised hard disk was removed and placed in another computer, also a Red Hat machine, with no network access. The compromised disk was copied using dd, a tool used in forensics to collect evidence, and the investigator looked for evidence in the copy of the compromised disk.

/var/log was checked for log files, but these had been deleted by the criminal to cover his tracks.

/root/.bash_history was checked, and it turned out that the criminal had forgotten to delete this file.

The .bash_history file showed that the criminal had installed the t0rn3 rootkit from ftp.tomb.org.

Files were also found in /dev/caca, /dev/dsx and /dev/zzy, some of them identical to files in the t0rn rootkit. These were the Trojan versions of ps, ls and netstat. An application was also found that sniffed TCP/IP packets from the network and captured them into a log file. The TCP/IP logs, containing user names, passwords, e-mails and even some credit card data, had been sent out by unencrypted email.

Multiple rootkits had been installed on the machine. The Lamerk rootkit had caused the most damage in the network. Its log file showed the number of scans that had been done. Another scanner had been used to write logs, because the system's source code had a bug that prevented rewriting of logs on the system.

/dev/zzy held an executable and some configuration files showing that the machine had been connected to the Internet Relay Chat channel #Bulgaria on irc.tomb.org, with a remote eggdrop bot for the perpetrator to use.
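Two of the checks described above, locating trojaned copies of ps, ls and netstat and finding rootkit files hidden under /dev, can be run against a read-only mount of the dd image. The shell script below is an added example (not from the original report or the SANS case); the demo tree, the baseline hashes and the replaced bin/ps are constructed, and the mount path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original report: two checks an examiner can
# run over a read-only mounted copy of the compromised filesystem. The baseline
# and the demo tree are constructed here; in a real case the baseline is built
# from a clean install of the same package set.
set -u

# check_binaries ROOT BASELINE
# BASELINE lines look like sha256sum output: "<sha256>  <path under ROOT>".
# Prints "MODIFIED <path>" for each file whose hash differs from, or is
# missing in, the baseline; returns 1 if anything was flagged, else 0.
check_binaries() {
    root="$1"; baseline="$2"; bad=0
    while read -r want path; do
        have=$(sha256sum "$root/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# find_dev_clutter ROOT
# Under /dev only device nodes and symlinks are expected; regular files and
# stray directories are how the t0rn kit hid its tools and sniffer logs.
find_dev_clutter() {
    find "$1/dev" -mindepth 1 \( -type f -o -type d \) | sort
}

# Constructed demo tree: ls and netstat match the baseline, ps is replaced,
# and a hidden directory with a sniffer log sits under /dev.
make_demo_root() {
    root="${TMPDIR:-/tmp}/rk_demo.$$"
    mkdir -p "$root/bin" "$root/dev/caca"
    printf 'clean ls\n' > "$root/bin/ls"
    printf 'clean netstat\n' > "$root/bin/netstat"
    printf 'trojan ps\n' > "$root/bin/ps"
    printf 'sniffer output\n' > "$root/dev/caca/tcp.log"
    # Baseline built from the clean contents, so only ps should be flagged.
    {
        sha256sum "$root/bin/ls" "$root/bin/netstat" | sed "s| $root/| |"
        printf 'clean ps\n' | sha256sum | sed 's| -$| bin/ps|'
    } > "$root/baseline.sha256"
    printf '%s\n' "$root"
}
```

On a Red Hat image the package database gives a similar integrity check with rpm -Va --root /mnt/image, provided the rpm database on the image itself is trusted.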

This showed, as in all the Red Hat 6.2 intrusions seen, that a scan is invariably done before a system is hacked, to find vulnerabilities that can be used against the company. It is through these vulnerabilities that the system is attacked and information is taken out of the company, to be sold or used to damage the company.

The forensic evidence also showed that this is the type of data traded on the black market. In this case the attack was discovered in time, which is why the network could be disconnected from the mains. The evidence of the penetration was locked into the compromised machine, from which copies were made for analysis (Stillinger, 2013).

The findings in the section above show that the system administrator acted quickly when he received the forensic investigation details from the investigator. Although there was some loss of data, including personal data, large-scale damage was avoided because of the quick action taken on the compromised environment.

As a result the company also changed its policy on the use of its network: employees could no longer put valuable company data at risk by compromising their machines through weak passwords, and were required to use strong passwords that would not create vulnerabilities in the company's network, allowing them to work in a secure environment. The insider who assisted the outsider was reported to the police and was removed from his job without severance pay for the losses his unethical behaviour had caused the company; this also served as a reminder to all employees that the policies had to be adhered to at all costs.