Question

Ryan is a hacker who plans to exploit victims by uploading a malicious webpage in the cloud. He uses a vulnerability to exploit the cloud presence of XYZ Coffee, a legitimate company. From there, he installs malware that inserts a malicious payload into web pages displayed, social media, and hides his malicious activity from the anti-virus. He then redirects victims to the website, which infects them with malware. In addition, the hacker used anti-forensics tools. Users complain to the legitimate company that they are being infected, so the company seeks to fix the problem and investigate the crime. Answer the following questions based on this scenario.

a) Provide a list of potential digital evidence and media that the investigator is going to seize for possible forensic examination in this case study. How would you gain access to this evidence?

b) Explain two acquisition methods that you should use in this situation.

c) Describe significant challenges with cloud forensics, including forensic acquisition and evidence preservation.

d) Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics that could be used in this case study.

e) How should you proceed if the suspect’s computer is running?

Solutions

Expert Solution

a) Provide a list of potential digital evidence and media that the investigator is going to seize for possible forensic examination in this case study. How would you gain access to this evidence?

The potential digital evidence can be provided with respect to this case study. Generally, forensic investigation can be considered a subset of the larger field of security.

When an investigation is going to take place, the investigators or the security team has to look after the crimes done during the cyber attack. There was a crime that took place in the company called "Legitimate Company", but there was no proof that the certain information had been stolen by the hacker Ryan; as a result, we can implement a forensic investigation.

(1) Initiation:

Here initiation is to understand the incident clearly and what could be the devices involved during this attack.

(2) Information gathering:

In the information gathering phase, the hackers will take the inputs or the information related to the company or from the client about the devices involved, and the investigators will ask some questions about the incident by fetching some points from them. The cybercrime crime scene also includes the digital devices that potentially hold digital evidence, and spans multiple digital devices, systems, and servers. The crime scene is secured when a cybercrime is observed, reported, or suspected. Documentation is needed throughout the entire investigative process. This documentation should include detailed information about the digital devices collected, including the operational state of the device (on, off, standby mode) and its physical characteristics, such as make, model, serial number, connections, and any markings or other damage.

(3) Acquisition:

Unless live acquisition is performed, evidence is extracted from the seized digital devices at the forensic laboratory. At the forensics laboratory, digital evidence should be acquired in a manner that preserves the integrity of the evidence (i.e., ensuring that the data is unaltered); that is, in a sound manner. To achieve this, the tools and techniques used to acquire digital evidence must prevent alterations to the data or, when this is not possible, at the very least minimize them. The tools and techniques used should be valid and reliable.

(4) Analysis:

For analysis, the browser usage, file downloads and program execution have to be checked from the disk of a device. When the entire data is extracted from the device, then we have to make an analysis of the incident which can prove it digitally, and it depends on what proof has been collected by the investigator.

(5) Report:

At last, the presentation of the report is submitted to the client.

b) Explain two acquisition methods that you should use in this situation.

Data collection is important to the Bureau; data collection is important to the data stewards. Data collection is an area where cost-saving mechanisms are needed. For instance, Global Positioning Systems and mobile units are now being used to take field data and enter them directly from the source. The problem remains that quality data be collected initially at the source, where the strictest controls should be placed.

Therefore, before data are initially collected, strict controls must be in place. All of the analysis, definitions, and standards need to be in place prior to any field information collection. While this may seem obvious, it is not always practiced. Good planning will reduce this heavy budget item.

Data must be reviewed and updated on a regular schedule to maintain a high standard of quality. Metadata must also be updated at the same time. Managers need to be confident that they have the best possible data available when making decisions. Each time the data changes, the metadata must be updated as well.

c) Describe significant challenges with cloud forensics, including forensic acquisition and evidence preservation.

Unlike traditional digital forensics, where the investigator has full access to the machine and the process to investigate as required, in the cloud both the machine and the process are beyond the investigator's access. Distributed architecture, deficiency in handling big data and lack of forensic tools and services are the challenges of the cloud. In a cloud environment the investigator has to depend upon the CSP in order to do his forensic activity.

(1) Forensics Readiness:

Forensic readiness can be specified as preparation that provides the relevant digital forensic capabilities and minimizes the cost of conducting a forensic investigation.

(2) Identify the Malicious Actor:

The technique which is required to trace the malicious actor after the malicious activity is referred to as footprinting. Among other components to investigate, the log record has its own significance. The log file contains the information regarding every activity and transition in the cloud. Therefore the CSP has a great responsibility to protect these log files, collected from various components such as temporary files, cache, registers and the process table, against alteration.

(3) Forensics-Enabled Services:

The provision of services is a main objective of the cloud. In order to protect the end-user from cybercriminals, the developer of the services should develop forensically enabled services, which may help the investigators to solve the issue of criminal activities in the cloud.

(4) Evidence Collection:

The footprints are found in the log files, which help to trace the malicious actor, but it is much more complex to trace and correlate these files in the heterogeneous structure of the cloud. In order to handle the situation the CSP needs a systematic approach to collect evidence, which helps to trace the malicious activity.

(5) Architectural Support:

Among the various challenges faced by cloud forensics, the scattered cloud structure, handling big data and the lack of forensic services make the forensic task more complex and time-consuming, which consequently affects the cost and delays justice.

(6) Live Forensics:

In live forensics, artifacts are collected from the running system in response to any suspicious activity. It is helpful to list the currently running processes in memory and identify the malicious one. The code of the malicious process can be pulled and analysed. Pulling code from the running memory is simple.

d) Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics that could be used in this case study.

Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. Rogers uses a more traditional "crime scene" approach when defining anti-forensics: "Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct."

e) How should you proceed if the suspect’s computer is running?

Computers require that a certain amount of computer memory called "random access memory" (RAM) be used by the operating system and its applications when the computer is in operation. The computer utilizes this RAM to write the current processes it is using, as a form of virtual clipboard. The information is there for immediate reference and use by the process. This type of data is called "volatile data" because it simply goes away and is irretrievable when the computer is off. Volatile data stored in the RAM can contain information of interest to the investigator.

There are other types of volatile data that could be considered evidence of interest to an investigation. This potentially exculpatory information may also simply “go away” when the system is turned off or loses power. This type of volatile data as potential evidence can also be collected from a running Microsoft Windows computer. Some of the additional data that can be collected may include:

1. Who is logged into the system.

2. Open ports and listening applications.

3. Lists of currently running processes.

4. Registry information.

5. System information.

6. Attached devices (this can be important if you have a wireless-attached device that is not obvious at the crime scene).
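As an added example that is not part of the original answer, the following PowerShell live-response script collects the six volatile items listed above from a running Windows host, in order of volatility, and records a SHA-256 hash of each output file so the acquisition can be shown to be unaltered, which is the integrity requirement from the acquisition step in part (a). It assumes an elevated PowerShell session launched from a trusted external tool drive and an output path on external collection media (the case path is a hypothetical placeholder), so nothing is written to the suspect's own disk.

```powershell
# Added live-response triage example (not from the original answer).
# Assumption: run elevated from external tool media; $OutRoot is external
# collection media, never the suspect's disk. Case path is a placeholder.
param(
    [string]$OutRoot = 'E:\Case-XYZ-Coffee\' + $env:COMPUTERNAME
)
$ErrorActionPreference = 'Continue'
$null = New-Item -ItemType Directory -Path $OutRoot -Force
$log = Join-Path $OutRoot 'collection.log'
"Collection started $(Get-Date -Format o) by $env:USERNAME on $env:COMPUTERNAME" | Out-File $log

# Name => collector script block, ordered from most to least volatile.
$items = [ordered]@{
    '01_logged_on_users'  = { Get-CimInstance Win32_LoggedOnUser |
        Select-Object @{n='User';e={$_.Antecedent.Name}}, @{n='Domain';e={$_.Antecedent.Domain}} }
    '02_listening_ports'  = { Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name}} }
    '03_processes'        = { Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
    '04_registry_run'     = { 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
        ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } }
    '05_system_info'      = { Get-CimInstance Win32_OperatingSystem |
        Select-Object CSName, Caption, Version, LastBootUpTime, LocalDateTime }
    '06_attached_devices' = { Get-PnpDevice -PresentOnly | Select-Object Class, FriendlyName, InstanceId }
    # MediaType exposes wireless adapters (e.g. "Native 802.11") that may not be visible at the scene.
    '07_network_adapters' = { Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status, MediaType }
}

foreach ($name in $items.Keys) {
    $file = Join-Path $OutRoot "$name.csv"
    try {
        & $items[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        # Hash immediately after writing so later alteration of the evidence file is detectable.
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        "$(Get-Date -Format o) $name OK sha256=$hash" | Out-File $log -Append
    } catch {
        "$(Get-Date -Format o) $name FAILED: $($_.Exception.Message)" | Out-File $log -Append
    }
}
"Collection finished $(Get-Date -Format o)" | Out-File $log -Append
```

The timestamped log and per-file hashes become part of the chain-of-custody documentation described in the information gathering step; a full memory image should be taken with a dedicated imaging tool before the machine is powered down.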
