
INTERNAL TEST -II

2 MARKS

1. The roles of the Authentication Header and ESP protocols in the IPsec layer


o There are two main transformation types that form the basis of IPsec:
1. The Authentication Header (AH) and
2. The Encapsulating Security Payload (ESP).
o AH and ESP are the two protocols that provide connectionless integrity, data origin
authentication, confidentiality and an anti-replay service.
o These protocols may be applied alone or in combination to provide a desired set of
security services for the IP layer. They are configured in a data structure called a Security
Association (SA).

2. Features of the mobile forensics tool SIMCon


• Acquire all available files on a SIM card and store them in an archive file
• Analyze and interpret the content of files
• Recover deleted text messages stored on the card
• Manage PIN and PUK codes
• Compatible with SIM cards and USIM cards
• Print reports of evidence
• Secure file archive using hashing
• Export items to popular spreadsheet programs
• Supports international charsets
• Contains a "content" view for plain-text viewing of data, as well as a hexadecimal
view for more specific analysis.

3. Example of Aggressive Mode key exchange


IKEv1 Phase 1, when in Aggressive Mode, uses only three messages to establish the IKE SA.
The first two messages of the Aggressive Mode exchange include almost everything required
to form the IKE SA. IKEv1 Phase 1 Aggressive Mode is quicker than Main Mode, but the
endpoint identities are exchanged in clear text. When comparing Main Mode and
Aggressive Mode, Main Mode is considered more secure than Aggressive Mode, because
the Identification payload is encrypted in Main Mode.

4. Transport and Tunnel modes of transmission


Transport Mode:
• Protection for upper-layer protocols.
• Used only between hosts.
• In the case of AH, AH in transport mode authenticates the IP payload, and the
protection is also extended to selected portions of the IP header, selected portions
of IPv6 extension headers and the selected options.
• In the case of ESP, ESP in transport mode primarily encrypts and optionally
authenticates the IP payload but not the IP header. A transport mode SA provides
security services only for higher-layer protocols, not for the IP header or any
extension headers preceding the ESP header.

Tunnel Mode:
• Protection for IP packets.
• Used between hosts and security gateways.
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the
outer IP header.
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet,
including the inner IP header.

5. Windows Registry:
A critical part of any Windows OS - a hierarchical database containing configuration
information about:
• system hardware;
• installed software (programs);
• property settings;
• a profile for each user, etc.
• The OS uses instructions stored in the registry to determine how installed hardware
and software should function.
• e.g. typical software comes with a Windows installer that writes to the registry during
installation.
• The system must be restarted for changes to take place.

6. Tasks performed by computer forensics tools


• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting

7. Features of the OAKLEY protocol


Oakley is not only a refinement of the Diffie-Hellman key exchange algorithm, but also a
method to establish an authenticated key exchange. The Oakley protocol is used to
establish a shared key with an assigned identifier and associated authenticated identities
for the two parties. Oakley can be used directly over the IP protocol or over the UDP
protocol using a well-known port number assignment. It is worth noting that
Oakley uses cookies for two purposes: anti-clogging (denial of service) and key
naming. Oakley employs nonces to ensure against replay attacks.

8. Shareware programs for remote acquisitions


Shareware is software that is distributed free on a trial basis with the understanding that
the user may need or want to pay for it later. Some software developers offer a
shareware version of their program with a built-in expiration date (after 30 days, the user
can no longer access the program).

9. File slack space


Slack space is the leftover storage that exists on a computer’s hard disk drive when a
computer file does not need all the space it has been allocated by the operating system.
The examination of slack space is an important aspect of computer forensics.

10. Effect of Scope Creep in investigation


Scope creep (also called requirement creep, function creep and feature creep) in project
management refers to uncontrolled changes or continuous growth in a project's scope. This
can occur when the scope of a project is not properly defined, documented, or controlled. It
is generally considered harmful.

16 MARKS
11(A)-I

IPsec Protocol Documents

This section discusses the protocols and standards which apply to IPsec.
The set of IPsec protocols is divided into seven groups as illustrated in the Figure.
The seven groups of documents describing the set of IPsec protocols are the following:

• Architecture
• ESP
• AH
• Encryption algorithm
• Authentication algorithm
• Key management
• DOI

Figure - Document overview that defines IPsec.

11(A)-II

IP Authentication Header

• The IP AH is used to provide data integrity and authentication for IP packets.
• It also provides protection against replays.
• The AH provides authentication for the IP header, as well as for upper-level protocol (TCP, UDP)
data.
• The ESP provides a confidentiality service.
• The primary difference between the authentication provided by ESP and AH is the extent of the coverage.

AH Format
The IPsec AH format is shown in Figure.

Figure 7.4 IPsec AH format.


The following six fields comprise the AH format:
• Next header (8 bits)
• Payload length (8 bits)
• Reserved (16 bits)
• SPI (32 bits)
• Sequence number (32 bits)
• Authentication data (variable)
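The six AH fields above, read from a packet and bounds-checked, together with the receiver-side sliding window that provides the anti-replay service mentioned earlier. This is an added example written for these notes, not code from the original; the sample packet is constructed, and the rule that Payload Length counts 32-bit words minus 2 comes from RFC 4302.

```python
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Length, Reserved, SPI, Sequence Number


def parse_ah(packet: bytes) -> dict:
    """Split an AH header into its six fields and bounds-check the length field.
    Payload Length counts 32-bit words minus 2 (RFC 4302), so a 12-byte ICV gives 4."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    if total_len > len(packet):
        raise ValueError("Payload Length points past the end of the packet")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED_LEN:total_len],   # Authentication Data (the ICV)
            "rest": packet[total_len:]}              # upper-layer data covered by the ICV


def is_valid_ah(packet: bytes) -> bool:
    try:
        parse_ah(packet)
        return True
    except ValueError:
        return False


class ReplayWindow:
    """Receiver-side sliding window behind AH's anti-replay service: each sequence
    number is accepted once, and anything older than the window is dropped."""

    def __init__(self, size: int = 32):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # AH sequence numbers start at 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:            # too old: outside the window
            return False
        if self.bitmap & (1 << offset):    # already accepted once: a replay
            return False
        self.bitmap |= 1 << offset
        return True


# Constructed sample packet (not from the page): TCP (6) follows AH, SPI 0x1234,
# sequence number 1, a 12-byte placeholder ICV, then a stand-in payload.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1234, 1) + b"\xaa" * 12 + b"payload"
# Constructed malformed header whose Payload Length (50) runs past the packet.
BAD_LENGTH_AH = struct.pack("!BBHII", 6, 50, 0, 0x1234, 1)
```

Verifying the ICV itself (an HMAC over the packet with the SA's key, mutable IP fields zeroed) is the step this block leaves out; the window check runs only after that verification succeeds.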

11(B)-I

ISAKMP Payload Types

1. Security Association Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Situation field (variable length)

2. Proposal Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Proposal # field (8 bits)
• The SPI Size field (8 bits)
• The # of Transforms field (8 bits)
• The SPI field (variable length)

3. Transform Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Transform # field (8 bits)
• The Transform-id field (8 bits)
• The Reserved 2 field (16 bits)
• The SA Attributes field (variable length)

4. Key Exchange Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)

5. Identification Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The ID Type field (8 bits)
• The DOI Specific ID Data field (24 bits)
• The Identification Data field (variable length)

6. Certificate Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Certificate Encoding field (8 bits)
• The Certificate Data field (variable length)

7. Certificate Request Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Certificate Type field (8 bits)
• The Certificate Authority field (variable length)

8. Hash Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Hash Data field (variable length)

9. Signature Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Signature Data field (variable length)

10. Nonce Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Nonce Data field (variable length)

11. Notification Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Domain of Interpretation field (32 bits)
• The Protocol-id field (8 bits)
• The SPI Size field (8 bits)
• The Domain of Interpretation (DOI)
• The Notify Message Type field (16 bits)
• The Security Parameter Index (SPI)
• The Notification Data field (variable length)

12. Delete Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Domain of Interpretation field (32 bits)
• The Protocol-id field (8 bits)
• The SPI Size field (8 bits)
• The # of SPIs field (16 bits)
• The Security Parameter Indexes field (variable length)

13. Vendor ID Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Vendor ID field (variable length)

11(B)-II
ISAKMP Payload Processing

• General Message Processing
• ISAKMP Header Processing
• Generic Payload Header Processing
• Security Association Payload Processing
• Proposal Payload Processing
• Transform Payload Processing
• Key Exchange Payload Processing
• Identification Payload Processing
• Certificate Payload Processing
• Certificate Request Payload Processing
• Hash Payload Processing
• Signature Payload Processing
• Nonce Payload Processing
• Notification Payload Processing
• Delete Payload Processing

12(A)-I

ISAKMP

(I) ISAKMP Payloads

ISAKMP Header
• Initiator Cookie (64 bits)
• Responder Cookie (64 bits)
• Next Payload (8 bits)
• Major Version (4 bits)
• Minor Version (4 bits)
• Exchange Type (8 bits)
• Flags (8 bits)
• Message ID (32 bits)
• Length (32 bits)

Generic Payload Header
• Next Payload (8 bits)
• Reserved (8 bits)
• Payload Length (16 bits)
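The ISAKMP header and generic payload header above, parsed from bytes and followed along the Next Payload chain with every Payload Length bounds-checked, as an added example that is not part of the original notes. The payload type numbers and the Aggressive exchange type value are the RFC 2408 assignments; the sample message is constructed here with placeholder payload bodies, not a real IKE run.

```python
import struct

ISAKMP_HDR_LEN = 28   # two 64-bit cookies + four 8-bit fields + Message ID + Length
GENERIC_HDR_LEN = 4   # Next Payload (8) + Reserved (8) + Payload Length (16)

# Payload type numbers from RFC 2408 section 3.1, covering the 13 payload types
# listed on this page; 0 means "no further payload".
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_AGGRESSIVE = 4   # RFC 2408 exchange type; 2 is Identity Protection (Main Mode)


def parse_isakmp_header(msg: bytes) -> dict:
    """Unpack the fixed ISAKMP header and check that Length matches what was received."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, npl, ver, xchg, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError(f"header Length {length} does not match {len(msg)} bytes received")
    return {"initiator_cookie": icky, "responder_cookie": rcky, "next_payload": npl,
            "major_version": ver >> 4, "minor_version": ver & 0x0F,
            "exchange_type": xchg, "flags": flags, "message_id": mid, "length": length}


def walk_payloads(msg: bytes) -> list:
    """Follow the Next Payload chain through the generic payload headers; a malformed
    Payload Length is rejected instead of being allowed to run past the buffer."""
    hdr = parse_isakmp_header(msg)
    payloads, ptype, off = [], hdr["next_payload"], ISAKMP_HDR_LEN
    while ptype != 0:
        if off + GENERIC_HDR_LEN > len(msg):
            raise ValueError("payload chain runs past the end of the message")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(msg):
            raise ValueError(f"bad Payload Length {plen} at offset {off}")
        payloads.append((PAYLOAD_NAMES.get(ptype, f"type{ptype}"), msg[off + GENERIC_HDR_LEN:off + plen]))
        ptype, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after the last payload")
    return payloads


def is_well_formed(msg: bytes) -> bool:
    try:
        walk_payloads(msg)
        return True
    except ValueError:
        return False


def build_message(exchange_type: int, payloads: list) -> bytes:
    """Assemble a message from (type, body) pairs; demo data only, with fixed cookies."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed Aggressive Mode message 1: SA, KE, NONCE and ID travel in the clear, which is
# the property Q3 above contrasts with Main Mode; the bodies are placeholder bytes.
SAMPLE = build_message(EXCHANGE_AGGRESSIVE,
                       [(1, b"\x00\x00\x00\x01\x00\x00\x00\x01"), (4, b"\x11" * 8),
                        (10, b"\x22" * 8), (5, b"\x01\x00\x00\x00\xc0\xa8\x01\x01")])
```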

ISAKMP Payload Types

1. Security Association Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Situation field (variable length)

2. Proposal Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Proposal # field (8 bits)
• The SPI Size field (8 bits)
• The # of Transforms field (8 bits)
• The SPI field (variable length)

3. Transform Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Transform # field (8 bits)
• The Transform-id field (8 bits)
• The Reserved 2 field (16 bits)
• The SA Attributes field (variable length)

4. Key Exchange Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)

5. Identification Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The ID Type field (8 bits)
• The DOI Specific ID Data field (24 bits)
• The Identification Data field (variable length)

6. Certificate Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Certificate Encoding field (8 bits)
• The Certificate Data field (variable length)

7. Certificate Request Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Certificate Type field (8 bits)
• The Certificate Authority field (variable length)

8. Hash Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Hash Data field (variable length)

9. Signature Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Signature Data field (variable length)

10. Nonce Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Nonce Data field (variable length)

11. Notification Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Domain of Interpretation field (32 bits)
• The Protocol-id field (8 bits)
• The SPI Size field (8 bits)
• The Domain of Interpretation (DOI)
• The Notify Message Type field (16 bits)
• The Security Parameter Index (SPI)
• The Notification Data field (variable length)

12. Delete Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Domain of Interpretation field (32 bits)
• The Protocol-id field (8 bits)
• The SPI Size field (8 bits)
• The # of SPIs field (16 bits)
• The Security Parameter Indexes field (variable length)

13. Vendor ID Payload
• The Next Payload field (8 bits)
• The Reserved field (8 bits)
• The Payload Length field (16 bits)
• The Vendor ID field (variable length)

ISAKMP Payload Processing

• General Message Processing
• ISAKMP Header Processing
• Generic Payload Header Processing
• Security Association Payload Processing
• Proposal Payload Processing
• Transform Payload Processing
• Key Exchange Payload Processing
• Identification Payload Processing
• Certificate Payload Processing
• Certificate Request Payload Processing
• Hash Payload Processing
• Signature Payload Processing
• Nonce Payload Processing
• Notification Payload Processing
• Delete Payload Processing

12(B)-I
Hashed Message Authentication Code (HMAC)

HMAC = H[(K ⊕ opad) || H[(K ⊕ ipad) || M]]

where

ipad = 00110110 (0x36) repeated 64 times (512 bits)
opad = 01011100 (0x5c) repeated 64 times (512 bits)
ipad is the inner padding and opad is the outer padding.

The following explains the HMAC equation:

1. Append zeros to the end of K to create a b-byte string (i.e. if K = 160 bits in length and b = 512
bits, then K will be appended with 352 zero bits or 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) the b-byte string from step 1 with ipad to produce a b-bit block.
3. Append M to the b-bit block resulting from step 2.
4. Apply H to the stream generated in step 3.
5. XOR (bitwise exclusive-OR) the b-byte string from step 1 with opad to produce a second b-bit block.
6. Append the hash result H from step 4 to the b-bit block resulting from step 5.
7. Apply H to the stream generated in step 6 and output the result.

The alternative operation for computation of either HMAC-MD5 or HMAC-SHA-1
is described in the following:

1. Append zeros to K to create a b-bit string K, where b = 512 bits.
2. XOR K (padded with zeros) with ipad to produce the b-bit block.
3. Apply the compression function f(IV, K ⊕ ipad) to produce (IV)i = 128 bits.
4. Compute the hash code h with (IV)i and Mi.
5. Raise (pad) the hash value computed from step 4 to a b-bit string.
6. XOR K (padded with zeros) with opad to produce the b-bit block.
7. Apply the compression function f(IV, K ⊕ opad) to produce (IV)o = 128 bits.
8. Compute the HMAC with (IV)o and the raised hash value resulting from step 5.
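The seven-step HMAC computation above carried out literally in Python and cross-checked against the standard library, as an added example that is not part of the original notes. The 160-bit key is the case step 1 describes (44 zero bytes appended); the message is a constructed input, and the rule of hashing keys longer than b is taken from RFC 2104 rather than from these notes.

```python
import hashlib
import hmac   # standard-library HMAC, used only to cross-check the hand-built version

BLOCK_SIZE = 64                        # b = 512 bits for both MD5 and SHA-1
IPAD = bytes([0x36]) * BLOCK_SIZE      # 00110110 repeated 64 times
OPAD = bytes([0x5c]) * BLOCK_SIZE      # 01011100 repeated 64 times


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """H[(K xor opad) || H[(K xor ipad) || M]], computed step by step as listed above."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > BLOCK_SIZE:          # RFC 2104 rule (not on the page): long keys are hashed first
        key = h(key)
    k = key + b"\x00" * (BLOCK_SIZE - len(key))   # step 1: pad K with zeros to b bytes
    inner = h(_xor(k, IPAD) + message)            # steps 2-4: H[(K xor ipad) || M]
    return h(_xor(k, OPAD) + inner)               # steps 5-7: H[(K xor opad) || inner]


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver-side check; compare_digest keeps the comparison time independent of
    where the two tags first differ."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True when the hand-built HMAC equals hmac.new() for the same inputs."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


# Constructed inputs: a 160-bit (20-byte) key, the case in step 1 above, and a short message.
KEY_160 = b"\x0b" * 20
MSG = b"Hi There"
ZERO_BYTES_APPENDED = BLOCK_SIZE - len(KEY_160)   # 44, as step 1 states
```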

12(B)-II
Security Associations (SAs)
An SA is uniquely identified by three parameters as follows:
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier

There are two nominal databases:
• Security Policy Database
• Security Association Database

There are two types of SA:
• Transport mode SA
• Tunnel mode SA

13(A)-I
Investigating E-mail Crimes and Violations
1. Mention that investigating crimes or policy violations involving e-mail is similar to investigating
other types of computer abuse and crimes.
2. List the goals of e-mail crimes and violations investigations, including:
a. Find who is behind the crime
b. Collect the evidence
c. Present your findings
d. Build a case
3. Explain that what is considered a crime or policy violation involving e-mail depends on the city,
state, or country in which the e-mail originated.
4. Present a list with some examples of crimes involving e-mails, such as:
a. Narcotics trafficking
b. Extortion
c. Sexual harassment
d. Stalking
e. Fraud
f. Child abduction
g. Terrorism
h. Child pornography
Examining E-mail Messages
1. Describe to your class how to acquire evidence from an e-mail during an investigation.
First describe how to use the victim's computer for retrieving evidence. Then describe what to
do if you cannot have access to the victim's computer. In that case, you will need to guide the
victim over the phone to do your job. Finally, explain how to deal with deleted e-mails from a
suspect's computer.
2. Illustrate your explanations using any e-mail client, such as Microsoft Outlook.
Viewing E-mail Headers
1. Use Figures 12-3 through 12-11 to illustrate how to view e-mail headers using different kinds
of clients, including GUI, command-line, and Web-based clients such as:
a. Microsoft Outlook
b. Microsoft Outlook Express
c. Novell Evolution
d. Pine
e. ELM
f. AOL
g. Hotmail
h. Apple Mail
i. Yahoo!
Examining E-mail Headers
1. E-mail headers contain useful information for an investigation. Use Figure 12-12 to explain how to
analyze header content line by line. Information included in e-mail headers includes:
a. Return path
b. Recipient's e-mail address
c. Type of sending e-mail service
d. IP address of sending server
e. Name of the e-mail server
f. Unique message number
g. Date and time e-mail was sent
h. Attachment files information
Examining Additional E-mail Files
1. Depending on settings, e-mails are saved on the client's side or left on the server. Explain to
your class how to deal with files related to different e-mail clients. For example, Microsoft
Outlook saves e-mails in .pst and .ost files. Web-based e-mails are like any other Web page.
Check History, Cookies, Cache, and temporary files and folders for evidence.
2. Mention that another source of valuable information is the personal address book.
Tracing an E-mail Message
1. Explain how to track down a suspect using the information acquired so far from an e-mail. Use
the following sites to find the contact point of the originating domain name:
a. www.arin.net
b. www.internic.com
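The line-by-line header analysis described under "Examining E-mail Headers", done with the standard library on a constructed message, as an added example that is not part of these notes. The hosts, addresses and Received lines are made up (documentation address ranges); the functions pull out the return path, recipient, message number, date and the sending server's IP from the Received chain.

```python
import email
import re

# Constructed sample (not from the page). Received headers are added top-down by each
# hop, so the bottom one is the earliest and names the sending server's IP.
SAMPLE_RAW = (
    b"Return-Path: <sender@example.org>\n"
    b"Received: from mail.example.org (mail.example.org [203.0.113.10])\n"
    b"\tby mx.victim.example (Postfix) with ESMTP id 4AB12CD\n"
    b"\tfor <victim@victim.example>; Mon, 03 Jun 2019 10:15:22 +0000\n"
    b"Received: from [192.0.2.25] (unknown [192.0.2.25])\n"
    b"\tby mail.example.org (Postfix) with ESMTPSA id 7EF9\n"
    b"\tfor <victim@victim.example>; Mon, 03 Jun 2019 10:15:20 +0000\n"
    b"Message-ID: <20190603101520.12345@example.org>\n"
    b"Date: Mon, 03 Jun 2019 10:15:20 +0000\n"
    b"From: \"Sender\" <sender@example.org>\n"
    b"To: victim@victim.example\n"
    b"Subject: test\n"
    b"\n"
    b"body\n"
)

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Pull the from-host, by-host, bracketed IP and timestamp out of one Received line."""
    flat = " ".join(value.split())                    # undo header folding
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_ip = IPV4.search(flat)
    date = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return {"from": m_from.group(1) if m_from else "", "by": m_by.group(1) if m_by else "",
            "ip": m_ip.group(1) if m_ip else "", "date": date}


def summarize_headers(raw: bytes) -> dict:
    """Return the header items listed above, with hops ordered from origin to destination."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return {"return_path": msg["Return-Path"], "recipient": msg["To"],
            "message_id": msg["Message-ID"], "date": msg["Date"],
            "origin_ip": hops[0]["ip"] if hops else "", "hops": hops}
```

Only the Received line written by your own mail server (the topmost one) is under your control; earlier lines were supplied by the sending side and should be corroborated against that server's logs before being relied on.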

13(A)-II
Procedure of acquiring data from cell phones and mobile devices

International Numbering Plans
• Phone number
• IMSI number
• IMEI number
• SIM number
• ISPC number
Authenticating a Subscriber on a Network
SIM Card Forensics
SIM Hardware
SIM File System
Access to the SIM
SIM Card Clone
Types of Evidence
Short Message Service (SMS)
Multimedia Messaging Service (MMS)
Handset Specifications
Memory and Processing. They can contain the following data:
• Photos
• Videos
• Apps
• Maps
Battery
Other hardware
• Accelerometer
• Camera

13(B)-I
General information about NTFS
Foundations of NTFS
Backup Copy of Boot Sector
Journaling in NTFS
NTFS Volume Components
Overview of the NTFS file system
Time stamps in NTFS
File System Metadata Files
The Master File Table (MFT)
The boot sector points to the MFT
MFT Record Overview
Areas of an MFT Record
MFT Header Overview
Overview of an MFT entry
A sample MFT entry
Addressing MFT Records
Attributes
Sample MFT Attributes
Two Areas of an MFT Attribute
Data Structures for an MFT Attribute Header
Attribute Type Identifiers
Cluster Runs for Non-Resident Attributes
File System Metadata Files
Essential data of the NTFS boot sector
Interpretation of byte patterns in the boot sector
NTFS file operations
NTFS file creation
NTFS file deletion
Compression
Encrypting File System (EFS)
EFS Encryption
EFS Decryption
Alternate Data Stream (ADS)
Fundamentals of ADS
Detection of Alternate Data Streams
ADS and IT Security

13(B)-II
Virtual Machines
Approaches to Virtualization
Virtual Machine Files
Paravirtualization
Processor Issues
Processor Allocation
Ring 0
Memory Management
I/O Management
Performance Technologies
VMware ESXi
VMware ESXi Features
Java VM
Linux VServer
Architecture
Android Virtual Machine
Zygote

14(A)-I
Primary concerns of conducting a forensics examination of a virtual machine
Virtual machine overview
Collecting evidence for virtual machines
Static analysis for virtual machines
Files generated by VMware
Virtual machine imaging
Analysis of VMware snapshots
VHD formats

14(A)-II
PERFORMING REMOTE ACQUISITION

In addition to static acquisition and live acquisition, there is another type of acquisition,
which is remote acquisition. Remote acquisition is done through a network connection and
involves a client-server type of architecture. In many cases, you install a client on the machine
from which you want to retrieve the data. Remote acquisition is a form of live acquisition,
especially because it requires that the computing device, in the form of a host computer, is
still up and running.

14(A)-III
VALIDATING FORENSICS DATA
Software validation is a part of the design validation for a finished device… considers software
validation to be 'confirmation by examination and provision of objective evidence that
software specifications conform to user needs and intended uses, and that the particular
requirements implemented through software can be consistently fulfilled.'

14(B)-I
Data Hiding Techniques
Encryption
Steganography
Other forms of data hiding
Slacker
Bad sectors

14(B)-II
Windows Registry:
A critical part of any Windows OS - a hierarchical database containing configuration
information about:
• system hardware;
• installed software (programs);
• property settings;
• a profile for each user, etc.
• The OS uses instructions stored in the registry to determine how installed hardware
and software should function.
• e.g. typical software comes with a Windows installer that writes to the registry during
installation.
• The system must be restarted for changes to take place.
Forensics implications - the information (i.e. potential evidence) that resides in the Registry
makes it a significant forensics resource.

15(A)-I
Microsoft file structure
Disk partitions
Master Boot Record
Examining FAT Disks
15(A)-II
FAT File formats
File system category
FAT 12
FAT 16
FAT 32
FAT X
15(B)-I
Systematic approach for preparation of computer investigation
Identifying Digital Evidence
Collecting Evidence in private Sector
Identifying the nature of the case
Identifying the type of computing System

15(B)-II

Overview of computer policy violation


Computer policies are rules that the user should follow while using the computer. Policies set out
how the user should use the computer and the data, files and folders on it.
