2MARKS
In the case of ESP, ESP in transport mode primarily encrypts, and optionally authenticates, the IP payload but not the IP header. A transport mode SA provides security services only for higher-layer protocols, not for the IP header or any extension headers preceding the ESP header.
ESP in tunnel mode encrypts, and optionally authenticates, the entire inner IP packet, including the inner IP header.
5. Windows Registry:
critical part of any Windows OS - hierarchical database containing configuration
information about:
• system hardware;
• installed software (programs);
• property settings;
• profile for each user, etc.
• OS uses instructions stored in the registry to determine how installed hardware
and software should function
• e.g. typical software comes with a Windows installer that writes to the registry during
installation
• some changes take effect only after the system is restarted (or the user logs on again)
This section discusses the protocols and standards that apply to IPsec.
The set of IPsec protocols is divided into seven groups, as illustrated in the Figure.
The seven groups of documents that describe the IPsec protocol suite are:
• Architecture
• ESP
• AH
• Encryption algorithm
• Authentication algorithm
• Key management
• DOI
Figure -Document overview that defines IPsec.
11(A)-II
AH Format
The IPsec AH format is shown in Figure.
11(B)-I
3. Transform Payload
5. Identification Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The ID type field (8 bits)
The DOI specific ID Data field (24 bits)
The Identification Data field (variable length)
6. Certificate Payload
8. Hash Payload
11(B)-II
ISAKMP Payload Processing
12(A)-I
ISAKMP
ISAKMP Header
3.Transform Payload
5.Identification Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The ID type field (8 bits)
The DOI specific ID Data field (24 bits)
The Identification Data field (variable length)
6.Certificate Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Certificate Encoding field (8 bits)
The Certificate Data field (variable length)
7.Certificate Request Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Certificate Type field (8 bits)
The Certificate Authority field (variable length)
8.Hash Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Hash Data field (variable length)
9.Signature Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Signature Data field (variable length)
10.Nonce Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Nonce Data field (variable length)
11.Notification Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Domain of Interpretation (DOI) field (32 bits)
The Protocol-id field (8 bits)
The SPI Size field (8 bits)
The Notify Message Type field (16 bits)
The Security Parameter Index (SPI) field (variable length, SPI Size bytes)
The Notification Data field (variable length)
12.Delete Payload
The Next Payload field (8 bits)
The Reserved field (8 bits)
The Payload Length field (16 bits)
The Domain of Interpretation field (32 bits)
The Protocol-id field (8 bits)
The SPI Size field (8 bits)
The # of SPIs field (16 bits)
The Security Parameter Indexes field (variable length)
13.Vendor ID Payload
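Every payload listed above (for 11(B)-I and 12(A)-I) begins with the same 4-byte generic header, and a receiver walks the message by following Next Payload until it reads NONE (0). The Python below is an added example written for this page, not code from the page or from any IKE implementation: the header and payload layouts follow RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI values such as Protocol-id 3 for ESP); the sample message, cookies and SPI values are constructed for illustration. The length checks are the part a practitioner cares about: a Payload Length that is shorter than 4 or runs past the end of the message must reject the whole message, otherwise the parser reads outside the buffer or loops.

```python
"""Parser for an ISAKMP message: 28-byte header plus the chain of generic
payloads (RFC 2408). The sample message at the bottom is constructed."""
import struct

HEADER_FMT = ">8s8sBBBBII"   # I-cookie, R-cookie, Next Payload, Version, Exchange Type, Flags, Message ID, Length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28
GENERIC_LEN = 4              # Next Payload (8) | Reserved (8) | Payload Length (16)

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
ID_IPV4_ADDR = 1             # IPsec DOI identification type (RFC 2407)


class IsakmpError(ValueError):
    """Any structural inconsistency; a receiver must drop such a message."""


def parse_header(data):
    if len(data) < HEADER_LEN:
        raise IsakmpError("message shorter than the 28-byte ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise IsakmpError(f"Length field {length} != actual size {len(data)}")
    return {"initiator_cookie": icky, "responder_cookie": rcky, "next_payload": nxt,
            "version": (ver >> 4, ver & 0x0F), "exchange_type": xchg,
            "flags": flags, "message_id": msgid, "length": length}


def _body(ptype, body):
    """Decode the type-specific part of a payload; other types keep raw bytes."""
    if ptype == 5:                                   # Identification
        if len(body) < 4:
            raise IsakmpError("ID payload shorter than 4 bytes")
        id_type, doi_data, id_data = body[0], body[1:4], body[4:]
        if id_type == ID_IPV4_ADDR and len(id_data) == 4:
            id_data = ".".join(str(b) for b in id_data)
        return {"id_type": id_type, "doi_specific": doi_data, "id_data": id_data}
    if ptype in (6, 7):                              # Certificate / Certificate Request
        if not body:
            raise IsakmpError("empty certificate payload")
        return {"encoding_or_type": body[0], "data": body[1:]}
    if ptype in (11, 12):                            # Notification / Delete share an 8-byte prefix
        if len(body) < 8:
            raise IsakmpError("N/D payload shorter than 8 bytes")
        doi, proto, spi_size, field = struct.unpack(">IBBH", body[:8])
        rest = body[8:]
        if ptype == 11:                              # field = Notify Message Type
            if len(rest) < spi_size:
                raise IsakmpError("SPI Size exceeds payload")
            return {"doi": doi, "protocol_id": proto, "notify_type": field,
                    "spi": rest[:spi_size], "data": rest[spi_size:]}
        if len(rest) != spi_size * field:            # field = # of SPIs
            raise IsakmpError("# of SPIs * SPI Size does not match payload length")
        return {"doi": doi, "protocol_id": proto, "num_spis": field,
                "spis": [rest[i:i + spi_size] for i in range(0, len(rest), spi_size)]}
    return {"data": body}                            # HASH, SIG, NONCE, VID, ...


def parse_message(data):
    hdr = parse_header(data)
    payloads, ptype, off = [], hdr["next_payload"], HEADER_LEN
    while ptype != 0:
        if off + GENERIC_LEN > len(data):
            raise IsakmpError("truncated generic payload header")
        nxt, reserved, plen = struct.unpack(">BBH", data[off:off + GENERIC_LEN])
        # Payload Length includes the 4-byte generic header; reject values that are
        # too small (would loop forever) or run past the end of the message.
        if plen < GENERIC_LEN or off + plen > len(data):
            raise IsakmpError(f"bad Payload Length {plen} at offset {off}")
        if reserved != 0:
            raise IsakmpError("Reserved field must be zero")
        entry = {"type": ptype, "name": PAYLOAD_NAMES.get(ptype, f"type-{ptype}")}
        entry.update(_body(ptype, data[off + GENERIC_LEN:off + plen]))
        payloads.append(entry)
        ptype, off = nxt, off + plen
    if off != len(data):
        raise IsakmpError("trailing bytes after the last payload")
    return hdr, payloads


def is_well_formed(data):
    try:
        parse_message(data)
        return True
    except IsakmpError:
        return False


def build_message(exchange_type, payloads, icky=bytes(range(1, 9)), rcky=bytes(range(9, 17)), msgid=0):
    """Assemble header + payload chain with correct Next Payload and Length fields."""
    types = [t for t, _ in payloads] + [0]
    chain = b"".join(struct.pack(">BBH", types[i + 1], 0, GENERIC_LEN + len(body)) + body
                     for i, (_, body) in enumerate(payloads))
    return struct.pack(HEADER_FMT, icky, rcky, types[0], 0x10, exchange_type, 0, msgid,
                       HEADER_LEN + len(chain)) + chain


# Constructed sample: an Informational exchange carrying ID, NONCE, N and D payloads
# (DOI 1 = IPsec, Protocol-id 3 = ESP, Notify type 1 = INVALID-PAYLOAD-TYPE; SPIs made up).
SAMPLE = build_message(5, [
    (5,  bytes([ID_IPV4_ADDR, 0, 0, 0]) + bytes([192, 0, 2, 10])),
    (10, b"\xaa" * 16),
    (11, struct.pack(">IBBH", 1, 3, 4, 1) + b"\x00\x00\x10\x01"),
    (12, struct.pack(">IBBH", 1, 3, 4, 2) + b"\x00\x00\x10\x01\x00\x00\x10\x02"),
], msgid=0x1234)

if __name__ == "__main__":
    hdr, pls = parse_message(SAMPLE)
    print(EXCHANGE_TYPES[hdr["exchange_type"]], [p["name"] for p in pls])
```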
12(B)-I
Hashed Message Authentication Code (HMAC)
HMAC = H[(K ⊕ opad)||H[(K ⊕ ipad)||M]]
where H is the embedded hash function, b is the block length of H in bits, ipad is the byte 0x36
repeated b/8 times and opad is the byte 0x5C repeated b/8 times. The MAC is computed as follows:
1. Append zeros to the end of K to create a b-bit string K+ (e.g. if K is 160 bits long and b = 512
bits, then K is followed by 352 zero bits, i.e. 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) K+ from step 1 with ipad to produce the b-bit block K+ ⊕ ipad.
3. Append M to the b-bit block resulting from step 2.
4. Apply H to the stream generated in step 3.
5. XOR (bitwise exclusive-OR) K+ with opad to produce the b-bit block K+ ⊕ opad.
6. Append the hash result from step 4 to the b-bit block resulting from step 5.
7. Apply H to the stream generated in step 6 and output the result.
A more efficient implementation precomputes the two intermediate hash states that depend only on
the key, so that per message only one extra application of the compression function f is needed on
each side:
1. Pad K with zeros to a b-bit string K+ and XOR it with ipad to produce the b-bit block K+ ⊕ ipad.
2. Apply the compression function f(IV, K+ ⊕ ipad) to produce the inner chaining value (IV)i
(n bits; 128 bits in this example).
3. Compute the hash code h over the message blocks Mi, starting from (IV)i instead of IV.
4. Pad the hash value computed in step 3 to a b-bit block.
5. XOR K+ with opad to produce the b-bit block K+ ⊕ opad.
6. Apply the compression function f(IV, K+ ⊕ opad) to produce the outer chaining value (IV)o
(n bits; 128 bits in this example).
7. Compute the HMAC by applying f to the padded hash value from step 4 with (IV)o as the chaining
value. (IV)i and (IV)o depend only on K, so they are computed once and reused for every message.
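As an added example (not from the page), the Python below computes HMAC literally from the seven steps and in the precomputed form, and checks both against an RFC 2202 test vector and Python's own hmac module. hashlib's copy() stands in for the saved chaining values (IV)i and (IV)o: after absorbing exactly one block of K+ ⊕ ipad (or opad) the hash object's state is that chaining value, so each message continues from a copy instead of re-hashing the key block. The key-longer-than-b rule and the constant-time verify are RFC 2104 / standard practice, not from the notes above.

```python
"""HMAC two ways: literally from the seven-step definition, and in the
precomputed form that stores the key-dependent inner/outer chaining values."""
import hashlib
import hmac  # standard library, used only as a reference for cross-checking

IPAD, OPAD = 0x36, 0x5C     # the fixed inner/outer pad bytes (RFC 2104)
HASHES = (hashlib.sha1, hashlib.sha256, hashlib.sha512)


def padded_key(key, h):
    """Step 1: K+ = K followed by zero bytes up to the hash block size b
    (64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-512). A key longer than b
    is first hashed down to n bytes (RFC 2104 rule; the notes above omit it)."""
    b = h().block_size
    if len(key) > b:
        key = h(key).digest()
    return key + b"\x00" * (b - len(key))


def hmac_definition(key, msg, h=hashlib.sha1):
    """HMAC = H[(K+ xor opad) || H[(K+ xor ipad) || M]], steps 1-7 done literally."""
    kp = padded_key(key, h)
    k_ipad = bytes(x ^ IPAD for x in kp)      # step 2
    inner = h(k_ipad + msg).digest()          # steps 3-4
    k_opad = bytes(x ^ OPAD for x in kp)      # step 5
    return h(k_opad + inner).digest()         # steps 6-7


class HmacPrecomputed:
    """Efficient form: absorb (K+ xor ipad) and (K+ xor opad) once. Each is exactly
    one block, so the hash object's state afterwards corresponds to (IV)i / (IV)o;
    copying that state per message replaces re-hashing the key block every time."""

    def __init__(self, key, h=hashlib.sha1):
        kp = padded_key(key, h)
        self._inner = h(bytes(x ^ IPAD for x in kp))   # state = (IV)i
        self._outer = h(bytes(x ^ OPAD for x in kp))   # state = (IV)o

    def mac(self, msg):
        inner = self._inner.copy()
        inner.update(msg)                          # continue from (IV)i over M
        outer = self._outer.copy()
        outer.update(inner.digest())               # continue from (IV)o over the inner hash
        return outer.digest()


def verify(key, msg, tag, h=hashlib.sha1):
    """Verify a received tag with a constant-time compare; a plain == would let an
    attacker learn how many leading bytes matched from the timing of rejections."""
    return hmac.compare_digest(HmacPrecomputed(key, h).mac(msg), tag)


def matches_stdlib(key, msg, h=hashlib.sha1):
    """Both implementations must agree with Python's own hmac module."""
    ref = hmac.new(key, msg, h).digest()
    return hmac_definition(key, msg, h) == ref == HmacPrecomputed(key, h).mac(msg)


# RFC 2202 test case 1 for HMAC-SHA-1: key = 20 bytes of 0x0b, data = "Hi There".
RFC2202_KEY = b"\x0b" * 20
RFC2202_MSG = b"Hi There"
RFC2202_SHA1_TAG = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")

if __name__ == "__main__":
    print(hmac_definition(RFC2202_KEY, RFC2202_MSG).hex())
    print(verify(RFC2202_KEY, RFC2202_MSG, RFC2202_SHA1_TAG))
```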
12(B)-II
Security Associations (SAs)
An SA is uniquely identified by three parameters as follows:
13(A)-I
Investigating E-mail Crimes and Violations
1. Mention that investigating crimes or policy violations involving e-mail is similar to investigating
other types of computer abuse and crimes.
2. List the goals of e-mail crimes and violations investigations, including: a. Find who is behind the
crime b. Collect the evidence c. Present your findings d. Build a case
3. Explain that what is considered a crime or policy violation involving e-mail depends on the city,
state, or country in which the e-mail originated.
4. Present a list with some examples of crimes involving e-mails, such as: a. Narcotics trafficking b.
Extortion c. Sexual harassment d. Stalking e. Fraud f. Child abduction g. Terrorism h. Child
pornography
Examining E-mail Messages
1. Describe to your class how to acquire evidence from an e-mail during an investigation.
First describe how to use the victim’s computer for retrieving evidence. Then describe what to
do if you cannot have access to the victim’s computer. In that case, you will need to guide the
victim over the phone to do your job. Finally, explain how to deal with deleted e-mails from a
suspect’s computer.
2. Illustrate your explanations using any e-mail client like Microsoft Outlook.
Viewing E-mail Headers
1. Use Figures 12-3 through 12-11 to illustrate how to view e-mail headers using different kinds
of clients including GUI, command-line, and Web-based clients such as: a. Microsoft Outlook
b. Microsoft Outlook Express c. Novell Evolution d. Pine e. ELM f. AOL g. Hotmail h. Apple
Mail i. Yahoo!
Examining E-mail Headers
1. E-mail headers contain useful information for an investigation. Use Figure 12-12 to explain how to
analyze header content line by line. Information included in e-mail headers includes: a. Return
path b. Recipient's e-mail address c. Type of sending e-mail service d. IP address of sending
server e. Name of the e-mail server f. Unique message number g. Date and time e-mail was sent
h. Attachment files information
Examining Additional E-mail Files
1. Depending on settings, e-mails are saved at the client’s side or left on the server. Explain to
your class how to deal with files related to different e-mail clients. For example, Microsoft
Outlook saves e-mails on .pst and .ost files. Web-based e-mails are like any other Web page.
Check History, Cookies, Cache, and temporary files and folders for evidence.
2. Mention that another source of valuable information is the personal address book
Tracing an E-mail Message
1. Explain how to track down a suspect using the information acquired so far from an e-mail. Use
the following sites to find the contact point of the originating domain name: a. www.arin.net b.
www.internic.com
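The header fields listed under "Examining E-mail Headers" and the tracing step above are what the following Python pulls out of a raw message: the Received: chain (read bottom-up, since every relay prepends its own line), the originating IP to look up at ARIN or a WHOIS service, Return-Path, Message-ID, Date and attachment names. This is an added example, not material from the page or the course it summarizes; the message and its hosts, addresses and queue ids are constructed. The timestamp-order check is the one sanity test worth running before trusting a chain, because any Received: line below the first relay you trust can have been written by the sender.

```python
"""Extract the investigative fields from raw e-mail headers (stdlib only).
The sample message is constructed; hosts and addresses are documentation values."""
import email
import email.utils
import re

SAMPLE_MESSAGE = """\
Return-Path: <seller@example.net>
Received: from mail-out.example.net (mail-out.example.net [203.0.113.5])
\tby mx.example.org (Postfix) with ESMTPS id 4F3A2C1
\tfor <victim@example.org>; Tue, 05 Mar 2024 14:02:11 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-out.example.net (ESMTP) id 7bc9
\tfor <victim@example.org>; Tue, 05 Mar 2024 14:01:58 +0000
Message-ID: <20240305140158.7bc9@mail-out.example.net>
Date: Tue, 05 Mar 2024 14:01:55 +0000
From: "Sales" <seller@example.net>
To: victim@example.org
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """One Received: line -> sending host, its address, receiving host, queue id, timestamp.
    The address comes from the receiving server's own annotation in parentheses
    (reverse DNS + literal IP), not from the name the sender announced in HELO."""
    text = " ".join(value.split())                     # unfold continuation lines
    clauses, _, stamp = text.partition(";")            # the timestamp follows the ';'
    from_host = _field(r"\bfrom\s+(\S+)", clauses)
    from_info = _field(r"\bfrom\s+\S+\s+\(([^)]*)\)", clauses)
    return {
        "from": (from_host or "").strip("[]"),
        "ip": _field(IPV4_RE.pattern, (from_info or "") + " " + (from_host or "")),
        "by": _field(r"\bby\s+(\S+)", clauses),
        "id": _field(r"\bid\s+(\S+)", clauses),
        "date": email.utils.parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def timeline_consistent(hops):
    """Timestamps must not run backwards from the origin (bottom line) to delivery
    (top line); a hop dated before the one below it suggests an inserted/forged line."""
    dates = [h["date"] for h in reversed(hops) if h["date"]]
    return all(a <= b for a, b in zip(dates, dates[1:]))


def summarize(raw):
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Each relay prepends its own Received: line, so hops[0] is the server that
    # delivered to the mailbox and hops[-1] is the first relay that saw the mail.
    # Only lines written by servers you trust are reliable; anything the sender
    # controlled (below the first trusted relay) can be fabricated.
    origin = hops[-1] if hops else None
    return {
        "return_path": msg.get("Return-Path"),
        "recipient": msg.get("To"),
        "message_id": msg.get("Message-ID"),
        "date_sent": email.utils.parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None,
        "sending_server": hops[0]["from"] if hops else None,
        "sending_server_ip": hops[0]["ip"] if hops else None,
        "origin_ip": origin["ip"] if origin else None,   # the address to look up at ARIN / WHOIS
        "hops": hops,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGE)
    print("origin", s["origin_ip"], "via", s["sending_server_ip"],
          "timeline ok:", timeline_consistent(s["hops"]))
```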
13(A)-II
Procedure for acquiring data from cell phones and mobile devices
13(B)-I
General information about NTFS
Foundations of NTFS
Backup Copy of Boot Sector
Journaling in NTFS
NTFS Volume Components
Overview over the NTFS file system
Time stamps in NTFS
File System Meta Data Files
The Master File Table (MFT)
The boot sector points to the MFT
MFT Record Overview
Areas of an MFT Record
MFT Header Overview
Overview over an MFT entry
A sample MFT entry
Addressing MFT Records
Attributes
Sample MFT Attributes
Two Areas of an MFT Attribute
Data Structures for an MFT Attribute Header
Attribute Type Identifiers
Cluster Runs for Non-Resident Attributes
File System Metadata Files
Essential data of the NTFS boot sector
Interpretation of byte patterns in the boot sector
NTFS file operations
NTFS file creation
NTFS file deletion
Compression
Encrypting File System (EFS)
EFS Encryption
EFS Decryption
Alternate Data Stream (ADS)
Fundamentals to ADS
Detection of Alternate Data Streams
ADS and IT-Security
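The boot sector entries in the outline above ("Essential data of the NTFS boot sector", "Interpretation of byte patterns in the boot sector", "The boot sector points to the MFT", "Backup Copy of Boot Sector") are headings only, so here is an added worked example, not page content: Python that decodes a constructed 512-byte NTFS boot sector. The field offsets are the standard NTFS BIOS parameter block; the sample values (volume size, $MFT cluster, serial number) are made up. The byte-pattern point worth remembering is the "clusters per MFT record" field: a negative value such as 0xF6 (-10) means 2^10 = 1024 bytes, not a cluster count. The assumption that the backup boot sector is the sector immediately after TotalSectors is marked in the code.

```python
"""Decode the essential fields of an NTFS boot sector and derive the offsets an
examiner needs ($MFT, $MFTMirr, record sizes). Sample sector is constructed."""
import struct

NTFS_OEM_ID = b"NTFS    "          # 8-byte OEM ID at offset 0x03
BOOT_SIGNATURE = b"\x55\xAA"       # last two bytes of the sector


class NtfsBootSectorError(ValueError):
    """Raised when the sector does not carry a consistent NTFS BPB."""


def parse_boot_sector(sector):
    if len(sector) < 512:
        raise NtfsBootSectorError("need at least one 512-byte sector")
    if sector[3:11] != NTFS_OEM_ID:
        raise NtfsBootSectorError("OEM ID is not 'NTFS    '")
    if sector[510:512] != BOOT_SIGNATURE:
        raise NtfsBootSectorError("missing 55 AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    media_descriptor = sector[0x15]
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    rec_field, idx_field = struct.unpack_from("<bxxxbxxx", sector, 0x40)
    volume_serial, = struct.unpack_from("<Q", sector, 0x48)
    if bytes_per_sector == 0 or bytes_per_sector & (bytes_per_sector - 1) or sectors_per_cluster == 0:
        raise NtfsBootSectorError("implausible sector/cluster geometry")
    cluster_size = bytes_per_sector * sectors_per_cluster
    clusters = total_sectors // sectors_per_cluster
    if mft_cluster >= clusters or mftmirr_cluster >= clusters:
        raise NtfsBootSectorError("$MFT or $MFTMirr cluster lies outside the volume")

    def record_size(field):
        # Byte pattern rule: a positive value counts clusters; a negative value
        # (two's complement, e.g. 0xF6 = -10) means 2^|value| bytes, so records can
        # be smaller than one cluster (1024-byte MFT records on 4 KiB clusters).
        return 2 ** (-field) if field < 0 else field * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_descriptor": media_descriptor,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * cluster_size,          # where $MFT record 0 starts
        "mftmirr_cluster": mftmirr_cluster,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "mft_record_size": record_size(rec_field),
        "index_record_size": record_size(idx_field),
        "volume_serial": volume_serial,
        # Assumption: the backup boot sector occupies the last sector of the volume,
        # the one right after the TotalSectors counted in the BPB.
        "backup_boot_sector_offset": total_sectors * bytes_per_sector,
    }


def is_ntfs_boot_sector(sector):
    try:
        parse_boot_sector(sector)
        return True
    except NtfsBootSectorError:
        return False


def backup_matches(primary, backup):
    """The backup copy should be byte-identical; a mismatch means one copy was altered or damaged."""
    return primary[:512] == backup[:512]


def build_sample_boot_sector():
    """Constructed NTFS boot sector (not from a real disk image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                          # jump instruction
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)           # bytes/sector, sectors/cluster
    bs[0x15] = 0xF8                                     # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 0x18, 63, 255, 2048)   # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", bs, 0x28, 8388607, 786432, 2)   # total sectors, $MFT cluster, $MFTMirr cluster
    struct.pack_into("<bxxxbxxx", bs, 0x40, -10, 1)     # MFT record 2^10 bytes; index record 1 cluster
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)   # volume serial number
    bs[510:512] = BOOT_SIGNATURE
    return bytes(bs)


if __name__ == "__main__":
    info = parse_boot_sector(build_sample_boot_sector())
    print({k: hex(v) if isinstance(v, int) else v for k, v in info.items()})
```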
13(B)-II
Virtual Machines
Approaches to Virtualization
Virtual Machine Files
Paravirtualization
Processor Issues
Processor Allocation
Ring 0
Memory Management
I/O Management
Performance Technologies
VMware ESXi
VMware ESXi Features
Java VM
Linux VServer
Architecture
Android Virtual Machine
Zygote
14(A)-I
Primary concerns of conducting Forensics examination of Virtual Machine
Virtual machine overview
Collecting evidence from virtual machines
Static analysis of virtual machines
Files generated by VMware
Virtual machine imaging
Analysis of VMware snapshots
VHD formats
14(A)-II
PERFORMING REMOTE ACQUISITION
In addition to static acquisition and live acquisition, there is a third type of acquisition:
remote acquisition. Remote acquisition is done over a network connection and uses a
client-server architecture. In many cases you install a client (agent) on the machine from
which you want to retrieve the data. Remote acquisition is a form of live acquisition,
because it requires that the computing device, i.e. the host computer, is still up and
running.
14(A)-III
VALIDATING FORENSICS DATA
Software validation is a part of the design validation for a finished device…considers software
validation to be 'confirmation by examination and provision of objective evidence that
software specifications conform to user needs and intended uses, and that the particular
requirements implemented through software can be consistently fulfilled.'
14(B)-I
Data Hiding Techniques
Encryption
Steganography
Other forms of data hiding
Slacker
Bad sectors
14(B)-II
Windows Registry:
critical part of any Windows OS - hierarchical database containing configuration
information about:
• system hardware;
• installed software (programs);
• property settings;
• profile for each user, etc.
• OS uses instructions stored in the registry to determine how installed hardware
and software should function
• e.g. typical software comes with a Windows installer that writes to the registry during
installation
• some changes take effect only after the system is restarted (or the user logs on again)
Forensic implications: the information (i.e. potential evidence) that resides in the Registry
makes it a significant forensic resource
15(A)-I
Microsoft file structure
Disk partitions
Master Boot Record
Examining FAT Disks
15(A)-II
FAT File formats
File system category
FAT 12
FAT 16
FAT 32
FAT X
15(B)-I
Systematic approach to preparing for a computer investigation
Identifying Digital Evidence
Collecting Evidence in the Private Sector
Identifying the nature of the case
Identifying the type of computing system
15(B)-II