Practical Digital Forensics: A Guide for Windows and Linux Users - Akashdeep Bhardwaj - E-Book


Akashdeep Bhardwaj

Description

Practical Digital Forensics: A Guide for Windows and Linux Users is a comprehensive resource for novice and experienced digital forensics investigators. This guide offers detailed step-by-step instructions, case studies, and real-world examples to help readers conduct investigations on both Windows and Linux operating systems. It covers essential topics such as configuring a forensic lab, live system analysis, file system and registry analysis, network forensics, and anti-forensic techniques. The book is designed to equip professionals with the skills to extract and analyze digital evidence, all while navigating the complexities of modern cybercrime and digital investigations.
Key Features:
- Forensic principles for both Linux and Windows environments.
- Detailed instructions on file system forensics, volatile data acquisition, and network traffic analysis.
- Advanced techniques for web browser and registry forensics.
- Addresses anti-forensics tactics and reporting strategies.
- Includes real-world examples and practical case studies.
Readership: Digital forensics professionals, law enforcement, cybersecurity analysts, legal practitioners, IT administrators, students, and corporate investigators.

Page count: 359

Publication year: 2024




Table of Contents
BENTHAM SCIENCE PUBLISHERS LTD.
End User License Agreement (for non-institutional, personal use)
Usage Rules:
Disclaimer:
Limitation of Liability:
General:
FOREWORD
PREFACE
Navigating the Ethical Landscape of Digital Investigations
Abstract
INTRODUCTION
DIGITAL FORENSICS PRINCIPLES
LEGAL AND ETHICAL CONSIDERATIONS
TRAITS OF FORENSIC INVESTIGATORS
Digital Investigations Use Case Examples
Financial Fraud
Data Breaches
Child Exploitation
Cyber Espionage
Email Fraud (Phishing)
Identity Theft
Cryptocurrency Theft
Social Media Crimes
Insider Threats
Denial-of-Service (DoS) Attacks
CONCLUSION
References
Constructing A Robust Digital Forensics Environment
Abstract
INTRODUCTION
LAB FACILITY
Physical Requirements
Environment Control
LAB EQUIPMENT
System Equipment
Electrical - Tools Equipment
Network Devices
Forensic Workstation
COMMERCIAL WORKSTATIONS
Momentum T1000 Digital Forensic Workstation
FRED Forensic Workstation
CONCLUSION
References
Acquisition of Live Analysis and Volatile Data
Abstract
INTRODUCTION
Basics of Data Acquisition
ORDER OF VOLATILITY
Rules of Thumb for Data Acquisition
TYPES OF DATA ACQUISITION
LIVE ACQUISITION
DEAD ACQUISITION
IMAGING USING BIT STREAMS
Data Acquisition Format
DATA ACQUISITION METHODOLOGY
HANDS-ON: LIVE DATA ACQUISITION TOOLS
Tool: FTK Imager
Tool: Volatility Framework (Live Data)
TOOL: FTK IMAGER (DEAD DATA ACQUISITION)
CONCLUSION
REFERENCES
File System Forensics
Abstract
INTRODUCTION - UNDERSTANDING STORAGE DRIVES
Primary Storage
RAM (Random Access Memory)
DRAM (Dynamic Random Access Memory)
SRAM (Static Random Access Memory)
ROM (Read Only Memory)
PROM
EPROM
EEPROM
Secondary Storage
HDD (Hard Disk Drives)
SSD (Solid State Drives)
Magnetic Tapes
Optical Drives (CD/DVD)
Network Storage
DISK LOGICAL STRUCTURE
Clusters
Size of Cluster
Lost Clusters
Slack Space
Master Boot Record (MBR)
Partitions of Disks
BIOS Parameter Block (BPB)
Globally Unique Identifier (GUID)
GUID Partition Table (GPT)
BOOT PROCESS OF WINDOWS AND LINUX
Boot Process
Essential Windows System Files
BIOS-MBR Methods
UEFI-GPT Windows Boot Process
GUID Partition Table (GPT)
Examining GPT Entries and Headers
FORENSICS TOOLS TO ANALYZE FILE SYSTEMS
File Systems for Windows
File Allocation Table (FAT)
New Technology File System (NTFS)
USE CASES AND EXAMPLES
Installing Autopsy
Conduct Investigations using Autopsy
CONCLUSION
References
Windows Forensics and Registry Analysis
Abstract
INTRODUCTION
VOLATILE AND NON-VOLATILE DATA
Gathering Volatile Information
Obtaining System Time
Gathering Logged-On Users
PsLoggedOn
Net Sessions
Logon Sessions
Gathering Data from Network
Gathering Network Connection Data
Process Information
Tasklist
PsList
Process-to-Port Mapping
Gathering Non-Volatile Information
Analyzing File Systems
Analysis of the Windows Search Index
Slack Space
OVERVIEW OF REGISTRY ON WINDOWS
Registry Organization
The Registry Structure in a Hive File
PERFORM FORENSIC ANALYSIS OF THE WINDOWS REGISTRY
FTK Imager to Capture Windows Registry Files on a Live System
Sysinternals Process Monitor
Analyze Malware Activity
WEB BROWSER - HISTORY, COOKIES, AND CACHE
Google Chrome Analysis
WINDOWS DATA AND METADATA
Analysis of Windows Files
Points of System Restore (rp.log Files)
Prefetch Files
Investigation of Metadata
CONCLUSION
REFERENCES
Network Forensics
Abstract
INTRODUCTION
Role of Network Forensics in Cybersecurity
Incident Response
Investigation and Threat Detection
Evidence Collection and Analysis
Network Security Monitoring and Analysis
Network Forensics Process
Acquisition
Preservation
Analysis
Reporting
Tools of the Trade
Packet Capture
Wireshark
tcpdump
Traffic Analysis
Bro
NetworkMiner
Log Analysis
ELK Stack
Security Onion
Network Threat Detection - Suricata
Suricata's Detection Modes
Network Forensic Evidence
Network Forensics Challenges
CONCLUSION
REFERENCES
Unmasking Web Browser Artifacts
Abstract
INTRODUCTION
Browser Artifacts
Types of Web Browser Artifacts
Cookies
Browsing History
Cache Files
Download History
Bookmarks
Form Data
Session Data
Autofill Data
Locations of Web Browser Artifacts
Browser Profile Directories
Browser Cache Directory
Cookies Database
History Database
Bookmarks File
Download History Database
Form Data Database
Autofill Data Database
Mozilla Firefox
Google Chrome
Sessions Data
Microsoft Edge
Significance of Web Browser Artifacts
Methodologies for Extraction and Analysis
Step 1: Acquisition
Step 2: Parsing
Step 3: Normalization
Step 4: Analysis
Step 5: Documentation
Demo – Hindsight
Challenges and Considerations
Future Directions and Emerging Trends
CONCLUSION
References
Anti-forensics Techniques
Abstract
INTRODUCTION
ANTI-FORENSICS TACTICS
CRYPTOGRAPHY
STEGANOGRAPHY
DIGITAL LOCKS
Evidence destruction tactics
EVIDENCE MANIPULATION TACTICS
OBFUSCATION TACTICS
Advanced Forensics
LEGAL AND ETHICAL ASPECTS
CONCLUSION
REFERENCES
Forensics Investigation Reporting
Abstract
INTRODUCTION
Reports for Case Assessment & Planning
Case Intake Report [12]:
Evidence Identification Report
Chain of Custody Form
Forensic Analysis Report
Final Investigation Report
Closure Report
Cases of Mishandled or Inappropriate Reports
Case 1: Chain of Custody Errors
Case 2: Inaccurate Analysis Findings
Other Scenarios
REFERENCES
Practical Digital Forensics: A Guide for Windows and Linux Users
Authored by
Akashdeep Bhardwaj
Pradeep Singh
&
Ajay Prasad
School of Computer Science
University of Petroleum and Energy Studies
Dehradun, India

BENTHAM SCIENCE PUBLISHERS LTD.

End User License Agreement (for non-institutional, personal use)

This is an agreement between you and Bentham Science Publishers Ltd. Please read this License Agreement carefully before using the book/echapter/ejournal (“Work”). Your use of the Work constitutes your agreement to the terms and conditions set forth in this License Agreement. If you do not agree to these terms and conditions then you should not use the Work.

Bentham Science Publishers agrees to grant you a non-exclusive, non-transferable limited license to use the Work subject to and in accordance with the following terms and conditions. This License Agreement is for non-library, personal use only. For a library / institutional / multi user license in respect of the Work, please contact: [email protected].

Usage Rules:

All rights reserved: The Work is the subject of copyright and Bentham Science Publishers either owns the Work (and the copyright in it) or is licensed to distribute the Work. You shall not copy, reproduce, modify, remove, delete, augment, add to, publish, transmit, sell, resell, create derivative works from, or in any way exploit the Work or make the Work available for others to do any of the same, in any form or by any means, in whole or in part, in each case without the prior written permission of Bentham Science Publishers, unless stated otherwise in this License Agreement. You may download a copy of the Work on one occasion to one personal computer (including tablet, laptop, desktop, or other such devices). You may make one back-up copy of the Work to avoid losing it. The unauthorised use or distribution of copyrighted or other proprietary content is illegal and could subject you to liability for substantial money damages. You will be liable for any damage resulting from your misuse of the Work or any violation of this License Agreement, including any infringement by you of copyrights or proprietary rights.

Disclaimer:

Bentham Science Publishers does not guarantee that the information in the Work is error-free, or warrant that it will meet your requirements or that access to the Work will be uninterrupted or error-free. The Work is provided "as is" without warranty of any kind, either express or implied or statutory, including, without limitation, implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the results and performance of the Work is assumed by you. No responsibility is assumed by Bentham Science Publishers, its staff, editors and/or authors for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products instruction, advertisements or ideas contained in the Work.

Limitation of Liability:

In no event will Bentham Science Publishers, its staff, editors and/or authors, be liable for any damages, including, without limitation, special, incidental and/or consequential damages and/or damages for lost data and/or profits arising out of (whether directly or indirectly) the use or inability to use the Work. The entire liability of Bentham Science Publishers shall be limited to the amount actually paid by you for the Work.

General:

Any dispute or claim arising out of or in connection with this License Agreement or the Work (including non-contractual disputes or claims) will be governed by and construed in accordance with the laws of Singapore. Each party agrees that the courts of the state of Singapore shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this License Agreement or the Work (including non-contractual disputes or claims). Your rights under this License Agreement will automatically terminate without notice and without the need for a court order if at any point you breach any terms of this License Agreement. In no event will any delay or failure by Bentham Science Publishers in enforcing your compliance with this License Agreement constitute a waiver of any of its rights. You acknowledge that you have read this License Agreement, and agree to be bound by its terms and conditions. To the extent that any other terms and conditions presented on any website of Bentham Science Publishers conflict with, or are inconsistent with, the terms and conditions set out in this License Agreement, you acknowledge that the terms and conditions set out in this License Agreement shall prevail.

Bentham Science Publishers Pte. Ltd. 80 Robinson Road #02-00 Singapore 068898 Singapore Email: [email protected]

FOREWORD

Akashdeep Bhardwaj¹, Pradeep Singh¹, Ajay Prasad¹
¹ School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

In the ever-evolving realm of digital forensics, where evidence resides in the intricate pathways of computers and digital devices, the need for a comprehensive and practical guide has never been greater. "Practical Digital Forensics: A Hands-on Guide for Windows & Linux Users" rises to this challenge, offering an invaluable resource for both seasoned investigators and those embarking on their journey into this critical field. This book transcends theory, providing a hands-on approach that empowers readers with the skills to navigate the complexities of digital investigations. From establishing a secure forensic workstation to meticulously recovering deleted data and analysing intricate file systems, the book delves deep, equipping readers with the tools and techniques needed to uncover the truth hidden within digital landscapes.

"Practical Digital Forensics" is more than just a collection of techniques; it recognizes the legal and ethical considerations paramount in this field. By addressing these crucial aspects, the book ensures that investigators not only gather evidence effectively but also maintain its integrity for use in legal proceedings. This book caters to a diverse audience, from law enforcement professionals to cybersecurity analysts and legal practitioners. Each chapter builds upon the foundation of the previous, ensuring a smooth learning curve for novices while offering valuable insights and advanced techniques for experienced investigators.

With its clear explanations, practical exercises, and real-world case studies, "Practical Digital Forensics: A Hands-on Guide for Windows & Linux Users" is poised to become a trusted companion in the ever-growing field of digital forensics. It empowers readers to navigate the intricate landscape of digital evidence, ensuring that no digital footprint remains hidden from the pursuit of justice.

Dr. Sam Goundar RMIT University, Australia

PREFACE

Akashdeep Bhardwaj¹, Pradeep Singh¹, Ajay Prasad¹
¹ School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

Welcome to the ever-expanding world of digital forensics! In our increasingly digital age, evidence often resides not in physical objects but in the intricate pathways of computers and networks. This book, “Practical Digital Forensics: A Hands-on Guide for Windows & Linux Users”, aims to equip you with the knowledge and skills necessary to navigate this complex digital landscape.

Whether you are a seasoned investigator, a burgeoning cybersecurity professional, or simply someone with a keen interest in digital forensics, this book provides a comprehensive yet accessible introduction to the field. We will delve into the core principles and methodologies that underpin digital forensics, ensuring you understand the foundation before diving into the practical aspects.

This book is specifically crafted for both Linux and Windows users. We will guide you through setting up a robust forensic lab environment on both operating systems, equipping you with the essential software tools and utilities needed for in-depth analysis. Throughout the journey, you will gain hands-on experience with critical forensic techniques, from acquiring volatile data and analysing file systems to dissecting Windows registries and investigating network traffic.

As technology evolves, so do the challenges faced by digital forensic investigators. We will explore advanced techniques for tackling web browser artifacts and delve into the ever-present threat of anti-forensic measures. This book equips you not only to uncover hidden evidence but also to document your findings and present them effectively in a court of law.

Finally, we will conclude by exploring the exciting advancements and emerging challenges within the field of digital forensics. By understanding the ever-changing landscape, you will be well-positioned to adapt your skills and stay ahead of the curve.

This book is designed to be an interactive learning experience. Each chapter builds upon the previous one, culminating in a well-rounded understanding of the entire digital forensics process. We encourage you to actively engage with the material, practice the presented techniques, and explore further resources to deepen your knowledge.

Get ready to embark on a thrilling journey into the world of digital forensics. With dedication and this book as your guide, you will be well on your way to becoming a skilled digital investigator, ready to uncover the truth hidden within the digital realm.

Akashdeep Bhardwaj, Pradeep Singh & Ajay Prasad
School of Computer Science
University of Petroleum and Energy Studies
Dehradun, India

Navigating the Ethical Landscape of Digital Investigations

Akashdeep Bhardwaj¹, Pradeep Singh¹, Ajay Prasad¹
¹ School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

Abstract

This book aims to provide you with a comprehensive understanding of Digital Forensics, from its relatively recent beginnings as a sub-discipline of forensic science to its rapidly growing importance when combined with the more established field of investigations. After reading this chapter, you should understand the function of digital forensic professionals as well as the business and cybercrime contexts in which they actively look for proof of criminal and civil offenses. The case studies and examples presented in the book chapters give an understanding of the difficulties faced by forensic practitioners and the intricacy of many cases.

Keywords: Cybercrime, Case studies, Criminal offenses, Digital forensics, Digital evidence, Forensic disciplines, Investigative techniques.

INTRODUCTION

Interest in Digital Forensics [1] as a subject for higher education and as a possible career path in business and law enforcement investigations has developed over the last ten years or more. To handle the increasing number of cases involving digital evidence, new forensic techniques and technology have emerged. But it is clear that practitioners are having trouble keeping up with the growing complexity, size, and quantity of cases. They also have limited funding and resources, and there is a dearth of qualified, experienced staff. The book aims to help practitioners, both current and prospective, address problems effectively in the future by discussing these challenges while providing some solutions that have helped me in my work and studies.

Due to the widespread use of personal computers in the workplace, inherent security issues with them have created new challenges for law enforcement. For instance, companies conducting internal audits or criminal investigations frequently must spend a lot of time going through computer data to locate digital evidence. New forensic procedures and instruments are desperately needed for these kinds of exams to support practitioners in doing their work more quickly. For practitioners looking to strengthen their crucial role in supporting the legal community, these are exciting times. In terms of developments impacting evidence recovery and management, practitioners are at a crossroads when it comes to new entries into the field.

A category of forensic science called Digital Forensics investigates and analyzes digital devices and data to find evidence of fraud, espionage, cybercrimes, and other illegal activity. Its guiding concepts and procedures are essential in order to collect, maintain, review, and present digital evidence in court. Within this discipline, complacency, banality, and exhaustion are commonplace, and despite the work's intrinsic importance and excitement, the monotony and hefty caseloads can quickly stifle initial enthusiasm. This book presents new and efficient methods for cutting down on boredom and time-wasting, energizing practitioners, and bringing back the thrill of the evidence-gathering process. Courts and judicial procedures use digital forensic evidence, despite the opinions of certain purists who do not see forensics as science. Although the word "forensics" may be deceptive, it might refer to the technology associated with certain disciplines rather than the sciences themselves.

The judiciary has become more aware of the growing use of digital evidence in court disputes. This places a great deal of pressure on digital forensic experts to strive to present reliable data and careful analyses of their findings, which may also be useful in establishing and evaluating precedents for future court rulings. Information security management must be improved because of the sharp rise in desktop computing and the spread of cybercrime that targets network infrastructure. It also calls for practitioners to sort through the chaos and try to hold the violators accountable. Specializations in digital forensics include the following domains as career options.

• Computer Forensics: This is the traditional area of digital forensics, which focuses on recovering and analyzing data from computers and other electronic devices. Computer forensic specialists are often involved in criminal investigations, but they can also be used in civil litigation and corporate investigations.

• Network Forensics: Network forensics specialists focus on investigating network traffic to identify security breaches and other criminal activity. They use a variety of tools and techniques to track down the source of attacks and to collect evidence.

• Mobile Device Forensics: As mobile devices have become more and more popular, the need for mobile device forensics specialists has grown. These specialists are experts in recovering data from mobile devices, such as smartphones and tablets.

• Cloud Forensics: Cloud forensics is a new and emerging specialization that focuses on investigating crimes that involve cloud-based storage and applications. Cloud forensic specialists need to have a deep understanding of cloud computing technologies and how they can be used to store and transmit evidence.

• Incident Response: Incident response specialists are responsible for responding to security incidents, such as data breaches and malware attacks. They work to contain the damage from the incident and to collect evidence that can be used to identify the attackers and bring them to justice.

The area of digital forensics emerged as more crimes involved the use of computer systems as the object of a crime, a tool for committing a crime, or a source of evidence for a crime. It did not take long to identify the crucial tasks: examining and analysing digital evidence while also making sure that the integrity of the original evidence is maintained.

DIGITAL FORENSICS PRINCIPLES

The investigation and prosecution of cybercrimes and other digital offenses depend heavily on the concepts and procedures of Digital Forensics. Forensic specialists may efficiently gather, examine, and present digital evidence to support judicial processes and guarantee justice in the digital sphere by abiding by these guidelines and using reliable procedures. This section provides an overview of the concepts and procedures related to Digital Forensics.

• Evidence Preservation [2] is crucial to maintain the integrity of digital evidence. This involves protecting the digital environment, or crime scene, against manipulation. This ensures that the integrity of the evidence is maintained during its collection, preservation, and examination. Forensic specialists, for instance, take a forensic image of the hard disk while confiscating a computer used in a cybercrime investigation so they may work with a duplicate while protecting the original data.

• Chain of Custody [3] establishes and preserves a formal record of how evidence is handled, moved, and stored, to ensure its admissibility and dependability. For example, keeping track of who used a confiscated device, when, and why aids in preserving the integrity of the evidence.

• Volatility [4] recognizes that digital evidence which is not handled quickly may be volatile and vulnerable to change or deletion. Before beginning a comprehensive investigation, forensic specialists give priority to gathering dynamic data first, such as real-time system information or network connections. For instance, transient information from active processes or network connections might offer vital information on current cyberattacks.

• Forensic Acquisition [5] entails extracting data from digital devices in an appropriate and safe manner that maintains its integrity and authenticity. Typically, this procedure uses specialized equipment and methods to build a forensic image of the original storage medium. Forensic specialists, for example, employ write-blocking devices to stop modifications being made to the original evidence while it is being acquired.

• Digital Analysis Techniques [6] use a variety of methods to efficiently review and decipher digital evidence. This includes keyword searching to find pertinent information, file carving to recover lost or fragmented files, and metadata analysis to ascertain the origin and validity of files. An image file's metadata, for instance, can provide information on the equipment that was used to take the picture as well as its creation date and time.

• Steganography detection [7] is the process of finding hidden information in digital files or communications. Experts in Digital Forensics find and retrieve concealed data from pictures, audio files, and other digital media using specific instruments and techniques. For example, locating hidden files or messages within seemingly innocent photos might yield important proof in digital fraud or espionage cases.

• Malware Analysis [8] is the study of the behavior, operation, and impact of harmful software. Forensic professionals perform malware analysis in situations involving cyberattacks or digital intrusions. Reverse engineering malware entails determining its origin, function, and possible exploitable vulnerabilities. For instance, examining the code of a ransomware strain might help in figuring out the encryption methods employed and in creating mitigation techniques.

• Timeline analysis [9] is the process of reassembling the events that led up to a digital incident using metadata, file system artifacts, and timestamps. This aids in the investigation team's comprehension of the offenders' conduct and the sequence of events that preceded the occurrence. A history of file creation, modification, and access, for instance, might help shed light on a suspect's actions during a data breach.

• Network Forensics [10] focuses on investigating and analyzing network traffic to uncover evidence of unauthorized access, data exfiltration, or other malicious activities. This involves capturing and analyzing network packets, logs, and communication protocols to identify anomalies and intrusions. For instance, examining firewall logs and packet captures can reveal suspicious connections or unauthorized access attempts.

• Report and Presentation [11] involve documenting the digital forensic findings in detailed reports that summarize the investigation process, methodologies employed, and the evidence discovered. These reports are presented to stakeholders, including law enforcement, legal teams, or corporate management, to support decision-making and legal proceedings. For example, a forensic report may include a summary of findings, analysis results, and recommendations for strengthening digital security measures.
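The Evidence Preservation, Chain of Custody and Digital Analysis Techniques principles above can be illustrated in a few lines of code. The following Python script is an added example, not code from the book or its authors: it hashes a constructed in-memory "disk image" at acquisition time, keeps an append-only custody log in which every handler records the hash they observed, flags the chain as broken when a handler receives a modified copy, and carves a JPEG and a PNG out of the image by file signature. The image bytes, the handler names and the `SIGNATURES` table are constructed for the demonstration; write blocking, which the Forensic Acquisition principle relies on, is a hardware control and is not modelled here.

```python
"""Added example (not from the book): hash-based evidence preservation, a
chain-of-custody log, and signature-based file carving over a constructed image.
All data below is constructed for the demonstration; no real evidence is used."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image: filler bytes with one JPEG
# and one PNG buried inside "unallocated" space.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"
EVIDENCE_IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + PNG + b"\x00" * 16


def acquisition_hash(image: bytes) -> str:
    """SHA-256 taken at acquisition; any later change to the image alters it."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # UTC timestamp of the handover
    handler: str     # who took custody
    action: str      # what they did with the evidence
    sha256: str      # hash they computed on receipt


@dataclass
class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and the hash seen."""
    entries: list = field(default_factory=list)

    def record(self, handler: str, action: str, image: bytes) -> CustodyEntry:
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(),
                             handler, action, acquisition_hash(image))
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if every handler observed the acquiring examiner's hash."""
        return len(self.entries) > 0 and len({e.sha256 for e in self.entries}) == 1


# Constructed (header, trailer) signature table for the two types carved here.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve_files(image: bytes) -> list:
    """Signature carving: locate a header, then the next matching trailer.
    Returns (kind, offset, bytes) tuples ordered by offset in the image."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header))
            if end == -1:          # header without trailer: truncated, skip it
                break
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    coc = ChainOfCustody()
    coc.record("examiner A", "acquired image behind write blocker", EVIDENCE_IMAGE)
    coc.record("examiner B", "received for analysis", EVIDENCE_IMAGE)
    print("chain intact:", coc.is_intact())
    tampered = EVIDENCE_IMAGE[:-1] + b"\x01"   # one byte changed in transit
    coc.record("examiner C", "received copy", tampered)
    print("chain intact after tampering:", coc.is_intact())
    for kind, offset, data in carve_files(EVIDENCE_IMAGE):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

Because every custody entry stores the hash the handler computed on receipt, a single changed byte anywhere in the image shows up as a second distinct hash in the log, which is what makes the record useful as evidence of integrity rather than only a list of names.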

LEGAL AND ETHICAL CONSIDERATIONS

Concerns about politicians' and lawyers' ignorance of the problems resulting from the increasing use of digital evidence in court cases were raised in the 1980s. The rapid rise in computer use and the introduction of new technologies, including digital mobile phones, were the main causes of this worldwide phenomenon. Consequently, a concerted plan of action was put forth in the United States to assist forensic and legal experts in overcoming obstacles associated with digital evidence tendering. The US and the EU created a research corpus at the beginning of the new millennium to solve forensic cases driven by practitioner needs using scientific techniques. Back then, scientists expressed alarm over a general misperception of what digital evidence is. They were more concerned about the inefficiency and ineffectiveness of the different forensic techniques used in its recovery, analysis, and eventual use in court proceedings.

It was acknowledged that the first steps in conducting digital forensic investigations were to identify potential violators and, most importantly, to create a digital trail connecting the suspect to the binary data. While it was widely believed that having a digital computer would connect a transgressor to all the information on it, questions were being raised about the validity of these presumptions. The defence was represented in Clarkson versus Clarkson of the Circuit Court for Roanoke Court [12] in 1999 by Digital Forensics designer Andrew Rosen. In the end, it was determined that the defendant's wife had planted child porn on his computer and tried to use it as leverage to get him to divorce, retain custody of the kids, and marry her new partner. Because of this case, practitioners who were focused on law enforcement and prosecution and who were clearly more interested in winning the case than achieving a just resolution started to call Rosen a traitor. This set a dangerous precedent, as some practitioners assumed that the person who owned and used the computer the most was likely the one who had broken the law.

In my experience, when it comes to addressing defence cases in criminal trials, the sound identification of other individuals who might be suspects has often been given lip service. This implies investigations that are suspect-driven rather than evidence-led, which is hardly a fair and objective method. This runs counter to the notion that the practitioner is the court's servant. The years 1999–2007 were considered the “golden age” of digital forensics because they gave investigators the ability to observe crimes and stop time by retrieving deleted emails, texts, and files that contained insights into the motivations of criminals. Formerly, Digital Forensics was a specialized field of study that mainly assisted in criminal investigations. These days, popular crime programs and books frequently include elements of Digital Forensics.

The web series Crime Scene Investigation (CSI) [13] dramatizes digital forensics and greatly exaggerates the technical proficiency of forensic experts and equipment. By 2005, Digital Forensics was still devoid of standards and technique and was naturally mostly focused on Windows and, to a lesser extent, typical Linux PCs. Even in 2010, there was still considerable debate among academics over the development of a formal digital forensic model, even though the fundamental stages of Digital Forensics tests were well documented. Some onlookers saw it as obviously inferior to other tangible forensic criteria like blood analysis.

There are currently no standards that particularly address the topic, despite the Joint Technical Committee of the International Standard Organization seeking to have a standard governance model on digital forensics. Nonetheless, there is a global understanding of the issues surrounding the disparities in the information sharing of judicial procedures between jurisdictions. Since the field of digital forensics has grown quickly, it requires governance like that of information systems and information technology (IS and IT), even though there are currently very few international standards for methodology, procedures, or administration. Being a highly specialized field, digital forensics has raised concerns recently from several academics about how the highly technical discipline and the commercial approach to governance interact.

Digital forensic investigations and criminal prosecutions are often conducted by government organizations operating under the auspices of criminal law. Under applicable criminal legislation, law enforcement officials are authorized to search and seize property to find and seize equipment that may be used in criminal activity or to aid in criminal activity. Ordinarily, oral evidence is not admissible in court and witness opinions are expressly forbidden. However, if their opinions are limited to the evidence that has been presented, expert witnesses and scientific experts may offer their opinions based on their significant training and study. If it is within their area of expertise, these privileged witnesses may share with the court any conclusions they have drawn from the evidence they have seen. Professionals in the field of forensics not only gather and examine evidence, but they also present it to attorneys, investigators, and juries, explaining its significance to them. Of course, having good analytical skills is essential, but practitioners also need to be able to clearly convey to the public their conclusions and expert opinions. Because evidence is blind and cannot speak for itself, it needs an interpretation to explain what it means or could mean as well as why it is significant to the case.

To make sure that the juries and legal teams fully comprehend the evidence, Digital Forensics experts spend a lot of time on casework presenting technical details to them. Experts in forensics are supposed to offer data that might aid the court in reaching a decision, as well as the expert's personal viewpoint. Based on the presented testimony, the court must still reach its own judgment regarding the defendant's guilt or innocence. When serving as a forensic expert, the forensic practitioner should only offer their scientific opinion about the data to assist the court in making judgment calls. Experts should refrain from offering their own final conclusions since expertise is not always 100% definite. Courts in a variety of jurisdictions need forensic experts to have a solid grasp of computer technology for their evidence to be taken seriously.

There are several subcategories within Digital Forensics, with each one concentrating on certain kinds of digital evidence and methods of investigation. It is vital to comprehend these classifications to conduct efficient investigations and analyses of digital occurrences. The following lists some of the main subcategories of Digital Forensics.

• Computer Forensics examines and analyses digital equipment, including computers, laptops, servers, and storage media, to find evidence of digital crimes. Investigators recover lost files, analyse metadata and system logs, and restore data using specialist tools and methodologies. This type of forensics is frequently used in situations involving fraud, theft of intellectual property, hacking, or illegal access.

• Network Forensics involves finding security lapses, intrusions, or unapproved activity by examining and analysing network traffic, communication protocols, and hardware like switches and routers. To reconstruct events, identify attackers, and assess the scope of a security incident, investigators gather and examine network packets, logs, and metadata. Investigating cyberattacks, data breaches, and network-based crimes requires the use of network forensics.

• Mobile Forensics focuses on extracting and analysing digital evidence from smartphones, tablets, and other mobile devices. To retrieve information from device storage, SIM cards, and cloud backups, including call logs, text messages, emails, photographs, and app usage histories, investigators employ specialized tools and methodologies. In situations involving digital fraud, cyberbullying, child exploitation, or corporate espionage, mobile device forensics is frequently used.

• Forensic data analysis finds patterns, anomalies, and proof of illegal activity by looking through and analysing massive amounts of digital data, including databases, log files, and financial records. To find patterns, connections, and questionable transactions, investigators employ data mining, statistical analysis, and visualization approaches. Investigating financial crimes, insider threats, and sophisticated cyberattacks all need forensic data analysis.

• Memory Forensics retrieves information regarding current network connections, running programs, and system configurations through the study of volatile memory (RAM). Memory dumps are obtained and analysed by investigators using specific tools and procedures to detect harmful behaviours, malware, or rootkits that may not be visible through disk-based forensics alone. When looking at memory-resident malware and advanced persistent threats (APTs), memory forensics is hugely rewarding.

• Database Forensics examines and analyses databases to find proof of illegal access, data modification, or data breaches. Investigators employ forensic techniques to detect abnormalities in transaction histories and database logs, as well as suspicious queries or unlawful modifications to database entries. Investigating data breaches, insider threats, and cyberattacks that target confidential information kept in databases requires the use of database forensics.

• Cloud Forensics covers cloud computing environments, such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). Investigators examine cloud user activity, access logs, and cloud service logs to ascertain the origin and extent of security events, data breaches, or unapproved access. Investigating cyber crimes that utilize cloud-based services and data requires the use of cloud forensics.

For each type of Digital Forensics to properly examine and evaluate digital evidence, certain knowledge, abilities, and resources are needed. In the digital age, forensic investigators can find important information and proof to help court cases, law enforcement investigations, and corporate security initiatives by utilizing these categories.

TRAITS OF FORENSIC INVESTIGATORS

Digital Forensic work comprises three distinct roles: that of a lawyer, knowledgeable about court procedures and legislation, a detective experienced in conducting criminal investigations, and an analyst acquainted with the operation of digital devices, OS, Apps, and networks. Self-trained experts confound the judicial process, seldom face opposition and rarely have their evidence's veracity investigated. However, the courts, governments, businesses, and computer and information security organizations all have fundamental requirements for the expertise and experience of practitioners.

When examining digital crime scenes, forensic professionals need to search and analyse all relevant evidence and be in charge of the scenario. This information must be gathered and professionally reported so that the attorneys and the courts can see it. It is crucial that a digital forensic investigation be both compelling in the real world and legally sound to satisfy a court of law. When restoring data from computer storage media, the practitioner must use safe, tried-and-true procedures that verify the data's dependability and correctness.

Digital Investigations Use Case Examples

Digital forensics has always played a crucial role in uncovering digital evidence and solving cybercrime and attacks. A few real-world examples are listed below.

Financial Fraud

In 2016, the Bangladesh Bank heist [14] involved hackers infiltrating the bank's systems and transferring millions through fraudulent SWIFT (Society for Worldwide Interbank Financial Telecommunication) messages, which is a global messaging network used by financial institutions to securely transmit instructions for financial transactions. This heist highlighted vulnerabilities in the worldwide financial ecosystems and raised security concerns on SWIFT messaging used by global banks. It also underscored the significance of robust cybersecurity controls and need for collaboration between financial institutions and the law enforcement agencies to prevent and mitigate such attacks in the future. Digital forensic investigations on the bank servers helped track the stolen funds and identify the perpetrators as illustrated in Fig. (1).

The steps involved in this breach are listed below.

• Initial Compromise: The attackers accessed the banking system using malware that was designed to infiltrate the bank's network and gain access to the SWIFT messaging system.

Fig. (1) Bangladesh bank heist [14].

• SWIFT Messages: After breaking into the system, the attackers requested that money be transferred from Bangladesh Bank's New York Fed account to accounts in the Philippines and Sri Lanka via fictitious SWIFT messages sent to the Federal Reserve Bank of New York. The messages appeared legitimate, as they were authenticated using valid SWIFT credentials stolen from the bank as illustrated in Fig. (2).

Fig. (2) SWIFT messaging via malware [14].

• Execution of Transfers: The Federal Reserve Bank of New York processed the transfer requests, totalling approximately $81 million, and sent the funds to accounts in the Philippines and Sri Lanka as instructed in the fraudulent SWIFT messages.

• Detection: The heist was detected when a typo in one of the fraudulent transfer requests raised suspicion at the Federal Reserve Bank of New York. The word “foundation” was misspelled as ‘fandation’ in one of the transfer instructions, leading bank officials to seek clarification from Bangladesh Bank. This prompted an investigation, revealing the fraudulent transactions.

• Recovery Efforts: Although some of the stolen funds were recovered, a significant portion remains unrecovered. Investigations by various authorities, including the Bangladesh government, the FBI, and other international law enforcement agencies, were launched to identify the perpetrators and recover the stolen funds.

• Attribution: While the exact identity of the hackers remains unclear, cybersecurity experts and investigators have linked the heist to a sophisticated cybercrime group, possibly based in North Korea. However, no definitive attribution has been made.

The timeline of this attack is as follows: Enrico Teodoro Vasquez, Alfred Santos Vergara, Michael Francisco Cruz, and Jessie Christopher Lagrosas established three US dollar bank accounts in the Jupiter, Makati branch of the Rizal Commercial Banking Corporation (RCBC) on May 15, 2015, each with a US$500 initial deposit. These accounts were inactive until February 4, 2016, when it was discovered that they were fraudulent. Shortly before they started the fraudulent money transfers on February 4, the hackers planted the virus on the bank's system in January 2016. This was also quite clever: if it had been installed too late, they might not have been able to evaluate its behavior, and if it had been installed too soon, it might have been discovered prior to the theft.

By February 4, 2016, the virus had taken over the hackers' account and had gained access to Bangladesh Bank's VOSTRO account with the Federal Reserve Bank of New York. The hackers ordered 35 payments totalling 951 million USD, the majority of which were to be sent to the RCBC Jupiter branch. Thirty fraudulent transactions were found and stopped by the Fed; however, five transfers totalling one hundred and one million dollars were not stopped. The Fed attempted to get in touch with Bangladesh Bank on February 5, 2016, to obtain an explanation regarding these payments, including the five that were not blocked. However, February 5th was a bank holiday in Bangladesh, so no one could respond. The five transfers were carried out by the routing banks and correspondent banks between February 5 and February 8, 2016. Twenty million USD worth of transactions were recovered. This came after Deutsche Bank, one of the routing banks, suspended an instruction to a fictitious Sri Lankan organization due to an error. However, the remaining 81 million USD in pilfered money ended up in four RCBC fictitious bank accounts. Bangladesh Bank issued a ‘stop payment’ directive to RCBC on February 8, 2016. The request indicated that the central bank wanted the stolen monies to be returned or, if they had not been transferred yet, frozen.

In the Philippines, February 8 was a non-working holiday observed in honour of the Chinese New Year. Bangladesh Bank sent RCBC their SWIFT code on February 9, asking for a return, to freeze the funds until further investigation could be conducted, or to put them on hold if they had already been transferred. The RCBC Jupiter branch continued to permit withdrawals from the accounts in defiance of the ‘stop payment’ order. The funds were then combined and placed into William So Go's dollar account, which was opened that same day by DBA Centurytex Trading. The money was laundered in the casinos over the next few days. The timing was ideal: an exceptional weekend that coincided with Bangladesh's business holiday and the Philippines' Chinese New Year holiday. The Fed did not attempt to retrieve the five orders that passed right away, since it was unable to obtain the necessary clarity from Bangladesh Bank the next day. Because Monday was a Philippine banking holiday, RCBC was unable to process the stop orders that Bangladesh Bank had submitted to freeze the funds. In addition, the money was easily laundered due to the Chinese New Year and the volume of transactions that occur in casinos during this time, as well as the Philippines' lax AML regulations and procedures.

Data Breaches

Equifax, a credit bureau, suffered a massive data breach in 2017 [15] that compromised the personal information of approximately 147 million people in the United States. Digital forensics helped determine the attackers' point of entry, the data accessed, and the timeline of the breach, aiding future security measures.

Technical details of the breach are:

• Exploiting Vulnerability: The breach started with the exploitation of a flaw in the Apache Struts web application framework. Equifax had included Apache Struts in its online dispute portal, which enables consumers to contest errors in their credit reports. The attackers took advantage of CVE-2017-5638, a known vulnerability in Apache Struts that permitted remote code execution.

• Infiltration and Persistence: The attackers were able to obtain unauthorized access to Equifax's network after taking advantage of the vulnerability and established persistence within the network by deploying various tools and malware to maintain access and escalate privileges. This likely involved lateral movement across the network to locate valuable data repositories.

• Exfiltration of Data: After entering the network, the attackers went after sensitive databases holding personally identifiable information (PII), such as names, birth dates, addresses, Social Security numbers, and, in certain situations, driver's license numbers. They exfiltrated this data over an extended period, potentially going undetected for months.

• Obfuscation and Cover-up Attempts: During the breach, the attackers took steps to obfuscate their activities and cover their tracks. This included deleting log files and using encryption to mask data exfiltration, making it more challenging for Equifax's security team to detect the intrusion.

• Detection and Response: Equifax detected suspicious network activity in late July 2017 and subsequently launched an investigation. However, it wasn't until August 2017 that Equifax discovered the full extent of the breach. Equifax contacted law enforcement right away and hired cybersecurity companies to help with the investigation and clean-up procedures.

• Public Disclosure and Fallout: Equifax publicly disclosed the breach on September 7, 2017; the extent of the issue and the sensitive nature of the exposed data led to significant worry and indignation. The breach led to congressional hearings, regulatory scrutiny, lawsuits, and significant reputational damage for Equifax.

• Post-Breach Remediation: In the aftermath of the breach, Equifax implemented various measures to improve its cybersecurity posture and enhance data protection practices. This included patching the Apache Struts vulnerability, enhancing network monitoring and intrusion detection capabilities, and implementing stronger access controls and encryption measures.

Child Exploitation

In investigations involving child pornography or online solicitation, digital forensics on seized devices helps identify victims, trace the source of abuse material, and build a strong case against perpetrators.

Digital forensics has been utilized for such work in recent times as follows.

• Image and Video Analysis: Digital forensics experts use specialized software tools to analyse digital images and videos for signs of child pornography. These tools can identify and flag explicit content based on predefined criteria such as nudity, age of individuals depicted, and context. Forensic examiners meticulously examine file metadata, including timestamps and geolocation data, to establish the origin and authenticity of illicit content.

• Keyword and File Hash Analysis: Investigators utilize keyword searches and file hash analysis to identify known child pornography images and videos. Law enforcement agencies maintain databases of known illicit files and their unique cryptographic hashes. Digital forensics tools can quickly compare file hashes found on suspect devices against these databases to identify matches and prioritize evidence collection.

• Internet History and Chat Logs Examination: Digital forensics experts analyse internet browsing history and chat logs from computers and mobile devices to uncover evidence of online solicitation and communication with minors. They examine chat transcripts, emails, and social media messages for inappropriate language, grooming behavior, and explicit content exchanged between suspects and victims.

• Metadata Examination: Digital file metadata, such as the EXIF data found in photos and movies, can offer important hints regarding the production, alteration, and distribution of illegal content. Digital forensics specialists analyse metadata to establish timelines, identify devices used in the production and distribution of child pornography, and track the online activities of suspects.

• Network Traffic Analysis: Law enforcement agencies monitor network traffic to identify and track individuals engaging in the distribution and sharing of child pornography through peer-to-peer networks, file-sharing platforms, and online forums. Digital forensics tools can capture and analyse network traffic to identify IP addresses, file transfers, and communication patterns associated with illegal activities.

• Steganography Detection: Perpetrators of child pornography often use steganography techniques to conceal illicit images and videos within seemingly innocent files, such as digital photographs or documents. Digital forensics experts employ specialized software tools to detect and extract hidden content from files, revealing hidden layers of illicit imagery and aiding in the identification of perpetrators.

• Cloud Forensics: With the increasing use of cloud storage and online platforms for sharing illicit content, digital forensics has expanded to include cloud forensics techniques. Investigators analyse data stored on cloud servers, including file metadata, access logs, and user account activity, to identify individuals involved in the production, distribution, and consumption of child pornography.
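The two techniques described in the Keyword and File Hash Analysis and Metadata Examination items above, hashing files against a database of known illicit material and reading EXIF timestamps, can be combined into a simple triage pass. The following is an added example and is not code from the book or from any forensic tool it mentions. It uses only the Python standard library: it constructs a minimal JPEG carrying an Exif APP1 segment (sample data, not a real photograph), hashes each sample file with SHA-256, flags matches against a constructed known-hash set (a stand-in for a law-enforcement hash database), and walks IFD0 and the Exif sub-IFD to extract the Make, DateTime and DateTimeOriginal tags in either TIFF byte order. The file names, tag selection and the known-hash set are assumptions for the example.

```python
import hashlib
import struct

ASCII, LONG = 2, 4                      # TIFF field types used here
EXIF_IFD_POINTER = 0x8769
TAGS = {0x010F: "Make", 0x0132: "DateTime", 0x9003: "DateTimeOriginal"}


def sha256_hex(data):
    """SHA-256 digest of a file's bytes, as stored in a hash set."""
    return hashlib.sha256(data).hexdigest()


def build_sample_jpeg(byte_order="II"):
    """Constructed test data: a JPEG whose APP1 segment holds an Exif block.
    Offsets are relative to the TIFF header; the layout is fixed by hand:
    0 header(8) | 8 IFD0(42) | 50 Make(11)+pad | 62 DateTime(20) |
    82 ExifIFD(18) | 100 DateTimeOriginal(20) -> total 120 bytes."""
    e = "<" if byte_order == "II" else ">"
    make, dt, dto = b"ExampleCam\0", b"2024:01:15 10:30:00\0", b"2024:01:14 08:00:00\0"
    make_off, dt_off, exif_off, dto_off = 50, 62, 82, 100

    def entry(tag, typ, count, value_or_off):
        return struct.pack(e + "HHII", tag, typ, count, value_or_off)

    tiff = byte_order.encode() + struct.pack(e + "HI", 42, 8)
    ifd0 = struct.pack(e + "H", 3)
    ifd0 += entry(0x010F, ASCII, len(make), make_off)
    ifd0 += entry(0x0132, ASCII, len(dt), dt_off)
    ifd0 += entry(EXIF_IFD_POINTER, LONG, 1, exif_off)   # value fits in 4 bytes
    ifd0 += struct.pack(e + "I", 0)                       # no next IFD
    exif_ifd = struct.pack(e + "H", 1) + entry(0x9003, ASCII, len(dto), dto_off)
    exif_ifd += struct.pack(e + "I", 0)
    body = tiff + ifd0 + make + b"\0" + dt + exif_ifd + dto
    assert len(body) == 120, "layout comment above is out of date"
    payload = b"Exif\0\0" + body
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def find_exif_segment(jpeg):
    """Walk JPEG marker segments; return the TIFF block from APP1/Exif or None."""
    if jpeg[:2] != b"\xFF\xD8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None                                   # not a marker: corrupt
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                        # EOI or SOS: no more metadata
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + seg_len
    return None


def parse_exif(tiff):
    """Return the tags of interest from IFD0 and the Exif sub-IFD.
    Handles 'II' (little-endian) and 'MM' (big-endian) TIFF headers and
    refuses to follow a sub-IFD pointer twice (guards against loops)."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        raise ValueError("unknown TIFF byte order")
    magic, first_ifd = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    result, seen = {}, set()

    def read_ifd(off):
        if off in seen or off + 2 > len(tiff):
            return
        seen.add(off)
        (count,) = struct.unpack(e + "H", tiff[off:off + 2])
        for i in range(count):
            ent = off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack(e + "HHII", tiff[ent:ent + 12])
            if tag == EXIF_IFD_POINTER and typ == LONG:
                read_ifd(val)
            elif tag in TAGS and typ == ASCII:
                # ASCII values of 4 bytes or fewer are stored inline in the value field
                raw = struct.pack(e + "I", val)[:cnt] if cnt <= 4 else tiff[val:val + cnt]
                result[TAGS[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")

    read_ifd(first_ifd)
    return result


def triage(files, known_hashes):
    """Hash each file, flag known-hash matches, pull EXIF timestamps where
    present, and order rows so flagged files are reviewed first."""
    rows = []
    for name, data in files.items():
        digest = sha256_hex(data)
        row = {"file": name, "sha256": digest, "known_match": digest in known_hashes, "exif": {}}
        tiff = find_exif_segment(data)
        if tiff is not None:
            try:
                row["exif"] = parse_exif(tiff)
            except (ValueError, struct.error):
                row["exif"] = {"error": "malformed Exif"}
        rows.append(row)
    rows.sort(key=lambda r: (not r["known_match"], r["file"]))
    return rows


# Constructed sample "evidence" and a constructed known-hash set (assumptions).
SAMPLE_FILES = {
    "IMG_0001.jpg": build_sample_jpeg("II"),
    "IMG_0002.jpg": build_sample_jpeg("MM"),
    "notes.txt": b"constructed text file with no Exif data\n",
}
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_FILES["IMG_0002.jpg"])}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_BAD_HASHES):
        print(row["file"], "MATCH" if row["known_match"] else "-", row["exif"])
```

Two points of design are worth noting. The hash comparison is exact, so a single changed byte defeats it; real hash databases are therefore typically paired with perceptual or fuzzy hashes, which this example does not implement. The EXIF parser trusts nothing in the file: it bounds every read, checks the byte order and magic, and refuses to revisit an IFD, because an examiner's tooling must survive deliberately malformed files without crashing.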

Cyber Espionage