CYB 205 Part 2

Cyber security

Uploaded by Kingsley Mike

CYB 205

INTRODUCTION TO DIGITAL FORENSICS


Topics to be covered

Definition of Digital forensics

Definition of Computer forensics

Computer crime

Computer based crime

Computer facilitated crime

Evidence & Its Types

Real / tangible evidence

Original evidence

Hearsay evidence

Testimony

Characteristics of Digital Evidence

Rules of Evidence

Admissible

Authentic

Complete or Whole

Reliable

Believable or Acceptable

Chain of Custody

Sources of Evidence

Hard drives, firewall logs, system logs, social networking websites, websites that were
visited, email, GPS devices, security cameras, etc.

Computer Forensics Timeline

Objectives of Computer Forensics

Importance of Computer Forensics

Uses of Computer Forensics

Challenges of Digital Forensics


Computer Forensics Team

Rules of Computer Forensics

Different Types of Digital Forensics

Computer Forensics Process or Stages

Techniques of Digital Forensic Analysis

• Data Acquisition of physical storage devices

• Study of file systems with a main focus on Microsoft Windows

• File System Analysis & file recovery

• Information hiding & steganography

• Windows and Network Forensics

• Email forensics

• Malware Analysis

• Web Attack Forensics

Computer Forensics Tools

Forensics Readiness

Benefits of Forensic Readiness

Steps For Forensic Readiness Planning


FILE SYSTEM

Even though hard drives can be very small, they still contain millions of bits and therefore need
to be organized so that information can be located. This is the purpose of the file system.
Remember that a hard drive is made up of several circular platters rotating around an axis. The
tracks (concentric areas written to on either side of the platter) are divided into pieces called
sectors (each 512 bytes in size). Logical formatting of a disk allows a file system to be created on
the disk, which in turn will allow an operating system (DOS, Windows 9x, UNIX, etc) to use the
disk space to store and use files. The file system is based on management of clusters, the smallest
disk unit that the operating system is able to manage. A cluster consists of one or more sectors,
so the larger the cluster size, the fewer entities the operating system will have to manage. On the
other hand, since an operating system only knows how to manage whole allocation units (i.e. a
file occupies a whole number of clusters), the more sectors per cluster, the more wasted space
there will be. This is why the choice of file system is important.

File systems and the operating system: In practice, the choice of file system depends first of all
on the operating system you are using. In general, the more recent the operating system, the
more file systems it supports. Under DOS and the first releases of Windows 95, FAT16 is
required. Starting with Windows 95 OSR2 you have the choice between FAT16 and FAT32. If
the partition is larger than 2 GB, FAT16 is excluded and you must use FAT32 (or reduce the size
of the partition). Below that limit, FAT16 is recommended for partitions smaller than 500 MB;
otherwise FAT32 is preferable, because its smaller clusters waste less space.

In the case of Windows NT (up to version 4) you have the choice between FAT16 and NTFS;
FAT32 is not supported. In general NTFS is recommended, as it provides better security (per-file
access control lists) and better reliability and performance on large volumes (a journal, smaller
clusters) than FAT. At the time, Microsoft recommended keeping a small FAT partition (between
250 and 500 MB) for the operating system, so that the machine could still be booted from a
DOS floppy disk after a failure, and using a second partition for data.

Operating system        File system types supported

DOS                     FAT12, FAT16
Windows 95              FAT16
Windows 95 OSR2         FAT16, FAT32
Windows 98              FAT16, FAT32
Windows NT 4            FAT16, NTFS (version 4)
Windows 2000/XP         FAT12, FAT16, FAT32, NTFS (versions 4 and 5)
Linux                   ext2, ext3, ext4, XFS, Btrfs, ReiserFS, Linux swap
                        (also reads and writes FAT16, FAT32 and NTFS)
Mac OS                  HFS (Hierarchical File System), HFS+, MFS (Macintosh File System)
OS/2                    HPFS (High Performance File System)

SOME COMMON FILE SYSTEMS

File systems are your interface for storing data. Modern file systems present a hierarchical view
of your data; historical file systems were flat.
1. FAT

FAT stands for File Allocation Table. It is a relatively old family of file systems (FAT12, FAT16,
FAT32); on FAT32 a single file is limited to 4 GiB less one byte, and a FAT16 volume is limited to
2 GiB (4 GiB with 64 KiB clusters). Its benefit is portability: nearly every platform can read and
write it. For this reason storage devices are often sold pre-formatted as FAT, so that less technical
users don't assume the device is broken and return it. That portability makes it useful for USB
flash drives and for the partition you use for /boot. It is a poor choice for a root file system: it
has no ownership or permission model and no journal, so it can neither enforce access control
nor recover cleanly from a crash. For an examiner, FAT's simplicity is an advantage: its on-disk
layout is documented in a few pages, and a deleted file's directory entry stays in place with only
the first byte of the name overwritten (0xE5), which is why undeleting FAT files is often
straightforward.
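The geometry described above (sectors, clusters, slack) is recorded in the volume's boot sector, and an examiner derives it from there rather than trusting the volume label. The following Python is an added example, not code from these notes or from any forensic tool: it builds a constructed FAT32 boot sector (the field offsets follow Microsoft's published FAT layout; the volume sizes are invented), parses the BIOS Parameter Block back out, classifies the volume by cluster count the way the specification prescribes, maps a cluster number to its first sector, and computes how many bytes of slack a file of a given size leaves in its last cluster.

```python
import struct

# Constructed FAT32 boot sector for the example (not taken from a real volume).
# Field offsets follow the Microsoft FAT specification's BIOS Parameter Block.
def build_sample_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                             reserved=32, num_fats=2, sectors_per_fat=1024,
                             total_sectors=1_000_000, root_cluster=2):
    sec = bytearray(bytes_per_sector)
    sec[0:3] = b"\xEB\x58\x90"                         # jump over the BPB
    sec[3:11] = b"MSWIN4.1"                            # OEM name
    struct.pack_into("<H", sec, 11, bytes_per_sector)  # BPB_BytsPerSec
    sec[13] = sectors_per_cluster                      # BPB_SecPerClus
    struct.pack_into("<H", sec, 14, reserved)          # BPB_RsvdSecCnt
    sec[16] = num_fats                                 # BPB_NumFATs
    # BPB_RootEntCnt (17), BPB_TotSec16 (19) and BPB_FATSz16 (22) stay 0 on FAT32
    struct.pack_into("<I", sec, 32, total_sectors)     # BPB_TotSec32
    struct.pack_into("<I", sec, 36, sectors_per_fat)   # BPB_FATSz32
    struct.pack_into("<I", sec, 44, root_cluster)      # BPB_RootClus
    sec[82:90] = b"FAT32   "                           # BS_FilSysType (informational only)
    sec[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(sec)

def parse_bpb(sec):
    """Derive the on-disk geometry from a FAT12/16/32 boot sector."""
    if sec[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bps, = struct.unpack_from("<H", sec, 11)
    spc = sec[13]
    reserved, = struct.unpack_from("<H", sec, 14)
    num_fats = sec[16]
    root_ents, totsec16 = struct.unpack_from("<HH", sec, 17)
    fatsz16, = struct.unpack_from("<H", sec, 22)
    totsec32, = struct.unpack_from("<I", sec, 32)
    fatsz32, = struct.unpack_from("<I", sec, 36)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible BPB geometry (corrupt or not FAT)")
    fatsz = fatsz16 or fatsz32
    total = totsec16 or totsec32
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps      # 0 on FAT32
    first_data = reserved + num_fats * fatsz + root_dir_sectors
    clusters = (total - first_data) // spc
    # The spec's rule: the FAT type follows from the cluster count, not the label.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "cluster_size": bps * spc, "fat_start_sector": reserved,
            "first_data_sector": first_data, "cluster_count": clusters,
            "fat_type": fat_type}

def cluster_to_sector(geom, cluster):
    """Data clusters are numbered from 2; entries 0 and 1 of the FAT are reserved."""
    if cluster < 2 or cluster - 2 >= geom["cluster_count"]:
        raise ValueError("cluster out of range")
    return geom["first_data_sector"] + (cluster - 2) * geom["sectors_per_cluster"]

def slack(geom, file_size):
    """Clusters allocated to a file, and the bytes of its last cluster it does not use."""
    cs = geom["cluster_size"]
    if file_size == 0:
        return 0, 0
    n = -(-file_size // cs)          # ceiling division
    return n, n * cs - file_size

if __name__ == "__main__":
    g = parse_bpb(build_sample_boot_sector())
    print(g)
    print("cluster 2 starts at sector", cluster_to_sector(g, 2))
    print("5000-byte file uses %d clusters, %d bytes of slack" % slack(g, 5000))
```

The cluster-count rule is the reason not to trust the "FAT32" label: a volume whose boot sector says FAT32 but has fewer than 65525 clusters is treated as FAT16 by Windows, and an examiner who parses it as FAT32 will read the wrong structures. On a real image the sector passed to parse_bpb is the first sector of the partition, not of the disk.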

2. NTFS

NTFS is Microsoft's primary file system. Its data structures don't limit files to 4 GiB. On
Windows it is case-preserving but case-insensitive: if you create a file called "Foo" you can open it
as "foo", but a directory listing shows "Foo" rather than "FOO", as FAT's short (8.3) names
traditionally did. NTFS records per-file access control lists, a change journal and several sets of
timestamps in its Master File Table, all of which are valuable evidence. Linux can read and write
it (through the ntfs-3g driver or, since kernel 5.15, the in-kernel NTFS3 driver), which makes it a
reasonable choice for removable media shared with Windows machines. It is still inadvisable to
use NTFS as your root file system on Linux, since its primary use there is reading disks that are
also used by Windows machines, rather than being an installation's root file system.

3. ext2, ext3 and ext4

The ext file systems are Linux's native file systems and are usually the default option when
installing a Linux distribution. Despite the similar names, they are different beasts. ext2 has no
journal, so a crash requires a full file system check; today it is rarely used except for small /boot
partitions and old bootloaders. ext3 adds a journal to the ext2 layout (an ext3 volume can still be
mounted as ext2). Active development has moved on to ext4, which adds extents (a file's blocks
described as contiguous ranges rather than one by one), larger volumes and files, and nanosecond
timestamps; all three support extended attributes, where additional metadata can be attached to a
file. There are third-party tools to read ext file systems from Windows, but NTFS support in
Linux is better than ext support in Windows.

4. XFS

XFS was developed by Silicon Graphics for IRIX and later ported to Linux. It is a mature 64-bit
journaling file system built on extents and B-trees, scales to very large volumes, and was where
extended attributes originated. It does not take snapshots itself, but xfs_freeze can quiesce it so
that a consistent snapshot of the logical state can be taken at the volume-manager level. Since it
is available only on IRIX and Linux, portability is not its strong point, so it would not be useful
on a USB flash drive, but it is an excellent choice for a root file system.

5. ZFS

ZFS was developed by Sun Microsystems, which was later bought by Oracle; the open-source
OpenZFS fork is what Linux and FreeBSD use. It is a very advanced file system, combining the
volume manager and the file system, with a checksum on every block, snapshots and built-in
redundancy. It is a copy-on-write file system: modified blocks are written to new locations and
the old ones released rather than overwritten in place, unlike the systems above, which either
journal or write to the blocks directly. For an examiner this means that older versions of data,
and the snapshots that reference them, can survive on disk long after a file was changed or
deleted.

CATEGORIES OF FILE SYSTEMS

File system types can be classified into disk/tape file systems, network file systems and
special-purpose file systems.

1. Disk file systems

A disk file system takes advantage of the ability of disk storage media to randomly address data
in a short amount of time. Additional considerations include the speed of accessing the data
following that initially requested, and the anticipation that the following data may also be
requested. This permits multiple users (or processes) to access various data on the disk without
regard to the sequential location of the data. Examples include FAT (FAT12, FAT16, FAT32),
exFAT, NTFS, HFS and HFS+, HPFS, UFS, ext2, ext3, ext4, XFS, Btrfs, ISO 9660, Files-11,
Veritas File System, VMFS, ZFS, ReiserFS and UDF.

2. Flash file systems

A flash file system considers the special abilities, performance and restrictions of flash memory
devices. Frequently a disk file system can use a flash memory device as the underlying storage
media but it is much better to use a file system specifically designed for a flash device.

3. Tape file systems

A tape file system is a file system and tape format designed to store files on tape in a self
describing form. Magnetic tapes are sequential storage media with significantly longer random
data access times than disks, posing challenges to the creation and efficient management of a
general-purpose file system.

4. Database file systems

Another concept for file management is the idea of a database-based file system. Instead of, or in
addition to, hierarchical structured management, files are identified by their characteristics, like
type of file, topic, author, or similar rich metadata. IBM DB2 for i (formerly known as DB2/400
and DB2 for i5/OS) is a database file system as part of the object based IBM i operating system
(formerly known as OS/400 and i5/OS), incorporating a single level store and running on IBM
Power Systems (formerly known as AS/400 and iSeries), designed by Frank G. Soltis IBM's
former chief scientist for IBM.

5. Transactional file systems


Transaction processing introduces the isolation guarantee, which states that operations within a
transaction are hidden from other threads on the system until the transaction commits, and that
interfering operations on the system will be properly serialized with the transaction. Transactions
also provide the atomicity guarantee, ensuring that operations inside of a transaction are either all
committed or the transaction can be aborted and the system discards all of its partial results. This
means that if there is a crash or power failure, after recovery, the stored state will be consistent.
Either the software will be completely installed or the failed installation will be completely rolled
back, but an unusable partial install will not be left on the system.

6. Network file systems

A network file system is a file system that acts as a client for a remote file access protocol,
providing access to files on a server. Programs using local interfaces can transparently create,
manage and access hierarchical directories and files on remote network-connected computers.
Examples of network file systems include clients for the NFS, AFS and SMB protocols, and
file-system-like clients for FTP and WebDAV. For an investigator the consequence is that a
"file" the user opened may never have been on the seized disk at all; the server and its logs must
be identified and acquired as well.

ANTI-FORENSICS

Anti-forensics covers the tools and techniques that frustrate forensic tools, investigations and
investigators.

Goals of Anti-Forensics:

• Avoiding detection

• Disrupting information collection

• Increasing the examiner’s time

• Casting doubt on a forensic report or testimony

• Subverting the tool — using it to attack the examiner or organization

• Leaving no evidence

One traditional Anti-Forensic technique is to overwrite or otherwise destroy data.

Disk Sanitizers; Free Space Sanitizers; File Shredders

• Microsoft Remove Hidden Data Tool; cipher.exe; ccleaner

Metadata Erasers

• Example: timestomp

Anti-forensic tools can hide data with cryptography or steganography.

• Cryptographic file systems (EFS, TrueCrypt; TrueCrypt is discontinued and VeraCrypt is its successor)

• Encrypted network protocols (TLS/SSL, SSH, onion routing*)

• Program Packers (PECompact, Burneye) & Rootkits

• Steganography

• Data Hiding in File System Structures

• Slacker — Hides data in slack space

• FragFS — Hides in NTFS Master File Table

• RuneFS — Stores data in “bad blocks”

• KY FS — Stores data in directories

• Host Protected Areas & Device Configuration Overlay

*Onion routing also protects from traffic analysis


WINDOWS FORENSICS

Windows forensics involves analysing the various artefacts a Windows system leaves behind for
malicious or suspicious traces of data, in order to reach an evidential conclusion in a case. The
Windows forensics process analyses information gathered about activities that took place on a
Windows system. Artefacts such as the registry, files, cookies, the Recycle Bin and the contents of
memory contain the initial information on which a conclusion can be built.

Major forensic areas in windows

An investigator typically needs to access and analyse the following areas of a Windows system:

a) Volatile information: system time, logged-on users, open files, network connections, mapped
drives and shared folders, running processes, etc. These are lost when the machine is powered
off, so they are collected first, from the live system, in an order that disturbs it as little as
possible. These and more are covered in the next section under Windows volatile information.

b) Non-volatile information: file systems, logs, devices, slack space, the swap/page file, indexes,
partitions, etc. This information survives a reboot and is collected from a forensic image of the
storage. These and more are covered in a later section under the heading non-volatile information.

c) Windows memory: capturing memory dumps and analysing them, among other aspects.

d) Caches, cookies and browser history.

e) Other artefacts such as the Recycle Bin, documents, shortcut (.lnk) files, graphics files,
executable files, etc.

Table 1:Information from Registry Hive


NETWORK FORENSICS

Network forensics adds vital information to investigations. Tools can be used for timeline
analysis, email reconstruction, metadata analysis, packet and frame analysis, or checksumming of
the data exchanged. Another aspect of network forensics is the capability to acquire and examine
a suspect's computer over the network: there are methods of taking an image of a suspect's or
victim's computer over a network connection from the forensics lab itself. However, the legal
basis must be established before capturing traffic from, or connecting to, a system that is not
yours. Network forensics is a sub-branch of digital forensics relating to the monitoring and
analysis of computer network traffic for the purposes of information gathering, legal evidence or
intrusion detection. Unlike other areas of digital forensics, network investigations deal with
volatile and dynamic information: network traffic is transmitted and then lost, so network
forensics is often a proactive investigation, with capture in place before the incident occurs.
Network forensics generally has two uses. The first, relating to security, involves monitoring a
network for anomalous traffic and identifying intrusions. An attacker might be able to erase all
log files on a compromised host, so network-based evidence might be the only evidence available
for forensic analysis. The second relates to law enforcement. In this case analysis of captured
network traffic can include tasks such as reassembling transferred files, searching for keywords
and parsing human communication such as emails or chat sessions.

NETWORK COMPONENTS AND THEIR FORENSICS IMPORTANCE

1. Host

A network host is a computer or other device connected to a computer network. A network host
may offer information resources, services, and applications to users or other nodes on the
network. A network host is a network node that is assigned a network layer host address.
Computers participating in networks that use the Internet Protocol Suite may also be called IP
hosts.

2. Node

In data communication, a physical network node may either be a data communication equipment
(DCE) such as a modem, hub, bridge or switch; or a data terminal equipment(DTE) such as a
digital telephone handset, a printer or a host computer, for example a router, a workstation or a
server.

3. Router

A router is a networking device that forwards data packets between computer networks. Routers
perform the "traffic directing" functions on the Internet. A data packet is typically forwarded
from one router to another through the networks that constitute the internetwork until it reaches
its destination node.

4. Switch

A network switch (also called switching hub, bridging hub, officially MAC Bridge) is a
computer networking device that connects devices together on a computer network, by using
packet switching to receive, process and forward data to the destination device. Unlike less
advanced network hubs, a network switch forwards data only to one or multiple devices that
need to receive it, rather than broadcasting the same data out of each of its ports.

FORENSICS INFORMATION FROM NETWORK

The major information sources in a network are hosts, routers, firewalls, switches, intrusion
detection and prevention systems, network printers and copiers, and wireless access points. An
investigator needs to collect data from these sources. Categorising this data, and deciding how it
is to be collected and analysed, is of utmost importance.

1. Hosts: Forensic tooling generally uses agents (software) installed on hosts to gather host data
and send it to a remote forensic server. The agents collect the real-time data stream passing
through the network interface card (NIC), together with local logs and process state, and forward
it for analysis.

2. Routers: Router logs are useful in many cases. Status details, errors, and the IP and MAC
addresses resolved for neighbouring networks and hosts (the ARP and routing tables) can be used
to trace a suspect and help reconstruct the chain of events while restructuring the crime. These
tables are volatile and are lost when the router is rebooted.

3. Firewalls: Firewalls maintain logs of internet and network access by hosts. These logs record
dropped packets, disallowed applications, filtered websites, recognised attacks, etc. In many cases
the logs of the host firewall or of the network firewall are enough to trace the activity of a host.

4. Switch: Switches have a CAM (content-addressable memory) table which holds the mapping of
MAC addresses to ports; CAM is also used to hold VLAN information. Like a router's ARP table,
the CAM table is volatile and its entries age out within minutes, so it must be captured from the
live switch if it is wanted.

A popular method specifically designed to let a network analyst monitor traffic is:

Port mirroring: the switch sends a copy of network packets to a monitoring network connection.

5. Intrusion detection/ prevention system

An intrusion detection system (IDS) is a device or software application that monitors network or
system activities for malicious activity or policy violations and produces reports to a
management station. IDS come in a variety of "flavours" and approach the goal of detecting
suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS)
intrusion detection systems. A NIDS inspects the traffic passing a chosen point in the network
(usually fed by a tap or a mirror port) and so sees attacks from outside and from inside the
network alike; a HIDS runs on the host it protects and watches that host's logs, processes and file
integrity. Some systems may attempt to stop an intrusion attempt, but this is neither required nor
expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are
primarily focused on identifying possible incidents, logging information about them, and
reporting attempts. Their alerts, and the packets they store around each alert, are frequently the
first evidence an investigator receives.

6. Wireless Access Points

A wireless access point (WAP) can also come into play, as it maintains logs of most of the activity
it handles, such as SSIDs, client associations and authentications, and incoming connections.
Given the volume of traffic that flows in and out of a network, it is important to also consider
storage: how these logs will be kept for future analysis as well as for evidence building.
Investigators can use one or more of the available bulk storage technologies, such as a storage
area network (SAN), network-attached storage (NAS) or direct-attached storage (DAS), for the
purpose. Tape drives have been in use for a long time and still play a vital role in mass storage.

7. Log Analysis

The analysis of the large volumes of data collected by IDPS and other sensors is typically
performed in a separate database system run by the analysis team. Live systems are usually not
sized to run extensive analysis without affecting regular users. More importantly, it is
methodologically preferable to analyse copies of the data on separate systems, with the hashes of
the originals recorded, so that the analysis team is protected against the accusation of altering
the original data.
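The firewall and log-analysis items above describe what the logs contain but not how an analyst turns them into a finding. The Python below is an added example, not code from these notes or from any product: it parses constructed netfilter-style syslog lines (invented addresses from the documentation ranges; the year is assumed, since syslog timestamps carry none) and flags a source whose dropped packets reach several distinct destination ports inside a sliding time window, the classic signature of a port scan. The regular expression, thresholds and field names are assumptions for the example; a real firewall's format will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed netfilter-style syslog lines (not from a real firewall). The
# syslog timestamp carries no year; the example assumes 2024.
SAMPLE_LOG = """\
Mar 12 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21
Mar 12 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Mar 12 10:00:02 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443
Mar 12 10:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=23
Mar 12 10:00:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=25
Mar 12 10:00:05 fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=8443
Mar 12 10:00:06 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=80
Mar 12 10:00:07 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=443
Mar 12 10:05:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=8080
"""

# Assumed line layout for the example; adjust the pattern to the real firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)")

def parse_line(line, year=2024):
    """One syslog line -> dict, or None for lines that are not packet-filter events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime("%d %s" % (year, d["ts"]), "%Y %b %d %H:%M:%S")
    d["dpt"] = int(d["dpt"])
    return d

def detect_port_scans(lines, threshold=5, window_s=60):
    """Flag a source whose DROPped packets reach >= threshold distinct destination
    ports within any sliding window of window_s seconds. Accepted traffic is
    ignored: a scan of open ports looks like normal use at this layer."""
    events = [e for e in (parse_line(l) for l in lines) if e and e["action"] == "DROP"]
    events.sort(key=lambda e: e["ts"])           # logs are not always in order
    recent = defaultdict(deque)                  # src -> (ts, dpt) inside the window
    alerts, flagged = [], set()
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dpt"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and e["src"] not in flagged:
            flagged.add(e["src"])                # one alert per source, at first trigger
            alerts.append({"src": e["src"], "ports": sorted(ports),
                           "first": q[0][0], "last": e["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print("%s probed %d ports between %s and %s"
              % (a["src"], len(a["ports"]), a["first"], a["last"]))
```

The alert carries the first and last timestamps of the triggering window, which is what the timeline needs; the full list of ports the source touched afterwards is recovered by re-running parse_line over the same lines filtered on that source. Sorting before the sliding window matters because log collectors frequently deliver lines out of order.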

FORENSICS TOOLS

Forensic tools that are used for forensic activities like seizure, capture, analysis etc. in network
can be categorized in two forms:

a. Technology tools

b. Software tools

Technology tools are methodologies and hardware used to track, trace or identify hidden artefacts
in a network. Software tools are software solutions that specifically assist forensic collection and
analysis.

Network tools used for forensics

Network tap

A network tap is a hardware device which provides a way to access the data flowing across a
computer network. In many cases, it is desirable for a third party to monitor the traffic between
two points in the network. If the network between points A and B consists of a physical cable, a
"network tap" may be the best way to accomplish this monitoring. The network tap has (at least)
three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all
traffic through unimpeded, but also copies that same data to its monitor port, enabling a third
party to listen.

Port Mirroring

Port mirroring is used on a network switch to send a copy of network packets seen on one switch
port (or an entire VLAN) to a network monitoring connection on another switch port.

Software tools used for network forensics

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Wireshark lets the user put network interface controllers that support promiscuous mode into that
mode, so they can see all traffic visible on that interface, not just traffic addressed to one of the
interface's configured addresses and broadcast/multicast traffic. However, when capturing with a
packet analyser in promiscuous mode on a port on a network switch, not all traffic through the
switch is necessarily sent to the port where the capture is done, so capturing in promiscuous
mode is not necessarily sufficient to see all network traffic. Port mirroring or various network
taps extend capture to any point on the network.

Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks
that pcap supports.

• Data can be captured "from the wire" from a live network connection or read from a file of
already-captured packets.

• Live data can be read from a number of types of networks, including Ethernet, IEEE 802.11,
PPP, and loopback.

• Captured network data can be browsed via a GUI, or via the terminal (command line) version
of the utility, TShark.

• Captured files can be programmatically edited or converted via command-line switches to the
"editcap" program.

• Data display can be refined using a display filter.

• VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the
media flow can even be played.

• Raw USB traffic can be captured.
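Wireshark and TShark decode captures interactively, but an examiner who needs to process many capture files, or to verify what a tool reports, benefits from knowing the file format itself. The Python below is an added example, not code from these notes or from the Wireshark project: it builds a small classic (libpcap) capture from constructed frames, addresses from the documentation ranges, with real IPv4 header checksums, then reads it back, handling either byte order of the magic number, and reduces each packet to the fields an analyst filters on first (addresses, protocol, ports, TCP flags, checksum validity). It decodes Ethernet/IPv4/TCP/UDP only; pcapng, the newer default format, is a different layout.

```python
import struct
import socket

LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is correct."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ethernet_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    """Wrap a transport payload in IPv4 and Ethernet; the IPv4 checksum is real."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + payload

def tcp(sport, dport, flags):
    # Transport checksum left at 0: these frames are parsed, never transmitted.
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_sample_pcap():
    """Constructed capture: the start of a TCP handshake to port 443 and a DNS query."""
    a, b = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    frames = [
        (1700000000, 100, ethernet_ipv4(a, b, "10.0.0.5", "203.0.113.10", 6, tcp(40000, 443, 0x02))),
        (1700000000, 900, ethernet_ipv4(b, a, "203.0.113.10", "10.0.0.5", 6, tcp(443, 40000, 0x12))),
        (1700000001, 50, ethernet_ipv4(a, b, "10.0.0.5", "10.0.0.1", 17, udp(53000, 53, b"\x00" * 12))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def parse_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP summary; None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    l4 = ip[ihl:]
    if proto == 6:
        rec["proto"] = "TCP"
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
        rec["flags"] = "".join(n for bit, n in TCP_FLAG_NAMES if l4[13] & bit)
    elif proto == 17:
        rec["proto"] = "UDP"
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
    else:
        rec["proto"] = str(proto)
    return rec

def parse_pcap(data):
    """Walk a classic libpcap file, accepting either byte order of the magic number."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes the Ethernet link type only")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        off += incl_len
        if rec:
            rec["ts"] = ts_sec + ts_usec / 1e6
            records.append(rec)
    return records

if __name__ == "__main__":
    for r in parse_pcap(build_sample_pcap()):
        print(r)
```

The per-record header's incl_len is what advances the reader; a capture taken with a small snaplen has incl_len smaller than orig_len, so a parser that trusts the IPv4 total length instead will run off the end of the record. The checksum flag is worth keeping: on a capture taken on the sending host, checksum offload makes the kernel hand the NIC a header with a zero or partial checksum, so "bad checksums" on outbound packets are usually an artefact of where the capture was taken rather than tampering.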

Disk-based digital forensics:

1. Data is static and preserved even if power is cut.

2. Evidence is contained within the file system.

3. Making a forensically sound image is straightforward.

4. Seizing a computer to obtain evidence might involve disruption to the existing file, storage
and logs.

5. Legal precedent is in place and derived evidence is routinely admitted into court.

Network Forensics:

1. Data is changing constantly (dynamic).

2. Pinpointing the exact location of the required evidence is problematic, since some evidence can
be obtained directly from a single network device while other evidence must be pieced together
indirectly from several devices.

3. Physical access to network devices can be difficult to obtain due to some geographical and
legal constraints.

4. Most network devices have little or no persistent storage; their state (ARP and CAM tables, connection tables, buffered logs) is lost on reboot.


5. Conflicting precedents and a lack of standardisation mean that courtroom admissibility is not
guaranteed.

6. Network Forensics requires deep understanding of network protocols and routing protocols
such as Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP) Routing
Information Protocol (RIP), Ethernet, ARP, IP, TCP/UDP and a myriad of application layer
protocols.

EMAIL FORENSICS

The forensically important parts of an email, that is, the information that will interest
investigators, are:

a) the email header

b) the body of the email

c) the information carried outside the message itself, in the email packets (the SMTP envelope and
the connecting address, which the receiving server sees but the message does not show)

d) attachments

RFC 5322 requires every message header to carry at least the following two fields:

• From: The email address, and optionally the name, of the author(s). In many email clients this is
not changeable except through the account settings, but it is only a claim made by the sending
software.

• Date: The local time and date when the message was written. Like the From: field, many email
clients fill this in automatically when sending. The recipient's client may then display the time in
the format and time zone local to the reader.

The message header should also include the following fields:

• Message-ID: Also an automatically generated field; used to prevent multiple deliveries and for
reference in In-Reply-To. Its domain part is normally that of the sending client or server, so a
mismatch with the From: domain is worth a second look.

• In-Reply-To: Message-ID of the message that this is a reply to. Used to link related messages
together. This field only applies to reply messages.

RFC 3864 describes registration procedures for message header fields at the IANA; it provides
for permanent and provisional message header field names, including fields defined for MIME,
netnews and HTTP, and references the relevant RFCs. Common header fields for email include:

• To: The email address(es), and optionally name(s), of the message's recipient(s). Indicates
primary recipients (multiple allowed); for secondary recipients see Cc: and Bcc:.

• Subject: A brief summary of the topic of the message. Certain abbreviations are commonly
used in the subject, including "RE:" and "FW:".

• Cc: Carbon copy; many email clients will mark email in one's inbox differently depending on
whether the reader is in the To: or Cc: list.

• Bcc: Blind carbon copy; addresses added to the SMTP delivery list but not (usually) listed in
the message data, remaining invisible to other recipients. A Bcc recipient therefore appears only
in the sending server's logs, not in the message.

• Received: Not written by the author at all. Each mail transfer agent that handles the message
prepends a Received: line recording the host it accepted the message from, the IP address it saw,
and the time. Read from the bottom up, these lines trace the message's path. Only the lines
added by servers the investigator trusts can be relied upon, since a sender can insert fake ones
beneath them.

EMAIL FORENSICS INVESTIGATION

Email forensics involves capturing, securing, analysing and reporting email evidence. It aims to
study the source and contents of email messages for evidence, including identification of the
actual sender, the recipient, and the date and time at which the message was sent. Email forensic
analysis aims to discover the history of a message and to confirm the identity of all the entities
involved. The From: and Date: fields are written by the sending software and can say anything;
the examiner therefore relies on the Received: trace headers, read from the bottom (origin)
upwards, and on the sending server's logs, to establish where a message really came from.
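The header walk described above is mechanical enough to script. The Python below is an added example, not code from these notes or from any email forensics product: it parses a constructed message (invented addresses and hosts from the documentation ranges) with the standard library's email package, puts the Received: hops into chronological order, extracts from each the claimed host, the IP address the receiving server actually saw and the timestamp, and raises a few indicators an examiner would check by hand: a Message-ID domain that differs from the From: domain, an origin that identified itself by a bare IP address, hop timestamps that run backwards, and an origin inside an RFC 1918 range. The indicator names and thresholds are the example's own; none of them proves forgery on its own.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message (not a real email). The Received: lines appear in the order a
# mail client shows them: the topmost was added last, by the recipient's own server.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.20]) by inbox.example.com with ESMTPS id q7; Tue, 12 Mar 2024 10:05:01 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77]) by mx.example.org with ESMTP id k3; Tue, 12 Mar 2024 10:04:58 +0000
From: "Accounts Team" <accounts@bank.example>
To: victim@example.com
Date: Tue, 12 Mar 2024 10:04:50 +0000
Message-ID: <20240312100450.1234@mailer.example.net>
Subject: Action required on your account

Please log in at the link below.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_received(value):
    """Claimed host (HELO), the IP the receiving MTA actually saw, and the hop timestamp."""
    hop = {"helo": None, "ip": None, "time": None}
    m = HOP_RE.search(value)
    if m:
        hop["helo"] = m.group("helo")
        ipm = IP_RE.search(m.group("info") or "") or IP_RE.search(value)
        if ipm:
            hop["ip"] = ipm.group(1)
    if ";" in value:                      # the date follows the last semicolon
        try:
            hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass                          # malformed dates are common in forged hops
    return hop

def analyze_headers(raw):
    msg = message_from_string(raw)
    # Reverse so hops read chronologically: origin first, the final MTA last.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_domain = (msg.get("Message-ID", "") or "").strip("<> ").rpartition("@")[2].lower()
    indicators = []
    if msgid_domain and from_domain and msgid_domain != from_domain:
        indicators.append("message_id_domain_mismatch")   # weak on its own: bulk mailers do this
    if hops and hops[0]["helo"] and hops[0]["helo"].strip("[]") == hops[0]["ip"]:
        indicators.append("origin_has_no_hostname")       # sent from a bare IP, as many bots are
    times = [h["time"] for h in hops if h["time"]]
    if any(a > b for a, b in zip(times, times[1:])):
        indicators.append("hop_timestamps_out_of_order")
    if hops and hops[0]["ip"] and any(ipaddress.ip_address(hops[0]["ip"]) in n for n in RFC1918):
        indicators.append("origin_is_rfc1918_address")    # real origin is further down the chain
    return {"from_domain": from_domain, "message_id_domain": msgid_domain,
            "hops": hops, "indicators": indicators}

if __name__ == "__main__":
    result = analyze_headers(SAMPLE_MESSAGE)
    for h in result["hops"]:
        print(h["time"], h["helo"], h["ip"])
    print(result["indicators"])
```

Everything below the first Received: line written by a server you control is under the sender's control, including earlier-looking Received: lines, so the trust boundary is the hop at which the message entered infrastructure whose logs you can obtain; the IP recorded there is the fact the rest of the investigation builds on.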

MALWARE ANALYSIS

Static Analysis

Static analysis involves examining the malware without executing it. Cyber forensic experts
examine the program file's disassembled code, printable strings, embedded resources (icons,
images, configuration) and other metadata. Breaking the malware down into its components helps
the expert understand what it contains. The goal is to reverse engineer the binary far enough to
understand its logic: the original source code is almost never recoverable from machine code, but
a disassembler or decompiler gets close enough to answer the investigator's questions. Steps
include:

• File type determination

• Strings encoded in binary file

• Hash comparison

• Checking against database

1. Antivirus Scanning: A Useful First Step

The first step when analysing a suspected malware sample is to run it through several antivirus
programs, which may already have identified it. However, antivirus tools are far from perfect at
detecting malware. They rely on a database of recognisable pieces of known malicious code (file
signatures), supplemented by behavioural and pattern-matching analysis (heuristics), to recognise
suspect files. Unfortunately, malware authors can easily modify their code, changing the
program's signature and evading the scanners. Uncommon malware therefore often passes
antivirus software unnoticed, simply because it is not in the database. Heuristics, which can catch
some unknown malicious code, can likewise be bypassed by new and rare malware.

2. Hashing: A Fingerprint for Malware

Hashing is one of the most common methods of identifying malware. The suspect file is run
through a hashing program that produces a digest which uniquely identifies it, a fingerprint.
Message-Digest Algorithm 5 (MD5) is still the most widely used hash in malware databases, and
Secure Hash Algorithm 1 (SHA-1) is also common. Both are broken for collision resistance (an
attacker can craft two different files with the same MD5 or SHA-1 digest), so an examiner should
record SHA-256 alongside them; for looking a sample up in an existing database the older hashes
remain useful. The same hashes serve a second purpose: recorded at acquisition and re-checked
later, they prove that an evidence image has not changed, which is what the chain of custody
requires.

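Both uses of hashing above, identifying a sample and proving an image unchanged, come down to the same routine. The Python below is an added example, not code from these notes or from any forensic suite: it hashes a file-like object once while feeding MD5, SHA-1 and SHA-256 from the same read (an evidence image should be read from the drive as few times as possible), looks the SHA-256 up in a constructed "known bad" set, re-verifies a recorded set of digests the way a custody check does, and shows that flipping a single byte, which is all a malware author needs to do to defeat a hash signature, changes every digest. The sample bytes and the reference entry are invented for the example.

```python
import hashlib
import io

# Constructed stand-in for a suspect file (a DOS stub and padding; not real malware).
SUSPECT_FILE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 200

# Assumed reference database: SHA-256 -> family name. A real one would be loaded
# from a vendor feed; here the single entry is computed from the sample itself.
KNOWN_BAD_SHA256 = {hashlib.sha256(SUSPECT_FILE).hexdigest(): "Example.Dropper.A"}

def hash_stream(fp, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file-like object in one pass, feeding every algorithm from the same
    read, so a multi-gigabyte image is read from the evidence drive only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size

def hash_bytes(data, **kw):
    """Convenience wrapper for in-memory data; kw is passed to hash_stream."""
    return hash_stream(io.BytesIO(data), **kw)[0]

def lookup(digests, database=KNOWN_BAD_SHA256):
    """Identify a sample by digest; None means 'unknown', not 'clean'."""
    return database.get(digests["sha256"])

def verify_image(data, recorded):
    """Chain-of-custody check: recompute every recorded digest and compare."""
    current = hash_bytes(data, algorithms=tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}

def flip_one_byte(data, offset):
    """A one-byte change: what an author does to dodge a hash signature, and
    what an examiner must be able to detect if an image has been tampered with."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    digests = hash_bytes(SUSPECT_FILE)
    print("identified as:", lookup(digests))
    print("after one-byte change:", lookup(hash_bytes(flip_one_byte(SUSPECT_FILE, 100))))
    print("custody check:", verify_image(SUSPECT_FILE, digests))
```

The chunked loop is the point of the example: hashlib accepts a whole bytes object, but an image larger than memory, or one read over a write blocker, must be streamed, and hashing all three algorithms in the same loop avoids reading it three times. A negative lookup says only that the digest is not in the database; a sample recompiled or padded by a single byte is, to a hash database, a new file.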
3. Finding Strings

A string in a program is a sequence of characters such as "the". A program contains strings if it
prints a message, connects to a URL, or copies a file to a specified location. Looking through the
strings is an easy way to learn what a program does: for instance, if a program accesses a URL,
that URL is usually stored as a string in the program. The Sysinternals Strings utility
(http://bit.ly/ic4plL) can be used to search an executable for strings, which are commonly stored
in ASCII or in Unicode (UTF-16LE on Windows) encoding; the Unicode strings are missed by
tools that look for ASCII only. Packed or encrypted samples yield few meaningful strings, which is
itself a clue that the sample is packed.
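The Strings utility is closed source, but what it does is simple enough to reproduce, and doing so shows why the Unicode pass matters. The Python below is an added example, not code from these notes or from Sysinternals: it scans a constructed binary blob (a DOS stub, an ASCII URL, a UTF-16LE registry path and some non-text filler; nothing from a real executable) for runs of printable characters in both ASCII and UTF-16LE, reports each with its file offset, and then triages the results for the indicator types an examiner looks at first. The triage patterns are the example's own and deliberately coarse.

```python
import re

# Constructed binary blob (not a real executable): a DOS stub, an ASCII URL, a
# UTF-16LE registry path, and non-text filler that must not show up as strings.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + bytes(range(0, 32)) * 2
    + b"http://203.0.113.9/update.bin\x00"
    + b"\x7f\x01\x02\x7e"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01ab\x00\x00"
)

def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in ASCII and in UTF-16LE, sorted by offset (like strings -a/-u)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE text is a printable ASCII byte followed by a NUL, repeated.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found

def interesting(strings):
    """Triage: URLs, IP addresses, registry paths and executable names, the kinds of
    indicator a static examiner looks for first. Patterns are deliberately coarse."""
    patterns = {
        "url": re.compile(r"https?://\S+"),
        "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
        "registry": re.compile(r"(?i)(?:HKEY_|Software\\Microsoft\\)"),
        "file": re.compile(r"(?i)\.(?:exe|dll|bin|bat|ps1)\b"),
    }
    hits = []
    for off, enc, text in strings:
        kinds = [k for k, p in patterns.items() if p.search(text)]
        if kinds:
            hits.append({"offset": off, "encoding": enc, "text": text, "kinds": kinds})
    return hits

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_BINARY):
        print("0x%06x %-8s %s" % (off, enc, text))
    for hit in interesting(extract_strings(SAMPLE_BINARY)):
        print(hit["kinds"], hit["text"])
```

Run with the default minimum length of 4, the ASCII pass alone would never show the registry path, because in UTF-16LE every letter is separated by a NUL byte; Windows malware that stores its persistence key as a wide string is invisible to an ASCII-only strings tool. The offsets are what let the examiner go back to the disassembly and find the code that references each string.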

Dynamic Analysis

Dynamic analysis involves running the malware and studying its behavior. Cyber forensic
experts create a controlled environment to study the malware. Dynamic analysis is done after
static analysis yields no results. It allows cyber forensic experts to find out the true functionality
of the malware. This technique comes with risks as cyber forensic experts run an unknown
malware sample. Here are the three components of analysis:

• System processes

• Registry analysis

• Network analysis

Sandboxing

As mentioned earlier, cyber forensic experts perform dynamic analysis in a controlled
environment; this is made possible by a sandbox, software that creates a safe and isolated
environment (typically a virtual machine with restricted or emulated network access) where
applications are run without harming the host. Dynamic analysis should never be performed
outside a sandbox. Sandboxing allows investigators to take malware analysis a step further and
execute the sample to study it without damaging the forensic workstation. Two caveats: the
sandbox must be reset to a clean snapshot after every run, and some malware checks for
virtualisation or analysis tools and behaves differently (or not at all) when it detects them, so a
quiet run is not proof that a sample is harmless.

Behavioral Analysis

This method is referring to how the cyber forensic experts observe the malware’s behavior upon
triggering it. All the details such as how the system files are modified, resource consumption,
and other parameters are observed.

MEMORY FORENSICS

Memory forensics is a crucial aspect of today's digital forensics investigations. RAM gives an
insight into all the data in use by the software that was running at the moment the system was
live. It is of utmost importance because it shows the series of events that occurred when the
attack took place: running processes, open network connections, loaded drivers, and keys and
code that never touch the disk. Because it is lost on power-off, memory is captured first, before
the machine is shut down for disk imaging.

TOOLS FOR ANALYSIS

Below are some popular tools and their uses:

• Cuckoo Sandbox: a very popular open-source sandbox used in malware analysis. Cuckoo allows
cyber forensic experts to analyse files in Windows, Linux, Mac OS X and Android virtualised
environments. It also performs memory analysis and network traffic analysis.

• YARA: a tool and rule language that malware researchers use to identify and classify samples
by the byte patterns and strings they contain.

• REMnux: a free Linux toolkit for malware analysis and reverse engineering of malicious
software. REMnux provides a clean and feature-rich environment in which to analyse malware
files with ease.

• VirusTotal: an online service that allows users to upload suspicious files and have them scanned
by many antivirus engines. Look a sample up by hash before uploading it: an uploaded file is
shared with the participating vendors, which in a sensitive investigation may not be acceptable.

INVESTIGATING WEB ATTACKS

Cyber-attack

A cyber-attack is any offensive manoeuvre employed by individuals or whole organisations that
targets computer information systems, infrastructures, computer networks and/or personal
computer devices by various malicious means, usually originating from an anonymous source,
and that steals, alters or destroys a specified target by breaking into a susceptible system.
Depending on context these are labelled a cyber campaign, cyber warfare or cyber terrorism.
Cyber-attacks range from installing spyware on a PC to attempts to destroy the infrastructure of
entire nations, and have become increasingly sophisticated and dangerous.

TYPES OF WEB ATTACKS

Firstly, let us look at the various types of attacks that happen in the web arena. Categorizing all
web attacks is quite difficult, as new ways of attacking keep being introduced and evolving: as
security is tightened, attackers also evolve to find new ways to attack the web. The major types
of web attacks are:

i. Spoofing.

ii. Privacy attacks.

iii. Denial of Service.

iv. Privilege escalation.

v. SQL injection attacks.


Spoofing

Email spoofing

Email spoofing is the creation of email messages with a forged sender address. It is easy to do
because the core protocols do not have any mechanism for authentication. It can be
accomplished from within a LAN or from an external environment using Trojan horses. Spam
and phishing emails typically use such spoofing to mislead the recipient about the origin of the
message.

Website spoofing

Website spoofing is the act of creating a website, as a hoax, with the intention of misleading
readers that the website has been created by a different person or organization. Normally, the
spoof website will adopt the design of the target website and sometimes has a similar URL. A
more sophisticated attack results in an attacker creating a "shadow copy" of the World Wide
Web by having all of the victim's traffic go through the attacker's machine, causing the attacker
to obtain the victim's sensitive information.

Denial of Service

In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network
resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or
suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS)
attack is one where the attack source is more than one, and often thousands, of unique IP
addresses. Criminal perpetrators of DoS attacks often target sites or services hosted on
high-profile web servers such as banks and credit card payment gateways, but motives of revenge,
blackmail or activism can be behind other attacks. A denial-of-service attack is characterized by
an explicit attempt by attackers to prevent legitimate users of a service from using that service.
There are two general forms of DoS attacks: those that crash services and those that flood
services.

SQL Injection Attacks

Because it is used so widely in every form of web attack discussed above, the SQL injection
attack is kept in an altogether separate category of web attacks. SQL injection is a code injection
technique, used to attack data-driven applications, in which malicious SQL statements are
inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application's software, for example
when user input is incorrectly filtered for string literal escape characters embedded in SQL
statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection
is mostly known as an attack vector for websites but can be used to attack any type of SQL
database.

WEB ATTACK FORENSICS

The difficulty of tracing hackers/offenders encourages them to commit more crimes. The
major objective of web forensics is to trace the attacker and, at the same time, collect enough
evidence that can be presented to and accepted in a court of law. The investigation of web attacks
can be viewed in two areas: a) web application forensics and b) web services forensics.

Web services forensics

The term "Web services" describes a standardized way of integrating Web-based applications
using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone.
XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the
services available and UDDI lists what services are available.

A Web service is a method of communication between two electronic devices over a network. It
is a software function provided at a network address over the Web with the service always on as
in the concept of utility computing. Two conceptual elements underlie current web services:

A. Use of XML (eXtensible Markup Language), SOAP (Simple Object Access Protocol), and
WSDL (Web Service Definition Language) as basic building material;

B. Complex applications built upon long-running transactions that are composed of other web
services.

There are many attacks on web services, such as WSDL/UDDI scanning, parameter tampering,
replays, XML rewriting, man-in-the-middle, eavesdropping, routing detours etc.

As in a document by NIST [csrc.nist.gov/publications/nistir/.../nistir-7559_forensics webservices.pdf]
we need to provide two features in web services forensics:

a) Pairwise evidence generation

b) Comprehensive evidence generation

Pairwise evidence generation: collect the transactional evidence of the interactions that occur
between pairs of services at service invocation times.

Comprehensive evidence generation: on demand, compose the pairs of transactional evidence
collected at service invocation times to reveal global views of complex transactional scenarios
that occurred during specified periods, and provide them to forensic examiners.
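The two features just described, as an added illustration that is not NIST's code or format: each service-to-service call is logged as one pairwise record at invocation time, and an examiner later composes the records of one transaction within a period into a global call chain. The record layout, the EvidenceStore class, the service names and the sample transaction are all assumptions made for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PairwiseEvidence:
    tx_id: str            # identifier shared by every hop of one transaction
    caller: str           # invoking service
    callee: str           # invoked service
    invoked_at: datetime  # UTC time of the invocation
    payload_sha256: str   # digest of the message, so the record can be verified later


class EvidenceStore:
    def __init__(self) -> None:
        self._records: list[PairwiseEvidence] = []

    def generate_pairwise(self, tx_id: str, caller: str, callee: str,
                          payload: bytes, when: datetime) -> PairwiseEvidence:
        """Pairwise evidence generation: record one service-to-service call
        at invocation time, binding the message to its SHA-256 digest."""
        rec = PairwiseEvidence(tx_id, caller, callee,
                               when.astimezone(timezone.utc),
                               hashlib.sha256(payload).hexdigest())
        self._records.append(rec)
        return rec

    def compose_comprehensive(self, tx_id: str, start: datetime,
                              end: datetime) -> list[PairwiseEvidence]:
        """Comprehensive evidence generation: on demand, join the pairwise
        records of one transaction inside [start, end] into a global chain."""
        start, end = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
        hops = [r for r in self._records
                if r.tx_id == tx_id and start <= r.invoked_at <= end]
        return sorted(hops, key=lambda r: r.invoked_at)


def demo_chain() -> list[tuple[str, str]]:
    # Constructed sample: a storefront calls payment, which calls the bank,
    # while an unrelated transaction (tx-99) runs in the same period.
    store = EvidenceStore()
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    store.generate_pairwise("tx-42", "storefront", "payment", b"<order id='7'/>", t0)
    store.generate_pairwise("tx-42", "payment", "bank", b"<charge amount='19.99'/>",
                            t0.replace(second=2))
    store.generate_pairwise("tx-99", "storefront", "inventory", b"<check sku='A1'/>",
                            t0.replace(second=1))
    chain = store.compose_comprehensive("tx-42", t0, t0.replace(minute=5))
    return [(r.caller, r.callee) for r in chain]
```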

Web Application Forensics

The Major tasks an investigator needs to do while performing web application forensics are:

a) Preliminary analysis: here we need to focus on the collection and protection of evidence, which
is in the form of logs. Apart from this, the investigator needs to build confidence by using robust
supporting forensic tools. Above all, it depends on the ability of the investigator to procure and
correlate all the data for inferences and conclusions.

b) Standard methodology: methodologies that are standard are more easily addressed and heard in
a court of law.

WEB APPLICATION FORENSICS TOOLS

It is very important to have supportive forensic tools in order to have a better grasp of web
application forensics. Tools that are useful for web application forensics are Microsoft
LogParser, EventLogAnalyzer, Http-analyze, Pyflag, Analog, Open Web Analytics,
Mywebalizer, CORE Wisdom, Logjam, Sawmill, and Lire.
