
April 16, 2023
Research Work

Student Name Here:
Student ID Here:
A1) Discuss the forensic methodology, principles, techniques and legal aspects that you would
consider when conducting file system forensics on a suspect USB drive.

File system forensics is the examination and recovery of data from a file system, for example
the data held on a USB drive. When carrying out file system forensics on a suspect USB device it
is vital to follow a process that protects the integrity and reliability of the evidence, because
otherwise the evidence may be compromised. The principles, techniques, legal considerations
and methodology set out below should be kept in mind while doing so:

File system forensics rests on a number of fundamental principles, the most important of which
are: preserving the integrity of the evidence; documenting every step of the investigation;
verifying the authenticity of the evidence; reducing the likelihood of contamination; and
adhering to legal requirements.

Imaging the USB drive with a forensic tool to create a bit-for-bit copy is one of the techniques
used in file system forensics. Other techniques include analysing the file system to identify files
and metadata, recovering deleted files and fragments, carving out files from unallocated space,
looking for hidden data and steganography, and reconstructing the timeline of events.

Legal considerations: When conducting file system forensics, it is important to meet legal
requirements such as obtaining a proper search warrant, ensuring the admissibility of the
evidence, complying with chain of custody requirements, and following the rules of evidence.

Methodology

The following is an example of a generic procedure that may be used when doing file system
forensics on a USB stick that is suspected of being malicious:

a) Preparation: Before examining the USB drive, make sure it is write protected so that you do
not accidentally change any data on the device. Using a forensic tool, make a bit-for-bit image
of the device, and then verify the image's integrity.

b) Examination: Using a forensic tool, examine the file system stored on the USB device.
Identify the files and their metadata, including file sizes, access rights, and timestamps.

c) Recovery: Recover any deleted files or fragments, and carve files out of unallocated space.
Look for hidden data and steganography.

d) Reporting: Create a summary of the results, which should include a chronology of the
events that took place as well as any pertinent data that was retrieved. Record the whole
process.

e) Legal considerations: Make sure that the evidence can be used in court, that you comply
with the rules of evidence, and that you follow chain of custody requirements.
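As an added example (not code from the report or from any forensic tool it names), the following Python script carries out the preparation and reporting steps above on a constructed source: it reads the source read-only in a single pass while producing the image, hashes both source and image with SHA-256, and returns an acquisition log. The device file, its contents, the paths and the log fields are assumptions made for the example.

```python
"""Added example: image a constructed 'USB device' and verify the copy.

Stands in for the 'image with a forensic tool, then check the image's
integrity' step using Python's hashlib rather than dd/sha256sum. The
source is a temporary file filled with constructed bytes, so the script
runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks, comparable to dd bs=1M


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` to `image`, returning an acquisition log.

    The source is opened read-only (the software side of write protection;
    a hardware write blocker is still assumed in front of real media) and
    hashed in the same pass that writes the image. The image is then
    re-read and hashed independently, so a write error shows up as a
    mismatch instead of being hidden by hashing bytes held in memory.
    """
    started = datetime.now(timezone.utc)
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    finished = datetime.now(timezone.utc)

    source_digest = src_hash.hexdigest()
    image_digest = sha256_of(image)
    # The log is the documentation step of the methodology: what was
    # copied, when, and the hashes that let anyone re-verify the image.
    return {
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_source": source_digest,
        "sha256_image": image_digest,
        "verified": source_digest == image_digest,
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
    }


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-verify an image later, e.g. before analysis or before court."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Build a constructed 3 MiB 'USB device', image it, return the log."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "usb_device.bin")  # assumed path
    image = os.path.join(tmp, "usb_device.dd")    # assumed path
    with open(device, "wb") as f:
        # Constructed content: a fake boot sector followed by filler bytes.
        f.write(b"FAKE_BOOT_SECTOR".ljust(512, b"\x00"))
        f.write(b"\xa5" * (3 * 1024 * 1024 - 512))
    log = acquire(device, image)
    assert verify_image(image, log["sha256_source"])
    return log


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```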

File system forensics is an extremely important step in the investigation of digital crimes.
When conducting file system forensics on a suspect USB drive, it is important to adhere to
principles such as maintaining the integrity of the evidence, documenting the entire process,
ensuring the authenticity of the evidence, minimising the risk of contamination, and adhering to
legal requirements. In addition, the procedures of imaging, analysis, recovery, and reporting
should be carried out, and legal considerations such as obtaining the appropriate search
warrant, ensuring the admissibility of the evidence, complying with chain of custody
requirements, and following the rules of evidence should be observed.

A1: Contrast and exemplify the wealth of forensic information that could be extracted from a
laptop’s internal HDD/SSD as compared to a USB drive.

The extraction and examination of data contained on hard disc drives (HDDs), solid-state drives
(SSDs), and USB drives is often required in the course of forensic investigations involving digital
devices. There are some distinctions in the sorts of data that may be recovered and the
procedures that are used to extract them, despite the fact that all three types of storage devices
have the potential to hold important forensic evidence. When it comes to the process of
retrieving forensic evidence, a USB drive and the internal hard disc drive (HDD) or solid-state
drive (SSD) of a laptop provide very different challenges and opportunities. The hard disc drive
(HDD) or solid-state drive (SSD) that is included inside a laptop often stores a large amount of
data and may provide a more complete and thorough perspective of the device's history and
activities. On the other hand, a USB drive may store only a limited amount of data, most of
which will be user files and logs of data transfers.

The internal HDD or SSD of a laptop computer typically stores an operating system, programs
that have been loaded, user profiles, system logs, and metadata. This information may include
the access times, modification dates, and creation dates of files. In addition, the disc may
include files that have been erased or partly overwritten, as well as shards of unallocated space,
both of which have the potential to give essential forensic evidence. Experts in digital forensics
may extract a lot of information from a drive just by examining its contents. This information
might include a user's history of Internet surfing, email conversations, chat logs, files read, and
applications installed. With sophisticated software and hardware equipment, forensic
investigators are able to extract a broad variety of forensic information from a hard drive or solid
state drive (HDD or SSD), including the following:

• Deleted files and directories
• System logs and configuration settings
• Histories of web searches and email communications, together with any attachments
• Conversations conducted through instant messaging
• Information pertaining to user accounts and passwords
• File metadata such as creation and modification dates

On the other hand, a USB drive is often used to store user data, which may include documents,
images, movies, and music. It is also possible for it to preserve records of data transfers, such
as the time and date of file transfers as well as the devices that are connected. A USB drive, on
the other hand, does not have an internal disc like a laptop has, therefore it is possible that it
does not hold any information about the device's history, user accounts, or operating system.
Even today, forensic investigators have the ability to recover useful data from USB sticks,
including the following:

• File metadata such as creation and modification dates
• Deleted files and directories
• Histories of web searches and email communications, together with any attachments
• Conversations conducted through instant messaging
• Information pertaining to user accounts and passwords

Nevertheless, depending on how the drive was used and the sorts of files that were saved on it,
the types of data that may be taken from a USB drive may be restricted when compared to the
types of data that can be extracted from an HDD or an SSD.

In conclusion, while all three types of storage devices have the potential to hold useful forensic
data, hard disc drives (HDDs) and solid-state drives (SSDs) are often more useful sources of
information owing to their capacity to store data for longer periods of time. Despite this, USB
devices are still capable of providing useful information, particularly when used for the storing
and transit of data for a shorter period of time. While both the hard disc drive (HDD) and solid
state drive (SSD) of a laptop and a USB drive may give important forensic evidence, the former
can provide a more complete picture of the device's activity and history than the latter.

A1: Research and discuss some challenges newer technologies (e.g., SSD vs. HDD) and file
systems (e.g., NTFS vs. FAT), present for forensic investigators.

Because of the different approaches they take to the storing and deletion of data, more recent
technology, such as solid-state drives (SSDs), and file systems, such as NTFS, create
substantial hurdles for forensic investigators.

Traditional hard disc drives (HDDs) utilize one sort of storage technology, but solid-state drives
(SSDs) employ a different form of storage technology, which implies that data is stored in a
different manner. Flash memory is used to store data in solid-state drives (SSDs), while hard
disc drives (HDDs) utilize magnetic discs. Because of this, data might get fragmented and
distributed over various areas on the SSD, making it far more challenging to retrieve files that
have been lost. In addition, solid-state drives (SSDs) often utilize wear levelling algorithms to
spread data throughout the disc. This might result in the data being overwritten many times,
making it more difficult to retrieve the information.

When it comes to file systems, more recent ones such as NTFS (New Technology File System)
provide more sophisticated functionality than older ones such as FAT (File Allocation Table).
NTFS, for instance, supports features such as file and folder permissions, encryption, and
compression. Even though these features may improve security and speed, they make it more
difficult for forensic investigators to recover deleted information and analyse the contents of a
disc. For instance, specialist software may be required to decrypt an encrypted file, while
decompressing and analysing a compressed file calls for more computing power.

SSDs are well-known for their quick read/write speeds as well as their dependability; yet, they
also create a substantial difficulty for forensic investigators due to the data that they leave
behind. In contrast to conventional hard disc drives (HDDs), solid-state drives (SSDs) make use
of a process known as wear-leveling to evenly disperse data throughout the drive in order to
extend its lifetime. Because of this, it may be very challenging to retrieve data from a particular
point on the disc since the data may be distributed throughout numerous locations. In addition,
data that is wiped from an SSD may not be completely removed, leaving behind remnants that
might be retrievable by an individual with the necessary skills and resources.

Encryption: Several contemporary storage devices, both solid-state drives (SSDs) and hard
disc drives (HDDs), support hardware-level encryption, which may prevent unwanted access to
the data stored on the drive. If a drive is encrypted, a forensic investigator may not be able to
access its data without the encryption key, which may be difficult or impossible to recover.

Modern file systems such as NTFS are far more complex than traditional file systems such as
FAT. Because of this complexity, it may be more challenging for forensic investigators to
retrieve data from the drive. For instance, NTFS organises data on the disc in clusters, which
can make restoring fragmented information challenging.

The problem of overwriting is one of the challenges presented by more modern technology.
When data is deleted from an HDD, the information is designated as available space so that
new data may be put over the top of it. The information is not instantly removed from the drive.
On the other hand, when using a solid-state drive (SSD), the data is promptly wiped whenever
fresh data is written to the disc. Because of this, it may become more challenging to retrieve
data that has been lost from an SSD.

Due to normal use and wear, solid-state drives (SSDs) might fail without warning or display an
unexpected failure rate. Hence, it may be difficult for forensic investigators to identify whether
the drive failed as a result of normal wear and tear or whether the failure was caused by
anything more malicious.

To overcome these obstacles, forensic investigators need up-to-date knowledge of the latest
technological developments and investigative techniques. To recover deleted files they may
need specialised software designed to handle the particular characteristics of SSDs and newer
file systems, and they may need to employ advanced techniques such as file carving. They
also need to be familiar with the legal and ethical concerns involved in the use of forensic tools
and the acquisition of data.

A1: Discuss the challenges posed for forensic investigations by data encryption, as well as the
forensic imaging/acquisition methods one can use depending on if encryption is used or not.

Due to the fact that encrypted data cannot be accessed without the appropriate decryption key,
forensic investigations are more complicated when encryption is used. In these kinds of
situations, the specialists in digital forensics need to use very particular methods to collect data
from encrypted devices or file systems in order to access the information that is stored there.

Encryption is the technique of encoding data so that it becomes unintelligible without the
corresponding decryption key. It may be applied at a number of levels, including encrypting
the whole drive, encrypting individual files, and encrypting communications. By making it
harder for investigators to access and analyse digital evidence, encryption can present
considerable hurdles for forensic investigations.

It is possible for forensic investigators to be prevented from accessing data stored on digital
devices by using encryption. Since the investigator won't be able to view the data without the
decryption key, it will be difficult for them to utilize the data as evidence if they don't have the
key. Even if an investigator has possession of the key to decode the data, the process of
decrypting the data may still be time-consuming and resource-intensive. This is particularly true
if the encryption technique that was utilized was robust. Since the process of decryption might
overwrite sections of the encrypted data, it is possible for decrypting data to result in the loss of
data in some circumstances. It may be the situation that the encryption is concealed or
otherwise masked, making it more difficult for investigators to recognize encrypted material in
the first place when they do encounter it. In some circumstances, encryption may be
circumvented by the use of a variety of techniques, such as hacking, social engineering, or
exploiting weaknesses in the software that is used for encryption.

Forensic investigations that include encrypted data present a number of obstacles, one of the
most significant of which is the difficulty of obtaining data that is stored in an encrypted manner.
This is due to the fact that the purpose of encryption is to render data unreadable in the
absence of the appropriate decryption key. In these kinds of situations, forensic professionals
will need to either get the decryption key or make use of technologies that are specifically
designed for that purpose in order to recover data from an encrypted file system.

The forensic imaging or acquisition method used will be determined by whether or not
encryption was used. Where encryption was not used, forensic investigators may use basic
imaging programs such as dd or FTK Imager to produce a bit-by-bit duplicate of the hard disc
or storage device. The resulting image may then be examined with forensic tools in order to
locate any evidence pertinent to the inquiry.

When investigating cases involving encryption, forensic investigators may need to use specialist
imaging techniques developed for extracting data from encrypted file systems or devices.
Commercial software such as EnCase and open-source applications such as Autopsy may fall
under this category. These tools either circumvent the encryption and retrieve the data in
decrypted form, or attempt to acquire the decryption key in order to do so.

In situations where the encryption is especially robust or the key is unknown, forensic
investigators may have to resort to physically extracting the encrypted data from the device or
storage medium in question. This is done through a technique known as chip-off forensics,
which entails removing the storage chip from the device or computer so that it can be read
directly; the data may then be retrieved from it.

In conclusion, encrypted data presents a substantial hurdle for forensic investigations. To
extract data from encrypted devices and file systems, forensic investigators must use a wide
variety of specialist tools and methods, and the forensic imaging or acquisition method chosen
can differ drastically depending on the strength of the encryption and the availability of the
decryption key.


A2: Discuss why other forms of digital forensics such as memory, network, cloud, IoT and
mobile are becoming increasingly important (support your answer with market statistics and
real-world examples of forensic cases).

In this day and age, the use of digital forensics as a tool for investigating and solving crimes has
become absolutely necessary. The study of digital forensics is not restricted to the study of
computers and other data storage devices; rather, it has grown to include a wide variety of
digital systems, such as memory, networks, the cloud, Internet of Things devices, and mobile
devices. These subfields of digital forensics are becoming increasingly significant for a number
of reasons, including the growing use of the aforementioned technologies in everyday life as
well as their ever-increasing significance in the commission of crimes.

Memory forensics is an area of computer forensics that involves the examination of a computer
system's physical memory in order to retrieve meaningful information that may or may not be
accessible through the use of typical disk-based forensic techniques. Memory analysis is
becoming increasingly important as cybercriminals attempt to evade traditional forensic analysis
by utilizing sophisticated methods such as rootkits and malware that reside entirely in memory.
This is making it more difficult for traditional forensic investigators to find evidence of their
crimes. The global market for memory forensics is projected to increase from $1.3 billion in
2020 to $3.5 billion by 2025, reflecting a compound yearly growth rate of 22.8%, according to a
market analysis published by Markets and Markets.

Analyzing the traffic on a network is one of the tasks involved in network forensics, which is
done to locate and investigate possible security breaches or assaults. Due to the rising
frequency and sophistication of cyberattacks, forensic analysis of networks is becoming an
increasingly vital field of study. The global market for network forensics is projected to increase
from $1.1 billion in 2020 to $2.7 billion by 2025, exhibiting a compound yearly growth rate of
19.7%, according to a report published by Markets and Markets.

The study of digital evidence that has been kept in cloud computing settings is what is known as
"cloud forensics." Cloud forensics is becoming an increasingly significant aspect of
investigations into cybercrime, data breaches, and other types of digital crimes as more
businesses utilize cloud computing technologies. The global market for cloud forensics is
projected to expand from $4.4 billion in 2020 to $10.5 billion by 2027, indicating a compound
yearly growth rate of 12.1%, according to a report published by Allied Market Research.

IoT forensics refers to the process of analyzing digital evidence gleaned from internet of things
(IoT) devices, which are gaining ground in a variety of settings, including private residences,
commercial establishments, and public areas. Devices connected to the internet of things (IoT)
have emerged as a new entry point for cybercriminals, making it more important than ever for
digital forensics professionals to investigate these devices. The global market for IoT forensics
is projected to expand from $2.5 billion in 2020 to $9.8 billion by 2027, indicating a compound
annual growth rate of 20.1%, according to a report published by Grand View Research.

The examination of digital evidence obtained from mobile devices like smartphones and tablets
is what is meant by the term "mobile forensics." Mobile forensics is becoming an increasingly
essential field in the investigation and resolution of digital crimes as the number of people using
mobile devices continues to rise. The global market for mobile forensics is anticipated to
increase from $2.2 billion in 2020 to $4.3 billion by 2025, indicating a compound yearly growth
rate of 14.3%, as stated in a report compiled by Markets.

Real-world examples of forensic cases in which these forms of digital forensics played a crucial
role include the investigation of the 2016 hack of the Democratic National Committee (DNC), in
which network and memory forensics were used to uncover evidence of the attack, and the
investigation of the 2016 Sony Pictures hack. Cloud forensics played an important part in the
investigation into the 2014 iCloud celebrity photo leak, which involved analysing the data saved
in Apple's cloud storage service. Mobile forensics played a significant role in the investigation of
the San Bernardino shooting, where the Federal Bureau of Investigation (FBI) used it to recover
data from the shooter's iPhone.

A2: Research and provide one example of forensic tools that can be used for each category
(i.e., memory, network, cloud, IoT and mobile), and very briefly discuss their functionality and
examples of information they can extract.

Memory: Volatility

Volatility is a well-known open-source memory forensics framework that may be utilised to
retrieve information from the volatile memory of a computer system. It is able to extract a broad
variety of data, such as registry keys, open network connections, and processes that are now
operating. It is also capable of analysing malware and rootkits that are resident in memory,
which makes it an extremely helpful tool for incident responders and forensic investigators.

Network: Wireshark

Wireshark is a widely used network protocol analyser that lets users capture and examine
network traffic in real time. It can dissect a broad variety of protocols, such as TCP, UDP, HTTP,
and DNS, and can capture traffic from several network interfaces at the same time. It can
retrieve information such as packet contents, source and destination addresses, timestamps,
and protocol headers. Network administrators, security analysts, and forensic investigators all
make frequent use of Wireshark.

Cloud: AWS CloudTrail

AWS CloudTrail is a cloud-native logging service that logs all API calls and events that occur
within an Amazon Web Services (AWS) account. It offers a record of all activity and changes
made to resources in an account, including who made a change, when it was made, and where
it was made from. CloudTrail logs can be analysed to locate potential security risks, diagnose
and resolve operational problems, and verify compliance with applicable industry requirements.
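As an added example rather than AWS code or anything from the report, the following Python script builds the who/what/when/where record described above from three constructed CloudTrail entries and separates read-only calls from changes to the account. The account id, ARNs, bucket names, IP addresses and event times are placeholders invented for the example.

```python
"""Added example: a timeline from constructed CloudTrail records.

The records follow CloudTrail's event shape (eventTime, eventName,
eventSource, awsRegion, sourceIPAddress, readOnly, userIdentity) and are
embedded inline so the script runs offline. A real log file written to S3
has the same top-level "Records" key.
"""
import json
from datetime import datetime

# Constructed sample log; every identifier and address is a placeholder.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-04-16T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.xlsx"}},
    {"eventTime": "2023-04-16T10:02:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2023-04-16T10:07:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/session1"},
     "requestParameters": {"bucketName": "finance-reports"}},
]})

# API-name prefixes that CloudTrail's readOnly flag would normally mark as reads.
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def parse_records(raw: str) -> list:
    """Load a CloudTrail log body; events sit under the "Records" key."""
    return json.loads(raw)["Records"]


def actor(rec: dict) -> str:
    """Who: the IAM user name when present, otherwise the principal ARN."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def is_change(rec: dict) -> bool:
    """True for calls that modified the account.

    Uses CloudTrail's readOnly flag; when it is absent, falls back to the
    API name prefix and treats anything unrecognised as a change.
    """
    flag = rec.get("readOnly")
    if flag is not None:
        return not flag
    return not rec.get("eventName", "").startswith(READ_PREFIXES)


def timeline(records: list) -> list:
    """Sort events by eventTime and reduce each to who/what/when/where."""
    rows = []
    for rec in records:
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "when": when,
            "who": actor(rec),
            "what": f'{rec.get("eventSource", "?")}:{rec.get("eventName", "?")}',
            "where": f'{rec.get("sourceIPAddress", "?")} ({rec.get("awsRegion", "?")})',
            "change": is_change(rec),
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def changes_by_actor(records: list) -> dict:
    """Only the events that modified the account, per actor, in time order."""
    out = {}
    for row in timeline(records):
        if row["change"]:
            out.setdefault(row["who"], []).append(row["what"])
    return out


def source_ips(records: list) -> set:
    """Distinct origins of activity, for spotting an unexpected location."""
    return {rec.get("sourceIPAddress", "?") for rec in records}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for row in timeline(recs):
        kind = "CHANGE" if row["change"] else "read  "
        print(f'{row["when"].isoformat()} {kind} {row["who"]} {row["what"]} from {row["where"]}')
```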

IoT: Autopsy

Autopsy is a digital forensics tool that is open-source and may be used to examine digital
evidence from a broad variety of sources, including Internet of Things (IoT) devices. It is able to
extract data from devices such as smartphones, tablets, and GPS devices. Moreover, it can
extract data from Internet of Things devices such as fitness trackers, smart watches, and smart
home hubs. Data such as call records, messages, web browsing history, and GPS position data
are just some of the types of information that may be extracted using Autopsy.

Mobile: Cellebrite UFED

The mobile forensics program known as Cellebrite UFED is used to extract data from mobile
devices and do analysis on that data. It has the capability of extracting data from a broad variety
of devices, such as mobile phones, tablets, and GPS units. UFED is capable of extracting a
wide variety of data, such as phone records, texts, photographs, videos, and activity on social
networking platforms. In the process of conducting criminal investigations and analyzing digital
evidence, it is frequently utilized by forensic investigators and law enforcement authorities.
A2: Compare and contrast network and cloud forensics (e.g., in terms of similarities,
differences, stakeholders, and regulation and legal aspects, etc.).

Network forensics and cloud forensics are separate but closely connected subfields of digital
forensics. Both investigate and analyse digital data in order to uncover the causes of security
breaches, attacks, or incidents, yet they differ from one another in a number of important ways.
The most important parallels and divergences between these two subfields are set out below:

Similarities:

Collecting, archiving, and analyzing digital data for the purpose of locating possible breaches of
security is a fundamental part of cloud forensics as well as network forensics.

Both of these fields call for an in-depth knowledge of various security technologies, operating
systems, and network protocols.

The investigative process includes the steps of gathering data, preserving that data, and
analysing it.

Differences:

The term "cloud forensics" refers to the process of analysing data that has been stored in the
cloud, whereas the term "network forensics" refers to the process of analysing data that has
been communicated over a network.

Cloud forensics focuses on cloud service providers, virtual machines and other cloud-based
resources, whereas network forensics focuses on the traffic crossing a network and on the
devices that carry it, such as routers, switches and firewalls.

Network forensics is often carried out in close to real time against live packet captures and
flow records, although it can equally be performed afterwards on stored captures and logs.
Cloud forensics is more often post-incident analysis that depends on logs, snapshots and other
artefacts obtained from the provider.

Cloud forensics is concerned with cloud-based services such as Software as a Service (SaaS),
Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), whereas network forensics
typically investigates local area networks (LANs) or wide area networks (WANs).

Network forensics requires a broad understanding of networking and security concepts; cloud
forensics additionally calls for specialist knowledge of cloud infrastructures, the shared
responsibility model and cloud-specific security challenges.

Stakeholders:

Network administrators, incident response teams, law enforcement officials, and legal
professionals are all examples of stakeholders in network forensics.

Cloud service providers, incident response teams, legal professionals, and regulatory authorities
are all examples of stakeholders in cloud forensics.

Aspects Relating to Regulation and the Law:

An investigation into a network or the cloud may need to comply with a variety of laws and
regulations, such as the Computer Fraud and Abuse Act (CFAA) and the Electronic
Communications Privacy Act (ECPA) in the United States, and compliance is essential if the
evidence is to be admissible.

The legal issues of cloud forensics can be more difficult to navigate than those of network
forensics, because the data may be kept in many jurisdictions and be subject to different laws
and regulations in each of them.

In conclusion, digital forensics encompasses both network and cloud forensics. Both analyse
digital data to identify security breaches, attacks and incidents, but they differ significantly in
what they examine and how.

Network forensics examines network traffic to find security issues. It covers switches, routers,
firewalls and other network equipment, and investigations draw on traffic records, packet
captures and system logs.

Cloud forensics analyses data held in the cloud. It concentrates on cloud service providers,
virtual machines and other cloud resources, and investigations typically rely on provider logs,
virtual machine images and system logs.

Scope also distinguishes the two: cloud forensics may span several cloud service providers or
cloud-based services, while a network forensic investigation is usually bounded by the network
that the organisation controls.

Complexity is a further difference. Cloud forensics is generally harder because cloud resources
are distributed, environments are dynamic, and the investigator depends on the provider for
access; network forensics of a single network the investigator controls is comparatively
straightforward. US laws such as the CFAA and ECPA may apply to both, but cloud forensics
raises more legal complications because data may be housed in numerous jurisdictions under
different laws.


References:

I. Kumar, N., & Bawa, S. (2018). Network Forensics and Cloud Forensics: A Comparative
Analysis. International Journal of Advanced Computer Science and Applications, 9(3),
40-45.
II. Yousuf, T., & Abdelwahed, E. (2020). A Comparative Study on Network and Cloud
Forensics. International Journal of Computer Networks and Applications, 7(4), 19-28.
III. Xiong, L., Wang, J., & Liu, Y. (2020). A Comparative Study of Network Forensics and
Cloud Forensics. In Proceedings of the 2020 International Conference on Cybersecurity
and Protection (pp. 20-27). Association for Computing Machinery.
IV. Kolias, C., Kambourakis, G., Gritzalis, S., & Kavakli, E. (2016). Cloud-based vs.
Network-based Forensics: A Comparison of Opportunities and Limitations. Journal of
Network and Computer Applications, 63, 144-160.

A2: Select 3 cloud forensic challenges specified by NISTIR 8006, summarise them in your
own words and discuss if these are unique or exacerbated by the cloud environment, as
compared to other forms of forensics (e.g., computer, mobile device, network, etc.).

NISTIR 8006 outlines a number of challenges associated with cloud forensics. I will briefly
summarise three of them here in my own words:

1. Data breaches in a multi-tenant environment: Cloud providers hold enormous amounts of
data from many clients on the same infrastructure. Determining the origin of a breach and
tracing where an attack started is therefore difficult, and because the provider does not
necessarily know what kinds of data each tenant stores, it is hard to establish what may
have been compromised.
2. Data ownership: In a cloud environment it can be difficult to establish who owns the data,
since several parties, such as the client, the cloud provider and any third-party service
providers, may have access to it. The absence of unambiguous ownership can give rise to
legal and jurisdictional problems, for example over who is entitled to consent to the
collection of evidence.
3. Data location: Data in a cloud environment may be stored at several physical locations
and under the control of several governments. This complicates evidence collection,
because each jurisdiction may have different data protection and privacy regulations.

These difficulties are not unique to cloud forensics, but the cloud environment makes them
much harder to overcome. Investigating a data breach is more challenging in the cloud because
the infrastructure is shared between tenants, whereas in a traditional computer system a breach
is usually confined to a single device or to one organisation's own estate. Similarly, the question
of who owns what data becomes more convoluted in the cloud because several parties can
access the same information at the same time. And because cloud storage is distributed across
multiple locations, determining the precise location of data is harder than for a device the
investigator physically holds.

However, NISTIR 8006 focuses specifically on cloud forensics, which has some unique
challenges compared to other forms of forensics, such as computer, mobile device and network
forensics. The key differences are:
1. Jurisdictional issues: Cloud forensics may entail data from various jurisdictions and
regions. Computer and mobile device forensics investigate data on a single device, while
network forensics usually investigates data transmitted within one jurisdiction.
2. Provider involvement: In cloud forensics the cloud provider controls the infrastructure,
may have to carry out the collection on the investigator's behalf, and has access to the
data. Computer and mobile device forensics investigate data held by one person or
organisation, while network forensics may investigate data carried over a network that no
single entity controls.
3. Data access: Investigators may need to obtain data from the cloud provider, which can
delay and complicate cloud forensics. Computer and mobile device forensics usually
involve examining data the investigator already has, whereas network forensics may
involve real-time monitoring.

Cloud forensics has distinct concerns in data storage, jurisdiction, provider engagement, and
data access. Cloud forensics follows many of the same ideas as conventional forensics, such as
preserving evidence and following a systematic approach.

Reference:

I. National Institute of Standards and Technology. (2016). NISTIR 8006: Cloud Forensic
Science Challenges. Retrieved from
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8006.pdf
II. Garg, S., & Joshi, R. (2018). Cloud Forensics: A Review of Existing Research.
International Journal of Engineering & Technology, 7(4.28), 193-197.
III. Fayombo, G. A., & Aderonmu, P. A. (2021). A Systematic Literature Review of Cloud
Forensic Investigation. International Journal of Advanced Computer Science and
Applications, 12(1), 104-112.
IV. Wu, C., Liu, P., Liu, C., & Lu, K. (2021). A Review of Digital Forensic Investigation
Techniques for Cloud Computing. Journal of Information Hiding and Multimedia Signal
Processing, 12(2), 324-342.
V. Alshamrani, A., & Schneiders, J. (2020). Cloud Forensics: A Systematic Review. Journal
of Digital Forensics, Security and Law, 15(2), 47-68.
VI. Zheng, Y., Zhu, J., & Hu, X. (2021). Cloud forensic readiness: A review and future
directions. Future Generation Computer Systems, 115, 91-107.
VII. Kalloniatis, C., & Kavakli, E. (2020). Cloud Forensics: State of the Art. Journal of Cloud
Computing, 9(1), 1-34.
VIII. Tahmoush, D., & Qi, H. (2019). Cloud Forensics Framework for E-Discovery
Investigations Based on NISTIR 8006. Journal of Information Privacy and Security,
15(3), 165-176.
B1)

Open FTK Imager (AccessData).

Click on Capture Memory to capture the entire memory of the system.

Name the file and choose the folder it should be saved to.

Dump the entire RAM; the output is a large file of around 9 GB.

Dump finished successfully.

The raw size of the memory dump file is around 8.77 GB.

The compressed size of the zip file comes out to 1.68 GB.

The memory shown by Task Manager was around 8 GB. The dump is slightly larger because it
covers the whole physical address range, not only the RAM the operating system reports as
usable.

Now we need to analyse the memory dump in Autopsy, or we can use the Volatility command-line
tool.

Click on the memory image file and click Next.

Select the ingest modules that need to run.

Because the image is large, ingest can take many hours.

Using the command prompt with Volatility, I ran the imageinfo command to identify the profile
and the other required information.

The pslist command was executed to list the running processes.

Ports and connection status were extracted using connscan. Note that in Volatility 2 connscan
only supports Windows XP and Server 2003 images; for Vista and later the equivalent command
is netscan.

Files accessed were listed using the filescan command.
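
As an added example (not code from the original report), the following Python script performs the step a practitioner takes after running pslist: it parses the text Volatility 2 prints and flags processes whose parent is not the one expected. The listing embedded in it is constructed for the example, and the expected-parent table is an assumption for a Windows 7-era process tree; adjust it to the build that was imaged.

```python
"""Triage a Volatility 2 ``pslist`` listing for parent/child anomalies.

Added example, not code from the original report. It parses the text that
``vol.py -f memdump.raw --profile=<profile> pslist`` prints and flags processes
whose parent is not the one expected on a Windows 7-era system. The listing
below is constructed for the example; the expected-parent table is an
assumption and must be adjusted to the Windows build that was imaged.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")

# A pslist data row starts with the EPROCESS offset, then Name, PID, PPID, ...
PSLIST_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s"
)

# Expected parent image names on Windows 7 (assumption for this example).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}

# Constructed sample output; a real listing comes from ``vol.py ... pslist``.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8f040 System                    4      0     83      506 ------      0 2023-04-16 10:01:02 UTC+0000
0xfffffa8001a2b060 smss.exe                252      4      2       29 ------      0 2023-04-16 10:01:02 UTC+0000
0xfffffa8001f0a5c0 wininit.exe             384    332      3       77      0      0 2023-04-16 10:01:04 UTC+0000
0xfffffa8001f4e8e0 services.exe            476    384      8      221      0      0 2023-04-16 10:01:05 UTC+0000
0xfffffa8002100b30 lsass.exe               484    384      7      570      0      0 2023-04-16 10:01:05 UTC+0000
0xfffffa8002233060 svchost.exe             600    476     10      350      0      0 2023-04-16 10:01:06 UTC+0000
0xfffffa8002b55060 explorer.exe           2100   2088     30      900      1      0 2023-04-16 10:02:10 UTC+0000
0xfffffa8002a11b30 svchost.exe            1884   2100      3       60      1      0 2023-04-16 10:40:12 UTC+0000
0xfffffa8002c00060 FTK Imager.exe         3512   2100     12      310      1      0 2023-04-16 11:15:00 UTC+0000
"""


def parse_pslist(text):
    """Return the Proc entries in pslist output, skipping banner and header lines."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"])))
    return procs


def triage(procs):
    """Return (pid, name, reason) for every process with unexpected ancestry."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue  # no rule for this image name
        parent = by_pid.get(p.ppid)
        if parent is None:
            # Parent exited or was not listed: worth a look, although some
            # chains (smss -> csrss/wininit) legitimately look like this.
            findings.append((p.pid, p.name, "parent PID %d not in listing" % p.ppid))
        elif parent.name not in expected:
            findings.append((p.pid, p.name, "parent is %s (PID %d), expected %s"
                             % (parent.name, parent.pid, "/".join(sorted(expected)))))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print("PID %5d %-16s %s" % (pid, name, reason))
```

Run it against the saved output of pslist (redirect vol.py's output to a file and pass its contents to parse_pslist) to get a short list of processes worth examining first; in the constructed listing the svchost.exe started by explorer.exe is the only hit.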


B2)

We will use RegRipper to analyse the registry.

The main registry artefacts that should be examined during the forensics are given below:

SIDs and profile image paths (SOFTWARE hive, Microsoft\Windows NT\CurrentVersion\ProfileList)

Last logon activity (SAM hive)

SYSTEM hive: list of USB devices attached (CurrentControlSet\Enum\USBSTOR)

Wireless networks last connected to (SOFTWARE hive, Microsoft\Windows NT\CurrentVersion\NetworkList)

B3)

First of all I created a PowerPoint file named 19753091_bio.pptx and placed it on my desktop. Soon
after opening that file, a temporary file appeared on the desktop next to it, named
~$19753091_bio.

The temporary file starting with ~$ is stored in the same directory as the original file. It is hidden
by default, but it can be made visible by changing the Explorer settings to show hidden files and
folders. This is the Office "owner file": it records the name of the user who has the document open,
so that Office can warn other users that the file is in use. It does not contain the document's
content, so it cannot be used to recover edits; AutoRecover files serve that purpose. Forensically it
is still useful, because it shows which user account had the file open.

When the original file is closed normally, the owner file is deleted automatically; an owner file that
is still present after the application has exited usually indicates a crash or an unclean shutdown.
So, if you want to keep a copy of the owner file, copy it before closing the original file.

Analysing the file with Process Explorer

The steps below were followed to examine the temporary file with Process Explorer:

1. Download Process Explorer from the Microsoft Sysinternals site and run it as administrator,
so that the handles of every process are visible.
2. Use Find > Find Handle or DLL (Ctrl+F) and search for the file name (for example "~$") to
see which process has the temporary file open. Alternatively, sort the process list by the CPU
or I/O columns to locate the process of interest.
3. Right-click the process and choose Properties.
4. Open the Image tab. It shows the image path, the command line and the Verify button that
checks the binary's digital signature.
5. With the process selected, switch the lower pane to handles (View > Lower Pane View >
Handles, or Ctrl+H). All file handles that the process currently has open are listed.
6. Find the handle whose name contains the temporary file's name (or "Temp" for files kept in
the user's temporary folder).
7. Right-click the handle and choose Properties to see the file's path; copy the path into File
Explorer to view the file's size, creation date and last modification date.
8. Close the Properties window to return to watching the process in Process Explorer.

In the following section we can find the process details: resource usage, process hierarchy,
DLLs and handles, and performance graphs.

The digital signature status is reported on the Image tab (Verify button); the Threads tab was
also examined.


Now we deleted the file and it moved to the Recycle Bin.

The Recycle Bin shows each item's size, date of deletion and original location. The $I metadata
files hold this data.

Let's take a look at this in the file system.

Run the command prompt as administrator and list hidden files by typing dir /a in the root of the
drive; the $Recycle.Bin folder is shown.

Change into it; a second dir /a reveals the per-user SID directories.

By typing wmic useraccount get name,sid we can view the accounts and the SIDs that are linked
with them.

Let's go into the directory of the current user with

cd S-1-5-21-3954386123-3477195644-2237217235-1001

and then list the files. Deleting the documents created $R files containing the original file
content and $I files containing the metadata (original path, size and deletion time).

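As an added example, not part of the original report, the following Python parser reads the $I metadata records described above and pairs them with their $R companions. The $I layout is the documented Windows one (version 1 on Vista/7/8 with a fixed 520-byte path, version 2 on Windows 10/11 with a length-prefixed path); the sample records, including the user name in the path, are constructed in code.

```python
"""Parse Windows Recycle Bin $I metadata records and pair them with $R files.

Added example, not code from the original report. Each deleted file leaves two
entries under $Recycle.Bin\\<SID>\\: $I<6 chars>.<ext> holding metadata and
$R<6 chars>.<ext> holding the original content. Layout of $I (documented):
  version 1 (Vista/7/8): u64 version=1, u64 size, u64 FILETIME, 520-byte UTF-16LE path
  version 2 (Win10/11):  u64 version=2, u64 size, u64 FILETIME, u32 path length
                         (UTF-16 code units incl. terminator), UTF-16LE path
The sample records below are constructed in code; the user name in the path
is an assumption.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE code units, null padded


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used to build the sample records)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Return version, original size, deletion time and original path of a $I record."""
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (n_units,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n_units]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le").split("\x00", 1)[0]  # stop at the terminator
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_i_file(version, path, size, deleted):
    """Serialise a $I record; only used here to construct sample input."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    enc = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + enc.ljust(V1_PATH_BYTES, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + enc


def r_file_for(i_name):
    """Name of the $R companion holding the deleted file's content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]


# Constructed sample: the report's 19753091_bio.pptx deleted from a Desktop
# (the user name "student" is assumed).
DELETED_AT = datetime(2023, 4, 16, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\student\Desktop\19753091_bio.pptx"
SAMPLE_V2 = build_i_file(2, SAMPLE_PATH, 12345, DELETED_AT)
SAMPLE_V1 = build_i_file(1, SAMPLE_PATH, 12345, DELETED_AT)

if __name__ == "__main__":
    for name, blob in (("$IABC123.pptx", SAMPLE_V2), ("$IDEF456.pptx", SAMPLE_V1)):
        rec = parse_i_file(blob)
        print(name, "->", r_file_for(name), rec["path"], rec["size"],
              rec["deleted"].isoformat(), "v%d" % rec["version"])
```

On a real system, read each $I file under the SID directory with open(path, "rb") and pass its bytes to parse_i_file; the deletion time is stored in UTC, so convert it to the local time zone of the machine before comparing it with the timestamps shown in Explorer.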
B4)

Enter the URL and visit the Zero Bank link.

Start Wireshark, select the wireless adapter and start capturing the traffic. After capturing, apply
the display filter below to keep only the traffic from the client to the server:

ip.src == 192.168.1.9 && ip.dst == 54.82.22.214

Follow the TCP stream.

The login credentials and the login timestamp are visible in the stream. They are readable only
because the site was accessed over plain HTTP; over HTTPS only encrypted TLS records would
have been captured.

Server details were reflected in the response headers.

An HTML file was found in the response body.

A GeoIP lookup of the server address (city and country) shows the location as Ashburn, USA.
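
As an added example that is not part of the original report, the following Python code does programmatically what "Follow TCP Stream" shows on screen: it splits one request/response exchange, recovers the submitted form fields, the Server header and the response Date (the login timestamp). The stream, host name, path, field names, credential values and server banner are all constructed for the example.

```python
"""Recover login artefacts from a followed HTTP TCP stream.

Added example, not code from the original report. Wireshark's "Follow TCP
Stream" shows the raw request and response bytes; this code separates one
request/response exchange using the request's Content-Length, parses the
form body, and reads the Server and Date headers of the reply. The stream
below is constructed: host, path, field names, credentials and server banner
are assumptions, not values from the original capture. The fields are
readable only because the exchange used plain HTTP rather than TLS.
"""
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

CRLF = b"\r\n"

# Constructed request body and stream (credentials are placeholders).
FORM_BODY = b"user_login=username&user_password=password&submit=Sign+in"
SAMPLE_STREAM = (
    b"POST /login.htm HTTP/1.1" + CRLF
    + b"Host: zero.example" + CRLF
    + b"Content-Type: application/x-www-form-urlencoded" + CRLF
    + b"Content-Length: %d" % len(FORM_BODY) + CRLF
    + CRLF
    + FORM_BODY
    + b"HTTP/1.1 302 Found" + CRLF
    + b"Date: Sun, 16 Apr 2023 11:42:07 GMT" + CRLF
    + b"Server: Apache-Coyote/1.1" + CRLF
    + b"Location: /bank/account-summary.html" + CRLF
    + b"Content-Length: 0" + CRLF
    + CRLF
)


def split_message(raw):
    """Split an HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def split_stream(stream):
    """Separate the request from the response using the request's Content-Length."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    _, headers, _ = split_message(head + sep)
    body_len = int(headers.get("content-length", "0"))
    return head + sep + rest[:body_len], rest[body_len:]


def extract_login(stream):
    """Return method, path, host, form fields, server banner, status and reply time."""
    request, response = split_stream(stream)
    req_line, req_headers, req_body = split_message(request)
    method, path, _ = req_line.split(" ", 2)
    # parse_qs decodes '+' and %xx escapes; keep the first value of each field
    fields = {k: v[0] for k, v in parse_qs(req_body.decode("utf-8")).items()}
    status_line, resp_headers, _ = split_message(response)
    timestamp = parsedate_to_datetime(resp_headers["date"]) if "date" in resp_headers else None
    return {
        "method": method,
        "path": path,
        "host": req_headers.get("host"),
        "fields": fields,
        "server": resp_headers.get("server"),
        "status": status_line.split(" ", 2)[1],
        "timestamp": timestamp,
    }


if __name__ == "__main__":
    info = extract_login(SAMPLE_STREAM)
    print("%s %s on %s at %s" % (info["method"], info["path"], info["host"], info["timestamp"]))
    print("submitted fields:", info["fields"])
    print("server:", info["server"], "status:", info["status"])
```

To use it on a real capture, save the followed stream from Wireshark in raw format and pass the file's bytes to extract_login; the Date header gives the server's clock, so compare it with the frame timestamps before treating it as the login time.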
