Today we live in the information age, and almost all information transferred over the internet passes through digital devices. With the advent of the world-wide web, advanced forms of digital crime came into the picture. Criminals use digital devices to commit digital crimes, so for the investigation forensic experts have to adopt practical frameworks and methods to recover data for analysis that can serve as evidence. A digital forensics investigation adopts three essential processes: data generation, data preparation and data warehousing. Data mining has considerable potential in the field of digital forensics. Computer forensics is an emerging discipline for investigating computer crime. In this paper we introduce cyber forensics using a sequence mining algorithm, comparing it with an association rule mining algorithm on the same parameters.
cyberforensics also use these proprietary tools. These commercial tools are very expensive and are licensed for a particular duration; after expiry the license has to be renewed. They are easy to use, and proper documentation and support are available for them. On the other hand, open source cyber forensic tools are also available and are equally efficient, but the disadvantages of using open source tools are the lack of support and proper documentation, and these tools are also difficult to use. First, most Open Source Solutions (OSS) frameworks were adapted from system utilities such as disk backup, file system detection and system checking that were not designed for computer forensics usage. Second, the investigator must have detailed knowledge of computer architecture, which poses a serious risk for a novice or intermediate level investigator. Third, there is no GUI, and the output provided by open source tools is text based and usually very hard to understand. Fourth, in many cases an expert has to use more than one tool to obtain evidence.
Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users’ activities for censorship, to distribute malware and spam, and to subvert the correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challenge-response defences against attacks by (the common) off-path adversaries. Such defences do not suffice against stronger, man-in-the-middle (MitM), adversaries. However, MitM is not believed to be common; hence, there seems to be little motivation to adopt systematic, cryptographic mechanisms. We show that challenge-response defences do not protect against cache poisoning. In particular, we review common situations where (1) attackers can frequently obtain MitM capabilities and (2) even weaker attackers can subvert DNS security. We also experimentally study dependencies in the DNS infrastructure, in particular dependencies within domain registrars and within domains, and show that multiple dependencies result in a more vulnerable DNS. We review domain name system security extensions (DNSSEC), the defence against DNS cache poisoning, and argue that not only is it the most suitable mechanism for preventing cache poisoning, but it is also the only proposed defence that enables a posteriori forensic analysis of attacks.
tests. Similarly, concluding that a bullet came from a gun by observing the gun when it is shot is a conclusion not derived from forensics. Matching the microscopic grooves on a bullet to the barrel of the gun does employ forensic principles. In both of the above cases the latter comprises evidence found at the most elementary level while the former does not. It follows that standard file copy programs or routines that search for text do not operate as forensic tools. In the case of programs designed to move data from one place to another, no new evidence is uncovered. Procedures executing a text search are also disqualified, since they can be accomplished by standard observation. The reconstruction of files by uncovering patterns of bytes, or obtaining data from a microscopic view of a medium’s magnetic domains, do serve as suitable candidates for forensic research. Similarly, data manipulation, along with other processes that transform information in some fashion, cannot be considered a forensic operation. Examples include encryption, data compression and other types of encoding. These methods only transform the same evidence into a different form and do not serve to uncover new evidence. Although evidence in a transformed format is not readily understood, it is readily observable and hence does not qualify. Furthermore, the operations on this evidence are not performed at an elementary level but rather at a higher level comprised of characters and text files. These endeavours more appropriately belong to the field of cryptology. An individual skilled in cryptology need not employ an understanding of computer fundamentals in order to perform these operations.
A working definition of computer forensics can be formulated as the pursuit of knowledge by uncovering elemental evidence extracted from a computer in a manner suitable for court proceedings. The term elemental implies operations at a fundamental level, such as the microscopic elements of the medium or the bits and bytes of an individual sector. The term uncover refers to the presentation of some aspect of evidence not available through simple observation.
When you make a backup, use a product that does a bitstream backup. Standard file copy or file backup programs will not perform this kind of backup. It is critical that a bitstream backup be used so that data hidden in places on the hard drive can be preserved. A clever perpetrator may try to hide files in areas of the hard drive marked as bad when they are not. Files can also be encrypted, and you may only have ghosts of the original file in areas of the computer's file system that are marked as deleted, when in fact the data still physically exists. A bitstream backup makes an exact, 100 percent mirror-image copy. Tools to do this were originally made for network administrators, for creating online backups and for mass distribution of software installations throughout a corporate enterprise. These tools have been vastly improved over the years, and one of the standard tools in use by the FBI and other law enforcement agencies is called SafeBack; it is available from New Technologies, Inc. (http://www.forensics-intl.com/) to authorized personnel. Other tools for making image backups exist from well-known companies such as PowerQuest Corporation (http://www.powerquest.com/), which makes DriveImage Pro. This utility can make exact partition backups as well. Regardless of the product selected, and there are many other products from various vendors, you should learn how to use it long before you ever have to rely on it. The time to learn is not when you have a crisis and need to employ the tool. Always practice making backups with the tool and know its features. Questions about a product should not go unanswered. The only stupid question is an unasked one. Do not be afraid of asking anything of the appropriate support people. Some companies offer training in the use of their products, and even provide consulting services.
While this book is a guide for the auditor wanting to investigate issues of compliance forensically, it is not a substitute for training and the use of experienced individuals, especially if criminal activity is involved. You may wish to bring in a forensics expert and work side-by-side with him or her through your first few incidents. In the corporate environment, you should not work in isolation if at all possible. This gives you the support you will need at first, and it adds to the verifiability of the activities performed.
In forensic identification, investigators must use any available information to facilitate subject identification. Typically, the sources of face images are surveillance cameras, mobile device cameras, forensic sketches, and images from social media sites. These face images are difficult to match because they are often captured under non-ideal conditions (see Table 1). Non-forensic, fully automated scenarios are not severely impacted by these performance-degrading factors. As a result, forensic face recognition often requires a pre-processing stage of image enhancement or a specialized matcher to perform recognition.
$870,000 for the first bacterial genome to be sequenced and assembled by the Institute of Genome Research (Rockville, MD) (5, 6). Seven years later, in about the same amount of time and at a lesser cost (approximately $200,000 to $300,000 for the first genome), genomic sequences of the Bacillus anthracis Ames strains were obtained from the evidence in the letter attacks and purported reference samples (7–9). Technical advancements in recent years, through the advent of massively parallel sequencing (MPS) (which also has been referred to as next-generation sequencing [NGS] and high-throughput sequencing [HTS]), allow analysis of microbes with a throughput and speed that were not thought possible a short time ago. MPS, a disruptive technology and a boon to microbial forensics, may overcome the challenge of identifying unknown pathogens, hoax microorganisms, and low-abundance microorganisms even in complex mixture samples. With its substantially increased throughput and the continued development of powerful bioinformatics pipelines, MPS may be used to characterize any microbe, abundant or trace, degraded or intact, and even genetically engineered genomes with one unifying approach. MPS provides the ability to rapidly diagnose and monitor infections using culture-independent methods (thereby reducing cost and turnaround time) and to track disease outbreaks in real time using whole-genome comparisons (10–12). Indeed, Cummings et al. (13) showed several years ago the forensic capability of MPS to rapidly and reliably sequence multiple whole genomes. Since then, epidemiologists have applied MPS to several outbreak investigations (10–12, 14–17), and it is anticipated that MPS eventually will become the routine method for genetic analysis.
In addition, MPS provides a methodology for human microbiome studies, which provide inference into different health and disease states and impact conditions such as obesity, inflammatory bowel syndrome, effects from antibiotic use, and cancer (18–20). These same tools
Arguably, the two most widely used and accepted tools within digital forensics are EnCase by Guidance Software (Guidance Software, n.d.) and Forensic Toolkit (FTK) by AccessData (AccessData, n.d.). These two tools offer a range of support for the analysis of computers and digital devices, with a relatively recent extension into mobile device forensics. Although these tools are widely used and accepted, this does not mean they are the most appropriate tool for a particular investigation. Ayers (2009) refers to such tools as first generation computer forensic tools, and Garfinkel (2010) suggests that many of the tools used today were actually designed for the investigation of child pornography, which is a throwback to the early years of digital investigations when the main workload came from international law enforcement operations such as Operation ORE (Palmer, 2009). Nowadays, child pornography still accounts for a large percentage of digital forensics investigations, but the scope has increased to include any and all digital-based crimes, including hacking and intellectual property theft. Specifically, the tools are designed, in the main, to identify single pieces of evidence and not to explicitly assist with the investigative side. Guidance Software and AccessData are attempting to expand their tools’ abilities through integration with secondary tools, such as Passware Kit Forensic (Guidance Software, n.d.), and the incorporation of additional functionality that can be programmed by users through an integrated scripting environment.
Today computer forensics has become an important and incisive way to catch criminals in a short period of time. It depends on the computer forensic specialist to find important facts about a crime and present them in a court of law. Although the software is quite effective, there are also some shortcomings present in these tools. If we make the required improvements in these tools, the prosecution of cyber-crime will surely increase. As the FBI reported, “in the year 2000 there were 2032 cases opened involving cyber-crime. Of those cases only 921 were closed. Of those closed cases only 54 convictions were handed down in court” (Insert 2003).
In order to ensure accountability, the number of independent instances must be anticipated. Names, credentials and end points must be assigned for their use. The attribute stores and HSMs must be provisioned with the properties and keys to be used. The simple re-direct must be changed to a re-post loop as in Figure 2. The requester will then have a credentialed application to authenticate with bilaterally and an end point for end-to-end message encryption. Key management is complex and essential. When a new independent instance is required, it must be built and activated (credentials and properties in the attribute store, as well as end point assignment). All of these activities must be logged in a standard format with reference values that make it easy to reassemble the chain of events for forensics. When a current independent instance is retired, it must be disassembled and de-activated (credentials and properties removed from the attribute store, and the end point assignment released).
One vital element of digital forensics is the credibility of the digital evidence. Forensic imaging is becoming more diverse. The areas in which imaging is being used include fingerprints, footwear and tire impressions, ballistics, tool marks, accident scenes, crime scene reconstruction, documentation of wounds or injuries, surveillance videos, and many others. Anyone can snap a picture or record an event with a digital camera and produce an image rather easily using the available software. Being able to analyse the contents of digital devices, especially images, and determine whether they accurately depict what they are intended to portray is a whole different responsibility. A number of complex tools must be used to analyse an image and testify that it has not been tampered with or distorted in a way that could skew its interpretation. The expert must then be able to explain the basis for selecting the tools used, the order in which they were used, and why the judge or jury should believe that these tools were the best and most appropriate for the analysis in question. The use of digital evidence has grown in the past few decades as courts have allowed the use of digital artefacts such as e-mails, digital photographs, ATM transaction logs, word processing documents, deleted files, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video and audio files.
Herbal drugs are drugs obtained from natural resources. Today there is an exorbitant demand for herbal drugs in the market, which promise to cure ailments naturally, but due to the scarcity of medicinal plants, indiscriminate deforestation and illegal trade, there is an excessive gap between the availability of medicinal plants and the drugs obtained from them, which has paved the way for widespread adulteration of herbal drugs. Asparagus racemosus, commonly called Shatavari, is indeed a highly rejuvenating herb for both males and females, a revitalizing tonic for most problems related to hormonal changes and the reproductive system. Thus there is an elevated level of adulteration and substitution in the form of synthetic drugs (e.g. sildenafil citrate), similar-looking parts of other plants (Safed Musli), plants with properties similar to the herbal drug, etc. The present case study underlines how herbal drug forensics can help in untangling the hidden harms in adulterated commercial A. racemosus root powder samples as compared to standard root powder, and the need to develop this neglected area of forensic science towards a better future.
Generally, the information collected comes from internal memory (flash memory) or external memory (subscriber identity module [SIM], Secure Digital [SD], MultiMediaCard [MMC], CompactFlash [CF] cards or memory sticks). Call records and mobile backups can also be obtained through carriers, which provide other information that is useful in developing evidence, especially in cases of encryption. For a more complete understanding of techniques for handling mobile devices, NIST SP 800-101, Guidelines on Mobile Device Forensics, and the SWGDE “Best Practices
Before we end this chapter, let’s discuss some proactive steps that can make the process easier. As we have seen in this chapter, computer forensics of a UNIX honeynet deals with identifying what has changed since the baseline of the deployment date. Making an accurate baseline can make the investigation easier. The most common method of improving the baseline is to create hashes of all files before the system is deployed. It is easier to maintain a hash database of a honeynet system than of a real system because patch updates are less frequent. To make the forensic analysis process less painful, hashes of all files should be calculated. The MD5 values can be easily calculated for a directory and its subdirectories using md5deep, as was discussed in the File Integrity section. Other useful baselines include saving a list of the files in /dev/ by using ls -lR, a list of all files that begin with a dot, and a list of files that are SUID. See the Quick Hits section for command line details.
A threat could be anything that leads to the interruption, meddling with or destruction of any valuable service or item in the firm’s repertoire. Whether of “human” or “nonhuman” origin, the analysis must scrutinize each element that may bring about a conceivable security risk. Cyber threat analysis is a process in which knowledge of the internal and external information vulnerabilities pertinent to a particular organization is matched against real-world cyber attacks. With respect to cyber security, this threat-oriented approach to combating cyber attacks represents a smooth transition from a state of reactive security to a proactive one. Moreover, the desired result of a threat assessment is to give best practices on how to maximize the protective instruments with respect to availability, confidentiality and integrity, without compromising usability and functionality requirements.
The third step of the digital forensic process is analysis. It is the process of locating and collecting evidentiary items from the digital evidence collected (Daniel). In this step, the nature of the analysis will dictate the approach and techniques used, and this differs under each type of investigation. The forensic professional’s training and individual skill will have a large impact on this process. Electronic evidence and data come in many different forms, so the tools and techniques used to analyze them will differ. Popular tools used for digital forensics will be discussed later in this report. This stage is important because it identifies the evidence and determines the outcome of the entire investigation (Carrier).