Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Ethical Hacking and
Countermeasures
Version 6

Module LVII
Computer Forensics
and Incident Handling

Ethical Hacking and Countermeasures v6
Module LVII: Computer Forensics and Incident handling
Exam 312-50

Module LVII Page | 3969

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Scenario
OrientRecruitmentInc is an online human resource recruitment firm.
The web server of the firm is a critical link.

Neo, the network administrator sees some unusual activity that is
targeted towards the web server. The web server is overloaded with
connection requests from huge number of different sources.
Before he could realize the potential of the attack, the website of
OrientRecruitmentInc falls prey to the much famous Denial of
Service Attack.
The company management calls up the local Incident Response
Team to look into the matter and solve the DoS issue.
What steps will the incident response team take to investigate the
attack?

EC-Council



Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Scenario

Orient Recruitment Inc. is an online human resource recruitment firm. The web server of the firm
is a critical link.
Neo, the network administrator, sees some unusual activity that is targeted towards the web
server. The web server is overloaded with connection requests from huge number of different
sources.
Before he could realize the potential of the attack, the website of Orient Recruitment Inc. falls to
the famous Denial-of-Service attack.
The company management calls up the local Incident Response Team to look into the matter and
solve the DoS issue.
What steps will the incident response team take to investigate the attack?


Module LVII Page | 3970

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Module Objective
This module will familiarize you with:
•
•
•
•
•
•
•
•
•
•
•
•

Computer Forensics
What is an Incident
Categories of Incidents

Incident Response Checklist
Procedure for Handling Incident
Incident Management
Incident Reporting
What is CSIRT
Types of Incidents and Level of Support
Incident Specific Procedures
Best Practices for Creating a CSIRT
World CERTs
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

Module Objective
This module will familiarize you with:


Computer Forensics



What is an Incident?



Categories of Incidents




Incident Response Checklist



Handling Incidents



Procedure for Handling Incident



Incident Management



Incident Reporting



What is CSIRT?



Types of Incidents and Level of Support



Incident Specific Procedures




Best Practices for Creating a CSIRT



World CERTs

Module LVII Page | 3971

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Module Flow
Computer Forensics

Incident Reporting

What is an Incident

What is CSIRT

Categories of Incidents


Types of Incidents and
Level of Support

Incident Response Checklist

Incident Specific Procedures

Procedure for
Handling Incident

Best Practices for Creating a CSIRT

Incident Management

World CERTs

EC-Council

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow

Module LVII Page | 3972

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6

Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

To Know More About
Computer Forensics,
Attend EC-Council’s CHFI
Program

EC-Council

Module LVII Page | 3973

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Computer Forensics

EC-Council

Module LVII Page | 3974


Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

What is Computer Forensics
“The preservation, identification, extraction, interpretation, and
documentation of computer evidence, to include the rules of evidence,
legal processes, integrity of evidence, factual reporting of the
information found, and providing expert opinion in a court of law or
other legal and/or administrative proceeding as to what was found.”

"Forensic Computing is the science of capturing, processing and
investigating data from computers using a methodology whereby any
evidence discovered is acceptable in a Court of Law.”

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 What is Computer Forensics?

According to Steve Hailey of Cyber Security Institute, computer forensics is:
“The preservation, identification, extraction, interpretation, and documentation of computer
evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting
of the information found, and providing expert opinion in a court of law or other legal and/or
administrative proceeding as to what was found.”
Preservation
The forensic investigator must preserve the integrity of the original evidence. The original
evidence should not be modified or damaged. The forensics examiner must make an image or a
copy of the original evidence and then perform his analysis. He must also compare the copy with
the original evidence to identify any modifications or damages.
Identification
The first and foremost step that a forensics examiner needs to take before starting with his
investigations is that he must identify the evidence and its location. For example, evidence may be
contained in hard disks, other removable media, or even log files. Every forensic examiner must
understand the difference between actual evidence and evidence containers. Locating and
identifying information/data is a challenge for the digital forensics investigator. Various
examination processes such as keyword search, log files analysis, and system check help in
investigation.
Extraction
The immediate step after identifying the evidence is to extract data from them as soon as they are
located. Since volatile data can be lost at any point of time, the forensic investigator must extract
these data from the copy he had made from the original evidence. This extracted data must be
compared with the original evidence and analyzed.
Interpretation
The most important role played by a forensic examiner during investigations is to interpret what
he has actually found. The analysis and inspection of the evidence must be interpreted in a lucid
manner.
Documentation

Module LVII Page | 3975


Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Documentation relating to evidence must be maintained from the beginning of the investigation
till the end where the evidence is presented before the court of law. The documentation will
comprise the chain of custody form and documents relating to evidence analysis.

Computer Forensics Methodologies
The basic methodology consists of what one can think of as the three A’s:


Acquire the evidence without modifying or corrupting the original.



Authenticate that the recovered evidence is the same as the originally seized data.



Analyze the data without any alterations.

Due to the growing misuse of computers in criminal activities, there must be a proper set of
methodologies for investigation. Apart from methodologies, forensic tools also play an important

role during investigations such as enabling the forensic examiner to recover deleted files, hidden
files, and temporary data that the user may not locate. The evidence acquired from computers are
fragile and can be easily erased or altered. There is another possibility where the seized computer
can be compromised if not handled using proper methodologies.
The methodologies involved in computer forensics may differ depending upon the procedures,
resources, and target of the company. Stand-alone computers, workstations, servers and online
channels are some fundamental areas; a forensic investigator must concentrate on. Investigation
of stand-alone computers, workstations and other removable media can be simple, whereas
examination of servers and online channels can be complicated and tricky.
Auditing and logging during investigations are often not executed. They play a key role during
investigations. They must be given due importance, as they will provide leads to the case.

Module LVII Page | 3976

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Need for Computer Forensics
“Computer forensics is equivalent of surveying a crime scene or performing an
autopsy on a victim”
{Source: James Borek 2001}
Presence of a majority of electronic documents

Search and identify data in a computer


Digital Evidence can be easily destroyed, if not handled properly

For recovering Deleted, Encrypted, or Corrupted files from a system
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Need for Computer Forensics
According to James Borek (2001), “Computer Forensics is the equivalent of surveying a crime
scene or performing an autopsy on a victim.”
The importance of computer forensics has developed in the present day scenario where
computers are vulnerable to malicious purposes. Computers are either used as a tool to commit a
crime or have become a target for these attacks. Computers are used to commit crimes, and
crimes can be recorded on computers, including company policy breaches, fraud records, email
crimes, revealing of valuable proprietary information and even terrorist activities.
Law enforcement officials, network and system administrators of IT firms, attorneys and also
private investigators depend upon qualified computer forensic experts to investigate their
criminal and civil cases.
A majority of documents these days exist in electronic format. Computer evidence is delicate in
nature; therefore they must be recorded to avoid loss of valuable evidence. Computer forensics
includes locating and recovering data that resides in a computer system and also recovering
deleted, encrypted or damaged data. This data will be helpful during presenting testimony before
the court of law.

Module LVII Page | 3977

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Objectives of Computer Forensics

To recover, analyze and present computerbased material in such a way that it can be
presented as evidence in a court of law
To identify the evidence in short time, estimate
potential impact of the malicious activity on
the victim, and assess the intent and identity of
the perpetrator

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Objectives of Computer Forensics
The critical phase of a computer forensic investigation is presenting the inferences of the previous
phases (acquiring and analyzing). The objective is obvious; you must present the discovered
evidence in a way that is accepted by the court of law, which increases your chances of winning
the case.
Other objective is to discover the evidence in short time with accuracy. The impact of the crime on
the victim, such as loss of reputation and data has to be estimated along with intent and identity
of the intruder.


Module LVII Page | 3978

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Stages of Forensic Investigation in
Tracking Cyber Criminals
An Incident occurs in
Which, the Company’s
Server is compromised

The Client contacts the
Company’s Advocate
for Legal Advice

The Advocate contracts
an External Forensic
Investigator

The Forensic Investigator
(FI) prepares the
Bit-Stream images of the files

The FI seizes the

evidences in the Crime
scene & transports
them to the Forensics Lab

The Forensic Investigator
Prepares First Response
of Procedures (FRP)

The Forensic Investigator
creates an MD5 #
of the files

The Forensic Investigator
examines the evidence
files for proof of a Crime

The FI prepares Investigation
reports and concludes the
Investigation, enables the
Advocate identify required proofs

The Forensic Investigator
usually destroys
all the evidences

The Advocate studies the
report and might press charges
against the offensive in
the Court of Law


The FI handles the
sensitive Report to the
Client in a secure manner

EC-Council

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

 Stages of Forensic Investigation in Tracking Cyber Criminals

Module LVII Page | 3979

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Key Steps in Forensic
Investigations
1
2
3
4
5
6

7

• Computer crime is suspected

• Collect preliminary evidence

• Obtain court warrant for seizure (if required)

• Perform first responder procedures

• Seize evidence at the crime scene

• Transport them to the forensic laboratory

• Create 2 bit stream copies of the evidence
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

Key Steps in Forensic
Investigations (cont’d)
8
9
10
11
12
13
14


• Generate MD5 checksum on the images
• Prepare chain of custody
• Store the original evidence in a secure location
• Analyze the image copy for evidence
• Prepare a forensic report
• Submit the report to the client
• If required, attend the court and testify as expert witness

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Key Steps in Forensic Investigations
The general procedure in forensic investigation is as follows:
1.

The investigation is initiated at the moment the computer crime is suspected.

2. The immediate response is to collect preliminary evidence. This includes photographing
the scene, and marking the evidence.
3. Obtain court warrant for seizure (if required).
4. Perform first responder procedures.
5.

Seize evidence at the crime scene. After seizure, number the evidence and lock them
safely.

6. Securely transport them to the forensic laboratory.
7.


Create 2-bit stream copies of the evidence. Do not tamper the original disk; it might
change the time stamps.

8. Generate MD5 checksum on the images.
Module LVII Page | 3980

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

9. Prepare chain of custody. Any change would question the admissibility of the evidence.
10. Store the original evidence in a secure location, preferably away from an easily accessible
location.
11. Analyze the image copy for evidence.
12. Prepare a forensic report that describes the forensic method used, recovery tools used.
13. Submit the report to the client.
14. If required, attend the court and testify as an expert witness.

Module LVII Page | 3981

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

List of Computer Forensics Tools
Helix

Process Explorer

Pslist

Autoruns

Fport

Irfan View

Psloggedon

Adapterwatch

RegScanner

Necrosoft Dig

X-Ways Forensics

Visual TimeAnalyzer


Traces Viewer

Evidor

Sleuth Kit

Ontrack

SMART

Forensic Sorter

Penguin Sleuth Kit

Directory Snoop
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 List of Computer Forensics Tools
The following is a list of forensics tools:


Helix



Pslist




Fport



Psloggedon



RegScanner



X-Ways Forensics



Traces Viewer



Sleuth Kit



SMART




Penguin Sleuth Kit



Process Explorer



Autoruns



Irfan View



Adapterwatch



Necrosoft Dig



Visual TimeAnalyzer



Evidor




Ontrack



Forensic Sorter



Directory Snoop

Module LVII Page | 3982

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Incident Handling

EC-Council

Module LVII Page | 3983

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Present Networking Scenario
Increase in the number of companies venturing into e-business
coupled with high Internet usage
Decrease in vendor product development cycle and product
testing cycle

Increase in the complexity of Internet as a network

Alarming increase in intruder activities and tools, expertise of
hackers, and sophistication of hacks
Lack of thoroughly trained professionals as compared to the
number and intensity of security breaches
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Present Networking Scenario
The network of the present age is growing at somewhat at the rate of growth of the universe,

propounded by the Big Bang theory. The Internet as a world wide web is growing at a very fast
rate, and there are lots of applications running on the Internet growing at a faster rate resulting in
the increase in complexities in the Internet.
Reduction in the product development cycle, coupled with a decreased testing cycle, has given
way to increase in the number of bugs in software. Unchecked vulnerability in a network or
weakness in design paves way to intruder activities.
The learning curve for carrying out network attacks is decreasing rapidly due to easy availability
of hacking tools. The denial-of-service (DoS) attack directed against major websites a few years
ago have brought to light the security flaws.
Until recently, the need for an incident response team within every organization was never given a
serious thought. There is a lack of trained professionals who can respond to incidents and
minimize the effects. Organizations are opting for in-house incident response team. This module
highlights the need for an incident response team, basic procedures in handling incidents, various
CSIRTs present in the world and more.

Module LVII Page | 3984

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

What is an Incident
Computer security incident is defined as “Any real or suspected adverse
event in relation to the security of computer systems or computer
networks”

• Source: www.cert.org

It also includes external threats such as gaining access to systems,
disrupting their services through malicious spamming, execution of
malicious codes that destroy or corrupt systems

EC-Council

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

 What is an Incident?
An incident can be an event or set of events that threatens the security in computing systems and
networks in any organization. It also includes system crashes, packet flooding within a network,
and unauthorized use of other user’s account, gaining access to unauthorized network privilege
specially the administrator’s privilege.
There are various types of incidents, which are found out after a comprehensive study of security
attacks and security breaches occurred from time to time in the various organizations. A standard
qualification of the incidents is classified in following forms:


Repudiations



Reconnaissance attacks



Harassment




Extortions



Pornography trafficking



Organized crime activity



Subversion



Hoaxes



Caveats

Repudiation:
Repudiation is an incident process in which a person or software program acting on behalf of any
other person takes some action.
Reconnaissance:
Collecting or discovering information about any individual or an organization that might be

useful in attacking whatever targets a perpetrator has chosen. These types of attacks are better
known as reconnaissance. The DSL and cable modem connections which are gaining popularity
these days are more exposed to reconnaissance attacks because, the connections are usually open,
which gives more time to hackers to attack our systems.
Port scanning or running a program that remotely finds ports opened and closed on remote
systems, represents one of the most common types of reconnaissance attacks.
Module LVII Page | 3985

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Harassment:
It is a cyber crime and the hacker or perpetrator can use or send an obnoxious mail messages to a
victim using a chat room or remote screen writing service.
The extreme cases of harassment include cyber stalking in which electronic means are used to
follow or intimidate a victim.
Extortion:
This makes the victim to pay money to the hacker or intruder because he or she has got such
important information about the respective organization, which can lead to severe loss to the
organization whether it is related to data/ information or a financial threat.
These attempts are growing more now in the cyber world.
Pornographic trafficking:
The networks have become a natural source to store and transmit pornographic material. The
Internet governing bodies have banned pornography, and anything that involves this is therefore,

illegal. The electronic pornographic activity is common and is braking in everywhere.
The computer and networks are being used worldwide to store, send, and receive child
pornography also.
The law broker’s embed the pornographic images to other images thus, making it difficult to
track. One famous technology used for this purpose is steganography.
Organized crime activity:
Some of the organized illegal activities are done with the help of computers, such as drug
trafficking making of illegal passports, running prostitution rackets and online smuggling, and
providing unauthentic and illegal visas to people. It also involves the illegal immigration of people
without proper identity proof.
Subversions:
A subversion is an incident in which a system does not behave as it was expected to. It is supposed
that the reason behind this kind of behavior of the system or the network is because of an attack
on the integrity of the system, network, or application, but in reality it is something more.
Example of which can be putting bogus financial server to discover credit card or illegal indexing
of web pages. In the case of subversion, the preparator modifies the web links so that whenever
anyone connects to link he is transferred to any other location, which is unrelated or false.
Hoaxes:
A hoax is an email warning of some virus that may have devastating affect on the system. This will
be posed as a new virus, which is unknown to anyone. These emails provide false information
about the virus and they also mention a company or an institution whose name is known by
public to defame the company.
The hoaxes convince people to send mails to others informing about this virus. The virus does not
exist and hoaxes spread false virus warnings. The panicking user can cause damage to his or her
systems.
Caveat:
It is also a sort of warning, which may be in the form of a legal notice that can lead to the hearing
in the court. The kinds of incidents discussed in this section are by no means mutually exclusive.

Module LVII Page | 3986


Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Category of Incidents: Low Level
Low level incidents are the least severe kind of incidents

They should be handled within one working day after the event occurs
They can be identified when there is:
Loss of personal password
Suspected sharing of organization’s accounts
Unsuccessful scans and probes
Presence of any computer virus or worms
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Category of Incidents: Low Level
All incidents are of different intensity and complexity and occur under different situations or
conditions also known as vulnerability. The incidents are then classified according to the level of
their intensity and affect on the network and systems.
They are classified into three levels; these are low-level incidents, mid-level incidents, and highlevel incidents. The least harmful incidents are low-level incidents and it is better to handle them
within one working day.

The low level incidents can be identified by the following symptoms:


Compromise of system password



Unknown sharing of company account



Misuse of computer peripherals



Unintentional routine computer action



Unsuccessful scans and probes in the network



Presence of computer virus and worms

Module LVII Page | 3987

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling

Exam 312-50 Certified Ethical Hacker

Category of Incidents: Mid Level
The incidents at this level are comparatively more serious and thus, should be
handled the same day the event occurs

They can be identified by observing:
• Violation of special access to a computer or computing
facility
• Unfriendly employee termination
• Unauthorized storing and processing data
• Destruction of property related to a computer incident (less
than $100,000)
• Personal theft of data related to computer
incident($100,000)
• Computer virus or worms of comparatively larger intensity
Illegal access to buildings
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

EC-Council

 Category of Incidents: Mid-Level
Mid-level incidents are more serious kind of incidents. They should be handled within the same
day the event occurs, that is normally two to four hours of the event that has occurred.
Medium level incidents are identified by the following symptoms:



Unfriendly employee termination



Violation to the special access to computer or any computing facility in an organization



Illegal access is found to building up in the network of an organization



Systems present in the organization’s network used as unauthorized systems for
processing or storing the organization’s data



Property worth less than $100,000 related to an organization is destroyed



Personal theft of amount less than $100,000



Presence of computer virus and/or worms whose effects are more compared to low-level
incidents


Module LVII Page | 3988

Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.