Chapter 14: Digital Forensics Analysis

Digital forensics

the investigation of any digital or electronic media (e.g., flash drives, webcams, webservers, cell phones, Internet, printers.) for evidence of unethical behavior and financial malfeasance.

What legal authority and methods are used to collect evidence in cybercrime investigations?

Under 18 U.S.C. §1030, federal investigators can use subpoenas, court orders, search warrants, electronic surveillance, and traditional investigative methods. Without legal authority, investigators rely on Internet forensic research before the electronic trail disappears.

Why is timing critical in cybercrime investigations?

The electronic trail disappears quickly, so investigators must identify and preserve evidence before it is lost.

What techniques do cybercriminals use to avoid detection?

They hide behind networks of interconnected systems, disguise IP/location, and alter or delete electronic logs to conceal attacks and system compromises.

Why are international cybercrime investigations difficult?

If the attacker is in another country, the act may not be illegal there, and foreign authorities may not cooperate, limiting enforcement efforts.

What role do forensic investigators and accountants play in cybercrime cases?

They must document the dollar value of damages and provide viable clues about the attacker’s identity to support law enforcement and increase the likelihood of investigation.

What is a key responsibility of auditors when encountering cyber fraud evidence?

Auditors must not alter or destroy electronic evidence before it is properly collected, as doing so can compromise its use in an investigation.

What is the difference between clues and admissible evidence in cybercrime investigations?

Clues collected by forensic investigators may not meet courtroom standards unless obtained under legal authority and controlled conditions. However, these clues can provide preliminary information that helps law enforcement obtain search warrants and collect admissible electronic evidence before it disappears.

Why can improper handling of a computer compromise an investigation?

Turning on a computer can alter or “taint” electronic evidence, making it inadmissible in court, while turning it off can destroy volatile data (e.g., swap files), causing permanent loss of evidence.

Why must forensic accountants understand both technology and legal requirements in cyber investigations?

They need technical knowledge (e.g., Internet protocols) to collect and interpret electronic evidence, and legal understanding to properly respond to subpoenas/log requests. Without this, they risk mishandling evidence or making the company appear involved in the crime instead of a victim.

Why is technological knowledge important for auditors when assessing fraud risk?

Under SAS No. 99 (AU 316), auditors must understand the technology behind electronic data and cybercrime to effectively brainstorm fraud risks and identify potential schemes.

What are Internet protocols and why are they important in forensic investigations?

Rules that allow different systems and devices to communicate over the Internet. Forensic accountants must understand them to trace data, analyze network traffic, and identify cybercriminal activity.

What do HTTP and HTTPS indicate in a web browser?

They indicate the protocol being used to access and browse hypertext documents on the Internet.

What is the purpose of cookies in Internet browsing?

store user information so websites can recognize returning users, reducing the need to repeatedly enter login details.

What is Transmission Control Protocol (TCP) and Internet Protocol (IP) (TCP/IP) and why is it important?

the primary communication protocol used on the Internet. It governs how data is transmitted in packets (datagrams) between systems and allows forensic investigators to trace and analyze digital activity.

How does TCP/IP operate from a user’s perspective?

All TCP/IP communication (data transfer, logging, packet transmission) occurs behind the scenes within browsers, so users are typically unaware of how data is transmitted or how malicious code may be embedded.

What are some other Internet communication protocols besides TCP/IP?

File Transfer Protocol (FTP) and User Datagram Protocol (UDP), although TCP/IP is the most widely used.

What is a datagram and what information does it contain?

a packet of data sent over the Internet that contains layered information used to verify, route, and deliver data from sender to receiver, including path and control information.

What is message encapsulation?

the process where data is organized into layers, and each layer communicates only with the layer above or below it, ensuring proper transmission and interpretation at the destination.

What is the OSI model and why is it important?

a layered framework that explains how data is transmitted across networks, helping organize communication into structured layers for reliable data transfer.

What are the main layers of the TCP/IP (OSI) model and their purpose?

Application: handles user-level processes (e.g., HTTP, email)

Transportation: ensures reliable delivery and connections (TCP)

Network: routes data using IP addresses

Data Link: transfers data between devices and handles errors

Hardware (Physical): transmits data as electrical signals

What is the function of the application layer in the OSI model?

The application layer issues commands for user-level operations (e.g., email, financial transactions) and enables communication between software applications and the network.

What was the PairGain (Hoke) hoax and its impact?

A fake online message claimed PairGain would be acquired, causing its stock price to rise over 31% before the hoax was revealed, resulting in major investor losses.

What is the role of the transportation layer in TCP/IP?

It ensures reliable data delivery, manages connections between sender and receiver, and uses ports and sequence/acknowledgment numbers to track transmitted data.

What role do ports play in the transportation layer?

Ports identify specific services on a server, allowing multiple messages to be received simultaneously (over 65,000 ports exist; e.g., HTTP uses port 80).

What protocol operates in the transportation layer and what does it create?

TCP operates in this layer and creates a TCP header that combines with application data to form a transmission envelope.

What key information is contained in a TCP header?

Source/destination ports, sequence and acknowledgment numbers (for reliability), flags (connection status), window size (data flow), and checksum (error detection).

What is the purpose of sequence and acknowledgment numbers in TCP?

They track which data has been sent and received, ensuring reliable and complete message delivery.

What is the purpose of TCP flags?

TCP flags indicate the status of a connection (e.g., start, acknowledge, reset, finish) and control communication between systems.

What are the most important TCP flags to understand conceptually?

• SYN → starts connection

• ACK → confirms data received

• FIN → ends connection

• RST → resets connection

How can cybercriminals exploit TCP flags?

By manipulating flag sequences to confuse systems and bypass security controls like firewalls.

What does the TCP window field indicate?

It shows how much data the receiver can accept; a very small or zero window may indicate congestion or a denial-of-service condition.

What is the purpose of the checksum in TCP?

It verifies data integrity; if errors are detected, the data is retransmitted.

What is the function of the network layer?

controls the route data takes across networks and uses IP addresses to send packets from source to destination through routers.

What is the purpose of an IP address in the network layer?

a 32-bit identifier (like a phone number) that identifies the sender and receiver of data packets and allows routing across networks.

Why must TCP reassemble data at the destination?

Because data is sent in multiple packets that may arrive out of order or be duplicated due to retransmissions across routers.

Why can data packets arrive out of order or be duplicated?

Because packets travel across multiple routers and paths, and if acknowledgment is not received, packets may be resent, requiring TCP to reassemble them correctly.

How do cybercriminals hide their IP address?

By using proxy servers that replace their real IP address with a fake one, making their activity appear to originate from another location.

What are the key differences between IPv4 and IPv6?

• IPv4: 32-bit addresses, limited supply

• IPv6: larger address space, simplified headers, no fragmentation, improved security

What is fragmentation in IPv4?

It is the process of breaking data into smaller packets when networks have different size limits, requiring reassembly at the destination.

How does IPv6 handle fragmentation differently from IPv4?

IPv6 avoids fragmentation by sending data in one packet along a route that supports its size.

What is ICMP and what is it used for?

Internet Control Message Protocol is used for network monitoring, diagnostics, and communication between hosts (e.g., ping).

What is a “ping” in networking?

A diagnostic request sent to a system to check if it is active and reachable on a network.

What was the “Ping of Death” attack?

A denial-of-service attack that sent oversized packets to crash systems by exceeding maximum size limits.

What is the purpose of the checksum in the IP header?

It detects errors in transmission; if errors are found, the packet is discarded.

What is the main function of the data link layer?

It transfers data between network nodes, packages data into frames, and ensures reliable delivery through error checking and acknowledgments.

What is a frame in the data link layer?

a packaged unit of data that includes a header, trailer, error-checking bits, and a physical (MAC) address for transmission.

What is the difference between a MAC address and an IP address?

A MAC address is a physical hardware identifier for a device, while an IP address is a logical address used for routing data across networks.

What are the two sublayers of the data link layer and their roles?

• MAC (Media Access Control): Handles physical addressing and network access

• LLC (Logical Link Control): Formats data and manages transmission rules (with/without acknowledgment)

Why is the MAC address important in forensic investigations?

It uniquely identifies a physical device on a network, allowing investigators to trace activity to a specific computer.

What is the function of the hardware (physical) layer?

It sends and receives data by converting bits into electrical signals for transmission across physical network components.

What types of components are included in the physical layer?

Cables, connectors, network cards, and hardware devices (e.g., T-1 connectors) used to transmit data.

What is a keylogger?

A software or hardware tool that records all keystrokes on a computer, typically without the user’s knowledge.

Why are keyloggers dangerous even when encryption is used?

They capture keystrokes in plaintext before encryption occurs, allowing attackers to obtain passwords and sensitive data.

What type of information can keyloggers collect?

Passwords, IP addresses, emails, browsing activity, and other sensitive user input.

Why is decoding packet information important in forensic investigations?

Because packets contain hidden data that can identify who is visiting a website or committing a cybercrime, making them essential for tracing attackers.

What is the primary goal of decoding packet information?

To trace cyber activity back to the perpetrator by analyzing the data left behind in network packets.

What are web logs and why are they important in forensic investigations?

record network activity (e.g., IP address, location, user actions, browser, timestamps) and are used to trace website usage and identify potential attackers.

What are the main limitations of web logs as evidence?

Can be altered by cybercriminals and are often only stored for a short time before being overwritten or deleted.

What key information in a web log helps identify a user?

IP address (location/ISP), timestamp (date/time/time zone), user activity (requests/files), and browser/system details.

What are the most important components of a web log entry and what do they indicate?

• IP address → identifies user/network location

• Timestamp → when and where request occurred

• GET request → file requested from server

• HTTP code (200/404) → success or error

• File path & size → resource accessed

• Browser info → user system details

Why are IP address and time zone the most critical elements in web logs?

They allow investigators to trace activity to a specific location, ISP, and timeframe, helping identify the attacker.

What is TCPDUMP and how is it used in forensic investigations?

TCPDUMP is a network sniffer that captures and analyzes TCP/IP packet data, allowing investigators to examine network traffic and trace cybercriminal activity.

What is a network sniffer and why is it important?

a tool that captures datagrams traveling across a network; while hackers use it maliciously, it is a key tool for forensic investigators to analyze traffic and uncover evidence.

What key information can TCPDUMP reveal from network packets?

Timestamp, source/destination IP addresses, MAC addresses, ports, flags (e.g., SYN), sequence numbers, and window size.

Why are IP addresses, MAC addresses, and ports important in TCPDUMP analysis?

IP addresses trace the source/location, MAC addresses identify specific devices on a network, and ports show how the packet entered the system and may reveal suspicious activity.

How do web logs and TCPDUMP work together in investigations?

Web logs show user activity (when/where), while TCPDUMP reveals detailed packet-level data, allowing investigators to trace attacks and determine their origin.

Why is correlating logs across systems important in cyber investigations?

Comparing logs across time zones and ISPs helps confirm patterns of activity and strengthens evidence against a suspect.

What is SMTP and what is its role?

SMTP (Simple Mail Transfer Protocol) is the protocol used to send e-mails; it receives messages (Port 25), checks addresses, stores local messages, and forwards them to recipients.

Why are e-mails important in forensic investigations?

E-mails provide evidence of communication between fraudsters and can reveal relationships, intent, and coordination in financial crimes.

What are the major risks associated with e-mail systems?

E-mails can be spoofed (fake sender), contain malware/attachments, and spread misinformation that can cause financial losses.

What is an open relay in SMTP and why is it dangerous?

allows anyone to send e-mails through a server without verification, enabling spoofing, spam, and malicious attacks using fake identities.

How do attackers exploit SMTP Port 25?

They use tools like Telnet to connect to open mail servers and send large volumes of spoofed or malicious e-mails.

How can SMTP abuse (e.g., open relays) be prevented?

By closing Port 25, requiring authentication, and using digitally signed e-mails.

What information do SMTP logs provide?

Timestamp, message ID, sender/recipient emails, sending server IP, message size, and number of recipients.

Why are SMTP logs more reliable than e-mail headers?

Because logs are secured on servers and are harder for attackers to alter compared to visible e-mail header data.

What is required to trace an e-mail path using SMTP logs?

Cooperation between multiple ISPs and correlation of logs across systems and time zones.

What is the difference between short and long e-mail headers?

• Short header: basic info (sender, recipient, date)

• Long header: detailed routing, IP addresses, and message path used for tracing

What is the most important information in an e-mail header for tracing?

IP addresses, message ID, and “Received” lines showing the path the message traveled.

How do “Received” lines help trace an e-mail?

The earliest (bottom) “Received” entry shows the origin of the message, while others show each server (“hop”) it passed through.

Why can’t short e-mail headers be trusted for identifying the sender?

Because sender information can be easily spoofed or falsified using tools like proxies or open relays.

What does traceroute do?

It tracks the path (hops) a packet takes across the Internet, showing routers, IP addresses, and travel time between source and destination.

What does a Whois search provide?

Information about a domain/IP, including organization name, location, contacts, and administrative details.

How do traceroute and Whois work together?

Traceroute identifies the path of a packet, while Whois identifies the organization or owner behind the IP/domain.

What do tools like Nslookup, Dig, and Shodan do?

• Nslookup → maps IP ↔ domain names

• Dig → provides DNS/domain info

• Shodan → identifies devices, servers, ports, and software on networks

What is ping and what does it do?

Ping sends a request to an IP address to check if a system is active and reachable on the network.

What is a limitation of ping in tracing users?

Dynamic IP addresses change frequently, so ping only provides temporary identification.

What is a finger search?

A tool that retrieves user activity information (login times, directory info, email activity) from a network.

What happens once an IP address is traced outside a company’s network?

Further information cannot be obtained without cooperation from the ISP, which is typically not required to share data with private investigators.

What are the two main options after identifying a cyberattack suspect?

• Report to law enforcement with collected evidence

• Handle internally (especially for corporate fraud) before deciding on legal action

What key information should be included in a cybercrime report?

IP addresses, timestamps (GMT/time zones), email/screen names, logs, attack description, duration, and estimated damages.

Why must investigators preserve an electronic image of a system after an attack?

To retain original evidence for analysis, legal proceedings, and potential insurance claims.

Why are cybercrime cases difficult for local law enforcement?

Many officials lack technical expertise, and investigations can take months due to complexity and backlog.

What is a John Doe subpoena and when is it used?

A civil subpoena used to obtain the identity of an unknown suspect (e.g., from an ISP) in cases like fraud, defamation, or breach of contract.

What is a key limitation or risk of a John Doe subpoena?

It may be challenged in court as a violation of privacy or First Amendment rights, potentially preventing enforcement.

Why are boardroom (executive-level) frauds difficult to detect?

Executives can override internal controls, making traditional controls ineffective; frauds are often only discovered through third-party tips.

Why are forensic audits more effective against executive fraud?

Because they are unpredictable, investigative, and less reliant on documents provided by management.

Which executives are most at risk for committing fraud?

Those with authority to override controls and whose compensation is tied to financial performance (e.g., bonuses, stock options).

How does organizational culture affect fraud risk?

A weak ethical culture (“tone at the top”) increases fraud risk, while strong ethical values reduce it.

What types of data are monitored in a forensic audit?

Executive emails, web activity, network logs, and electronic communications across company systems.