Module 4 (2)

MODULE 4 - TOOLS FOR DATA RECOVERY
Analysing the Network Traffic
Improper network usage and network-based attacks can be analysed and recreated by analysing
the traffic being transmitted on the network . The digital forensics examination can be backed by
the information in the data that gets transmitted over networks. The data travelling over the
network may include personal or corporate chats, email messages, and other types of digital data.
Network traffic can be intercepted and captured using a packet sniffing tool, and the digital
forensics examiner can then examine the information present in the packet header to further
support the investigation. Doing this is highly critical if a digital forensics examination is being
performed while a network is facing a live cyber-attack.

How to capture evidence in a live environment:
1) A bootable forensic disk should be created.
2) Use the bootable disk on the computer system in question to load up the forensics
environment or connect to the system using remote access.
3) Every activity performed by the digital forensic examiner must be recorded.
4) A flash drive or USB could be used if the digital evidence needs to be extracted and
transported.
5) A memory forensics tool should be used to copy the contents of the physical memory.
6) The image of the evidence drive should be create and with care.
7) Use rootkit revealing tools to check for the presence of any rootkits on the device in
question if there is an intrusion.
8) The integrity of the evidence drive image that is created should be verified by calculating
the hash values of the image. The calculated hash value can be used to make sure that the
image is unaltered.

Tools for performing network investigations
The following are some powerful tools that can be used for network forensics investigations:

• PsGetSid can be used to fetch the security identifier.
• PsList diplays information about a process.
• Filemon can be used to display the activities happening on the file system.
• PsKill can be used to kill a specific running process.
• PsExec is a tool used to remotely execute and run process.
• PsLoggedOn can be used to know about the account that is currently logged into on a

computet system.
• Registry data can be displayed using the RegMon tool.
• PsPassword is a powerful tool that can be used to change account passwords.
• Two of the main packet sniffing tools are Wireshark and Tcpdump.
• If the digital forensics examiner wants to shut down or restart a computer system then they

can use the PsShutDown tool to do so.

Analysis of log files
Log files can be analysed to figure out whether any malicious activities are occurring on a
computer system or the network. A lot of information about user activities is stored in the log files.
Log files can either be examined manually by reading through them or by using various tools.
Logs can be present on computer systems, routers, IDS systems, IPS systems, firewalls, or other
network devices.