Posts

Email Header Analysis and Using Open Source Tools to Detect Spoofing E-Mails

Both email spoofing and phishing are commonly used in fraudulent activities, often involving requests for sensitive information or unauthorized payment instructions. Such attacks can lead to significant financial losses or reputational damage for organizations. In this section, we will explore key indicators for identifying fraudulent emails, along with effective methods for detecting them.

Part 1 - Indicators of a fraudulent e-mail:

1- Suspicious company domain: Look out for slight misspellings or unfamiliar domain names that mimic real companies. Fraudulent emails often come from domains that look legitimate at first glance.

2- An unusual request (whether about payment or your credentials): Be cautious if you are asked to provide sensitive information or make urgent payments. Legitimate organizations rarely ask for credentials or payments via email unexpectedly.

Part 2 - Analyzing the e-mail header: In order to detect whether a received e-mail is suspicious, the following analysis on the e-ma...

Live Imaging using FTK Imager on Windows OS Systems

While there are many different methods for disk imaging, one of them is performing this process on a running Windows operating system. During imaging on an active Windows system, there is a risk of unintentionally writing data to the disk. This can compromise the integrity of the data under investigation. Therefore, it is recommended that this method be avoided unless absolutely necessary.

Imaging with FTK Imager: To perform imaging with the FTK Imager application, the application must be stored on a USB flash drive. After the computer to be imaged is powered on, the FTK Imager application on the USB drive is launched by double-clicking. The application interface that will then appear on the screen is as follows: To image one of the disks on the computer where the application is running, click on the "File" tab in the top left corner, followed by "Add Evidence Item." After clicking on the relevant section, the following screen will appear, where you decide whether t...

Setting up FTK Imager on Ubuntu OS installed USB Drive

One of the most suitable methods for disk imaging is using Linux distributions. For this process, the operating system must have the FTK Imager software installed, which allows image capture with the E.01 extension. Among the Linux distributions, only the Deft Zero operating system comes with this application pre-installed. For other Linux distributions, the FTK Imager software needs to be installed within these systems to perform imaging. Unlike other Linux versions, the Ubuntu operating system allows direct imaging on devices with the new generation (UEFI) boot system without switching to the Legacy Boot Option in the UEFI interface. Therefore, it is recommended to use Ubuntu on customer devices where the Legacy option does not appear in the Boot Option or where Boot settings cannot be changed.

First, a folder is created within the Ubuntu USB with write and delete permissions:

sudo mkdir /opt/ftk-imager
sudo chmod 777 /opt/ftk-imager

The FTK Imager.tar file, located on another USB, is...

Setting up Zip2John to crack password protected zip files on Linux Ubuntu

Zip2john is a useful tool for both extracting hashes from and cracking password protected zip files. Since it is not included in the default John the Ripper package, installing it might be a little bit tricky, especially on Ubuntu-like Linux distributions.

Downloading Zip2John: Here is how the additional zip2john package can be installed on Ubuntu using the mighty terminal.

Step 1: Clone the app from the GitHub repository using the following command:

git clone https://github.com/openwall/john -b bleeding-jumbo john && cd john/src/ && ./configure

If you get an error on the previous step, add --without-openssl after ./configure, then type the following:

make -s clean && make -sj4

Extracting the hash of the zip file

Step 2: If you have successfully completed the installation, you can extract the hash file using the following steps. Move to the run directory using:

cd /home/user/john/run

Step 3: Type the following command:

./zip2john ./test.zip > hash.txt

The hash file should be automatically exported i...

Forensic analysis of recently accessed files - LNK (Linklist) analysis

Part of the series (2 of 3) Windows artifact analysis. LNK files, also called link lists in some sources, are created automatically by the Windows operating system when a user interacts with documents, apps and folders. An LNK file can also be described as one of the shortcut files shown when a user right-clicks on the File Explorer icon on the taskbar, as shown below; these shortcuts are listed based on latest access time and frequency. As we all know, the list shown there is modifiable and limited to a few recently accessed files. So how can LNK files help us from the forensic perspective? Even though the user is able to clear the list shown above, Windows still keeps track of those files, and the full list is a lot longer than what appears on the taskbar. The complete list of recently accessed files, docs, apps and folders can be found in the "C:\Users\%User%\Recent" location, or simply press the Windows key, type "run" and enter "recent" in the Run window. La...

Forensic analysis of recently accessed files - jumplist analysis

Part of the series (1 of 3) Windows artifact analysis. When it comes to detecting recently accessed files, Windows offers a wide variety of artifacts which may be helpful for enlightening forensic investigations. As many items, so-called artifacts, exist for that particular reason, one of those artifacts, which is automatically created by Windows, is called the jumplist. Jumplists are system artifacts that are created to keep track of recently accessed files. As those files can be viewed by typing "recent" in the Run command, the list which comes up might be the whole thing. Especially during forensic investigations, it is important to make sure that all the available information is collected completely. For that very reason, all jumplist files must be retrieved from the custodian's computer and inspected thoroughly. Two types of jumplists are created when a user opens a file: the automatic (.automaticDestinations-ms) file and the custom (.customDestinations-ms) file. The main differenc...

Cracking password protected MS Office files using Hashcat

Part of the series (2 of 2) cracking password protected MS Office files. Whether it is a forensic investigation or even in private life, we might need to open a password protected file which might contain personal information or information that can change the direction of an investigation. For those files, contrary to common belief, and depending on the length of the password, it is actually possible to crack the file and reach the data inside. But in order to do that, we must have the correct tools and the right approach. In this article, I am going to show how to crack a password protected MS Office file using Hashcat on Linux Ubuntu OS step by step.

Extracting the password hash from the file: In our case, we are going to have an example.xlsx file which is protected with a password. The first thing to do here is to extract the hash of the password, which can be done using John the Ripper. This step is explained in my previous article, which can be found here. Note that we are going to need the text file that is...