VISHVESHWARAIAH TECHNOLOGICAL UNIVERSITY

S.D.M COLLEGE OF ENGINEERING AND TECHNOLOGY

A seminar report on

“COMPUTER FORENSICS”

Submitted by

„SUJAY P.‟

„2SD06CS110‟
th
8 semester

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

 Computer Forensics

VISHVESHWARAIAH TECHNOLOGICAL UNIVERSITY

S.D.M COLLEGE OF ENGINEERING AND TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

CERTIFICATE
Certified that the seminar work entitled “COMPUTER FORENSICS”

Is a bonafide work presented by „SUJAY P.‟

baring USN NO „2SD06CS110‟

in a partial fulfillment for the award of degree of Bachelor of Engineering in computer science of

the Vishveshwaraiah Technological University, Belgaum during the year 2009-10. The seminar

report has been approved as it satisfies the academic requirements with respect to seminar work

presented for the Bachelor of Engineering Degree

.Staff in charge Prof S.L DESHPANDE H.O.D

COMPUTER SCIENCE & ENGINEERING

Page 2
 Computer Forensics

CONTENT
 Introduction
 History of Computer Forensics
 Steps of Computer Forensics
 Reasons for Evidence
 Users Computer Forensics
 Handling Evidence
 Handling Information
 Evidence Processing Guidelines
 Methods of Hiding Data
 Methods of Detecting/Recovering Data
 Network forensics
 Advantages of Computer Forensics
 Disadvantages of Computer Forensics
 Conclusion

COMPUTER SCIENCE & ENGINEERING

Page 3
 Computer Forensics

Introduction

Computer forensics is simply the application of disciplined investigative techniques

in the automated environment and the search, discovery, and analysis of potential evidence. It
is the method used to investigate and analyze data maintained on or retrieved from electronic
data storage media for the purposes of presentation in a court of law, civil or administrative
proceeding. Evidence may be sought in a wide range of computer crime or misuse cases.
Computer forensics is rapidly becoming a science recognized on a par with other forensic
sciences by the legal and law enforcement communities. As this trend continues, it will
become even more important to handle and examine computer evidence properly. Not every
department or organization has the resources to have trained computer forensic specialists on
staff.

Computer evidence has become a „fact of life' for essentially all law enforcement
agencies and many are just beginning to explore their options in dealing with this new venue.
Almost overnight, personal computers have changed the way the world does business. They
have also changed the world‟s view of evidence because computers are used more and more
as tools in the commission of „traditional' crimes. Evidence relative to embezzlement, theft,
extortion and even murder has been discovered on personal computers. This new technology
twist in crime patterns has brought computer evidence to the forefront in law enforcement
circles.

Forensic science has been defined as “any science used for the purposes of the law...
[Providing] impartial scientific evidence for use in the courts of law, and in a criminal
investigation and trial”.

According to Marcus Ranum, “Network forensics is the capture, recording, and

analysis of network events in order to discover the source of security attacks or other
problem incidents”.

COMPUTER SCIENCE & ENGINEERING

Page 4
 Computer Forensics

We expand on these definitions to define computer forensics as:

“Computer forensics involves the preservation, identification, extraction, documentation,

and interpretation of computer media for evidentiary and/or root cause analysis.”

These activities are undertaken in the course of a computer forensic investigation of a

perceived or actual attack on computer resources. Evidence might be required for a wide
range of computer crimes and misuses.

Multiple methods of

 Discovering data on computer system.

 Recovering deleted, encrypted, or damaged file information.
 Monitoring live activity.
 Detecting violations of corporate policy.

Information collected assists in arrests, prosecution, termination of employment, and

preventing future illegal activity.

What Constitutes Digital Evidence?

 Any information being subject to human intervention or not, that can be extracted
from a computer.
 Must be in human-readable format or capable of being interpreted by a person with
expertise in the subject.

COMPUTER SCIENCE & ENGINEERING

Page 5
 Computer Forensics

Computer Forensics Examples

 Recovering thousands of deleted emails.
 Performing investigation post employment termination.
 Recovering evidence post formatting hard drive.
 Performing investigation after multiple users had taken over the system.

History of Computer Forensics

Michael Anderson
 “Father of computer forensics”.
 Special agent with IRS.

Meeting in 1988 (Portland, Oregon)

 Creation of IACIS, the International Association of Computer Investigative
Specialists.
 The first Seized Computer Evidence Recovery Specialists (SCERS) classes
held.

COMPUTER SCIENCE & ENGINEERING

Page 6
 Computer Forensics

Steps of Computer Forensics

Computer Forensics is a four (4) step process

Acquisition
Physically or remotely obtaining possession of the computer, all network mappings
from the system, and external physical storage devices.

Identification
This step involves identifying what data could be recovered and electronically
retrieving it by running various Computer Forensic tools and software suites.

Evaluation
Evaluating the information/data recovered to determine if and how it could be used
again the suspect for employment termination or prosecution in court.

Presentation
This step involves the presentation of evidence discovered in a manner which is
understood by lawyers, non-technically staff/management, and suitable as evidence as
determined by United States and internal laws.

COMPUTER SCIENCE & ENGINEERING

Page 7
 Computer Forensics

Computer forensics process

COMPUTER SCIENCE & ENGINEERING

Page 8
 Computer Forensics

Reasons for Evidence

Wide range of computer crimes and misuses

Non-Business Environment: evidence collected by Federal, State and local authorities

for crimes relating to:

 Theft of trade secrets

 Frauda
 Extortion
 SPAM investigations
 Virus/Trojan distribution
 Homicide investigations
 Intellectual property breaches
 Unauthorized use of personal information
 Forgery
Computer related crime and violations include a range of activities including:

Business Environment:

 Theft of or destruction of intellectual property

 Unauthorized activity
 Tracking internet browsing habits
 Reconstructing Events
 Inferring intentions
 Selling company bandwidth
 Software Piracy

COMPUTER SCIENCE & ENGINEERING

Page 9
 Computer Forensics

Users Computer Forensics

 Criminal Prosecutors

◦ Rely on evidence obtained from a computer to prosecute suspects and use as

evidence.
 Civil Litigations

◦ Personal and business data discovered on a computer can be used in fraud,

divorce, harassment, or discrimination cases.
 Insurance Companies

◦ Evidence discovered on computer can be used to mollify costs.

 Private Corporations

◦ Obtained evidence from employee computers can be used as evidence in

harassment, fraud, and embezzlement cases.
 Law Enforcement Officials

◦ Rely on computer forensics to backup search warrants and post-seizure

handling.
 Individual/Private Citizens

Obtain the services of professional computer forensic specialists to support

claims of harassment, abuse, or wrongful termination from employment.

COMPUTER SCIENCE & ENGINEERING

Page 10
 Computer Forensics

Handling Evidence
 Admissibility of Evidence

◦ Legal rules which determine whether potential evidence can be considered by

a court.

◦ Must be obtained in a manner which ensures the authenticity and validity and
that no tampering had taken place.

 No possible evidence is damaged, destroyed, or otherwise compromised by the

procedures used to search the computer.
 Preventing viruses from being introduced to a computer during the analysis process.

 Extracted / relevant evidence is properly handled and protected from later mechanical
or electromagnetic damage.
 Establishing and maintaining a continuing chain of custody.
 Limiting the amount of time business operations are affected.

 Not divulging and respecting any ethically [and legally] client-attorney information
that is inadvertently acquired during a forensic exploration.

COMPUTER SCIENCE & ENGINEERING

Page 11
 Computer Forensics

Handling Information
 Information and data being sought after and collected in the investigation must be
properly handled.
 Volatile Information

◦ Network Information
 Communication between system and the network.

◦ Active Processes
 Programs and daemons currently active on the system.

◦ Logged-on Users
 Users/employees currently using system.

◦ Open Files
 Libraries in use; hidden files; Trojans (root kit) loaded in system.
 Non-Volatile Information

◦ This includes information, configuration settings, system files and registry

settings that are available after reboot.

◦ Accessed through drive mappings from system.

◦ This information should investigate and reviewed from a backup copy.

COMPUTER SCIENCE & ENGINEERING

Page 12
 Computer Forensics

Evidence Processing Guidelines

Following are the 16 recommended steps in processing evidence

Step 1: Shut down the computer

◦ Considerations must be given to volatile information.

◦ Prevents remote access to machine and destruction of evidence (manual or ant-
forensic software).

Step2: Document the Hardware Configuration of the System.

◦ Note everything about the computer configuration prior to re-locating.

Step 3: Transport the Computer System to a Secure Location

◦ Do not leave the computer unattended unless it is locked in a secure location.

Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks.

Step 5: Mathematically Authenticate Data on All Storage Devices

◦ Must be able to prove that you did not alter any of the evidence after the
computer came into your possession.

Step 6: Document the System Date and Time.

Step 7: Make a List of Key Search Words.

Step 8: Evaluate the Windows Swap File.

Step 9: Evaluate File Slack

◦ File slack is a data storage area of which most computer users are unaware; a
source of significant security leakage.

COMPUTER SCIENCE & ENGINEERING

Page 13
 Computer Forensics

Step 10: Evaluate Unallocated Space (Erased Files).

Step 11: Search Files, File Slack and Unallocated Space for Key Words.

Step 12: Document File Names, Dates and Times.

Step 13: Identify File, Program and Storage Anomalies.

Step 14: Evaluate Program Functionality.

Step 15: Document Your Findings.

Step 16: Retain Copies of Software Used.

COMPUTER SCIENCE & ENGINEERING

Page 14
 Computer Forensics

Methods of Hiding Data

 To human eyes, data usually contains known forms, like images, e-mail, sounds, and
text. Most Internet data naturally includes gratuitous headers, too. These are media
exploited using new controversial logical encodings: steganography and marking.

 Steganography: The art of storing information in such a way that the existence of the
information is hidden.
 Watermarking: Hiding data within data
 Information can be hidden in almost any file format.
 File formats with more room for compression are best

 Image files (JPEG, GIF)

 Sound files (MP3, WAV)

 Video files (MPG, AVI)

 The hidden information may be encrypted, but not necessarily.

 Numerous software applications will do this for you: Many are freely
available online.
 Hard Drive/File System manipulation

 Slack Space is the space between the logical end and the physical end of file
and is called the file slack. The logical end of a file comes before the physical
end of the cluster in which it is stored. The remaining bytes in the cluster are
remnants of previous files or directories stored in that cluster.

 Slack space can be accessed and written to directly using a hex

editor.
 This does not add any “used space” information to the drive.
 Hidden drive space is non-partitioned space in-between partitions
COMPUTER SCIENCE & ENGINEERING
Page 15
 Computer Forensics

 The File Allocation Table (FAT) is modified to remove any reference

to the non-partitioned space.

 The address of the sectors must be known in order to read/write

information to them.

 Bad sectors occur when the OS attempts to read info from a sector
unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if
possible) the information to another sector and marks (flags) the sector as bad
so it is not read from/written to again.

 users can control the flagging of bad sectors.

 Flagged sectors can be read to /written from with direct reads and
writes using a hex editor.

 Extra Tracks: most hard disks have more than the rated number of tracks to
make up for flaws in manufacturing (to keep from being thrown away because
failure to meet minimum number).

 Usually not required or used, but with direct (hex editor) reads and
writes, they can be used to hide/read data.
 Change file names and extensions – i.e. rename a .doc file to a .dll file.

COMPUTER SCIENCE & ENGINEERING

Page 16
 Computer Forensics

Methods of Detecting/Recovering Data

• Steganalysis - the art of detecting and decoding hidden data.

– Hiding information within electronic media requires alterations of the media

properties that may introduce some form of degradation or unusual
characteristics.

– The pattern of degradation or the unusual characteristic of a specific type of

steganography method is called a signature.

– Steganalysis software can be trained to look for a signature.

Steganalysis Methods - Detection

– Human Observation

• Opening a text document in a common word processor may show

appended spaces and “invisible” characters.

• Images and sound/video clips can be viewed or listened to and

distortions may be found.

• Generally, this only occurs if the amount of data hidden inside the
media is too large to be successfully hidden within the media (15%
rule).

– Software analysis

• Even small amounts of processing can filter out echoes and shadow
noise within an audio file to search for hidden information.

• If the original media file is available, hash values can easily detect
modifications.

– Disk analysis utilities can search the hard drive for hidden tracks/sectors/data.

COMPUTER SCIENCE & ENGINEERING

Page 17
 Computer Forensics

– RAM slack is the space from the end of the file to the end of the containing
sector. Before a sector is written to disk, it is stored in a buffer somewhere in
RAM. If the buffer is only partially filled with information before being
committed to disk, remnants from the end of the buffer will be written to disk.
In this way, information that was never "saved" can be found in RAM slack on
disk.

– Firewall/Routing filters can be applied to search for hidden or invalid data in IP

datagram headers.

– Statistical Analysis

• Most steganographic algorithms that work on images assume that the

Least Significant Bit (LSB) is random

• If a filter is applied to an image, the LSB bits will produce a

recognizable image, so the assumption is wrong

• After inserting hidden information into an image, the LSB is no longer

non-random (especially with encrypted data). If you apply the same
filter, it will no longer produce a recognizable image

• Statistical analysis of the LSB will tell you if the LSB bits are random
or not

• Can be applied to audio files as well (using LSB)

– Frequency scanning

• Software can search for high, inaudible frequencies.

Steganalysis methods – Recovery

– Recovery of watermarked data is extremely hard.

• Currently, there are very few methods to recover hidden, encrypted

data.
COMPUTER SCIENCE & ENGINEERING
Page 18
 Computer Forensics

– Data hidden on disk is much easier to find. Once found, if unencrypted, it is

already recovered

– Deleted data can be reconstructed (even on hard drives that have been
magnetically wiped)

– Check swap files for passwords and encryption keys which are stored in the
clear (unencrypted)

– Software Tools

• Scan for and reconstruct deleted data

• Break encryption

Example:
GetFree - Forensic Data Capture Tool When files are 'deleted' in DOS, Windows, Windows
95 and Windows 98, the data associated with the file is not actually eliminated. It is simply
reassigned to unallocated storage space where it may eventually be overwritten by the
creation of new files over time. Such data can provide the computer forensics investigator
with valuable leads and evidence.

GetSlack - Forensic Data Capture Utility this software is used to capture all of the file slack
contained on a logical hard disk drive or floppy diskette on a DOS, Windows, Windows 95
and/or Windows 98 computer system. The resulting output from GetSlack can be analyzed
with standard computer utilities or with special NTI tools, e.g., Filter_I and Net Threat
Analyzer software.

Forensic Graphics File Extractor - NTI's Forensic Graphics Image File Extractor is a
computer forensics software tool which was designed to automatically extract exact copies of
graphics file images from ambient data sources and from SafeBack bit stream image backup
files. The latter process has the potential of quickly identifying all graphics file images stored

COMPUTER SCIENCE & ENGINEERING

Page 19
 Computer Forensics

on a computers hard disk drive. The resulting output image files can be quickly evaluated
using a graphics file viewer.

DiskScrub - Hard Drive Data Elimination Software It is becoming standard practice in

corporations, government agencies, law firms and accounting firms to reassign computers
and to donate older computers to charity. Millions of personal computers have been put to
use since 1981 when the IBM Personal Computer came into existence. Many of the older
personal computers have been reassigned or donated to charity and many more will fall into
this category in the future. However, data security is often ignored when computers change
hands. You must be aware that personal computers were never designed with security in
mind. Potentially anything that transpired on a used computer still exists. Multiply that by the
number of computers your organization will reassign or surplus this year, and you get the
point. Computers should be reassigned and donated to charity but the contents of the hard
disk drives should not be ignored. With computer technology changing almost daily,
corporations and government agencies have to stay current while still making the best uses of
aging computer resources. Advancements in hard disk drive storage capacities, operating
systems and software applications cause corporations to buy or lease new computers every
year.
But what is done with the old computers? What is done about the sensitive data still
Existing, essentially "stored" on these computers when they are sold, transferred or donated?
That is a serious problem, and NTI's Disk Scrub software was specifically designed to deal
with these risks, for corporations, government agencies, hospitals, financial institutions, law
firms and accounting firms.

COMPUTER SCIENCE & ENGINEERING

Page 20
 Computer Forensics

COMPUTER SCIENCE & ENGINEERING

Page 21
 Computer Forensics

Network forensics
As technology has advanced, computers have become incredibly powerful.
Unfortunately, as computers get more sophisticated, so do the crimes committed with them.
Distributed Denial of Service Attacks, ILOVEYOU and other viruses, Domain Name
Hijacking, Trojan Horses, and Websites shut down are just a few of the hundreds of
documented attack types generated by computers against other computers usually using an
electronic network. The need for security measures to prevent malicious attacks is well
recognized and is a fertile research area as well as a promising practioner's marketplace.
Though there is an immense effort ongoing to secure computer systems and prevent attacks,
it is clear that computer and network attacks will continue to be successful. When attacks are
successful, forensics techniques are needed to catch and punish the perpetrators, as well as to
allow recovery of property and/or revenue lost in the attack. Computer and Network
Forensics (CNF) techniques are used to discover evidence in a variety of crimes ranging from
theft of trade secrets, to protection of intellectual property, to general misuse of computers.
The ultimate goal of computer and network forensics is to provide sufficient evidence to
allow the criminal perpetrator to be successfully prosecuted. As such, CNF efforts are mainly
centered in law enforcement agencies. Any enterprise that depends on, or utilizes, computers
and networks should have a balanced concern for security and forensic capabilities.
Unfortunately, there is little academic or industrial research literature available on CNF.
Forensic techniques are developed by the try and fix method, and few organizations have
plans for conducting forensics in response to successful attacks. We propose several
categories of policies that will help enterprises deter computer crime and will position them
to respond effectively to successful attacks by improving their ability to conduct computer
and network forensics. These policies correlate to taxonomy of approaches common to
computer attacks. We present policies in the following categories: Retaining Information,
Planning the Response, Training, Accelerating the Investigation, Preventing Anonymous
Activities and Protecting the Evidence.
The evidence found during a forensic investigation may depend on the type of crime
committed. For example, in a criminal case, incriminating evidence may be found such as
documents related to homicides, financial fraud, drug or embezzlement record keeping, or

COMPUTER SCIENCE & ENGINEERING

Page 22
 Computer Forensics

child pornography. In a civil case, evidence of personal and business records related to fraud,
divorce, discrimination, or harassment could be found.

CNF experts are not only hired by lawyers. CNF techniques are sometimes needed by
insurance companies to discover evidence to decrease the amount paid in an insurance claim.
Individuals may also hire CNF experts to support a claim of wrongful termination, sexual
harassment, or discrimination. Gathering evidence is at the heart of CNF. In computer-related
crimes, evidence is accumulated from information collected by different components of the
system. The information does not become evidence until a crime is committed and this data
is used to find clues. For this reason, we call the data collected by the system potential
evidence. There are many sources of potential evidence in computers and network
components. Files are an obvious source of potential evidence. Application output word
processors, spread sheets, etc. are almost always valuable potential evidence, as are hidden
application files that may contain history information, caches, backups, or activity logs.
Occasionally, sophisticated criminals may encrypt incriminating files or attempt to hide them
with system-oriented or otherwise unlikely looking names. There are numerous sources of
potential evidence, which we discuss more exhaustingly in the section dedicated to
establishing recommended policies. Because gathering potential evidence may not be as easy
as finding application files on a computer, it requires someone with special skills. CNF
experts are specially trained with the skills necessary to successfully carry out a forensic
investigation. A forensics expert must have the investigative skills of a detective, the legal
skills of a lawyer, and the computing skills of the criminal. Even with these skills, CNF is not
an exact science, so there is no guarantee that an expert will find sufficient evidence.
However, experienced forensics specialists can find more potential evidence than even the
best hackers will expect.

COMPUTER SCIENCE & ENGINEERING

Page 23
 Computer Forensics

Advantages of Computer Forensics

It has an ability to search through a massive amount of data
 Quickly
 Easily
 Thoroughly
 In any language

Disadvantages of Computer Forensics

 Digital evidence accepted into court
 Must prove that there is no tampering.
 All evidence must be fully accounted for.

 Computer forensic specialists must have complete knowledge of legal

requirements, evidence handling and storage and documentation procedures
Costs.
 Producing electronic records & preserving them is extremely costly.

 Presents the potential for exposing privileged documents.

 Legal practitioners must have extensive computer knowledge.

COMPUTER SCIENCE & ENGINEERING

Page 24
 Computer Forensics

Conclusion
Practical investigations tend to rely on multiple streams of evidence which
corroborate each other - each stream may have its weaknesses, but taken together may point
to a single conclusion. Disk forensics may remain for some time the single most important
form of digital evidence .Increasing number of computer crime means increasing demand for
computer forensics services. In doing computer forensics investigation, choosing the right
disk imaging tool is very important. There is no standard conformity of computer forensic
imaging methodology or tool. This paper only provides guidance and suggestions regarding
imaging tool. It should not be constructed as mandatory requirement.
Today, everyone is exposed to potential attacks and has a responsibility to its network
neighbors to minimize their own vulnerabilities in an effort to provide a more secure and
stable network. As the enormity of the problem unfolds, we will better comprehend how vital
it is to work towards dramatic changes in research, prevention, detection and reporting, and
computer crime investigation. Security can no longer be thought of as an impediment to
accomplishing the mission, but rather a basic requirement that is properly resourced.
Our focus has been to implement the newest and most advanced technology, but little
has prepared us for the gaping security holes we‟ve neglected to mend along the way. From
the ranks of management to every employee that works behind each terminal, the policies
that protect and mitigate risks must be current, understood, and aggressively enforced.
Reporting must be standard operating procedure so that everyone can realize the total impact
and define what is required for a secure cyber environment. The responsibility belongs to
everyone and it is with that effort we will be able to harness the security of this new
technological age. An enormous challenge lies before us and we must attack it with the same
enthusiasm and determination that brought us to this new frontier.

COMPUTER SCIENCE & ENGINEERING

Page 25
 Computer Forensics

References
 All State Investigations, Inc. January 2005 http://www.alls
tateinvestigation.com/ComputerForensicServices.htm
 Computer Forensics, Inc. http://www.forensics.com/
 Computer Forensic Services, LLC. January 2005.
http://www.computer-forensic.com/index.html
 International Association of Computer Investigative
Specialists. January 2005. http://www.cops.org/

 Middlesex County Computer Technology. January 2005.

http://www.respond.com/countyguides/1800000002/NJ/
023

 Virtue, Emily. “Computer Forensics: Implications for

Litigation and Dispute Resolutions.” April 2003.
http://ncf.canberra.edu.au/publications/emilyvirtue1.p
df

COMPUTER SCIENCE & ENGINEERING

Page 26