Mag. iur. Dr. techn.

Michael Sonntag

Introduction to Computer forensics

Computer forensics

Institute for Information Processing and

Microprocessor Technology (FIM)
Johannes Kepler University Linz, Austria
E-Mail: [email protected]
http://www.fim.uni-linz.ac.at/staff/sonntag.htm

© Michael Sonntag 2008

 Agenda

z What is computer forensics?

Æ When and where is it used?
Æ Who may use such techniques?
z Computer forensics vs. encryption
z Computer forensics vs. steganography
z Securing evidence
Æ Running systems
Æ "Inert" systems
z What information can be obtained in which circumstances?
z Legal aspects:
Æ Classifying information to look for according to crimes
Æ Admissibility of evidence

Michael Sonntag Computer forensics: Introduction to Computer Forensics 2

 What is "Computer Forensics"?

z Computer Forensics (CF) is obtaining digital evidence

» Analogue evidence is usually not considered here: Use
"ordinary" forensics to gather/evaluate
– Analogue computers are almost non-existing today!
Æ This may come from running systems or parts of them
» Hard disks flash drives, PDAs, mobile phones, telephones etc.
Æ Can be evidence for computer crimes (computer fraud,
hacking, …) or any other crime (documents with plans for x)
or for various other uses

z One indispensable issue is "data integrity"

Data is easily changeable:
Evidence is then and only then usable in proceedings, if it is
ensured, that it has not been changed!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 3
 What is "Computer Forensics"?
z Other definitions:
Æ Analytical techniques to identify, collect, preserve, and examine
evidence/information which is magnetically stored or encoded
» Problem: "magnetically" Æ Flash disks, running systems?
» Better: "in computerized systems and their parts"
Æ We define computer forensics as the discipline that combines
elements of law and computer science to collect and analyze
data from computer systems, networks, wireless
communications, and storage devices in a way that is
admissible as evidence in a court of law.
» Focus on legal proceedings; there are many other uses as well!
– Note that this is the "highest" form: If evidence is sufficient for
criminal proceedings, it can be used for everything else as well!
ÆA technological, systematic inspection of the computer system
and its contents for evidence or supportive evidence of a crime
or other computer use that is being inspected.
Michael Sonntag Computer forensics: Introduction to Computer Forensics 4
 The basic principles of CF

z No action to secure/collect evidence should affect its integrity

Æ It becomes much less worth/completely worthless!
z Examiners should be trained
Æ Only investigate as far as your knowledge goes
z All activities should be logged
Æ Seizure, examination, storage, and transfer
» Complete chain of custody (including its security measures)
Æ Documented, preserved, and available for review
» Proof for the chain of custody
z Investigations must be accurate and impartial
Æ Computer forensic ≠ prosecutor/attorney/judge
» Describe what was actually found
– And what should have been found, but was missing!
» Describe how reliable these facts are
» Describe what conclusions can reasonably be drawn from it
Michael Sonntag Computer forensics: Introduction to Computer Forensics 5
 When to use CF?

z To provide digital evidence of specific activity

Æ In general, proving non-activity might also be the goal, but
this is more difficult and only sometimes possible!
z For legal proceedings
Æ Criminal cases: Child pornography, computer fraud, ...
Æ Civil cases: Hacking, information theft, industry espionage, …
z Recovering data
Æ (In)advertently deleted information
z Identifying weaknesses
Æ After a break in, identify the method employed to prevent it in
the future
z Identifying the attack/attacker
Æ Verify, whether an incident actually happened and who was
responsible for it
Michael Sonntag Computer forensics: Introduction to Computer Forensics 6
 When to use CF?
Concrete examples

z Misuse of ICT by employees

Æ Unauthorized disclosure of data
Æ Internet (WWW, E-Mail, …) abuse
Æ Deleted/damaged information
z Exploiting ICT
Æ Industrial espionage
Æ Hacking of systems
Æ Infiltration (zombie, trojans, viruses, …)
z Damaging ICT
Æ Web page defacements
Æ Denial of Service attacks
Æ Crashing computers
z Use of ICT
Æ
Michael Sonntag
Storing data on various (planned) crimes
Computer forensics: Introduction to Computer Forensics 7
 Who should/may use CF?

z Authorization required for accessing data

Æ See privacy laws!
z Live monitoring, hacking, password cracking etc. tools are
legally very "dangerous"!
Æ Possession alone might be criminal
» Good explanation and evidence for its necessity is required!

z Personnel to "do" CF:

Æ System administrators in their own area
Æ Experts for courts or private investigations
Æ Everyone on their own system
» Note: A second person (Æ e.g. husband/wife) uses the system
means, that consent by this person is indispensable!

Michael Sonntag Computer forensics: Introduction to Computer Forensics 8

 Where to find evidence
z Disks: Hard disks, USB-Disks, floppy disks, tapes, …
Æ The typical "storage medium"
Æ Note: These can be very small and very easily hidden
» They might also pose as "normal" objects
– Example: USB-Stick in pocket knife!
z Devices: Mobile phones, PDAs, MP3 players, …
Æ Directly or in disks contained therein
Æ Not a storage medium, but usually may contain arbitrary data
» In addition to the "normal" data like music, contacts etc.!
z Recorders: Cameras, audio recorders, GPS trackers, …
Æ Similar to devices: Own data + any other stored data
z Digital copiers/printers
Æ Might add a serial number to each copied/printed sheet!
Æ May contain old scanned pages
Michael Sonntag Computer forensics: Introduction to Computer Forensics 9
 The sequence of actions in CF
(1)

z Secure and isolate

Æ Remove all other personnel
Æ Keep reliable witness (police, other third persons)
» To protect against "The investigator added this data!"
z Record the scene
Æ Photograph, write down
» Example: Mouse on left or right side? Æ Left-/Right-handed
» How are the systems connected (WLAN!)?
» What is the current state (running; screen content; …)
z Conduct a systematic search for evidence
Æ Especially: Notes with passwords, hints for online services
used, storage mediums (USB sticks, flash cards etc.)
» More "conventional" search, but important
» E.g. steganography impossible without programs Æ Disks, …
Æ Printouts in waste paper basket, …
Michael Sonntag Computer forensics: Introduction to Computer Forensics 10
 The sequence of actions in CF
(2)
z Collect and package evidence
Æ Keep it safe (no loss/destruction) and secure (no changes)
» Secure wrapping; external influences
» Especially: Magnetic media and magnet fields
– Modern harddisks are resilient, but not all media are as safe!
» Flash cards, USB sticks, etc.: Static electricity
z Maintain chain of custody
Æ Keep log on who has access and restrict this access
z Inspect and evaluate data
Æ The main aspect we are going to cover here!
Æ Perhaps triage: Immediate brief investigation
» What to impound, already some illegal material found Æ arrest
Æ Detailed investigation + report in lab (from copy of media!)
z Present the results
Æ In a report and/or before the court
Michael Sonntag Computer forensics: Introduction to Computer Forensics 11
 Chain of Custody
z Guaranteeing identity and integrity of the evidence
z Requirements:
n Making sure, the piece of evidence introduced is the same as
was taken from the suspect/scene of crime/….
» Serial numbers Æ All harddisks/USB/… look exactly the same!
o Making sure there was no tampering with it
» Witnesses of actions, trust in the person
p Making sure of the transition to the next custodian
» Who got it next, i.e. when was a chance for tampering
– Lying around somewhere? Handed to a untrusted person? …
Æ Repetition of o and p until the presentation in court
z Note: Digital evidence has a very nice property here: Hash
values can nicely prove the "no tampering"!
Æ Acquire as early and trustworthy as possible
Æ Store it "securely", e.g. on paper with signature of third person
Michael Sonntag Computer forensics: Introduction to Computer Forensics 12
 The main problems of CF

z Anything done to a system changes it

Æ Especially problematic for running systems
Æ Usually not a problem for hard disks
» Reading data may change the content microscopically …
z You can never trust the system under investigation
Æ It may be hacked, modified by the owner etc.
z Proving you did not change anything is difficult
Æ You must be "above suspicion" and take precautions
z The past can never be known
Æ We can only find hints what might have possibly been
» The content could have been manufactured by someone!
» This can be pretty good evidence, but no absolute proof
z Not everyone knows everything
Æ Every forensic examination is limited through the examiner!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 13
 An increasing problem of CF:
Networking & Security
z Today much data is not stored on "the" computer anymore
Æ FTP server, bulletin boards, "online harddisks"
» Example: RapidShare and similar services
Æ Webmail accounts
Æ Remote harddisks
Æ VPN networks to other systems
z Obtaining a copy of one system is often not enough today!
Æ Find traces of the existence of remote information
Æ Find traces of the remote information itself
» Caches, paging file, file slack, …
Æ Try to access this remote information
» By seizure, copying, access over the network, …
z Encrypted disks are difficult
Æ Obtain keys from memory of running system if possible
Æ
Michael Sonntag
See also TPM (Trusted Platform Module)
Computer forensics: Introduction to Computer Forensics 14
 The order of volatility

z Registers, caches
z Memory
z Network state (routing configuration, estab. connections)
z Running processes
z Media in use: Disks in use
z Backup media: Disks not in use, tapes
z WOM: CD-ROMs, DVDs
z Analogue material: Paper, fingerprints, DNA, …

Evidence should be secured/collected in this order !

z Power management (e.g. sleep) can be a great help here

Æ Used also normally, so the likelihood of delete-scripts is low)!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 15
 Computer forensics vs. encryption
z CF does work, but doesn't bring usable results if the data
dis-/recovered is encrypted
Æ Depends strongly on the kind of encryption!
z For some programs, decryption software is readily available
Æ Especially the integrated encryption of MS Office and Zip!
Æ Sometimes based on weaknesses or short keys
» But otherwise just brute force attacks: High computing power,
special software, and long time may be necessary!
z If really good encryption is used, there is almost no chance
of decryption without the key (or brute force)
Æ One of the reason for the hidden searches: Get at the data
before/after it has been en-/decrypted!
Æ But: Very often passwords are known words (Æ lists!),
are written down somewhere, stored somewhere, …
» Important to search the environment for any clues!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 16
 Data hiding methods

z Numerous approaches to hide data exist :

Æ Through the operating system
» Mark as "hidden", "system", ...; use ADS
Æ File extension modification: "order.txt" Æ "cmd.com"
Æ RAM slack: End of file Æ End of sector
Æ File slack: End of file Æ end of cluster
Æ Partition slack: End of partition Æ end of track
Æ Disk slack: End of last partition Æ end of disk
Æ Unallocated/bad sectors
Æ Delete file / partition; format disk
Æ Steganography
z Attention: Several methods are "unstable", i.e. further actions
might destroy the data Æ Using such methods is complex!
z Many approaches require special programs (Hints!)
Michael Sonntag Computer forensics: Introduction to Computer Forensics 17
 Introduction to Steganography

z Steganography: Hiding messages

Æ The intention is, that there is no sign, that data exists at all
z Typical "recipients": graphics, HTML, text, executables
Æ Usual problem: Only a small part of the content data can be
used for hiding information Æ Large "cover" for little "content"!
z Usage areas:
Æ Where encryption is illegal
Æ When the fact of communication itself should be hidden
z Combining encryption and steganography
Æ Makes detection through statistics much harder!
z Relation to computer forensics:
Æ Hiding data in "inaccessible" places is steganography too
Æ Examples: Various slack spaces, alternate data streams
» Rather easy to uncover, if presence is known!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 18
 Problems of Steganography

z Not very resilient:

Æ Data hidden in images is easily destroyed through recoding
Æ Text can be reformatted
z Not all base data is suitable:
Æ Many files are exactly "known": E.g. OS files cannot be used
to hide data within them
» See also the problems caused by signed code!
z Complicated to use: Additional tools necessary
Æ These can be found on the computer, disks, USB sticks, …
» But need not necessarily be installed!
z Large pieces of seemingly important base material needed
Æ This is not always available, or is a hint to hidden data
z Requires a high level of knowledge to be "good"
Æ Free tools are available, but these are often easily detected!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 19
 CF vs. Steganography

z In practice, Steganography seems to be rather rare

Æ There are much easier methods for hidden communication!
» E.g. the personal ad columns with certain pre-defined texts
» If the text to hide is very long (or multiple pictures, videos),
Steganography is still problematic
z Still, looking for hints that it has been applied should be part
of every investigation
Æ Are there any traces of Steganography programs?
Æ Is there suspicious data?
z Brute force attacks, e.g. using steganalysis programs on all
images on a computer, are probably less useful
Æ Takes very long and it's not very probable to find anything
» Mostly, the programs only "support" specific tools!

Michael Sonntag Computer forensics: Introduction to Computer Forensics 20

 Securing evidence:
General considerations

z Evidence must be secured in a "trustworthy" way

Æ Nobody should later be able to question the authenticity
z Evidence should be collected as fast as possible, but
without destroying anything
Æ This might mean, keeping some devices powered, others
without power
» Keep with power: mobile phones, PDAs, fax machines, …
» Store without power: Flash disks, hard drives, computers
Æ Disconnect any communication to/from the device
– Attention: Not necessarily immediately!
» E.g. mobile phones: Shielding (no powering off!)
» Computers: Network cables, phone lines, serial lines etc.
Æ Check with other forensic experts: Fingerprints
» Obtaining traces can damage electronic media!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 21
 Securing evidence

z Secure the scene

Æ Preservepotential fingerprints, ensure personnel safety
Æ Immediately restrict access to computers
» Physically; electronically comes next!
Æ Document current state (hardware & software)
z Secure the computer as Evidence
Æ If the computer is "OFF", do not turn it "ON"
» Disconnect all power sources; unplug from wall AND computer
» Place evidence tape over each drive slot
» Photograph/diagram and label back of components with existing
connections
» Label all connectors/cable end to allow reassembly as needed
» Package components and transport/store components as "fragile"
» Keep away from magnets, radio transmitters, heated seats, etc.
z Interview all persons/witnesses
Michael Sonntag Source: US Secret Service Computer forensics: Introduction to Computer Forensics 22
 Securing evidence:
Online computers (1)

Æ If the computer is "ON"

» Stand-alone computer (non-networked)
– Consult computer specialist
– If specialist is not available
» Photograph screen
» Disconnect all power sources; unplug from wall AND computer
» Continue as with offline computer!
» Networked or business computers / Routers
– Consult a Computer Specialist for further assistance, because pulling
the plug could:
» Severely damage the system
» Disrupt legitimate business
» Create officer and department liability

z Please note: Typical procedure for non-experts

Æ Experts will (try to) acquire the runtime-state first!
Michael Sonntag Source: US Secret Service Computer forensics: Introduction to Computer Forensics 23
 Securing evidence:
Online computers (2)
z Better: Obtain as much information from the running system
as possible; only then "shutdown" the system
Æ General rule: Do not alter the state (On Æ On, Off Æ Off)!
n Obtain a copy of the complete state
Æ Copy of the complete memory
» With as little changes as possible!
– Some additional software MUST be started for transfer!
Æ Output of various "state" commands, e.g. running processes,
open network connections, open files/shares, …
o Remove power cable from computer
» In general, some files might be destroyed, so the computer might
not boot anymore. But much less data is lost/changed in this way
than when shutting it down!
– "Delete paging file on shutdown", "Clear privacy data when I close Firefox", …
Æ Not from wall socket: There might be a UPS somewhere!
Æ Laptops: Remove accumulator (both if present) as well
Michael Sonntag Computer forensics: Introduction to Computer Forensics 24
 Pulling the plug

z Note: Other recommendations are bit more sophisticated

Æ Servers: Shutdown
» Much data can be destroyed when a file/database/E-Mail server is
"killed", which can be a problem for companies
– Data is lost, computer must be reinstalled/backups restored, …
» Little danger of deletion/modification scripts
– These might be shut down at any point in time by someone else
Æ Workstations: Pull plug
» Little damage to be done by killing
» Usually full control by a single person Æ Traps much likelier
» Restore much quicker and easier
» Affects only a single private person, not a huge company!
Æ Appliances: Pull plug
» They typically are built to survive this without any damage
» The runtime data must be copied before, of course!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 25
 The Heisenberg principle - Analogon
z It is impossible to completely capture an entire running
system at any point in time
Æ Every kind of "copying the state" will change the state itself!
z The goal to reach:
Æ With as little changes as possible
Æ Without distortion (like installing additional software)
Æ Without bias (like adding hardware/software)
» With additional hardware, the data state alone can be captured
completely and without its modification!
z Decisions are necessary, what to do (and with that tools!)
Æ Generally, try to obtain as much information as possible
without changing too much
Æ Examples: Display the running processes and photograph
the output on the screen
» Even better: Use your own (statically linked) program from a CD
Michael Sonntag Computer forensics: Introduction to Computer Forensics 26
 Interviewing personnel/witnesses
z Very important: Encryption, Steganography!
z Information to obtain:
Æ Owner
Æ User names, passwords
» PW: Account, BIOS, E-Mail, configuration, network, ISP,
applications, token codes, …
Æ Procedures for access (log in method)
Æ E-Mail addresses, online services/applications used, ISP
Æ Purpose of the system, persons using it
Æ Security schemes (self-destruct systems; e.g. delete scripts)
Æ Offsite data: Backups, online replications, …
Æ Documentation of the system: Version numbers
z Note also when information is not provided!
» Or what turns out to be incorrect
Æ
Michael Sonntag
Won't help the investigation, but may be important in court 27
Computer forensics: Introduction to Computer Forensics
 Guiding the search for information

z The aim of the search is most important

Æ Is it a search for "something illegal", a specific crime, or
whether the image "xyz.jpg" is present on the computer?
Æ Uncovering all information that is recoverable is possible, but
also a lot of work (and therefore very expensive!)!
z Assessing the proficiency of the suspect
Æ What "hiding" can reasonable be expected?
» If unknown, always assume the worst, i.e. expert techniques!
z When to stop:
Æ If something matching has been found or must all/the most of
such data be recovered?
Æ Monetary considerations (expenses)

Michael Sonntag Computer forensics: Introduction to Computer Forensics 28

 Information according to crimes
z Electronic intrusion
Æ Configuration files
Æ Executable programs and source code/scripts
Æ Open ports, running processes (esp. servers)
Æ Logs: Activity, connection, programs, communication, …
z Fraud
Æ Address books, calendars: Physical, E-Mail etc.
Æ Images: Cheques, currency, Western Union, signatures,
products, …
Æ Credit card data, esp. CVC
Æ Office documents: Letters, spreadsheets, databases
Æ Banking/accounting software: Dedicated and online
Æ Internet activity: Logs, caches, cookies, …
Æ Account information: eBay, banks, …
Æ Communication history: E-Mails, chat logs
Michael Sonntag Computer forensics: Introduction to Computer Forensics 29
 Information according to crimes
z Undesirable communication (threats, spam, mobbing)
Æ Address information: E-Mail, telephone, …
Æ Documents: Background information, diaries, legal etc.
Æ Communication: Letters, E-Mails, SMS, chat logs, …
Æ Internet activity: Cache, logs, cookies
Æ Accounts: Online communication facilities
Æ Images: Person, products, fakes
Æ Software: Mass mailers, text/image/PDF generators
Æ Financial information: Accounts, banking
z Violence: Child abuse/pornography, domestic v., death
Æ Images, especially hidden ones, and videos
Æ Date and time stamps
Æ Internet activity: Cache, logs, cookies, access time, searches
Æ Software: Communication, photo, P2P
Æ Address information and communication: E-Mails, chats, tel.
Æ Documents: Legal, medical
Michael Sonntag Computer forensics: Introduction to Computer Forensics 30
 Information according to crimes

z Identity theft
Æ Personal information: Name, address, credit card, …
Æ Communication: Especially copies of other person's,
obtaining/buying information online
Æ Software: Generators (names, credit card numbers), imaging
(scanner, photo modification)
Æ Images: Certificates, forms, signatures
Æ Documents: Forms, letters, orders, …
Æ Electronic signatures
Æ Internet activity: Cache, logs, searches

Michael Sonntag Computer forensics: Introduction to Computer Forensics 31

 Information according to crimes

z Copyright
Æ Software: P2P, CD/DVD-burning, encryption, recoding, key
generators, cracks
Æ Documents: Serial numbers, authorization information
Æ Internet activity: Cache, logs, searches, cookies
Æ Images: Covers, license forms
Æ Communication information: E-Mail, chat
Æ Accounts: Web-Sites, FTP, shops
Æ Date and time stamps

Michael Sonntag Computer forensics: Introduction to Computer Forensics 32

 Admissibility of evidence
(1)
z Digital information is no evidence as such alone
Æ Illegal image on disk? How did it come to be there? Unknown!
» Was it the accused, someone else with his account, the police, a
hacker who broke in over the network, … ?
» Additional information can help if present
– Physical access to computer, logon-history, encryption etc.
z One very important aspect is the person collecting and
interpreting the evidence
Æ If this person is trusted, then no later modifications took place
Æ When a conclusion is stated as a fact, the person will not be
very useful, as judges will not believe them
» Fact = Observable
– Example: Car braking took x meters (measured on asphalt)
» Conclusion = Fact + interpretation/general rules
– Example: Start speed was y km/h because of known friction of tires,
weight of car, laws of physics, …
Michael Sonntag Computer forensics: Introduction to Computer Forensics 33
 Admissibility of evidence
(2)

z Continental law:
Æ Generally all evidence is admissible, regardless how obtained
» But what evidence is worth depends on
– How it was collected and stored
– By whom it was collected
– Who analyzed it
– How it was analyzed
– Whether the conclusions are supported by facts
– Whether the conclusions are "state of the art"
Æ Typically the judge (or a jury) decides
z Common law:
Æ Facts might also be fixed by parties!
» If agreed upon, judge/jury cannot discuss it any more
Æ Esp. USA: "fruit of the poisonous tree" doctrine
» Evidence obtained unlawfully may not be used
Michael Sonntag Computer forensics: Introduction to Computer Forensics 34
 Documenting actions

z All actions during an investigation must be documented

Æ This starts with acquiring the evidence!
» Writing down and photographing when/how the computer was
found, which state it was in, etc.
z Running systems: Every single command entered must be
documented with the time and the complete results
Æ Ideally the log and the result should be stored as a file with a
checksum to verify its integrity
z Offline systems:
Æ The state must be exactly documented, e.g. checksums over
the whole disk
Æ Every step of the examination should be documented like in
a running system
z Generally: Document also tools (make, version, …) used!
Michael Sonntag Computer forensics: Introduction to Computer Forensics 35
 Final report: General information

z Identity of the examiner

z Identification of the case, e.g. case numbers
z Subject of examination
Æ List of and serial numbers of disks/components/…
z Procedural history
Æ When was what piece of evidence received, examined,
passed on, reported upon, …
Æ Description of the examination: Who did what when
z Results and conclusions
Æ Facts (see next slide): What was found
Æ Conclusions: What can be derived from that?
» This must conform to a very high degree and state assumptions!
– Example: Time of computer matches "real" time, file access date is
12.12.06 (facts) Æ File was accessed at that time
» Note: Changing the clock, who used the computer, network connections, …?
Michael Sonntag Computer forensics: Introduction to Computer Forensics 36
 Final report: Content

z Summary of findings (non-technical language!)

z Detailed findings:
Æ Specific files matching the search
» And other files supporting the findings
Æ String searches, keywords searches, and text string searches
Æ Internet-evidence: Web traffic analysis, chat logs, cache files,
E-Mail, newsgroup activity, ICQ/Skype/… activity
Æ Graphic image analysis
Æ Ownership status of all files found
» Who of the users owned them/when were they created/accessed
Æ Techniques used to hide data or limit access to it
» Steganography, encryption, hidden attributes/partitions/streams
» Incorrect file names (e.g. JPEG files with ".bin" extension)
z Annex: Printouts, digital copies, documentation
Michael Sonntag Computer forensics: Introduction to Computer Forensics 37
 Conclusions

z Obtaining some information from hard disks is easy

Æ Ensuring it is complete and usable in courts is difficult!
Æ There is only a single chance …
z A wide variety of hardware exists, which must be treated
differently and contains various information
Æ Specialization is needed for in-depth investigation
z The huge amount of data on modern computers is a problem
Æ Try to reduce the scope of investigation
» Lists of "known good" files
Æ Automate examination
» Keyword searches, deleted file recreation etc.
z Expensive software needed
Æ Some investigation also possible with cheaper tools
Æ Open source software available partly
Michael Sonntag Computer forensics: Introduction to Computer Forensics 38
 ? ?
Questions? ?
?
Thank you for your attention!

?
?
© Michael Sonntag 2008
 Literature

z NIJ Report: Forensic Examination of Digital Evidence: A

Guide for Law Enforcement. http://www.ojp.usdoj/nij
z NIJ Report: Electronic Crime Scene Investigation: A Guide
for First Responders. http://www.ojp.usdoj/nij
z dns: An introduction to: Computer Forensics
http://www.dns.co.uk/NR/rdonlyres/5ED1542B-6AB5-4CCE-
838D-D5F3A4494F46/0/ComputerForensics.pdf

Michael Sonntag Computer forensics: Introduction to Computer Forensics 40