Computer Forensic and its uses:- Computer
Forensics is a scientific method of
investigation and analysis in order to gather
evidence from digital devices or computer
networks and components which is suitable for
presentation in a court of law or legal body. It
involves performing a structured investigation
while maintaining a documented chain of
evidence to find out exactly what happened on
a computer and who was responsible for it.
TYPES:-Disk Forensics: It deals with
extracting raw data from the primary or
secondary storage of the device by searching
active, modified, or deleted files. Network
Forensics: It is a sub-branch of Computer
Forensics that involves monitoring and
analysing the computer network traffic.
Database Forensics: It deals with the study and
examination of databases and their related
metadata. Malware Forensics: It deals with the
identification of suspicious code and studying
viruses, worms, etc. Email Forensics: It deals
with emails and their recovery and analysis,
including deleted emails, calendars, and
contacts. Memory Forensics: Deals with
collecting data from system memory (system
registers, cache, RAM) in raw form and then
analysing it for further investigation. Mobile
Phone Forensics: It mainly deals with the
examination and analysis of phones and
smartphones and helps to retrieve contacts, call
logs, incoming, and outgoing SMS, etc., and
other data present in it. USES:- Track
computer use, discover critical data, and make
copies of information that will be used in court,
it helps the government agencies as well as
private enterprises to control their risk and
maximize security. Computer forensics is also
used to know about the extent of a data breach or
any attack on the network. With the right tools,
police or concerned authorities can uncover
critical or criminal files on the devices. With
computer forensics, one can track the hacking or
attacks to know their source or origin.
Computer Forensic Services:-Computer
forensics professionals should be able to
successfully perform complex evidence recovery
procedures with the skill and. For example, they
should be able to perform the following services:
1.DATA SEIZURE:Following federal
guidelines, computer forensics experts should
act as the representative, using their knowledge
of data storage technologies to track down
evidence.2.DATA DUPLICATION:By making
an exact duplicate of the needed data the
computer forensics experts should acknowledge
the concerns that are important while seizing the
data. When experts works on the duplicate data,
the integrity of the original is maintained. 3.
DATA RECOVERY: Using proprietary tools,
your computer forensics experts should be able
to safely recover and analyse otherwise
inaccessible evidence. 4.DOCUMENT
SEARCHES: Computer forensics experts
should also be able to search over 200,000
electronic documents in seconds rather than
hours.5.MEDIA CONVERSION: Computer
forensics experts should extract the relevant data
from old and un-readable devices, convert it into
readable formats, and place it onto new storage
media for analysis. 6. EXPERT WITNESS
SERVICES: Computer forensics experts should
be able to explain complex technical processes
in an easy-to- understand fashion
7.COMPUTER EVIDENCE SERVICE
OPTIONS Computer forensics experts should
offer various levels of service, each designed to
suit your individual investigative needs like
Standard service and On-site service.
Steps taken by Computer Forensic
Specialists:- The computer forensics specialist
should take several careful steps to identify and
attempt to retrieve possible evidence that may
exist on a subject’s computer system. For
example, the following steps should be taken: 1.
Protect the subject computer system during the
forensic examination from any possible
alteration, damage, data corruption, or virus
introduction. 2. Discover all files on the subject
system. This includes existing normal files,
deleted yet remaining files, hidden files,
password-protected files, and encrypted files. 3.
Recover all of discovered deleted files. 4.
Reveal the contents of hidden files as well as
temporary or swap files used by both the
application programs and the operating system. 5.
Access the contents of protected or encrypted
files. 6. Analyze all possibly relevant data found
in special areas of a disk. This includes but is not
limited to what is called unallocated space on a
disk, as well as slack space in a file 7. Print out
an overall analysis of the subject computer
system, as well as a listing of all possibly
relevant files and discovered file data. 8.
Provide an opinion of the system layout, the file
structures discovered, any attempts to hide,
delete, protect, and encrypt information; and
anything else that appears to be relevant to the
overall computer system examination. 9.
Provide expert consultation and testimony, as
required.
Types of Computer Forensic technology:-
1)TYPES OF MILITARY COMPUTER
FORENSIC TECHNOLOGY:-Real-time
tracking of potentially malicious activity is
especially difficult when the pertinent
information has been intentionally hidden,
destroyed, or modified in order to elude
discovery. The Computer Forensics Experiment
2000 (CFX-2000) resulted from the partnership
of information directorate and NIJ. CFX-2000 is
an integrated forensic analysis framework. The
central hypothesis of CFX-2000 is that it is
possible to accurately determine the motives,
intent, targets, sophistication, identity, and
location of cyber criminals and cyber terrorists
by deploying an integrated forensic analysis
framework. The cyber forensic tools involved in
CFX-2000 consisted of off-the-shelf software
and R&D prototypes. CFX includes SI-FI
integration environment.
TYPES OF LAW ENFORCEMENT
COMPUTER FORENSIC TECHNOLOGY:-
Computer Evidence Processing Procedures:-
Processing procedures and methodologies
should conform to federal computer evidence
processing standards. 1. Preservation of
Evidence:- Computer evidence can be useful in
criminal cases, civil disputes, and human
resources/ employment proceedings. Black box
computer forensics software tools are good for
some basic investigation tasks, but they do not
offer a full computer forensics solution.
SafeBack software overcomes some of the
evidence weaknesses inherent in black box
computer forensics approaches. 2. Disk
Structure Computer forensic experts must
understand how computer hard disks and floppy
diskettes are structured and how computer
evidence can reside at various levels within the
structure of the disk. 3. Data Encryption
Computer forensic experts should become
familiar with the use of software to crack
security associated with the different file
structures.4. Matching a Diskette to a
Computer Specialized techniques and tools that
make it possible to conclusively tie a diskette to
a computer that was used to create or edit files
stored on it. Computer forensic experts should
become familiar how to use special software
tools to complete this process. 5. Data
Compression Computer forensic experts should
become familiar with how compression works
and how compression programs can be used to
hide and disguise sensitive data and also learn
how password- protected compressed files can
be broken. 6. Erased Files Computer forensic
experts should become familiar with how
previously erased files can be recovered by using
DOS programs and by manually using data-
recovery technique & familiar with cluster
chaining. 7. Internet Abuse Identification and
Detection Computer forensic experts should
become familiar with how to use specialized
software to identify how a targeted computer has
been used on the Internet.
TYPES OF BUSINESS COMPUTER
FORENSIC TECHNOLOGY:- 1. REMOTE
MONITORING OF TARGET COMPUTERS
Data Interception by Remote Transmission
(DIRT) is a powerful remote control monitoring
tool that allows stealth monitoring of all activity
on one or more target computers simultaneously
from a remote command centre, No physical
access is necessary. 2.CREATING
TRACKABLE ELECTRONIC
DOCUMENTS: Binary Audit Identification
Transfer (BAIT) is a powerful intrusion
detection tool that allows users to create
trackable electronic documents. BAIT identifies
(including their location) unauthorized intruders
who access, download, and view these tagged
documents. BAIT also allows security personnel
to trace the chain of custody and chain of
command of all who possess the stolen
electronic documents. 3. THEFT RECOVERY
SOFTWARE FOR LAPTOPS AND PCS: PC
PhoneHome is a software application that will
track and locate a lost or stolen PC or laptop
any-where in the world. If your PC PhoneHome-
protected computer is lost or stolen, all you need
to do is make a report to the local police and call
CD’s 24-hour command center. CD’s recovery
specialists will assist local law enforcement in
the recovery of your property.
Computer Forensic Evidence and Capture:-
Data Recovery Defined:- Data recovery is the
process in which highly trained engineers
evaluate and extract data from damaged media
and return it in an intact format. The Role of
Back-up in Data Recovery: The role of Back-
up has changed: The role of backup now
includes the responsibility for recovering user
errors and ensuring that good data has been
saved and can quickly be restored. The Data
Recovery Solution: The complex systems that
have evolved over the past 30 years must be
monitored, managed, controlled, and optimized.
Backups often take place while an application is
running. Evaluate your preparation: If all of
the resources (image copies, change
accumulations, and logs) are available at
recovery time, these preparations certainly allow
for a standard recovery. Finding out at recovery
time that some critical resource is missing can be
disastrous! Checking your assets to make sure
they’re ready should be part of your plan.
Automated Recovery: With proper planning
and automation, recovery is made possible,
reliance on specific personnel is reduced, and the
human-error factor is nearly eliminated. In the
event of a disaster, the Information Management
System (IMS) recovery control (RECON) data
sets must be modified in preparation for the
recovery. Make Recoveries Efficient:
Multithreading tasks shorten the recovery
process. Recovering multiple databases with one
pass through your log data certainly will save
time. Take Back-ups: The first step to a
successful recovery is the backup of your data.
Your goal in backing up data is to do so quickly,
efficiently, and usually with minimal impact to
your customers.
BACK-UP AND RECOVERY SOLUTION:-
BMC software has developed a model called the
Back-up and Recovery Solution (BRS) for the
Information Management System (IMS) product.
Image Copy: BRS contains an Image Copy
component to help manage your image copy
process. Change Accumulation: The BRS
Change Accumulation component takes
advantage of multiple engines, large virtual
storage resources, and high-speed channels and
controllers that are available in many
environments. Recovery: The BRS Recovery
component, which functionally replaces the IMS
Database Recovery utility for null- function
(DL/I) databases and data-entry databases
(DEDBs), allow recovery of multiple databases
with one pass of the log and change
accumulation data sets while dynamically
allocating all data sets required for recovery.
POINTER CHECKING: BRS offers the
capability to verify the validity of database
pointers through the Concurrent Pointer
Checking function. INDEX REBUILD: If
indexes are ever damaged or lost, the Index
Rebuild function of BRS allows you rebuild
them rather than recover them. RECOVERY
ADVISOR: The Recovery Advisor component
of BRS allows you to monitor the frequency of
your image copies and change accumulations. It
helps you to determine whether all your
databases are being backed-up.
UNIT 4
Collect evidence, Collection options &
obstacles: Collect Evidence: Future Prevention:
Without knowing what happened, you have no
hope of ever being able to stop someone else
from doing it again. Responsibility: The attacker
is responsible for the damage done, and the only
way to bring him to justice is with proper
evidence to prove his actions. Information
gathered after a compromise can be examined
and used by others to prevent further attacks.
Collection Options: a)Pull the system off the
network and begin collecting evidence: In this
case you may find that you have insufficient
evidence or, worse, that the attacker left a dead
man switch that destroys any evidence once the
system detects that its offline.b)Leave it online
and attempt to monitor the intruder: you may
accidentally alert the intruder while monitoring
and cause him to wipe his tracks any way
necessary, destroying evidence as he goes.
Obstacles: Computer transactions are fast, they
can be conducted from anywhere, can be
encrypted and have no intrinsic identifying
features such as handwriting and signatures to
identify those responsible. Any paper trail of
computer records they may leave can be easily
modified or destroyed, or may be only
temporary. Auditing programs may
automatically destroy the records left when
computer transactions are finished with them.
Investigating electronic crimes will always be
difficult because of the ease of altering the data
and the fact that transactions may be done
anonymously.
Types of Evidence: Collecting the shreds of
evidence is really important in any
investigation to support the claims in court.
Below are some major types of evidence. Real
Evidence: These pieces of evidence involve
physical evidence such as flash drives, hard
drives, documents, etc. an eyewitness can also
be considered as a shred of tangible evidence.
Hearsay Evidence: These pieces of evidence
are referred to as out-of-court statements.
These are made in courts to prove the truth of
the matter. Original Evidence: These are the
pieces of evidence of a statement that is made
by a person who is not a testifying witness. It
is done in order to prove that the statement was
made rather than to prove its truth.
Testimony: Testimony is when a witness takes
oath in a court of law and gives their statement
in court. The shreds of evidence presented
should be authentic, accurate, reliable, and
admissible as they can be challenged in court.
Rules of Evidence:1. Admissible: Admissible is
the most basic rule. The evidence must be able
to be used in court. 2.Authentic: You must be
able to show that the evidence relates to the
incident in a relevant way. 3. Complete: It’s not
enough to collect evidence that just shows one
perspective of the incident. 4. Reliable: Your
evidence collection and analysis procedures
must not cast doubt on the evidence’s
authenticity and veracity. 5. Believable: The
evidence you present should be clearly
understandable and believable to a jury.
Volatile Evidence, General Procedure &
Methods of Collection: Volatile Evidence:
Always try to collect the most volatile evidence
first. Order of volatility would be: 1. Registers
and cache 2. Routing tables 3. Arp cache. 4.
Process table 5. Kernel statistics and modules 6.
Main memory 7. Temporary file systems 8.
Secondary memory 9. Router configuration 10.
Network topology. General Procedure :
Identification of Evidence: You must be able to
distinguish between evidence and junk data.
Preservation of Evidence: The evidence you
find must be preserved as close as possible to its
original state. Analysis of Evidence: Analysis
requires in-depth knowledge of what you are
looking for and how to get it. Presentation of
Evidence: The manner of presentation is
important, and it must be understandable by a
layman to be effective. Methods of Collection:
There are two basic forms of collection: freezing
the scene and honey-potting. a)Freezing the
Scene: It involves taking a snapshot of the
system in its compromised state. You should
then start to collect whatever data is important
onto removable non-volatile media in a standard
format. b)Honey-potting: It is the process of
creating a replica system and luring the attacker
into it for further monitoring. The placement of
misleading information and the attacker’s
response to it is a good method for determining
the attacker’s motives.
Collection Steps of Evidence: 1.Find the
Evidence: Use a checklist. Not only does it help
you to collect evidence, but it also can be used to
double-check that everything you are looking for
is there. 2. Find the Relevant Data: Once
you’ve found the evidence, you must figure out
what part of it is relevant to the case. 3. Create
an Order of Volatility: The order of volatility
for your system is a good guide and ensures that
you minimize loss of uncorrupted evidence. 4.
Remove external avenues of change: It is
essential that you avoid alterations to the original
data. 5. Collect the Evidence: Collect the
evidence using the appropriate tools for the job.
6. Document everything: Collection procedures
may be questioned later, so it is important that
you document everything you do. Timestamps,
digital signatures, and signed statements are all
important.
Chain of Custody: Chain of custody means
documentation that identifies all changes in the
control, handling, custody and ownership of a
piece of evidence. The gathered evidences
should store in a tamper-proof manner means
that evidence cannot be accessed by
unauthorized person, it helps in maintain the
chain of custody. For each obtained item a
complete chain-of-custody record is kept.
Process: 1. Data collection: It is the first step in
the chain of custody process. It entails the
identification labelling, recording, and
acquisition of data from all relevant sources
while maintaining the data and evidence's
integrity. 2.Examination: During this step, the
chain of custody information is documented, as
well as the forensic procedure that was followed.
It's critical to take screenshots throughout the
process to demonstrate the tasks that have been
completed and the evidence that has
been discovered. 3.Analysis: The result of the
examination stage is the analysis stage. In the
Analysis stage, legally justifiable methods and
techniques are used to gather useful information
in order to respond the questions posed in the
case. 4.Reporting: In the Examination and
Analysis stage, this is the documentation phase.
The following items are included in reporting: A
statement about the Chain of Custody. The
various tools that were used are explained. A
description of how various data sources were
analysed. Issues have been identified.
Vulnerabilities have been discovered. Additional
forensics measures that can be taken are
suggested. The procedure for establishing the
Chain of Custody: A series of steps must be
followed in order to ensure the chain of
custody's authenticity. It's worth noting that the
more information a forensic expert obtains about
the evidence, the more reliable the chain of
custody created becomes. According to the chain
of custody for electronic devices, you should
ensure that the following procedure is followed:
Save the original files. Photograph the physical
evidence. Taking screenshots of the digital
evidence is a good idea. Date, time, and any
other information about the evidence's receipt
should be documented. Inject forensic computers
with a bit-for-bit clone of digital evidence
content. To authenticate the working clone,
perform a hash test analysis.
Computer evidence processing steps: The
following are general computer evidence
processing steps: 1. Shut down the computer:
Depending on the computer OS, this usually
involves pulling the plug or shutting down a
network computer using relevant commands
required by the network involved. 2. Document
the hardware configuration of the system:
Before dismantling the computer, it is important
that pictures are taken of the computer from all
angles to document the system hardware
components and how they are connected. 3.
Transport the computer system to a secure
location: A seized computer left unattended can
easily be compromised. Don’t leave the
computer unattended unless it is locked up in a
secure location. 4. Make bit stream backups of
hard disks and floppy disks: All evidence
processing should be done on a restored copy of
the bit stream backup rather than on the original
computer. Bit stream backups are much like an
insurance policy and are essential for any serious
computer evidence processing. 5.
Mathematically authenticate data on all
storage devices: You want to be able to prove
that you did not alter any of the evidence after
the computer came into your possession. Since
1989, law enforcement and military agencies
have used a 32- bit mathematical process to do
the authentication process. 6. Make a list of key
search words:Gathering information from
individuals familiar with the case to help
compile a list of relevant keywords is important.
Such keywords can be used in the search of all
computer hard disk drives and floppy diskettes
using automated soft-ware. 7. Evaluate the
Windows swap file: The Windows swap file is
a potentially valuable source of evidence and
leads. When the computer is turned off, the swap
file is erased. But the content of the swap file
can easily be captured and evaluated. 8.
Evaluate unallocated space (erased files):
Unallocated space should be evaluated for
relevant keywords to supplement the keywords
identified in the previous steps. 9. Document
file names, dates, and times: From an evidence
standpoint, file names, creation dates, and last
modified dates and times can be relevant. 10.
Identify file, program, and storage anomalies:
Encrypted, compressed, and graphic files store
data in binary format. As a result, text data
stored in these file formats cannot be identified
by a text search program. Manual evaluation of
these files is required. 11. Evaluate program
functionality: Depending on the application
software involved, running programs to learn
their purpose may be necessary. When
destructive processes that are tied to relevant
evidence are discovered, this can be used to
prove wilfulness.
Evidence Collection Procedure: 1)Do not rush:
The investigation team will need a copy of their
incident-handling procedure, an evidence
collection notebook, and evidence identification
tags. They may also need to bring tools to
produce reliable copies of electronic evidence,
including media to use in the copying process.
2)The Incident Coordinator: will contact the
other members of the response when an incident
is reported. will be responsible for ensuring that
every detail of the incident-handling procedure
is followed, upon arrival at the incident site.
3)The Evidence Notebook: One team member
will be assigned the task of maintaining the
evidence note-book. This person will record the
who, what, where, when, and how of the
investigation process. At a minimum, items to be
recorded in the notebook include the following
task. This notebook is a crucial element in
maintaining chain of custody. Therefore, it must
be as detailed as possible to assist in maintaining
this chain. 4)Evidence Collection: Another
team member will be assigned the task of
evidence collection. To avoid confusion, the
number of people assigned this task should be
kept to a minimum. This member should also be
highly proficient with copying and analysis tools.
This person will tag all evidence and work with
the person responsible for the evidence notebook
to ensure that this information is properly
recorded. 5)Storage and Analysis of Data: The
lab must provide some form of access control; a
log should be kept detailing entrance and exit
times of all individuals. It is important that
evidence never be left in an unsecured area. If a
defense lawyer can show that unauthorized
persons had access to the evidence, it could
easily be declared inadmissible.
UNIT 5
Validating Forensic Data: Validating digital
evidence is one of the most important
components of computer forensics since it is
necessary to ensure the integrity of the data you
gather in order to present evidence in court. In
addition, forensic hashing methods are utilised to
validate captured images before further analysis.
Automated hashing of picture files is offered by
the majority of computer forensic products
including ProDiscover, X-Ways Forensics, FTK,
and Encase. For instance. ProDiscover performs
hash when it imports an image file and compares
the result to the hash that was created when the
picture was initially obtained. When the Auto
Image Checksum Verification dialogue box
appears when you load an image file in
ProDiscover, you might recall seeing this
function. To maintain data integrity, it is vital to
understand how to utilise complex hexadecimal
editors since computer forensics programmes
have some limits when it comes to hashing.
Data hiding Techniques: Data hiding involves
changing or manipulating a file to conceal
information. Data-hiding techniques include
changing file extensions, setting file attributes to
hidden, bit-shifting, using encryption, etc. Some
of these techniques are discussed in the
following sections. 1) Hiding Partitions: One
way to hide partitions is to create a partition and
then use a disk editor, such as Norton Disk Edit,
to delete any reference to it manually. To access
the deleted partition, users can edit the partition
table to re-create the links, and then the hidden
partition re-appears when the computer is
restarted. Another way to hide partitions is with
a disk-partitioning utility, such as G Disk,
Partition Magic, System Commander, or Linux
Grand Unified Boot loader (GRUB), which
provides a start-up menu where you can select
an OS. The system then ignores other bootable
partitions. 2) Marking Bad Clusters: Another
data-hiding technique, more common in FAT
file systems, is placing sensitive or incriminating
data in free or slack space on disk partition
clusters. This technique involves using a disk
editor, such as Norton Disk Edit, to mark good
clusters as bad clusters. The OS then considers
these clusters unusable. The only way they can
be accessed from the OS is by changing them to
good clusters with a disk editor. 3) Bit-Shifting:
Some home computer users developed the skill
of programming in the computer manufacturer’s
assembly language and learned how to create a
low-level encryption program that changes the
order of binary data, making the altered data
unreadable when accessed with a text editor or
word processor.
Performance Remote Acquisition: Runtime
Software offers the following shareware
programs for remote acquisitions: 1.Disk
Explorer for FAT 2.Disk Explorer for NTFS
3.HDHOST. Remember that they’re designed to
be file system specific, so there are Disk
Explorer versions for both FAT and NTFS that
you can use to create raw format image files or
segmented image files for archiving purposes.
HDHOST is a remote access program for
communication between two computers. The
connection is established by using the Disk
Explorer program (FAT or NTFS) corresponding
to the suspect (remote) computer’s file system.
Network Forensic: a)Network Forensics
Overview: Network forensics is the process of
collecting and analysing raw network data and
tracking network traffic systematically to
ascertain how an attack was carried out or how
an event occurred on a network. Because
network attacks are on the rise, there’s more
focus on this field and an increasing demand for
skilled technicians. Network forensics can also
help you determine whether a network is truly
under attack or a user has inadvertently installed
an untested patch or custom program.Network
forensics examiners must establish standard
procedures for how to acquire data after an
attack or intrusion incident. b)Securing a
Network: Network forensics is used to
determine how a security breach occurred;
however, steps must be taken to harden networks
before a security breach happens. Hardening
includes a range of tasks, from applying the
latest patches to using a layered network defence
strategy, which sets up layers of protection to
hide the most valuable data at the innermost part
of the network. It also ensures that the deeper
into the network an attacker gets, the more
difficult access becomes and the more
safeguards are in place. The National Security
Agency (NSA) developed a similar approach,
called the defense in depth (DiD) strategy. DiD
have three modes of protection: 1.People 2.
Technology 3.Operations .
Performing Live Acquisitions: Create or
download a bootable forensic CD, and test it
before using it on a suspect drive. If the suspect
system is on your network and you can access it
remotely, add the appropriate network forensics
tools to your workstation. If not, insert the
bootable forensics CD in the suspect system.
Make sure you keep a log of all your actions;
documenting your actions and reasons for these
actions is critical. A network drive is ideal as a
place to send the information you collect. If you
don’t have one available, connect a USB thumb
drive to the suspect system for collecting data.
Next, copy the physical memory (RAM).
Microsoft has built-in tools for this task, or you
can use available freeware tools, such as mem
fetch and Back Track. The next step varies,
depending on the incident you’re investigating.
With an intrusion, for example, you might want
to see whether a rootkit is present by using a tool
such as Root Kit Revealer. You can also access
the system’s firmware to see whether it has
changed, create an image of the drive over the
network, or shut the system down and make a
static acquisition later. Be sure to get a
forensically sound digital hash value of all files
you recover during the live acquisition to make
sure they aren’t altered later.
Securing a Computer Incident or Crime
Scene: Investigators secure an incident or crime
scene to preserve the evidence and to keep
information about the incident or crime
confidential. Information made public could
jeopardize the investigation. If you’re in charge
of securing a computer incident or crime scene,
use yellow barrier tape to prevent bystanders
from accidentally entering the scene. Use police
officers or security guards to prevent others from
entering the scene. Legal authority for a
corporate incident scene includes trespassing
violations; for a crime scene, it includes
obstructing justice or failing to comply with a
police officer. Access to the scene should be
restricted to only those people who have a
specific reason to be there. The reason for the
standard practice of securing an incident or
crime scene is to expand the area of control
beyond the scene’s immediate location. In this
way, you avoid overlooking an area that might
be part of the scene. Shrinking the scene’s
perimeter is easier than expanding it. For major
crime scenes, computer investigators aren’t
usually responsible for defining a scene’s
security perimeter. These cases involve other
specialists and detectives who are collecting
physical evidence and recording the scene. For
incidents primarily involving computers, the
computers can be a crime scene within a crime
scene, containing evidence to be processed.
Seizing Digital Evidence at the Scene: With
proper search warrants, law enforcement can
seize all computing systems and peripherals. In
corporate investigations, you might have similar
authority; however, you might have the authority
only to make an image of the suspect’s drive.
Depending on company policies, corporate
investigators rarely have the authority to seize all
computers and peripherals. When seizing
computer evidence in criminal investigations,
follow the U.S. DOJ standards for seizing digital
data. For civil investigations, follow the same
rules of evidence as for criminal investigation.
You might be looking for specific evidence,
such a particular e-mail message or spreadsheet.
In a criminal matter, investigators seize entire
drives to preserve as much information as
possible and ensure that no evidence is
overlooked.
Storing Digital Evidence: With digital evidence,
you need to consider how and on what type of
media to save it and what type of storage device
is recommended to secure it. The media you use
to store digital Evidence usually depends on how
long you need to keep it. If you investigate
criminal matters, store the evidence as long as
you can. The ideal media on which to store
digital data are CDRs or DVDs. These media
have long lives, but copying data to them takes a
long time. Older CDs had lives up to five years.
Today’s larger drives demand more storage
capacity; 200 GB drives are common, and DVDs
can store up to only 17 GB of data. You can also
use magnetic tape to preserve evidence data. The
4-mm DAT magnetic tapes store between 40 to
72 GB or more of data, but like CD-Rs, they are
slow at reading and writing data. If you’re using
these tapes, test your data by copying the
contents from the tape back to a disk drive. Then
verify that the data is good by examining it with
your computer forensics tools or doing an MD5
hash comparison of the original data set and the
newly restored dataset. If a 30-year lifespan for
data storage is acceptable for your digital
evidence, older DLT magnetic tape cartridge
systems are a good choice. DLT systems have
been used with mainframe computers for several
decades and are reliable data-archiving systems.
Depending on the size of the DLT cartridge, one
cartridge can store up to 80 GB of data in
compressed mode. Speed of data transfer from
your hard drive to a DLT tape is also faster than
transferring data to a CD-R or DVD. Recently,
manufacturers have introduced a high-speed,
high-capacity tape cartridge drive system called
Super Digital Linear Tape (Super-DLT or
SLDT). These systems are specifically designed
for large RAID data backups and can store more
than 1 TB of data.
UNIT 6
Types of Computer Forensic Tools: Computer
forensics tools are divided into two major
categories: hardware and software. The
following sections outline basic features required
and expected of most computer forensics tools.
Hardware Forensics Tools range from simple,
single purpose components to complete
computer systems and servers. Single-purpose
components can be devices, such as the ACARD
Ultra Wide SCSI-to-IDE Bridge, which is
designed to write-block an IDE drive connected
to a SCSI cable. Some examples of complete
systems are Digital Intelligence F.R.E.D.
systems, DIBS Advanced Forensic Workstations,
etc. Software Forensics Tools are grouped into
command-line applications and GUI applications.
Some tools are specialized to perform one task,
such as Safe Back, a command-line disk
acquisition tool from New Technologies, Inc.
(NTI). Other tools are designed to perform many
different tasks. For example, Technology
Pathways Pro- Discover, X-Ways Forensics,
Guidance Software En Case, and Access Data
FTK are GUI tools designed to perform most
computer forensics acquisition and analysis
functions. Software forensics tools are
commonly used to copy data from a suspect’s
drive to an image file. Many GUI acquisition
tools can read all structures in an image file as
though the image were the original drive.
Validating & Testing Forensic Software: To
make sure the evidence you recover and analyze
can be admitted in court. To do this, you must
test and validate your software. The bellow we
discuss validation tools available at the time of
this writing and how to develop your own
validation protocols. The National Institute of
Standards and Technology (NIST) publishes
articles, provides tools, and creates procedures
for testing and validating computer forensics
software. Establish categories for computer
forensics tools—Group computer forensics
software according to categories, such as
forensics tools designed to retrieve and trace e-
mail. Identify computer forensics category
requirements—For each category, describe the
technical features or functions a forensics tool
must have. Develop test assertions—Based on
the requirements, create tests that prove or
diSprove the tool’s capability to meet the
requirements. Identify test cases—Find or create
types of cases to investigate with the forensics
tool, and identify information to retrieve from a
sample drive or other media. Establish a test
method—Considering the tool’s purpose and
design, specify how to test it. Report test
results—Describe the test results in a report that
complies with ISO 17025, which requires
accurate, clear, unambiguous, and objective test
reports. Another standards document, ISO 5725,
demands accuracy for all aspects of the testing
pro- cess, so results must be repeatable and
reproducible.
E-Mail Investigation: a)The Role of E-mail in
Investigations:- E-mail evidence has become an
important part of many computing investigations,
so computer forensics investigators must know
how e-mail is processed to collect this essential
evidence. In addition, with the increase in e-mail
scams and fraud attempts with phishing or
spoofing, investigators need to know how to
examine and interpret the unique content of e-
mail messages. As a computing investigator, you
might be called on to examine a phishing e-mail
to see whether it’s authentic. Later, in tracing an
E-mail Message, you learn about resources for
looking up e-mail and Web addresses to verify
whether they’re associated with a spoofed
message. One of the most noteworthy e-mail
scams was 419, or the Nigerian Scam, which
originated as a chain letter from Nigeria, Africa.
Unlike newer, more sophisticated phishing e-
mail frauds, 419 messages have certain
characteristic ploys and a typical writing style.
For example, the sender asks for access to your
bank account so that he can transfer his money
to it as a way to prevent corrupt government
officials in his homeland from confiscating it.
The sender often promises to reward you
financially if you make a minor payment or
allow access to your bank account. The
messages are usually in uppercase letters and use
poor grammar. b)The Roles of the Client and
Server in E-mail: You can send and receive e-
mail in two environments: via the Internet or an
intranet (an internal network). In both e-mail
environments, messages are distributed from a
central server to many connected client
computers, a configuration called client/server
architecture. The server runs an e-mail server
program, such as Microsoft Exchange Server or
Novell GroupWise to provide e-mail services.
Client computers use e-mail programs (also
called e-mail clients), to contact the e-mail
server and send and retrieve e-mail messages.
Regardless of the OS or e-mail program, users
access their e-mail based on permissions the e-
mail server administrator grants. These
permissions prevent users from accessing each
other’s e-mail. To retrieve messages from the e-
mail server, users identify themselves to the
server, as when logging on to the network. Then
e-mails are delivered to their computers. E-mail
services on both the Internet and an intranet use
a client/server architecture, but they differ in
how client accounts are assigned, used, and
managed and in how users access their e-mail.
Overall, an intranet e-mail system is for the
private use of network users, and Internet e-mail
systems are for public use. c)Investigating E-
mail Crimes and Violations: 1. Examine the
email: When it is come into the light that email
crime has happened then it is necessary to
collect the evidence which is required to prove
the crime in the court of law. Evidence is the
mail which the victim received. First take the
image of 'machines hard drive. Obtain the
victims machine password to open the encrypted
file. Take the printed copy of the crime mail
(including header). Examine the IP address of
the sender's server. 2. Copy the email message
into the USB key. 3. Take the printout of the
email message by using the print option
available in the mail program. 4. View the mail
header: To check the mail header, Open your
mail. Right click on your mail. After right click
menus will display. Click on view full header.
The file header will get opened.5. Examine the
email header: The email header contains the
message header and the subject body. The email
header contains the information of the email
origin. It also gives the return path, and the
receiver mail id. 6. Examine the attachments:
If the mail contains any attachment then copy
that attachment and also take the print of the
attachment. 7. Trace the Email: The IP address
of the origination computer machine tells the
owner of the email address which has been used
in the possible crime that is being investigated. It
may be possible that this information may be
fake. So it's important to validate the evidence
which you uncover.
Computer Forensic Software Tools: 1. SANS
SIFT: The SANS Investigative Forensic Toolkit
(SIFT) is an Ubuntu based Live CD which
includes all the tools you need to conduct an in-
depth forensic or incident response investigation.
2. Crowd Strike Crowd Response: Crowd
Response is a lightweight console application
that can be used as part of an incident response
scenario to gather contextual information such as
a process list scheduled tasks, or Shim Cache. 3.
Volatility: Volatility is a memory forensics
framework for incident response and malware
analysis that allows you to extract digital
artifacts from volatile memory (RAM) dumps. 4.
The Sleuth Kit (+Autopsy): The Sleuth Kit is an
open source digital forensics toolkit that can be
used to perform in-depth analysis of various file
systems. Autopsy is essentially a GUI that sits
on top of The Sleuth Kit . 5. ExifTool: ExifTool
is a command-line application used to read,
write or edit file metadata information. It is fast,
powerful and supports a large range of file
formats. 6. Free Hex Editor Neo: Free Hex
Editor Neo is a basic hex editor that was
designed to handle very large files. 7. Bulk
Extractor: bulk extractor is a computer forensics
tool that scans a disk image, file, or directory of
files and extracts information such as credit card
numbers, domains, e-mail addresses. URLS, and
ZIP files. 8. Last Activity View: Last Activity
View allows you to view what actions were
taken by a user and what events occurred on the
machine.