Unit 01

Uploaded by

Faraja January
Computer Forensics

ISM09204

Dr. Nicodemus M. M.
Computer Forensics - Overview

• The Internet and emerging technologies have propelled us into an era of unprecedented progress and connectivity.

• Unfortunately, this digital revolution has a downside:

• It has led to criminal innovation and created a new forum for both terrorist activities and criminal behavior.

• It has exacerbated the vulnerabilities of governments, organizations, institutions, and individuals alike.
WannaCry

• The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm.

• It was designed to exploit a security vulnerability in the Windows OS, using an exploit that was created by the NSA and leaked by the Shadow Brokers hacker group.

• WannaCry affected 230,000 computers worldwide. The attack hit one-third of all NHS hospitals in the UK, causing estimated damages of 92 million pounds.

• Users were locked out and a ransom payable in Bitcoin was demanded.

• The worldwide financial damage caused by WannaCry was approximately US$4 billion.
Computer Forensics
Teaches You

• How computers, mobile devices, and networks work.

• How data is stored and accessed, how it travels over the internet, and how it is stored on our devices, on our phones, and in the cloud.

• How to manage large amounts of data efficiently, so that we can find what we are looking for much more easily.

• How to think logically: because we are investigating, we have to go through a logical process to put evidence together to accept or reject a hypothesis (evidence-based reasoning).

• How to write and communicate effectively.
Computer Forensics - Definition

• Computer forensics is a branch of forensic science focused on the investigation, recovery, and analysis of digital evidence from electronic devices and digital media to uncover information related to computer crimes, cybersecurity incidents, or other legal matters.

• It involves the systematic examination of digital artifacts such as files, emails, logs, network traffic, and metadata to reconstruct events, identify perpetrators, and provide evidence for legal proceedings.
Digital Crime

• Digital crime refers to any criminal activity that involves the use of digital devices or digital technologies.

• This can include crimes committed using computers, smartphones, tablets, or any other electronic devices.

• Digital crimes may encompass a wide range of illegal activities, including but not limited to fraud, identity theft, intellectual property theft, unauthorized access to computer systems, and distribution of illegal content (e.g., piracy, child exploitation materials).

• Digital crime can occur both online and offline, as long as it involves the use of digital technologies.
Cyber-Crime

• Cybercrime specifically refers to criminal activities that are conducted over the internet or through computer networks.

• It involves the use of computers, networks, and internet-based technologies to commit unlawful acts.

• Cybercrime often involves the exploitation of vulnerabilities in computer systems or networks for malicious purposes, such as hacking, malware distribution, phishing, ransomware attacks, denial-of-service (DoS) attacks, and data breaches.
Importance of CF in Modern Investigation
Digital Evidence Recovery

• Digital devices often hold critical evidence in various forms such as emails, documents, photos, and chat logs.

• Example: In a financial fraud investigation, emails exchanged between the parties involved can serve as crucial evidence for prosecution.
Importance of CF in Modern Investigation
Crime Reconstruction and Timeline Establishment

• Digital artifacts help reconstruct events, establish timelines, and identify perpetrators.

• Example: In a cyberbullying case, examining social media posts, timestamps, and IP addresses can help reconstruct the sequence of events and identify the originator of the bullying.

💡 Case Scenario (diagram): the office (timecard, mobile phone), a store, and the home where the person is found dead (a neighbor calls the police), with cell towers and distances of 3 km, 2 km and 5 km marked between them.
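Timeline establishment in practice means putting records from sources that all log time differently onto one clock. The following is an added example, not part of the lecture slides: it takes constructed timecard, phone and cell-tower records for the case scenario above (all sample values, local time assumed to be UTC+3) and builds a single UTC-ordered timeline.

```python
# Added example (not from the slides): unify constructed records for the
# case scenario into one UTC timeline so events from the timecard system,
# the phone and the cell network can be compared in order.
from datetime import datetime, timezone, timedelta

LOCAL = timezone(timedelta(hours=3))  # assumed local zone of the timecard log

# Constructed sample records; each source writes time in its own format.
TIMECARD = [  # local time, no zone written in the log
    ("2024-03-04 08:02", "clock-in, office"),
    ("2024-03-04 17:31", "clock-out, office"),
]
PHONE = [  # epoch seconds (UTC) from the handset's message/call database
    (1709550900, "SMS sent"),
    (1709565600, "call received"),
]
TOWER = [  # ISO-8601 with explicit offset, as a carrier record might give
    ("2024-03-04T17:40:00+03:00", "phone seen on tower near store"),
    ("2024-03-04T19:05:00+03:00", "phone seen on tower near home"),
]


def build_timeline(timecard=TIMECARD, phone=PHONE, tower=TOWER):
    """Return a list of (utc_datetime, source, description) sorted by time."""
    events = []
    for ts, desc in timecard:
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL)
        events.append((local.astimezone(timezone.utc), "timecard", desc))
    for epoch, desc in phone:
        events.append((datetime.fromtimestamp(epoch, tz=timezone.utc), "phone", desc))
    for ts, desc in tower:
        events.append((datetime.fromisoformat(ts).astimezone(timezone.utc), "tower", desc))
    return sorted(events)  # aware datetimes compare correctly across zones


def events_between(timeline, start_desc, end_desc):
    """Events strictly between two named events, e.g. what the phone did
    between the clock-out and the last tower hit near home."""
    descs = [e[2] for e in timeline]
    i, j = descs.index(start_desc), descs.index(end_desc)
    return timeline[i + 1:j]


if __name__ == "__main__":
    for when, source, desc in build_timeline():
        print(when.isoformat(), source, desc)
```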
Importance of CF in Modern Investigation
Identification of Suspects and Victims

• Computer forensics aids in identifying both suspects and victims through digital footprints left behind on various platforms.

• Example: In a kidnapping case, tracking the location data from the victim's mobile device can assist law enforcement in locating the victim and apprehending the perpetrator.
Importance of CF in Modern Investigation
Corroboration of Witness Testimony

• Digital evidence can corroborate or refute witness testimony, strengthening the credibility of statements.

• Example: In a hit-and-run accident, surveillance footage retrieved from nearby cameras can corroborate witness statements regarding the make and model of the vehicle involved.
Importance of CF in Modern Investigation
Uncovering Hidden Information

• Computer forensics techniques can reveal hidden or deleted information that perpetrators attempt to conceal.

• Example: In a corporate espionage case, forensic analysis of a suspect's computer might uncover deleted files containing sensitive company data.

• Example: Uncovering information hidden in a partition gap (the unallocated space between partitions).
Importance of CF in Modern Investigation
Admissible Evidence in Court

• Properly collected and analyzed digital evidence is admissible in court, aiding in the prosecution or defense of legal cases.

• Example: In a cybercrime trial, digital evidence such as logs of unauthorized access to a network can be presented to support the charges against the defendant.
Digital Forensics - Subfields
Computer Forensics

• This subfield focuses on the investigation of computers and computing devices such as desktops, laptops, servers, and mobile devices.

• It involves the examination of hard drives, memory, operating systems, and applications to recover data and traces of activities relevant to the investigation.
Digital Forensics - Subfields
Network Forensics

• Network forensics involves the monitoring and analysis of network traffic to investigate security incidents, intrusions, or unauthorized activities.

• It aims to reconstruct network activities, identify sources of attacks, and gather evidence related to network-based crimes.
Possible Computer Forensics Career Paths

• Computer investigations and forensics fall into two distinct categories:
1. Public investigations
2. Private or corporate investigations
Possible Computer Forensics Career Paths
Public Investigations

• Involves government agencies responsible for criminal investigation and prosecution.

• The organization must observe legal guidelines.

• Examples:
• TZ - CID (Criminal Investigation Division)
• USA - CIA (Criminal Investigation Agency)
• USA - FBI (Federal Bureau of Investigation)
Possible Computer Forensics Career Paths
Private or Corporate Investigations

• Deals with private companies, non-law-enforcement government agencies, and lawyers.

• Not governed directly by criminal law, but by corporate policies.

• Governed by internal policies that define expected employee behavior and conduct in the workplace.

• Examples:
• TZ - BOT, CRDB, NMB, TCRA
• International - KROLL
Computer Forensic Process
4 Stages

• Assess the Situation: Analyze the scope of the investigation and the action to be taken.

• Acquire the Data: Gather, protect, and preserve the original evidence.

• Analyze the Data: Examine and correlate digital evidence with events of interest that will help you make a case.

• Report the Investigation: Gather and organize the collected information and write the final report.
Computer Forensic Process
Assess the Situation

• To conduct an investigation, you first need to obtain proper authorization, unless existing policies and procedures already provide incident response authorization.

• It is also important to understand the laws that might apply to the investigation, as well as any internal organizational policies that might exist.

• Determining who should respond to an incident is important to conducting a successful investigation.
Computer Forensic Process
Assess the Situation

• A thorough, clearly documented assessment of the situation is required to prioritize your actions and justify the resources for the internal investigation.

• A detailed document containing all information you consider relevant provides a starting point for the next phase and for the final report preparation.
Computer Forensic Process
Documentation

• Thorough documentation of the forensic process is essential to ensure transparency, repeatability, and admissibility of evidence in court.

• This includes documenting the procedures followed, tools used, findings, observations, and conclusions reached during the investigation.

• Creating consistent, accurate, and detailed documentation throughout the investigation process will help with the ongoing investigation.

• Before you begin the next phase, ensure that you have obtained a responsible decision maker's signoff on the documentation that you created in the previous phase.
Computer Forensic Process
Acquire the Data

• You need a collection of hardware and software tools to acquire data during an investigation.

• Collect data either locally or over a network. Acquiring the data locally has the advantage of greater control over the computer(s) and data involved.

• When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity.
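The integrity and documentation requirements of the acquisition and documentation phases above are usually met together: the acquired image is hashed once at acquisition, and every hand-over is logged with a fresh hash so any later change is visible. The following is an added example, not from the slides or any forensic tool; the image bytes and custody roles are constructed.

```python
# Added example (not from the slides): hash an acquired image in chunks and
# keep an append-only chain-of-custody log that re-hashes the evidence at
# every hand-over and compares it with the acquisition hash.
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (4 KiB of bytes).
SAMPLE_IMAGE = bytes(range(256)) * 16


def sha256_of(data, chunk_size=4096):
    """Stream the data through SHA-256 in chunks, as tools do for large images."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk_size):
        h.update(data[off:off + chunk_size])
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, item_id, data):
        self.item_id = item_id
        self.acquisition_hash = sha256_of(data)  # the reference value
        self.entries = []
        self.record("acquired", "examiner", data)

    def record(self, action, handler, data):
        """Log a hand-over; return True if the copy still matches the original."""
        current = sha256_of(data)
        intact = current == self.acquisition_hash
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": current,
            "intact": intact,
        })
        return intact


def verify_copy(original, copy):
    """True when a working copy is byte-for-byte identical to the original."""
    return sha256_of(original) == sha256_of(copy)
```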
Computer Forensic Process
Analyze the Data

• Analyzing network data involves the examination of various aspects of network traffic and communication patterns to uncover evidence of security breaches, unauthorized access, or malicious activities.

• The goal is to uncover valuable insights, identify the root cause of security incidents, and support effective incident response and remediation efforts.
Computer Forensic Process
Analyze the Data

• Analysis of host data in a forensic investigation involves examining the digital information stored on individual computers, servers, or other devices to uncover evidence relevant to a specific incident or investigation.
Digital Forensic Process
Analyze the Data

• The storage media you collected during the Acquire the Data phase will contain many files.

• You need to analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files.
Computer Forensic Process
Reporting

• A comprehensive forensic report is generated to summarize the findings of the investigation and present the evidence in a clear, organized, and understandable manner.

• The report typically includes:
- an executive summary,
- a detailed analysis of findings,
- the methodologies employed, and
- the conclusions drawn.
Computer Forensics - Key Challenges

• Encrypted data can be difficult to access and decrypt, making it harder for forensic investigators to collect evidence.

• Criminals may attempt to destroy digital evidence by wiping or destroying devices, requiring specialized data recovery techniques.

• Criminals use anti-forensic techniques to hide, alter, or remove traces of their crimes, making it more challenging for investigators to gather evidence.

• There are often no clear guidelines or standards for dealing with digital evidence in court, and the admissibility of evidence can be limited.
Computer Forensics - Key Challenges

• Rapid changes in technology, operating systems, and application software can make it difficult to read digital evidence created by older versions with newer versions.

• Producing electronic records and storing them can be extremely costly, and legal practitioners must have extensive computer knowledge to produce authentic and convincing evidence.

• A lack of technical knowledge among investigating officers can result in the desired outcome not being achieved.

• Limited resources, such as time and budget, can hinder the investigation process.
Computer Forensics - Techniques
Cross-Drive Analysis

• Cross-drive analysis is a powerful forensic technique that enables examiners to uncover hidden relationships, patterns, and evidence across multiple digital storage devices.

• This approach involves comparing the contents, metadata, and other attributes of files or data across different drives to identify patterns, connections, or inconsistencies that may be relevant to an investigation.

Such techniques have the potential to identify drives of interest from a large set.

Read if interested: https://www.bit4law.com/en/
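A minimal form of the cross-drive correlation described above, as an added example that is not from the slides or from any forensic product: each drive is reduced to the set of content hashes of its files and the set of e-mail addresses found on it, drive pairs that share either are linked, and the most-connected drives are reported as drives of interest. The three drives and their contents are constructed.

```python
# Added example (not from the slides): link drives by shared file hashes and
# shared e-mail addresses, then rank drives by how many others they link to.
import hashlib
from itertools import combinations


def inventory(files):
    """files: {path: bytes}. Return {sha256: path}, so identical content
    matches even when the path or filename differs between drives."""
    return {hashlib.sha256(data).hexdigest(): path for path, data in files.items()}


# Constructed sample drives (tiny file contents stand in for real files).
DRIVES = {
    "drive-A": {"files": {"docs/plan.docx": b"merger plan v3", "pics/1.jpg": b"\xff\xd8A"},
                "emails": {"alice@example.org", "broker@example.net"}},
    "drive-B": {"files": {"backup/plan.docx": b"merger plan v3", "notes.txt": b"lunch"},
                "emails": {"bob@example.org", "broker@example.net"}},
    "drive-C": {"files": {"readme.txt": b"hello"},
                "emails": {"carol@example.org"}},
}


def correlate(drives=DRIVES, min_shared=1):
    """Return {(drive1, drive2): {"files": n, "emails": m}} for every pair
    whose shared files plus shared addresses reach min_shared."""
    inv = {name: inventory(d["files"]) for name, d in drives.items()}
    links = {}
    for a, b in combinations(sorted(drives), 2):
        shared_files = set(inv[a]) & set(inv[b])
        shared_mail = drives[a]["emails"] & drives[b]["emails"]
        if len(shared_files) + len(shared_mail) >= min_shared:
            links[(a, b)] = {"files": len(shared_files), "emails": len(shared_mail)}
    return links


def drives_of_interest(drives=DRIVES):
    """Rank drives by the number of other drives they are linked to."""
    degree = {name: 0 for name in drives}
    for a, b in correlate(drives):
        degree[a] += 1
        degree[b] += 1
    return sorted(degree, key=lambda name: (-degree[name], name))
```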
Computer Forensics - Techniques
Live Analysis

• Live analysis, also known as live forensics or volatile data analysis, is a digital forensic technique that involves the real-time examination and analysis of data residing in the volatile memory (RAM) of a running computer system.

• Live analysis deals with data that is actively present in the computer's memory and is lost when the system is powered off or restarted.
Computer Forensics - Techniques
Recovery of Deleted Files

• A common technique used in computer forensics is the recovery of deleted files.

• Modern forensic software has its own tools for recovering or carving out deleted data.

• Most operating systems and file systems do not always erase the physical file data, allowing investigators to reconstruct it from the physical disk sectors.

• File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
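The header-based carving described above, as an added example that is not from the slides or from any carving tool: the carver scans a raw image for known file signatures (JPEG and PNG magic bytes here) and cuts each file from its header to the matching footer. The disk image is constructed and includes a truncated file whose footer was overwritten, which the carver skips rather than carving into the next file.

```python
# Added example (not from the slides): header/footer file carving over a raw
# image. Real JPEG/PNG magic values; the image itself is constructed.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES):
    """Return (offset, kind, data) for every header that has a footer after it."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0:
                break  # header with no footer: truncated or overwritten, skip
            end += len(footer)
            found.append((start, kind, image[start:end]))
            pos = end  # continue after this file
    return sorted(found)


# Constructed disk image: unallocated filler, one JPEG, one PNG, and a
# truncated JPEG whose footer has been overwritten.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 12 + b"IEND\xaeB`\x82"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"T" * 8
IMAGE = (b"\x00" * 32 + FAKE_JPG + b"\x00" * 16 + FAKE_PNG
         + b"\x00" * 8 + TRUNCATED + b"\x00" * 16)

if __name__ == "__main__":
    for offset, kind, data in carve(IMAGE):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

A truncated header that sits before a complete file of the same type would be carved together with that file, which is the classic limitation of plain header/footer carving.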
Computer Forensics - Techniques
Steganography

• Steganography is the practice of concealing secret information within a carrier medium, such as an image, audio file, video, or text, without attracting attention to the existence of the hidden data.

• Unlike encryption, which focuses on making the content of a message unintelligible to unauthorized users, steganography aims to hide the existence of the communication itself.
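Because steganography hides existence rather than content, the examiner's question is statistical: does the carrier look like an untouched carrier? The following is an added example, not from the slides: a chi-square pairs test applied to a constructed 8-bit cover before and after a constructed least-significant-bit payload is written into it. Sequential LSB embedding makes the counts of values 2k and 2k+1 converge, so the statistic drops sharply on the carrier that holds a payload.

```python
# Added example (not from the slides): chi-square pairs test for sequential
# LSB embedding. Cover samples, payload and embedding are all constructed.
import random


def embed_lsb(cover, bits):
    """Write bits into the LSB of successive samples (constructed embedding)."""
    stego = list(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & ~1) | b
    return stego


def chi_square_pairs(samples):
    """Deviation of counts of 2k and 2k+1 from their mean, summed over k.
    An untouched cover is usually far from paired; a fully embedded one
    is close to paired, so the value is much lower."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def make_cover(n=4096, seed=1):
    """Constructed cover: values 40..199 with a strong bias towards even
    values, standing in for a sensor whose LSB is not uniformly random."""
    rng = random.Random(seed)
    return [(rng.randrange(40, 200) & ~1) | (1 if rng.random() < 0.15 else 0)
            for _ in range(n)]


def payload_bits(n, seed=2):
    """Constructed payload: n pseudo-random bits (a compressed or encrypted
    message looks like this)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, payload_bits(len(cover)))
    print("cover:", round(chi_square_pairs(cover)), "stego:", round(chi_square_pairs(stego)))
```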
