What is Computer Forensics?

Acquisition of Computer Evidence

Preservation
Analysis
Court Presentation

What constitutes digital evidence?

Any information being subject to human
intervention or not, that can be extracted from
a computer.
Must be in human-readable format or capable
of being interpreted by a person with expertise
in the subject.

History & Development

Francis Galton (1822-1911)
First definitive study of fingerprints
Leone Lattes (1887-1954)
Discovered blood groupings (A,B,AB, & 0)
Calvin Goddard (1891-1955)
Firearms and bullet comparison
Albert Osborn (1858-1946)
Developed principles of document examination
Hans Gross (1847-1915)
First treatise on using scientific disciplines in
criminal investigations.

Computer Forensics examples

Recovering thousands of deleted emails
Performing investigation post employment
termination
Recovering evidence post formatting hard
drive
Performing investigation after multiple
users had taken over the system

Types of Cyber crime

Unauthorized Access
Denial of Service
Extortion
Theft
Spoofing or Imposter
Sites
Sabotage
Espionage
Computer Fraud
Copyright Violation
Cyber terrorism

Forgery and
Counterfeiting
Internet Fraud
SEC Fraud and Stock
Manipulation
Child Pornography
Stalking & Harassment
Credit Card Fraud &
Skimming
Identity theft
Tsunami fraud

Types of Computer Forensics

Disk (data) Forensics

Network Forensics
Email Forensics
Internet Forensics
Portable Device Forensics (flash cards,
PDAs, Blackberries, email, pagers, cell
phones, IM devices, etc.)

Disk Forensics
Disk forensics is the process of
acquiring and analyzing the data stored
on some form of physical storage
media.
Includes the recovery of hidden and
deleted data.

Network Forensics
Network forensics is the process of
examining network traffic.
After-the-fact analysis of transaction
logs
Real-time analysis via network
monitoring
1.Sniffers
2.Real-time tracing

Email Forensics
Email forensics is the study of source and
content of electronic mail as evidence.
identifying the actual sender and
recipient of a message, date/time it was
sent.
Often email is very incriminating.

Tracking down the email evidence

Reading Email Headers
How to interpret Email Headers
How do I get my email program to reveal
the full, unmodified email?

Internet Forensics
Internet or Web forensics is the process
of piecing together where and when a
user has been on the Internet.
E.g., Scott Peterson,
Michael Jackson

Source Code Forensics

To determine software ownership or software
liability issues.
Review of actual source code.
Examination of the entire development
process
e.g., development procedures,
documentation review, and review of source
code revisions.

Computer Forensics evidence

processing guidelines
1. Understand the suspects
2. Electronic evidence considerations
3. Secure the machine and the data
4. Examine the Live System and record
open applications

5. Power down carefully

6. Inspect for traps
7. Fully document hardware
configuration
8. Duplicate the hard drives
9. E-mail review

Who Uses Computer Forensics?

Criminal Prosecutors
Rely on evidence obtained from a computer to
prosecute suspects and use as evidence

Civil Litigations
Personal and business data discovered on a
computer can be used in fraud, divorce, harassment,
or discrimination cases

Insurance Companies
Evidence discovered on computer can be
used to mollify costs (fraud, workers
compensation, arson, etc)

 Private Corporations
Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and
embezzlement cases

Law Enforcement Officials

Rely on computer forensics to backup search
warrants and post-seizure handling

Individual/Private Citizens
Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination from
employment

Computer Forensics requirements

Hardware
Familiarity with all internal and external
devices/components of a computer
Thorough understanding of hard drives and settings
Understanding motherboards and the various
chipsets used
Power connections
Memory

BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of
the BIOS

 Operation Systems

Windows 3.1/95/98/ME/NT/2000/2003/XP
DOS
UNIX
LINUX
VAX/VMS

Software
Familiarity with most popular software packages
such as Office

Forensic Tools
Familiarity with computer forensic techniques and the
software packages that could be used

E-evidence todays fingerprint and

smoking gun
Zacarias Moussaoui
20th hijacker in the 9/11 terrorist
attacks against the U.S.
his laptop, 4 computers, and several
email accounts (
Zacarias Moussaoui passing
[email protected]) were
through a London airport.
searched for e-evidence
[BBC]
FBI discovered that the 19 hijackers
used Kinko's computers in various
cities to gain access to the Internet to
plan 9/11.

Future of Computer Forensics

Computer forensics is now part of criminal investigations.
Crimes & methods to hide crimes are becoming more
sophisticated.
Computer forensics will be in demand for as long as
there are criminals and misbehaving people.
Will attract students and law professionals who need to
update their skills.