
CFPPT

This document provides an overview of computer forensics. It discusses the architecture, process, advantages, and applications of computer forensics. The computer forensics process involves preparing a case, conducting an investigation through techniques like cross-drive analysis and recovery of deleted files, protecting evidence, and completing the case with a final report. Computer forensics can be used for criminal and civil cases and has the advantage of being able to search and analyze large amounts of digital data quickly to uncover evidence.

Uploaded by: Manju Allagi
Copyright: © Attribution Non-Commercial (BY-NC)

COMPUTER FORENSICS

By
DIVYA.M.K.
1SG07CS021
Computer Science and Engineering
UNDER THE GUIDANCE OF: Prof. Mallikarjuna shastry
Contents
Introduction
Abstract
Architecture of computer forensics
Computer forensics process
Advantages
Disadvantages
Applications
Conclusion
Future enhancement
References

Introduction
• Computer forensics (CF) is a branch of digital forensic science.
• It is most often associated with computer crime, but it may also be used in civil proceedings.
• Evidence from computer forensic investigations is usually subjected to the same guidelines and practices as other digital evidence.
• The scope of forensic analysis can vary from simple information retrieval to reconstructing a series of events.

Abstract
• As in any investigation, establishing that an incident has occurred is the first key step.
• Secondly, the incident needs to be evaluated to determine if computer forensics may be required.
• Preservation of evidence is the first rule in the process.
• The level of training and expertise required to execute a forensics task will largely depend on the level of evidence required in the case.

Computer Forensic Architecture
• The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency.
• The architecture forms an environment for recursive extraction of data and metadata from digital evidence.
• The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable.

Computer Forensic process
Steps to be followed [2]:
• Preparing a case
• Conducting investigation
• Protecting evidence
• Completing case

Preparing a case
Examining a company policy violation [3]
• Companies often establish policies for computer use by employees.
• Employees misusing resources can cost companies millions of dollars.
• Misuse includes:
  • Surfing the Internet
  • Sending personal e-mails
  • Using company computers for personal tasks

Conducting Investigation
A number of techniques are used during a computer forensics investigation [1]:
• Cross-drive analysis
• Live analysis
• Recovery of deleted files

Cross-drive analysis (CDA)
• CDA is a forensic technique that correlates information found on multiple hard drives.
• It uses another technique called Forensic Feature Extraction (FFE).
• The process, which is still being researched, can be used for anomaly detection.
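
Added example (not part of the original slides): a small Python sketch of feature extraction followed by cross-drive correlation. The choice of e-mail addresses as the extracted feature, the function names and the three sample "drive images" are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Assumed feature type for this example: e-mail addresses found in raw bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample "drive images" (raw bytes, not real evidence).
SAMPLE_IMAGES = {
    "drive_A": b"\x00\x00alice@example.org\x00junk\xff\xfebob@example.net\x00",
    "drive_B": b"\x01\x02carol@example.com\x00\x00BOB@example.net\x90\x90",
    "drive_C": b"\x00no addresses here\x00alice@example.org\x00bob@example.net",
}

def extract_features(image):
    """Feature extraction: scan the raw bytes, ignoring file system structure."""
    return {m.group().decode("ascii").lower() for m in EMAIL_RE.finditer(image)}

def cross_drive_analysis(images):
    """Correlate features across drives.

    Returns (links, scores):
      links  - feature -> sorted list of drives, for features on 2+ drives
      scores - (drive, drive) -> number of features the pair shares
    """
    seen = defaultdict(set)
    for name, image in images.items():
        for feature in extract_features(image):
            seen[feature].add(name)
    links = {f: sorted(d) for f, d in seen.items() if len(d) >= 2}
    scores = defaultdict(int)
    for drives in links.values():
        for pair in combinations(drives, 2):
            scores[pair] += 1
    return links, dict(scores)

if __name__ == "__main__":
    links, scores = cross_drive_analysis(SAMPLE_IMAGES)
    for pair, n in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(pair, "share", n, "feature(s)")
    for feature, drives in sorted(links.items()):
        print(feature, "->", drives)
```

Drive pairs with the highest shared-feature score are the ones an examiner would look at first; a feature seen on only one drive does not link anything.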

Live Analysis (LA)
• LA is the process of examining computers from within the OS using existing sysadmin tools to extract evidence.
• This technique is useful when dealing with Encrypting File Systems (EFS).
• One application of LA is to recover RAM data.

Recovery of Deleted Files
• Recovering deleted files is a common technique used in the CF process.
• Most operating systems (OS) and file systems (FS) allow physical file data to be reconstructed from the physical disk sectors.
• This technique involves a process called file carving.
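
Added example (not part of the original slides): a minimal header/footer file carver in Python, run over a constructed raw image. It covers both JPEG and PNG signatures, which goes slightly beyond the slide; the function name, the size limit and the sample bytes are assumptions made for this illustration.

```python
# Well-known start/end signatures for two file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample data: file-like blobs, not real images.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"chunk-data" + b"IEND\xaeB`\x82"
# Constructed "disk": empty sector, a deleted JPEG, slack, a deleted PNG,
# filler, then a JPEG header whose footer was overwritten (truncated file).
DISK = (b"\x00" * 512 + FAKE_JPG + b"\x00" * 100 + FAKE_PNG
        + b"\xaa" * 64 + b"\xff\xd8\xff\xe1truncated")

def carve(image, max_size=10 * 1024 * 1024):
    """Return [(kind, start_offset, data)] for each header/footer pair found.

    Works on raw bytes only, so it needs no file system metadata.
    Limitation: assumes each file is stored contiguously (not fragmented).
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: truncated file or false hit.
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    for kind, offset, data in carve(DISK):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The truncated JPEG header at the end of the sample is skipped rather than carved, which is how a simple carver avoids emitting unbounded garbage when the footer is missing.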

Protecting Evidence
• Take all necessary measures to avoid damaging the evidence.
• Place the evidence in a secure container.
• Transport the evidence to the computer forensics lab.
• Secure the evidence by locking the container.

Completing the Case
• You need to produce a final report.
• State what you did and what you found.
• You can even include logs from the forensic tools you used.
• If required, use a report template.
• The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy.

Advantages
• Computer forensics’ main advantage is its ability to search and analyze a mountain of data quickly, thoroughly and efficiently.
• Investigate and uncover evidence of illegal activities conducted via computer.
• Investigate and uncover evidence of crimes that weren't directly committed via computer.
• Valuable data that has been lost and deleted by offenders can be retrieved.

Disadvantages
• The main disadvantage is the cost when retrieving data.
• Computer forensic specialists must have complete knowledge of legal requirements, evidence handling and storage, and documentation procedures.
• Legal practitioners involved in the case must also have knowledge of computer forensics.
• The CF analyst should prove in a court of law that data is tampered.

Applications
Criminal Prosecutors
• Child Pornography cases
• Homicides
• Embezzlement
• Financial Fraud
Civil Litigations
• Fraud
• Divorce
• Breach of Contract
• Copyright
Insurance Companies
• False Accident Reports
• Workman’s Compensation Cases

Applications (continued)
Large Corporations
• Embezzlement
• Insider Trading
Law Enforcement
Any Individual
• Claims
  • Sexual harassment
  • Age discrimination
  • Wrongful termination from job
  • Background checks

Conclusion
• With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics.
• This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals who believe they have successfully beaten the system.

Future enhancement
• Computer forensic tools will be about 5 times as fast, and twice as sophisticated.
• A lot of automated tools for collection and initial processing of evidence are starting to be released.
• These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster.
• More Open Source forensic tools will be available for free for those willing to learn to use them.

References
1. Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010.
2. A Yasinsac; RF Erbacher; DG Marks; MM Pollitt (2003). "Computer forensics education". IEEE Security & Privacy. Retrieved 26 July 2010.
3. Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. pp. 392. ISBN 0201707195. Retrieved 6 December 2010.

THANK YOU
