Unit-5 Computer Forensics (Unit-4 For SE)

The document discusses computer forensics, including its historical background, need, and processes. Computer forensics involves the identification, collection, examination, and preservation of digital evidence from computers or networks related to illegal activities or security incidents. It outlines the key stages of a digital forensics investigation, which includes properly acquiring and storing digital evidence while maintaining a documented chain of custody to preserve its integrity for use in legal cases. Computer forensics experts must be technically trained to perform forensic analysis and interpret digital evidence in a way that is scientifically valid and legally admissible in court.

Uploaded by gbuzzz31
Understanding Computer Forensics
Unit-5 Syllabus
- Introduction
- Historical Background of Cyber Forensics
- Digital Forensics Science
- The Need for Computer Forensics
- Cyber Forensics and Digital Evidence
- Forensics Analysis of E-Mail
- Digital Forensics Life Cycle
- Chain of Custody Concept
- Network Forensics
- Approaching a Computer Network Investigation
- Challenges in Computer Forensics
- Special Tools and Techniques
- Forensics Auditing
7.1. Introduction
The purpose of this chapter is to address the other side of the crime, that is, the use of forensic techniques in the investigation of cyber crimes.
Cyber forensics is a very large domain and plays a key role in the investigation of crime.
Evidence is extremely important from a legal perspective.
Only technically trained and experienced experts should be involved in investigation activities.
7.2. Historical Background of Cyber Forensics
A computer is either the subject or the object of a cybercrime, or is used as a tool to commit a cybercrime.
The earliest recorded computer crimes occurred in 1969 and 1970, when student protestors burned computers at various universities.
Around the same time, people were discovering methods for gaining unauthorized access.
Computer intrusion and fraud committed with the help of computers were the first crimes to be widely recognized as a new type of crime.
7.2. Historical Background of Cyber Forensics contd..
The application of computers to investigating computer-based crime has led to the development of a new field called computer forensics.
Sometimes, computer forensics is also referred to as digital forensics.
Computer forensics is still a relatively new discipline and a fast-growing profession.
The focus of computer forensics is to find digital evidence.
7.3. Digital Forensics Science
Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information which is magnetically stored or encoded.
Or
Digital forensics is the use of scientifically derived and proven methods towards the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence.
7.3. Digital Forensics Science contd..
The role of digital forensics is to:
- Uncover and document evidence and leads.
- Assist in showing a pattern of events.
- Connect attack and victim computers.
- Reveal an end-to-end path of events leading to a compromise attempt.
- Extract data that may be hidden.
7.3. Digital Forensics Science contd..
Typical scenarios involved are:
- Employee Internet abuse
- Data leak/data breach
- Criminal fraud and deception cases
- Copyright violation
7.4. The Need for Computer Forensics
The convergence of Information and Communications Technology (ICT) has many advantages for mankind and at the same time provides avenues for misuse as well as opportunities for committing crime.
This has led to new risks for computer users and also increased opportunities for social harm.
Many threats arise from illegal Internet activities that extend beyond the firewall and require new investigative and forensics approaches.
7.4. The Need for Computer Forensics contd..
Some forensic services are:
- Data culling and targeting
- Cell phone forensics
- Expert affidavit report
- PDA forensics
- Production of evidence
7.5. Cyber Forensics and Digital Evidence
Cyber forensics can be divided into two domains:
1. Computer forensics
2. Network forensics
Many security threats are possible through computer networks.
Network forensics is the study of network traffic to search for truth in civil, criminal and administrative matters, to protect users and resources from exploitation.
7.5.1. Cyber Forensics and Digital Evidence contd..
Compared to physical evidence, digital evidence is different in nature because it has some unique characteristics.
i) First of all, digital evidence is much easier to change/manipulate.
ii) Second, digital copies can be made without harming the original. At the same time, the integrity of digital evidence can be proven.
7.5.1. The Rules of Evidence
According to the "Indian Evidence Act 1872", "Evidence" means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; these are called oral evidence.
2. All documents that are produced for the inspection of the court; these are called documentary evidence.
7.5.1 The Rules of Evidence contd..
Following are some guidelines for the digital evidence collection phase:
1. Adhere to the site's security policy and engage the appropriate incident handling and law enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times.
4. Note the difference between the system clock and Coordinated Universal Time (UTC).
5. Be prepared to testify, outlining all actions you took and at what times.
6. Minimize changes to the data as you are collecting it.
7. Remove external avenues for change.
8. Do collection first and analysis later.
7.6. Forensics Analysis of E-Mail
Forensics analysis of E-Mails is an important aspect of cyber forensics analysis. It helps to establish the authenticity of an E-Mail when it is suspected.
- An E-Mail system is the hardware and software that controls the flow of E-Mail.
- The two most important components are the E-Mail server and the E-Mail gateway.
- E-Mail servers are computers that forward, collect, store and deliver E-Mails to their clients.
- E-Mail gateways are the connections between E-Mail servers.
7.6. Forensics Analysis of E-Mail contd..
The primary evidence in E-Mail investigations is the E-Mail header. The E-Mail header contains a considerable amount of information about the E-Mail.
E-Mail header analysis should proceed from bottom to top, because each relay prepends its own Received line: the bottom-most information is the information from the sender, and the top-most information is about the receiver.
The following picture depicts a sample header (image not reproduced here).
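The bottom-to-top reading described above, as an added example that is not part of the original slides: the hops are taken from the Received lines, reversed into sender-first order, and checked for a broken relay chain or timestamps running backwards. All hostnames, addresses and timestamps are constructed for the demonstration.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the original slides); hosts, IPs and
# addresses are invented. Each relay prepends its own Received line, so the
# top line is the last hop and the bottom line is the sender's first hop.
CLEAN_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
    by mail.example.org with ESMTP id abc123
    for <bob@example.org>; Mon, 02 Jun 2014 10:20:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.2])
    by mx2.example.net with ESMTPS id def456;
    Mon, 02 Jun 2014 10:19:58 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.example.com with ESMTPSA id ghi789;
    Mon, 02 Jun 2014 10:19:55 +0000
From: alice@example.com
To: bob@example.org
Subject: quarterly report
Date: Mon, 02 Jun 2014 10:19:50 +0000

(body omitted)
"""

# Same message with an extra Received line at the bottom, i.e. a hop the
# sender wrote itself so the mail appears to originate elsewhere (constructed).
FORGED_MESSAGE = CLEAN_MESSAGE.replace(
    "From: alice",
    "Received: from smtp.bank.example (smtp.bank.example [203.0.113.99])\n"
    "    by localhost; Mon, 02 Jun 2014 10:30:00 +0000\nFrom: alice")

HOP_RE = re.compile(r"from\s+(?P<src>[^\s;]+).*?\bby\s+(?P<dst>[^\s;]+)",
                    re.IGNORECASE)


def parse_received(raw_message):
    """Return the Received hops in chronological (sender-first) order."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = HOP_RE.search(flat)
        when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        hops.append({"src": m.group("src") if m else None,
                     "dst": m.group("dst") if m else None,
                     "time": when})
    hops.reverse()      # bottom-most header is the first hop: read bottom to top
    return hops


def check_chain(hops):
    """Flag breaks in the relay chain and timestamps that run backwards."""
    findings = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if cur["dst"] != nxt["src"]:
            findings.append(f"hop {i + 1} delivered to {cur['dst']} but hop "
                            f"{i + 2} claims to come from {nxt['src']}")
        if nxt["time"] < cur["time"]:
            findings.append(f"hop {i + 2} is timestamped before hop {i + 1}")
    return findings


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = parse_received(raw)
        print(label, [(h["src"], h["dst"], h["time"].isoformat()) for h in hops])
        print("  findings:", check_chain(hops) or "none")
```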
7.6.1. RFC2822
RFC2822 is the Internet Message Format. According to the Internet specification RFC2822, there are several forms of valid E-Mail addresses, like [email protected] and john@[10.0.3.10].
Many E-Mail address validators on the web fail to recognize some of those valid E-Mail addresses.
Some examples of invalid E-Mail addresses are:
joshi@[email protected]
[email protected]
[email protected]
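An added example (not from the original slides) of a validator that accepts the RFC 2822 addr-spec forms many web validators miss, such as the domain-literal form john@[10.0.3.10] and quoted local parts. The grammar is simplified (no obsolete syntax, comments or folding whitespace), and the sample addresses are constructed, since the page's own examples were redacted by the hosting site.

```python
import re

# Simplified addr-spec grammar from RFC 2822 section 3.4.1 (obsolete syntax
# and comments/folding whitespace are deliberately not supported).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"            # john.doe (no leading, trailing or doubled dots)
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'    # "john doe"
DOMAIN_LITERAL = r"\[[^\[\]\\\r\n]*\]"             # [10.0.3.10]
ADDR_SPEC = re.compile(
    rf"^(?P<local>{DOT_ATOM}|{QUOTED_STRING})@(?P<domain>{DOT_ATOM}|{DOMAIN_LITERAL})$")


def is_valid_addr_spec(address):
    """True if the address matches one of the addr-spec forms above."""
    return ADDR_SPEC.fullmatch(address) is not None


def why_invalid(address):
    """Best-effort explanation for an address that failed validation."""
    if is_valid_addr_spec(address):
        return None
    if address.count("@") == 0:
        return "missing @"
    if address.count("@") > 1 and not address.startswith('"'):
        return "more than one @ outside a quoted local part"
    local, _, domain = address.rpartition("@")
    if ".." in local or local.startswith(".") or local.endswith("."):
        return "dot-atom local part has a leading, trailing or doubled dot"
    if domain.startswith("[") and not domain.endswith("]"):
        return "unterminated domain literal"
    if ".." in domain or domain.startswith(".") or domain.endswith("."):
        return "domain has a leading, trailing or doubled dot"
    return "character not allowed in an addr-spec"


# Constructed test cases (illustrative only).
SAMPLES = {
    "john@[10.0.3.10]": True,          # domain literal, valid per RFC 2822
    "john.doe@example.com": True,
    '"john doe"@example.com': True,    # quoted local part
    "john@doe@example.com": False,     # two @
    "john..doe@example.com": False,    # doubled dot
    "john@example.com.": False,        # trailing dot in domain
    "john@[10.0.3.10": False,          # unterminated literal
}

if __name__ == "__main__":
    for addr, expected in SAMPLES.items():
        ok = is_valid_addr_spec(addr)
        print(f"{addr:28} valid={ok!s:5} {'' if ok else why_invalid(addr)}")
        assert ok == expected
```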
7.6.1. RFC2822 contd..
The RFC2822 standard applies only to the Internet message format and some of the semantics of message contents. It contains no specification of the information in the envelope.
This standard is not intended to dictate the internal formats used by sites, the specific message system features that they are expected to support, or any of the characteristics of user interface programs that create or read messages.
In addition, this standard does not specify an encoding of the characters for either transport or storage; that is, it does not specify the number of bits used or how those bits are specifically transferred over the wire or stored on disk.
7.7. Digital Forensics Life Cycle
The major issues of cyber forensics involve: identification of potential digital evidence and determining where the evidence might be (which devices were used by the suspects?); preservation of evidence at the electronic crime scene, preventing loss and contamination and ensuring proper documentation; and further extracting the evidence and presenting it in a legally acceptable manner, taking due care of privacy-related issues.
As per the FBI's (Federal Bureau of Investigation) view, digital evidence is present in nearly every crime scene. That is why law enforcement must know how to recognize, seize, transport and store original digital evidence to preserve it for forensics examination.
Digital Forensics Process
- Digital forensics evidence consists of exhibits.
- The exhibits are introduced as evidence by either side.
- Testimony is presented to establish the process.
- The party must show the evidence.
- Digital forensics evidence can be challenged.
- Forensics experts formulate a cost proposal: a proposed timeline of activities, lists of anticipated deliverables and a plan for production and turnover of evidence.
- Submission of a preliminary risk analysis for the forensics service being proposed.
Digital Forensics Process (diagram slide; figure not reproduced here)
Phases in Computer Forensics/Digital Forensics
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation and attribution
6. Reporting
7. Testifying
Preparing for the Evidence and Identifying the Evidence
In order to be processed and applied, evidence must first be identified as evidence. It can happen that there is an enormous amount of potential evidence available for a legal matter.
Collecting and Recording Digital Evidence
Digital evidence can be collected from many sources. Some sources of digital evidence are:
- Computers
- Cell phones
- Digital cameras
- Hard drives
- CD-ROMs
- USB memory devices
- Digital thermometers
- Black boxes inside automobiles
- RFID tags and web pages
Storing and Transporting Digital Evidence
1. Image computer media using a write-blocking tool to ensure that no data is added to the suspect device.
2. Establish and maintain the chain of custody.
3. Document everything that has been done.
4. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
5. Care must be taken in transportation to prevent spoliation (in a hot car, digital media tends to lose bits).
6. Care must be taken to preserve the chain of custody and assure that a witness can testify accurately about what took place.
Examining/Investigating Digital Evidence
Special care must be taken to ensure that the forensics specialist has the legal authority to seize, copy and examine the data.
Sometimes this authority stems from a search warrant.
As a general rule, one should not examine digital information unless one has the legal authority to do so.
Amateur forensics examiners should keep this in mind before starting any unauthorized investigation.
Analysis, Interpretation and Attribution
Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by most forensics analysts.
Analysis, interpretation and attribution of digital forensics evidence can be reconciled with non-digital evidence.
Digital forensics evidence can be externally stipulated.
Open-source tools are available to conduct analysis of open ports and mapped drives on the live computer system.
Holding unpowered RAM below −60°C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it is impractical to do this during a field examination.
Reporting
A report is generated.
The report may be in written form or an oral testimony (or a combination of the two).
Evidence, analysis, interpretation and attribution are to be presented in the form of expert reports, depositions and testimony.
Presentation of the report is a complex and tricky process.
Testifying
This phase involves presentation and cross-examination of expert witnesses. Depending on the country and the legal frameworks in which a cyber crime is registered, certain standards may apply with regard to the issues of expert witnesses.
7.8. Chain of Custody Concept
- It is the central concept in cyber forensics/digital forensics investigation.
- It is the process of validating how any kind of evidence has been gathered, tracked and protected on the way to a court of law.
- It is essential to get in the habit of protecting all evidence equally so that it will hold up in court.
- The purpose is that the proponent of a piece of evidence must demonstrate that it is what it purports to be.
- There must be reliable information to show that the party offering the evidence can demonstrate that the piece of evidence is actually, in fact, what the party claims it to be, and can further demonstrate its origin and the handling of the evidence since it was acquired.
Chain of Custody Concept
The chain of custody is a chronological written record of those individuals who have had custody of the evidence from its initial acquisition until its final disposition.
A chain of custody begins when an item of relevant evidence is collected, and the chain is maintained until the evidence is disposed of.
The chain of custody assumes continuous accountability.
- This accountability is important because, if it is not properly maintained, evidence may be inadmissible in court.
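An added example (not from the original slides) tying together the storing-and-transporting steps, collection guideline 4 (system clock versus UTC) and the chain-of-custody record: the image is hashed once at acquisition, the clock offset is recorded, every hand-off is appended to a chronological log, and later verification re-hashes the evidence. The image bytes, examiners and timestamps are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a disk image taken through a write blocker (a real
# image would be read from the imaging tool's output file).
IMAGE_BYTES = b"BOOTSECTOR" + bytes(range(256)) * 16 + b"END-OF-CONSTRUCTED-IMAGE"
REF_UTC = datetime(2014, 6, 2, 10, 20, 0)    # trusted UTC reading at acquisition (naive)
SYS_CLOCK = datetime(2014, 6, 2, 15, 50, 0)  # what the suspect system's clock showed at that instant
SAMPLE_MTIME = datetime(2014, 6, 2, 16, 5)   # a file mtime as displayed on the suspect system


def fingerprint(data):
    """MD5 and SHA-256 of the image, computed once at acquisition."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def clock_offset_seconds(system_clock_reading, reference_utc):
    """Guideline 4: record how far the suspect system clock is from UTC."""
    return (system_clock_reading - reference_utc).total_seconds()


def to_utc(system_timestamp, offset_seconds):
    """Convert a timestamp read from the suspect system into UTC using the
    offset recorded at acquisition."""
    corrected = system_timestamp - timedelta(seconds=offset_seconds)
    return corrected.replace(tzinfo=timezone.utc)


def log_transfer(record, from_party, to_party, purpose, when_utc):
    """Append one custody entry; the list is the chronological written record."""
    record["custody"].append({"from": from_party, "to": to_party,
                              "purpose": purpose, "when": when_utc.isoformat()})


def acquire(image, examiner, system_clock_reading, reference_utc):
    """Open the chain-of-custody record: hashes, size, clock offset, first custodian."""
    record = {"hashes": fingerprint(image), "size": len(image),
              "clock_offset_seconds": clock_offset_seconds(system_clock_reading, reference_utc),
              "custody": []}
    log_transfer(record, "evidence scene", examiner, "acquisition via write blocker",
                 reference_utc.replace(tzinfo=timezone.utc))
    return record


def verify(record, image):
    """Re-hash the image and compare with the acquisition hashes; any change
    to the evidence, however small, fails this check."""
    return len(image) == record["size"] and fingerprint(image) == record["hashes"]


def demo():
    """Acquisition followed by two hand-offs, as they would be logged."""
    rec = acquire(IMAGE_BYTES, "examiner A", SYS_CLOCK, REF_UTC)
    log_transfer(rec, "examiner A", "evidence locker", "storage",
                 datetime(2014, 6, 2, 12, 0, tzinfo=timezone.utc))
    log_transfer(rec, "evidence locker", "examiner B", "analysis",
                 datetime(2014, 6, 3, 9, 0, tzinfo=timezone.utc))
    return rec


if __name__ == "__main__":
    rec = demo()
    print("system clock offset from UTC (s):", rec["clock_offset_seconds"])
    print("mtime", SAMPLE_MTIME, "on the suspect system is",
          to_utc(SAMPLE_MTIME, rec["clock_offset_seconds"]), "UTC")
    print("image intact:", verify(rec, IMAGE_BYTES))
    print("after one byte changed:", verify(rec, IMAGE_BYTES[:-1] + b"X"))
    for entry in rec["custody"]:
        print(entry)
```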
7.9. Network Forensics
This discipline is included within computer forensics science.
Wireless forensics is a discipline within the network forensics field.
- The goal is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law.
- The evidence collected can correspond to plain data or, with the broad usage of VoIP technologies, especially over wireless, can include voice conversations.
Network Forensics
It involves capturing all data moving over a Wi-Fi network and analyzing network events to:
- Uncover network anomalies
- Discover the source of security attacks
- Investigate breaches
The security analyst must follow the same general principles that apply to computer forensics:
- Identify, preserve and analyze the evidence to impartially report the findings and conclusions
7.10. Approaching a Computer Network Investigation
Phases involved in the forensics investigation:
- Secure the subject system (from tampering or unauthorized changes during the investigation)
- Take a copy of the hard drive (if applicable and appropriate)
- Identify and recover all files (including deleted files)
- Access/view/copy hidden, protected and temp files
- Study "special" areas on the drive (e.g. residue from previously deleted files)
- Investigate the settings and any data from applications and programs used on the system
- Consider general factors relating to the user's computer and other activity and habits in the context of the investigation
- Create a detailed and considered report, containing an assessment of the data and information collected
Approaching a Computer Network Investigation
Certain things should be avoided during the forensics investigation, depending on the nature of the computer system being investigated.
For example, one should avoid changing date/time stamps or changing the data itself ("Study it but Do Not Change").
Crucial not-to-forget things: the engagement contract and the non-disclosure agreement (NDA).
7.10.1. Typical Elements in a Forensics Investigation Engagement Contract
Authorization
The customer will be asked to agree to facilitate the engagement by providing all authorizations and security or legal clearances as required, prior to or throughout the course of the forensics investigation engagement.
Confidentiality
Any confidential information disclosed by the customer under the agreement remains the owner's sole property, and the computer forensics laboratory shall employ reasonable measures to prevent the unauthorized use of customer information.
Typical Elements in a Forensics Investigation Engagement Contract
Payment
The customer agrees to pay the forensics laboratory, which includes:
- Charges for lab services
- Travel and per diem expenses for onsite work
- Shipping and insurance and actual expenses
- Media and off-the-shelf software used
Consent and acknowledgment
Any consent required of either party becomes effective only if provided in a commercially reasonable manner.
The customer needs to acknowledge that equipment/data/media may have been damaged prior to receipt by the forensics lab.
The customer also acknowledges that the forensics lab completing its investigation may result in damage to equipment/data/media.
Typical Elements in a Forensics Investigation Engagement Contract
Limitation of liability
The forensics lab will not consider itself to be liable for:
- Physical functioning of equipment
- Data loss
- Loss of revenue or profits
- Goodwill
- Anticipated savings
- Any consequential loss
7.10.2. Solving a Computer Forensics Case
Steps involved in solving a computer forensics case:
1. Prepare for the forensics examination.
2. Talk to key people to find out what you are looking for.
3. If the case has a sound foundation, start assembling tools to collect data. Identify the target media.
4. Collect data from the target media.
5. To extract the contents of the computer, connect it to a portable hard drive and then boot the computer according to the directions for the software you are using.
6. When collecting evidence, be sure to check E-Mail records as well.
7. Examine the collected evidence on the image you have created.
8. Analyze the evidence you have collected by manually looking into the storage media. Often, criminals will hide incriminating information in pictures stored on the target computer.
9. Report your findings back to your client.
7.16. Challenges in Computer Forensics
- A microcomputer may have 200 GB or more of storage capacity.
- More than 5.2 billion messages are expected to be sent and received in the US alone per day.
- There are more than 3 billion indexed web pages worldwide.
- There are more than 550 billion documents online.
- Terabytes of data are stored on tape or hard drives.
- Most existing tools and methods allow anyone to alter any attribute associated with digital data.
- Encryption is a major anti-forensics technique, and keyword search can be defeated by renaming files.
7.16.1. Technical Challenges: Understanding the Raw Data and its Structure
Two aspects of the technical challenges faced in a digital forensics investigation:
- The "complexity" problem
- The "quantity" problem
It faces the complexity problem because the acquired data is in its lowest and most raw format. Non-technical people may find it more difficult to understand such a format.
- The directory is a layer of abstraction in the file system.
- Non-file-system layers of abstraction:
1. ASCII
2. HTML files
3. Windows Registry
4. Network packets
5. Source code
7.16.1. Technical Challenges: Understanding the Raw Data and its Structure contd..
Digital forensics is also challenged by the "quantity problem".
It involves the huge amount of data that digital forensics has to analyze.
It is inefficient to analyze every single piece of it.
Data reduction techniques need to be used to solve this.
Data reduction is done by grouping data into one larger event or by removing known data.
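Both data reduction techniques named above, as an added example that is not part of the original slides: files whose hash appears in a known-good reference set are dropped, and the remaining files are collapsed into events by modification-time proximity. The file inventory and the known-hash set are constructed in the code.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed file inventory from an imaged drive: (path, content, mtime).
# Contents stand in for real file bytes so that hashes can be computed here.
INVENTORY = [
    ("C:/Windows/System32/kernel32.dll", b"os-file-1",      datetime(2013, 8, 22, 12, 0)),
    ("C:/Windows/System32/ntdll.dll",    b"os-file-2",      datetime(2013, 8, 22, 12, 0)),
    ("C:/Users/j/Documents/plan.docx",   b"user-doc",       datetime(2014, 6, 2, 10, 15)),
    ("C:/Users/j/Downloads/tool.exe",    b"unknown-binary", datetime(2014, 6, 2, 10, 40)),
    ("C:/Users/j/AppData/Temp/x.tmp",    b"temp-data",      datetime(2014, 6, 2, 10, 52)),
    ("C:/Users/j/Pictures/holiday.jpg",  b"photo",          datetime(2014, 7, 9, 18, 30)),
]

# Known-good hash set in the style of a reference library of vendor OS files;
# constructed here from the two "operating system" entries above.
KNOWN_GOOD = {hashlib.sha256(b"os-file-1").hexdigest(),
              hashlib.sha256(b"os-file-2").hexdigest()}


def remove_known(inventory, known_hashes):
    """Data reduction by removing known data: drop files whose hash is in the
    reference set so the examiner only looks at what is unique to this system."""
    return [(path, content, mtime) for path, content, mtime in inventory
            if hashlib.sha256(content).hexdigest() not in known_hashes]


def group_into_events(files, window=timedelta(hours=1)):
    """Data reduction by grouping: files modified within `window` of the
    previous one are collapsed into a single event (a burst of activity)."""
    events = []
    for path, _, mtime in sorted(files, key=lambda f: f[2]):
        if events and mtime - events[-1]["end"] <= window:
            events[-1]["end"] = mtime
            events[-1]["files"].append(path)
        else:
            events.append({"start": mtime, "end": mtime, "files": [path]})
    return events


if __name__ == "__main__":
    unique = remove_known(INVENTORY, KNOWN_GOOD)
    print(f"{len(INVENTORY)} files, {len(unique)} left after removing known data")
    for ev in group_into_events(unique):
        print(ev["start"], "->", ev["end"], ev["files"])
```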
7.16.2. The Legal Challenges in Computer Forensics and Data Privacy Issues
Evidence, to be admissible in court, must be relevant, material and competent, and its probative value must outweigh any prejudicial effect.
Digital evidence can be easily duplicated and modified, often without leaving any traces; it can therefore present special problems related to competency.
Digital evidence needs to satisfy the legal admissibility requirements.
Modern computers have enormous data storage facilities. Gigabyte disk drives are common and a single computer may contain several such drives.
The Legal Challenges in Computer Forensics and Data Privacy Issues
Seizing and freezing of digital evidence can no longer be accomplished just by burning a single CD-ROM.
Failure to freeze the evidence prior to opening the files can invalidate critical evidence.
There is also the problem of locating the relevant evidence within massive amounts of data.
Artificial limitations are imposed by constitutional, statutory and procedural issues.
Various Personnel Involved in Digital Forensics/Computer Forensics
1. Technicians
- They carry out the technical aspects of gathering evidence.
- They have sufficient technical skills to gather information from digital devices, and understand software and hardware as well as networks.
- Forensics analysis of E-Mails is also important.
2. Policy makers
- They establish forensics policies that reflect broad considerations.
- But they must be familiar with computing and forensics as well.
3. Professionals
- They must have extensive technical skills as well as a good understanding of legal procedures.
7.17. Special Tools and Techniques
Most tools have the same underlying principles:
1. Creating forensics-quality or sector-by-sector images of media
2. Locating deleted/old partitions
3. Ascertaining date/time stamp information
4. Obtaining data from slack space
5. Recovering or "undeleting" files and directories, "carving" or recovering data based on file headers/file footers
6. Performing keyword searches
7. Recovering Internet history information
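Principle 5 (carving on file headers/footers), as an added example that is not part of the original slides: a scan of a raw byte blob for JPEG and PNG magic bytes that cuts each file at its footer and reports headers that have no footer (a truncated or partly overwritten file). The "unallocated space" blob and the file bodies inside it are constructed placeholders, not real images.

```python
# Header/footer signatures (magic bytes) for the file types carved here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(blob, max_size=16 * 1024 * 1024):
    """Scan a raw byte blob for known headers and carve up to the matching
    footer; a header with no footer within max_size is reported as partial."""
    carved, partial = [], []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (h := blob.find(head, pos)) != -1:
            f = blob.find(foot, h + len(head), h + max_size)
            if f == -1:                      # truncated or overwritten file
                partial.append({"type": kind, "offset": h})
                pos = h + 1
                continue
            end = f + len(foot)
            carved.append({"type": kind, "offset": h, "length": end - h,
                           "data": blob[h:end]})
            pos = end                        # resume after the carved file
    carved.sort(key=lambda r: r["offset"])
    return carved, partial


# Constructed "unallocated space": zero filler with two complete files and one
# truncated JPEG embedded (file bodies are placeholder text, not real images).
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-png-chunks" + b"IEND\xaeB`\x82"
TRUNCATED_JPG = b"\xff\xd8\xff\xe1" + b"constructed-jpeg-without-footer"
FILLER = b"\x00" * 512
UNALLOCATED = FILLER + FAKE_JPG + FILLER + FAKE_PNG + FILLER + TRUNCATED_JPG + FILLER

if __name__ == "__main__":
    files, partials = carve(UNALLOCATED)
    for f in files:
        print(f"{f['type']} at offset {f['offset']} ({f['length']} bytes)")
    for p in partials:
        print(f"partial {p['type']} header at offset {p['offset']} (no footer found)")
```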
7.17.1. Digital Forensics Tools Ready Reckoner
The list of carving tools is divided into three main categories:
1. Data recovery
2. Partition recovery
3. Carving
(The tool tables on the following slides are not reproduced here.)
7.17.2. Special Technique: Data Mining used in Cyber Forensics
Depending on the type of cybercrime, the impact and the impacted parties can vary.
Some impacts and impacted parties:
1. National security and government
2. Financial impacts and individuals
3. Brand image and organizations
Techniques of Data Mining
1. Entity extraction
This technique is used to identify particular patterns from data such as text, images or audio.
2. Clustering techniques
This involves grouping data items into classes with similar characteristics to maximize or minimize intraclass similarity.
3. Association rule mining
This technique discovers frequently occurring item sets in a database and presents the patterns as rules.
Techniques of Data Mining contd..
- Automated techniques to analyze different types of crimes need a unifying framework describing how to apply them.
- There is a need for understanding the relationship between analysis capability and crime type characteristics. This understanding can help investigators use those techniques more effectively to identify trends and patterns, address problem areas and even predict crimes.
Forensics Auditing
1. It is also known as "forensics accounting."
2. It is a specialized form of accounting.
3. It includes the steps needed to detect and deter fraud.
4. Forensics auditors make use of the latest technology to examine financial documents and investigate white-collar crimes such as fraud, identity theft, embezzlement of funds, securities fraud, etc.
5. It uses accounting, auditing and investigative techniques.
6. Forensics accounting professionals are assigned specialty tasks.
7. Forensics auditors are responsible for detecting fraud, identifying the individuals involved, collecting evidence, presenting the evidence in criminal proceedings, etc.