Computer Forensics
data mining to computer forensics
Definition
What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Evidence might be required for a wide range of computer crimes and misuses.
Multiple methods of:
Discovering data on a computer system
Recovering deleted, encrypted, or damaged file information
Monitoring live activity
Detecting violations of corporate policy
Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.
Definition (cont)
What Constitutes Digital Evidence?
Any information, whether subject to human intervention or not, that can be extracted from a computer.
Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
Computer Forensics Examples
Recovering thousands of deleted emails
Performing an investigation after termination of employment
Recovering evidence after a hard drive has been formatted
Performing an investigation after multiple users had taken over the system
Reasons For Evidence
Wide range of computer crimes and misuses
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Possession of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Forgery
Perjury
Reasons For Evidence (cont)
Computer-related crime and violations include a range of activities such as:
Business Environment:
Theft or destruction of intellectual property
Unauthorized activity
Tracking internet browsing habits
Reconstructing events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software piracy
Who Uses Computer Forensics?
Criminal Prosecutors
Rely on evidence obtained from a computer to prosecute suspects and use as evidence
Civil Litigations
Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
Insurance Companies
Evidence discovered on a computer can be used to reduce costs (fraud, worker's compensation, arson, etc.)
Private Corporations
Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
Who Uses Computer Forensics? (cont)
Law Enforcement Officials
Rely on computer forensics to back up search warrants and post-seizure handling
Individual/Private Citizens
Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Handling Evidence
Admissibility of Evidence
Legal rules which determine whether potential evidence can be considered by a court
Must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place
No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer
Preventing viruses from being introduced to a computer during the analysis process
Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
Handling Evidence (cont)
Non-Volatile Information
This includes information, configuration settings, system files and registry settings that are still available after a reboot
Accessed through drive mappings from the system
This information should be investigated and reviewed from a backup copy, never from the original media
Computer Forensic Requirements
Hardware
Familiarity with all internal and external devices/components of a computer
Thorough understanding of hard drives and settings
Understanding motherboards and the various chipsets used
Power connections
Memory
BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS
Computer Forensic Requirements (cont)
Operating Systems
Windows 3.1/95/98/ME/NT/2000/2003/XP
DOS
UNIX
LINUX
VAX/VMS
Software
Familiarity with the most popular software packages, such as Office
Forensic Tools
Familiarity with computer forensic techniques and the software packages that could be used
Anti-Forensics
Software that limits and/or corrupts evidence that could be collected by an investigator
Performs data hiding and distortion
Exploits limitations of known and widely used forensic tools
Works on both Windows and LINUX based systems
Can be put in place prior to or after system acquisition
Evidence Processing Guidelines
New Technologies Inc. recommends the following 16 steps in processing evidence
They offer training on properly handling each step
Step 1: Shut down the computer
Consideration must be given to volatile information, which is lost at shutdown
Prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software)
Step 2: Document the Hardware Configuration of the System
Note everything about the computer configuration prior to relocating it
Evidence Processing Guidelines (cont)
Step 3: Transport the Computer System to a Secure Location
Do not leave the computer unattended unless it is locked in a secure location
Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
Step 5: Mathematically Authenticate Data on All Storage Devices
Must be able to prove that you did not alter any of the evidence after the computer came into your possession
Step 6: Document the System Date and Time
Step 7: Make a List of Key Search Words
Step 8: Evaluate the Windows Swap File
Evidence Processing Guidelines (cont)
Step 9: Evaluate File Slack
File slack is a data storage area of which most computer users are unaware; a source of significant security leakage.
Step 10: Evaluate Unallocated Space (Erased Files)
Step 11: Search Files, File Slack and Unallocated Space for Key Words
Step 12: Document File Names, Dates and Times
Step 13: Identify File, Program and Storage Anomalies
Step 14: Evaluate Program Functionality
Step 15: Document Your Findings
Step 16: Retain Copies of Software Used
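Added example, not part of the slides or of New Technologies Inc.'s material: a minimal Python illustration of Steps 4, 5 and 11 (bit-stream image, hash authentication of source and image, keyword search over the raw image so slack and unallocated bytes are covered). The "device" is a constructed byte string written to a temporary file; the function names are assumptions for this example.

```python
# Added example (not from the slides): Steps 4, 5 and 11 on a constructed image.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large devices do not fill memory


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, read in chunks (Step 5)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fp:
        for block in iter(lambda: fp.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path):
    """Step 4: copy every byte of src to dst (a bit-stream image, not a file copy).
    Step 5: return (source_hash, image_hash); equal values authenticate the image."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return hash_file(src_path), hash_file(dst_path)


def keyword_search(image_path, keywords):
    """Step 11: find each keyword anywhere in the raw image, so bytes in file
    slack or unallocated space are searched too. Returns {keyword: [offsets]}."""
    with open(image_path, "rb") as fp:
        data = fp.read()  # whole image in memory; fine for the small sample
    hits = {}
    for word in keywords:
        needle, found, start = word.encode(), [], 0
        while (pos := data.find(needle, start)) != -1:
            found.append(pos)
            start = pos + 1
        hits[word] = found
    return hits


def demo():
    # Constructed "device": a live file, then unallocated bytes still holding
    # the remains of a deleted document that a directory listing would not show.
    disk = (b"LIVE FILE: quarterly report" + b"\x00" * 100
            + b"deleted: secret merger memo" + b"\x00" * 50)
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "device.bin"), os.path.join(work, "device.dd")
    with open(src, "wb") as fp:
        fp.write(disk)
    src_hash, img_hash = image_device(src, img)
    return src_hash == img_hash, keyword_search(img, ["secret", "report"])
```

On a real case the source path would be a block device opened read-only (ideally behind a hardware write blocker) and both digests would be recorded in the case notes before any analysis begins.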
What is Digital Evidence and How is it Different?
Information and data of investigative value that is stored on or transmitted by an electronic device
Specific wording is needed not only to seize the media but also to access the data stored within the media… there is a difference
This requirement provides protection at the time of trial, preventing the examiner of the evidence from an unlawful search of the data contained on the items submitted. This is an example of how digital evidence differs from other types of evidence that can be seen "in plain sight". A search warrant to collect possible evidence of a crime at the scene typically covers the evidence you can walk into a room and see or touch. It is a more intrusive search to get into a laptop, remove the hard drive and examine (search) it for evidence of a crime.
http://www.cca.courts.state.tx.us/tcjiu/ppt/10-Land.pptx